P

packet

The fundamental unit of information transmitted over a network or over a digital communication link. Packets usually contain a header with control information about the packet type, source address, and destination address. They can also contain error-checking information. Packets have a logical structure based on the protocol used, but the general structure of a packet includes a header followed by a payload (data) and an optional trailer (footer). Packets can also have different sizes and structures depending on the underlying network architecture. A packet might also be called a datagram, a frame, or a cell.

NOTE

From the perspective of the Open Systems Interconnection (OSI) reference model, the terms “packet” and “frame” have precise definitions. A packet is an electronic envelope containing information formed in one of the layers from layer 3 through layer 7 of the OSI model. A frame is an electronic envelope of information that includes the packet as well as other information from all seven layers of the OSI model.

packet assembler/disassembler (PAD)

A telecommunications device that breaks a data stream into individual packets and formats the packet headers for asynchronous transmission over an X.25 network. It also accepts packets from the network and translates them into a data stream. Packet assembler/disassemblers (PADs) are a form of data communications equipment (DCE) for connecting asynchronous data terminal equipment (DTE) such as computers and dumb terminals to the X.25 packet-switching service.

Graphic P-1. Packet assembler/disassembler (PAD).

How It Works

When one computer on an X.25 network wants to communicate with another computer in a remote location, the first computer sends a signal to its attached PAD requesting a connection to the remote computer. The remote computer responds by either accepting the request and initiating full-duplex communication or rejecting the request. Either computer can terminate the link at any time. Note that this communication link is for data only—X.25 does not support voice transmission. Note also that PADs are DCEs, and even though they are located at the customer premises, they are considered nodes on the X.25 network.

The PAD’s function is simply to assemble data such as strings of characters into packets to transmit over the X.25 network to the remote host and to disassemble packets that are received. PADs are often used for providing remote access via dumb terminals over X.25 to mainframe or minicomputer hosts. In this scenario, the terminals require PADs but the mainframe hosts do not—they are directly connected to the X.25 network. To configure the PAD, the administrator must specify a number of PAD parameters such as echo control, data forwarding, break signals, line folding, and binary speed. The PAD parameters (usually 22 for each terminal that the PAD services) are defined by an International Telecommunication Union (ITU) protocol called X.3. Communication between terminals and PADs is governed by the protocol X.28, and communication between the PAD and the remote host is governed by X.29.

PADs come in different configurations. Some PADs support eight or more asynchronous DTE connections and have multiple DCE interfaces for maximum configurability. Typically, you connect your asynchronous hosts (computers) to the PAD using RJ-45 connectors on twisted-pair cabling. The PAD then connects to a Channel Service Unit/Data Service Unit (CSU/DSU), which interfaces with the X.25 connection using a serial interface such as RS-232 or V.35.

NOTE

The Remote Access Service (RAS) on Microsoft Windows NT and Windows 2000 supports PADs and other ways of connecting to X.25 networks, such as X.25 smart cards and special modems for dialing up X.25 carriers such as SprintNet and Infonet.

TIP

Some PADs support both X.25 and frame relay packet-switching services and can be used to ease the migration path from X.25 to frame relay.

packet filtering

The process of controlling the flow of packets based on packet attributes such as source address, destination address, type, length, and port number.

How It Works

Many routers and proxy servers use some form of packet filtering that provides firewall capabilities for protecting the network from unauthorized traffic. Administrators can create rules for filtering out unwanted packets and can arrange these rules in the most efficient order. A packet that passes all the rules is allowed through, while a packet that violates any rule is dropped.

Packet filtering can be implemented on routers and firewall devices in two ways: static filtering and dynamic filtering.

Static packet filtering provides limited security by configuring selected ports as either permanently open or permanently closed. For example, to deny outside packets access to a company intranet server on port 80 (the standard port number for the Hypertext Transfer Protocol, or HTTP) you could configure the router or firewall to block all incoming packets directed toward port 80.

Dynamic packet filtering provides enhanced security by allowing selected ports to be opened at the start of a legitimate session and then closed at the end of the session to secure the port against attempts at unauthorized access. This is particularly useful for protocols that allocate ports dynamically—for example, with the File Transfer Protocol (FTP). If you want to grant outside users secure access to an FTP server behind the firewall (within the corporate network), you need to consider the following:

• Port 21 (the FTP control port) needs to be left permanently open so that the FTP server can “listen” for connection attempts from outside clients. A static filtering rule can accomplish this.

• Port 20 (the FTP data port) needs to be opened only when data will be uploaded to or downloaded from the FTP server. With static filtering this port would have to be configured as permanently open, which could provide a door for hacking attempts. Dynamic filtering allows this port to be opened at the start of an FTP session and then closed at the end of the session.

• In order to establish an FTP connection with the client, the FTP server randomly assigns two port numbers in the range 1024 through 65,535 to the client, one for the control connection and one to transfer data. Because these ports are assigned randomly, there is no way to predict which ports above 1024 must be able to be opened by the firewall. With static filtering, you would therefore have to leave all ports above 1024 permanently open if you wanted to allow FTP access through the firewall, which would be a real security risk. With dynamic filtering, however, you can configure rules on the firewall that will read the packets issued by the server, dynamically open the two randomly assigned ports to allow a session to be opened, monitor the flow of packets to ensure that no attempt is made to hijack the session by an unauthorized user, and close the randomly assigned ports when the FTP session ends.

Graphic P-2. Packet filtering.

TIP

Microsoft Proxy Server includes a number of predefined filters that you can use to configure exceptions for common protocols. You can use these to quickly configure Proxy Server for securing your network from the Internet.

Packet filtering on a typical router can cause a performance hit of about 30 percent on the router’s ability to handle network traffic. This suggests that instead of using a packet-filtering router for a firewall, you should consider installing proper firewall software such as Microsoft Proxy Server on a dedicated server. Proxy Server includes dynamic packet filtering among its security features. If packet filtering is enabled, all incoming and outgoing packets are rejected unless an exception is explicitly created that allows them to pass. Packet filters can be enabled on Proxy Server only if the machine has an external network interface, such as one connected to a distrusted network (the Internet, for example).

NOTE

Some routers and firewalls can actually ping the source address of each packet to ensure that addresses local to the company network are coming from inside the network and are not being spoofed by a hacker outside the network.

Proxy Server also supports domain filters for allowing or denying access to World Wide Web (WWW) or FTP services based on the source IP address or Domain Name System (DNS) domain name. Proxy Server can issue alerts to inform you when packets are rejected or illegal packets are detected. It will also keep a log of alerts that occur for analysis and record keeping.

packet forwarding

The process of a networking component accepting a packet and transmitting it to its destination. For example, a router receives packets from hosts on one attached network and forwards them to hosts on another attached network or to another router for further forwarding. How a packet is forwarded is based on a comparison of the packet’s destination address with the routing table stored in the router. Each act of forwarding performed by a router is called a hop across the internetwork.

packet switching

The process by which a networking or telecommunications device accepts a packet and switches it to a telecommunications device that will take it closer to its destination. Packet switching allows data to be sent over the telecommunications network in short bursts or “packets” that contain sequence numbers so that they can be reassembled at the destination. Wide area network (WAN) devices called switches route packets from one point on a packet-switched network to another. Data within the same communication session might be routed over several different paths, depending on factors such as traffic congestion and switch availability.

Packet switching is the transmission method used for most computer networks because the data transported by these networks is fundamentally bursty in character and can tolerate latency (due to lost or dropped packets). In other words, the transmission bandwidth needed varies greatly in time, from relatively low traffic because of background services such as name resolution services, to periods of high bandwidth usage during activities such as file transfer. This contrasts with voice or video communication, in which a steady stream of information must be transmitted in order to maintain transmission quality and in which latency must remain minimized to preserve intelligibility.

The Internet is the prime example of a packet-switched network based on the TCP/IP protocol suite. A series of routers located at various points on the Internet’s backbone forward each packet received on the basis of destination address until the packet reaches its ultimate destination. TCP/IP is considered a connectionless packet-switching service because Transmission Control Protocol (TCP) connections are not kept open after data transmission is complete.

X.25 public data networks are another form of packet-switching service, in which packets (or more properly, frames) formatted with the High-level Data Link Control (HDLC) protocol are routed between different X.25 end stations using packet switches maintained by X.25 service providers. Unlike TCP/IP, X.25 is considered a connection-oriented packet-switching protocol because it is possible to establish permanent virtual circuits (PVCs) that keep the logical connection open even when no data is being sent. However, X.25 can be configured for connectionless communication by using switched virtual circuits (SVCs). An X.25 packet-switched network typically has a higher and more predictable latency (about 0.6 seconds between end stations) than a TCP/IP internetwork. This is primarily because X.25 packet switches use a store-and-forward mechanism to buffer data for transmission bursts, which introduces additional latency in communication. In addition, X.25 uses error checking between each node on the transmission path, while TCP/IP uses only end-to-end error checking.

Frame relay (also called fast packet switching) is another connection-oriented packet-switching service that gives better performance than X.25. It does this by switching packets immediately instead of using the store-and-forward mechanism of X.25 networks. Frame relay also eliminates flow control and error checking to speed up transmission. This is possible because frame relay networks use modern digital telephone lines, which are intrinsically much more reliable than the older analog phone lines on which much of the X.25 public network still depends. Frame relay supports only connection-oriented PVCs for its underlying switching architecture.

Finally, Asynchronous Transfer Mode (ATM) is another packet-switching service in which small fixed-length packets called cells are switched between points on a network.

NOTE

Packet switching is different from circuit switching, in which switches are configured in a fixed state for the duration of the session so that the route the data takes is fixed. A network that is circuit-switched requires a dedicated switched communication path for each communication even if its full bandwidth is not being used. In packet switching, bandwidth can be used when available for more efficient transmission. Circuit switching is generally used in telephone systems, while packet switching is used for computer networks. Digital cellular phone services are generally also circuit-switched, but Personal Communications Services (PCS) cellular systems are gradually being migrated to packet-switched networks for greater efficiency in data transmission.

Another difference between packet switching and circuit switching is that circuits must first be established before any data is sent, and this generally involves a certain amount of setup time. During this process, the request for a circuit connection must pass through the circuit-switched network, resources must be reserved for the connection, and a signal must be returned to the initiating station when the circuit is established and data transmission can begin. Circuit-switched networks are thus useful only when the duration of the data transmission is much longer than the setup time involved in establishing the circuit. With packet switching, data can be sent at the start of transmission, which is better suited to the bursty, irregular nature of short network transmissions over a computer network or WAN link.

See also packet-switching services

packet-switching services

Telecommunications services provided by telcos and long distance carriers that route packets of data between local area networks (LANs) in diverse geographical locations to form a wide area network (WAN). Packet-switching services are used to connect multiple LANs into a point-to-multipoint configuration, usually called a multipoint WAN.

How It Works

A customer’s local network is typically connected through routers, bridges, frame relay access devices (FRADs), or other devices to a telco’s central office (CO). These devices either have built-in technology for connecting directly to packet-switching services or use intermediary devices located at the customer premises. Packet-switching devices take network frames and “package” them into packets suitable for the type of packet-switching service being used. These services can include frame relay, X.25, Asynchronous Transfer Mode (ATM), or Switched Multimegabit Data Services (SMDS) public or private packet-switched networks. If virtual private network (VPN) technologies are used, the public Internet can also be used as a packet-switching service for multipoint WAN connections.

Graphic P-3. Packet-switching services.

The packaging process varies with the particular service used, but it basically consists of breaking down network frames into relatively small individual packets of data and tagging the packets with the destination address of the remote node to which the packet is directed. Each end node (local network access device) connected to the cloud has a layer 2, or data-link layer, address that is known to every other end node. These addresses are used to route packet data between individual nodes on the WAN or to broadcast packets to all nodes when needed. Other information is also tagged onto the packets for error correction and other purposes, depending on the service used. The packets are usually small to lessen the load on the switching devices and to enable quick retransmission when transmission errors occur.

Packets are individually placed onto the carrier’s packet-switched network and switched from circuit to circuit until they reach their destination. Two packets forming part of the same network message might take entirely different routes to reach their destination node—it depends on the best route available at any given moment, as determined by the packet-switching services themselves. This is different from circuit-switched networks, in which all packets are sent over the same switched circuits for the duration of the connection. At the destination, the packets are reassembled into network frames and delivered to the remote network, where they are routed to their destination computers.

In networking diagrams, a public packet-switched network is typically depicted as a cloud because the details of the switches and connections are not of interest to the customer—they are the responsibility of the carrier or carriers providing the services.

Advantages of packet-switching services include the following:

• Customers are not restricted to a single destination, as with point-to-point connections using leased lines.

• Packets can be routed to any destination that supports similar services, so businesses are not tied to a particular carrier or telco.

• Packet-switched networks have low latency and are suitable for hosting dedicated services such as company Web servers if the connection has sufficient bandwidth.

• Customers usually pay monthly rates plus additional charges based on bandwidth use, which means that the primary charges are on a per-transaction basis. The less you use the service, the less you pay.

See also circuit-switched services, leased line

PAD

See packet assembler/disassembler (PAD)

page fault

A condition that occurs in Microsoft Windows operating systems when a process looks for application code or data in its working set and doesn’t find it, causing the Virtual Memory Manager to swap the necessary information into memory. Windows handles process information in 4-KB blocks called pages. This information can be stored as virtual memory that can be swapped from the hard disk to RAM. Pages are the basic building blocks of virtual memory in Windows and are managed by the Virtual Memory Manager.

See also virtual memory

pagefile

See paging file

paging file

A file on a hard disk that Microsoft Windows NT or Windows 2000 uses to store program code that is temporarily not needed to maximize the functionality of the limited RAM on most machines. The paging file, sometimes referred to as the pagefile, is managed by the Virtual Memory Manager.

NOTE

The default size for the paging file on Windows NT is equal to the amount of installed RAM plus 12 MB. The default size for the paging file on Windows 2000 is equal to 1.5 times the amount of installed RAM. The minimum allowed paging file size is 2 MB. The default location of the paging file is %SystemRoot%\pagefile.sys

TIP

During installation of Windows NT and Windows 2000, the paging file is automatically installed on the partition that has the most free space. You achieve the best performance by moving the paging file to a separate hard drive with its own controller. Use the System utility in Control Panel to configure the paging file.

See also virtual memory

PAP

See Password Authentication Protocol (PAP)

parallel transmission

A form of signal transmission that sends information 8 or more bits at a time over a cable. Parallel interfaces are used mainly to connect printers, hard drives, and other peripherals to computers.

How It Works

While a serial interface such as RS-232 transfers only 1 bit of data at a time, parallel interfaces typically transfer 8 bits (1 byte) of data at a time. A typical parallel interface for a computer uses a port that accepts a female DB25 connector. The parallel interface for a printer often uses a 36-pin Centronics connector.

For the DB25 connector, all 25 of the leads must be working for parallel transmission to function. In contrast, serial interfaces, which sometimes use DB25 connectors, require only three active leads to transmit data. The parallel 25-pin connector has 17 leads for carrying signals and 8 leads for grounding. Of the 17 leads, 8 are used for data bit signals, 5 for status signals, and 4 for handshaking. Typical throughput of a parallel interface is 16 KBps or 128 Kbps. Parallel communication is usually limited to cables of up to 6 meters, but devices can be used to boost signals for longer distances.

NOTE

A new type of parallel interface, conforming to the IEEE 1284 standard, supports bidirectional parallel communication at speeds of up to 1 MBps over distances of up to 10 meters. Parallel ports that support this standard are referred to as Enhanced Parallel Ports (EPPs) or Extended Capabilities Ports (ECPs).

See also serial transmission

parent domain

A domain in a Microsoft Windows 2000 domain tree whose Domain Name System (DNS) name forms the basis of subdomains called child domains. For example, the parent domain named microsoft.com could include three child domains named dev.microsoft.com, marketing.microsoft.com, and support.microsoft.com. A two-way transitive trust exists between a parent domain and its associated child domains.

See also Active Directory, domain tree

parity information

Redundant information associated with any block of information that provides fault tolerance. Parity information calculated from the block of data can be used to reconstruct the block of data in the event of data loss or failure.

How It Works

RAID-5 volumes stripe data and parity information across a set of physical disks in such a way that for each stripe one disk contains the parity information while the other disks contain the data being stored. Each stripe uses a different (rotating) disk for storing its parity data.

The parity information for the stripe is created using an exclusive OR (Boolean XOR) operation on the data in the stripe. As a simple example, suppose that the block of binary data 10011 is to be written to a stripe on a RAID-5 volume that comprises six physical disks. Bit “1” is written to the first disk, bit “0” to the second disk, bit “0” to the third disk, and so on. The sixth, or parity, disk in the stripe contains the parity bit:

 1 XOR 0 XOR 0 XOR 1 XOR 1 = 1 

If the first disk fails so that the “1” bit stored on it is lost, the missing bit can be mathematically reconstructed using the remaining data bits and the parity bit for the stripe as follows:

 ? XOR (0 XOR 0 XOR 1 XOR 1) = 1 ? XOR 0 = 1 Therefore:  ? = 1 

partition in Active Directory

A logical divider for organization information in Active Directory in Microsoft Windows 2000. Partitions divide Active Directory into separate sections and enable it to store large numbers of objects in a distributed directory over the network. They also allow Active Directory to scale millions of objects. A partition functions as a physical storage container for a portion of the directory data for an organization. Each domain’s directory information is stored in a separate partition and is identified using the distinguished name of the domain. The global catalog server can find an object in Active Directory by using the object’s distinguished name, which can be used to identify a replica of a partition that contains the object.

partition of a disk

A portion of a physical disk that functions like a completely separate physical disk. Partitions allow physical disks to function as multiple separate storage units for isolating operating systems from applications data on a single-boot system or for isolating operating systems from one another on a multiboot system.

Disks can have two types of partitions:

• Primary partitions: You can install a bootable operating system along with its associated file system on primary partitions. A physical disk can have up to four primary partitions.

• Extended partitions: A series of logical drives can be created on extended partitions. You can create an extended partition on a disk to overcome the limitation of four primary partitions per disk.

NOTE

You can create partitions by using the fdisk command in MS-DOS and all versions of Microsoft Windows, by using Disk Administrator in Windows NT, or by using the Disk Management tool in Windows 2000. Using the fdisk command, you can create one primary partition and one extended partition. Disk Administrator can create up to four primary partitions or three primary and one extended partition. Disk Management can create partitions only on basic disks, not on dynamic disks.

passfilt.dll

A file in Microsoft Windows NT Service Pack 3 or later that allows administrators to increase password strength. The file establishes the following rules for password creation:

• The minimum password length is six characters.

• The password cannot contain a username or any part of the user’s full name.

• The password must contain characters from at least three of the following categories:

  • Uppercase letters

  • Lowercase letters

  • Numbers

  • Non-alphanumeric characters, specifically:

    . , ; : * & % !

TIP

To install passfilt.dll, first install Windows NT Service Pack 3 or later on your domain controller, which copies passfilt.dll into the %SystemRoot%\system32 directory. Then use registry editor to edit the following key:

 HKEY_LOCAL_MACHINE     System         CurrentControlSet             Control                 Lsa 

and create or modify the following values:

• Value: Notification Packages

• Type: REG_MULTI_SZ

• Data: passfilt.dll

See also Account policy

passive hub

See patch panel

passive termination

A terminator such as a resistor that absorbs signal energy and prevents signal bounce. Passive terminations are generally used in bus topology networks such as 10Base2 and 10Base5 networks of the Ethernet variety. Termination is not required in star topology networks because the central concentrator (hub) provides the termination for each signal path. Ring topology networks such as Token Ring also do not require termination points because the signal path has no beginning or end. Passive termination is also used in some forms of Small Computer System Interface (SCSI) systems for terminating a chain of SCSI devices. Active termination, which involves electronically canceling the signal incident on the end of a transmission system, is generally more expensive than passive termination but more efficient.

pass-through authentication

In Microsoft Windows NT–based networks, a method of performing authentication to a domain controller that resides in a trusted domain. Pass-through authentication enables users to log on to computers in domains in which they do not have a valid user account. Users in a multidomain Windows NT–based network can thus access resources anywhere in the enterprise for which they have suitable permissions.

How It Works

Consider the example of an enterprise consisting of three domains—two resource domains (the trusting domains) in which network resources such as shared folders or printers reside, and a master domain (the trusted domain) in which all user accounts are defined. The resource domains trust the master domain using Windows NT one-way nontransitive trusts. When a user attempts to log on to a computer in a resource domain, pass-through authentication takes place in one of two ways:

• When the user first logs on to the computer, the domain controller in the resource domain passes the user’s credentials to the domain controller in the master domain. The user is authenticated, and the user’s security identifier (SID) and group membership are returned to the domain controller in the resource domain.

• If the user tries to access a shared folder or printer in the other resource domain, the user’s credentials are passed to the domain controller in the master domain in order to be authenticated for resource access.

password

A secure identifier that enables a user to access a secured resource. For example, a password can be used to log on to a network and access personal files. Passwords are a part of a user’s credentials, which include, at a minimum, the username and password, and in a multidomain Microsoft Windows 2000–based or Windows NT–based enterprise also include the user’s domain. Passwords are generally known only to users themselves and possibly to members of the Administrators or Account Operators group on Windows 2000–based or Windows NT–based networks.

NOTE

If a user forgets his or her password, the user cannot log on to the network without contacting the administrator. On a Windows NT network, the administrator uses the tool User Manager for Domains to create a new password for the user. On a Windows 2000–based network, the administrator uses the Computer Management tool to create a new password for the user.

TIP

When establishing a password policy for your company, you should determine

• Who will control passwords—the administrators or the users. Giving users control over their own passwords makes them completely responsible for their systems and personal folders. You can configure Windows NT and Windows 2000 so that the first time users log on to the network they must change their initial password to one that only they know. This is usually the best solution.

• How complex passwords should be and how often they should be changed. If you make passwords too complex, such as random scrambles of letters, numbers, and symbols, the network might be less secure instead of more because users are likely to write down a difficult-to-remember password and tape it under their keyboard or in some other handy location. Also, if passwords must be changed frequently, users will typically make simple changes such as adding an incremental number to the end of each new password. The best policy is usually to require a password of six to eight characters that doesn’t change and to teach users to select passwords that do not include family names, addresses, postal codes, and so on. Passwords should usually be simple combinations of letters and numbers, such as “blue144” or “max13one.”

See also Account policy, username

Password Authentication Protocol (PAP)

A clear-text authentication scheme used in Point-to-Point Protocol (PPP) connections over WAN links that is outlined in Request for Comments (RFC) 1334. Password Authentication Protocol (PAP) is not a secure form of authentication because the user’s credentials are passed over the link in unencrypted form. For this reason, Challenge Handshake Authentication Protocol (CHAP) or some other authentication protocol is preferable if the remote client supports it. If the password of a remote client using PAP has been compromised, the authentication server can be attacked using replay attacks or remote client impersonation.

How It Works

PAP uses a two-way handshake to perform authentication. Once the PPP link is established using the Link Control Protocol (LCP), the PPP client sends a username and password to the PPP server. The server uses its own authentication scheme and user database to authenticate the user, and if the authentication is successful, the server sends an acknowledgment to the client.

PAP is typically used only if the remote access server and the remote client cannot negotiate any higher form of authentication. The remote client initiates the PAP session when it attempts to connect to the PPP server or router. PAP merely identifies the client to the PPP server; the server then authenticates the client based on whatever authentication scheme and user database are implemented on the server.

TIP

You should disable PAP on the Remote Access Service (RAS) for Microsoft Windows NT to ensure that user passwords are never sent as clear text over an unsecured connection.

PASTE

See Provider Architecture for Differentiated Services and Traffic Engineering (PASTE)

patch cable

A short cable, usually unshielded twisted-pair (UTP) cabling, that connects a port on a patch panel to a port on a hub or a switch. Patch cables are usually terminated at both ends with RJ-45 connectors. Cable vendors usually supply patch cables in fixed lengths such as 1, 3, 6, 10, 25, 50, and 100 feet, and also in custom lengths. Patch cables usually come in various colors, which can be helpful in organizing the cabling joining devices on your equipment racks and avoiding “spaghetti.” You should use patch cables that meet the requirements of the equipment you are using. Category 5 patch cables, which are certified to 100 MHz, or enhanced category 5 patch cables, which are certified to 350 MHz and higher, are generally recommended.

Graphic P-4. Patch cable.

NOTE

Be sure to purchase the correct type of patch cable. For example:

• The wiring type (pinning) of the cable should match that of your installed premise cabling. Pinning types include TSB 568A, TSB 568B, and USOC, which are described in the table.

• Use straight-pinning or crossover cabling. Crossover cabling, which has the send and receive wire pairs switched, is used primarily for connecting hubs.

TIP

Use patch cables with molded boots to prevent kinks from forming and to prevent pins from becoming bent through rough handling. Molded boots can also reduce the amount of crosstalk in the cable and allow it to perform at higher frequencies.

TIP

Category 5 UTP patch cables should be no longer than 10 meters.

Color Codes by Cable Type

patch panel

A rack-mounted panel with a series of connectors that provides a branching-out point for network cabling to leave the wiring closet and make horizontal runs to wall plates in the work areas.

Graphic P-5. Patch panel.

Patch panels are usually standard 19-inch-wide panels for mounting in equipment racks in wiring closets. They typically contain between 16 and 96 ports for connecting to hubs and switches using patch cables. Patch panels themselves cannot be used to network computers; they are mainly used to organize wiring and to avoid “spaghetti.” The horizontal cables running from the wiring closet to the wall plates are usually connected to the back of the patch panel, while the patch cords connecting to the hubs and switches plug into the front of the patch panel. The back of the patch panel is a form of punchdown block—wires are not soldered but punched down using a sharp tool called a punchdown block tool.

NOTE

Another name for a patch panel is passive hub. A patch panel is a hub only in the sense that it is a physical device in which wires are concentrated, but it cannot be used to network computers. All true hubs used in networking are active hubs, which are powered devices that regenerate signals coming into one port for transmission through other ports on the hub. The term “passive hub” is an older term that is not generally used today.

In telephony applications, the termination point for twisted-pair wiring is usually called a punchdown block instead of a patch panel.

There are a few things you should be aware of when selecting patch panels:

• Be sure that your patch panels are category 5–approved if you plan to upgrade your network.

• Do not remove excessive amounts of cable jacket when you terminate category 5 cables to terminal blocks.

• Purchase patch panels with built-in surge protection to protect expensive Ethernet switches.

Front-access patch panels are easiest to install in cramped conditions. You can use hinged or folding patch panels as a convenient alternative to full-size, rack-mounted patch panels. Modular patch panels allow the greatest flexibility of configuration. Use cable managers to organize and support cables connected to patch panels.

path

The route that a user or application follows to locate a file in a file system, an object in a directory, a server on a network, or some other kind of resource in a hierarchical system. A path to an object can be one of the following:

• An absolute path, which starts from the root of the file system or directory

• A relative path, which starts from the user’s current directory or location

Example

On a system running Microsoft Windows, the absolute path to a file is expressed using backslashes, as follows:

C:\Windows\Profiles\Administrator\User.dat

If the current directory is C:\Windows\Profiles, the relative path to the same file is as follows:

\Administrator\User.dat

To access files in shared folders on a Windows network, you can use the Universal Naming Convention (UNC) path:

\\server16\pub\readme.txt

On UNIX platforms, forward slashes are used instead of backslashes, as in this example:

/user/bin/blah.gz

To request a Web page on the Internet, you specify the page’s Uniform Resource Locator (URL), which is essentially the path to the page in the hierarchical Domain Name System (DNS):

http://www.microsoft.com/support/FAQ.htm

PBX

See Private Branch Exchange (PBX)

PCM

See pulse code modulation (PCM)

PCS

See Personal Communications Services (PCS)

PDA

See Personal Digital Assistant (PDA)

PDC

See primary domain controller (PDC)

PEC

See primary enterprise controller (PEC)

peer server

A computer that functions as a server for a group of users in a peer-to-peer network. For example, in a small office with only five users running Microsoft Windows 95 or Windows 98, you can set aside an additional machine running Windows 95 or Windows 98 as a peer server for storing company files.

You should use peer servers only in small networks with no great need for security. Security on peer servers is limited to share-level security, which allows only three kinds of access:

• Read-only access based on a password

• Full-control access based on a password

• A combination of the above, based on two separate passwords

If security is an issue, consider using a dedicated server running Windows NT.

peer-to-peer network

A network in which the computers are managed independently of one another and have equal rights for initiating communication with each other, sharing resources, and validating users.

How It Works

A peer-to-peer network has no special server for authenticating users. Each computer manages its own security, so a separate user account might need to be created for each computer that a user needs to access. Users usually store files on their own computers and are responsible for ensuring that those files are appropriately backed up. In a peer-to-peer network, each computer typically runs both client and server software and can be used to make resources available to other users or to access shared resources on the network.

Peer-to-peer networks are simple to set up and are often ideal for small businesses that have fewer than 10 computers and that cannot afford a server-based solution. The disadvantages of peer-to-peer networks are poor security and lack of centralized file storage and backup facilities.

Microsoft Windows 98 is an ideal operating system for peer-to-peer networks. Networking is easy to set up and configure, folders and printers can be shared, user profiles allow multiple users to share one computer, and you can create an office intranet using the Microsoft Personal Web Server.

See also server-based network

Performance

See Performance Monitor

Performance Monitor

A Microsoft Windows NT administrative tool for monitoring the performance of Windows NT servers on a network. (In Windows 2000, this tool is called System Monitor.)

You can use Performance Monitor to

• Capture real-time performance objects and counters

• Log, graph, and set alert conditions for performance data

• Identify bottlenecks and trends in resource usage

• Observe the effect of system configuration changes

• Establish a baseline and determine system capacity

  

  Graphic P-6. Performance Monitor.

How It Works

When you use Performance Monitor, you should collect data on the four main system resources (the memory, processor, disk, and network subsystems) in addition to resources specific to the aspect of server usage you are studying. The following table shows the recommended objects to monitor.

Recommended Objects to Monitor

TIP

In Windows NT, Performance Monitor can run as a background service without user intervention. Use the monitor.exe utility from the Microsoft Windows NT Server Resource Kit, and use the Windows NT at command to schedule the service to run at appropriate times.

See also System Monitor

Performance Optimizer

A Microsoft Exchange Server tool that automatically analyzes your hard disk subsystem and suggests where to locate various Exchange components such as the information store and transaction logs. Performance Optimizer also modifies certain registry settings to improve messaging performance.

Performance Optimizer runs when you finish setting up a new Exchange server. You should also run it whenever you change the configuration of a server’s core services—for example, if you change the configuration of the information store, Exchange directory service, or Message Transfer Agent (MTA), if you install or remove a connector or gateway, or if you add more RAM or another disk or processor.

Graphic P-7. Performance Optimizer.

Perl

An acronym for Practical Extraction and Reporting Language, an interpreted scripting language that is often used on UNIX platforms to develop Common Gateway Interface (CGI) programs. CGI scripts written in Perl are often used as input handlers for Hypertext Markup Language (HTML) forms because of Perl’s powerful string manipulation capabilities. However, because Perl is an interpreted scripting language, applications such as form handlers for Web pages that are written in Perl run more slowly than if they were compiled programs written in C or some other high-level programming language.

NOTE

You can use Microsoft’s Windows Script Host (WSH) to run administrative scripts written in Perl by installing a third-party ActiveX scripting engine for Perl. Administrators from UNIX backgrounds can do this to leverage their knowledge of Perl to administer Microsoft Windows NT and Windows 2000.

permanent virtual circuit (PVC)

A form of telecommunications service for wide area networks (WANs) that provides a dedicated switched circuit between two nodes in a circuit-switched network.

How It Works

The switches of a permanent virtual circuit (PVC) are set up and configured by the telco or carrier to provide a permanent, point-to-point connection between the two nodes. These circuits are called “permanent” because the telco dedicates specific resources (switches) to your company—they can’t be used by anyone else as long as you lease the service. The switches are called “virtual” because the customer does not have a physical wire connecting two networks but rather a logical connection between switches configured by the telco’s management software. In fact, the customer does not even need to know how the circuit is set up.

Graphic P-8. Permanent virtual circuit (PVC).

PVCs offer guaranteed bandwidth and extremely low latency for establishing a connection. Also, because the switching pathway is permanent, the quality of the connection does not vary with time. The result is more reliable service than switched virtual circuits (SVCs). However, PVCs are more expensive than SVCs because telco resources are dedicated to the customer and cannot be used for other purposes. Furthermore, with a PVC you pay for the bandwidth whether or not you use it; with SVCs, the amount you pay depends on how much bandwidth you use.

PVCs are best for WAN links that carry steady, high volumes of network traffic. They are commonly used in leased lines for point-to-point WAN links between two networks.

NOTE

The term “permanent virtual circuit” is also used in frame relay networking. This type of circuit is configured in a similar fashion to those used in leased line connections.

See also switched virtual circuit (SVC), virtual circuit

permissions

Settings that you establish for a resource to control which users and groups can access the resource and what degree of access they have. Permissions are implemented at several levels in Microsoft Windows operating systems and other Microsoft BackOffice applications. Permissions are implemented in Microsoft systems using discretionary access control lists (DACLs), which are attached to the object they control.

Examples of permission types include the following:

• Shared folder permissions: Can be applied to shared folders on Windows systems to control access to network shares by users

• NTFS permissions: Can be applied to files and folders on NTFS volumes for both local and network control of access to the resources

• Print permissions: Can be assigned to printers to control who can manage printers, manage documents, or print documents

• Active Directory permissions: Can be assigned to objects within Active Directory of Windows 2000 using Active Directory Users and Computers

• Exchange permissions: Can be assigned to objects in the Microsoft Exchange Server directory hierarchy to control who can administer different parts of an Exchange organization using the Exchange Administrator program

• Public folder permissions: Can be assigned using Microsoft Outlook to files in public folders to control who can read, edit, or delete those files

Per Seat licensing

A licensing mode in which a client access license (CAL) is assigned to a particular client computer for a particular Microsoft BackOffice server product. A CAL allows the client to access the services of a particular BackOffice product that can be running on any server within the network. Per Seat licensing can be applied to any BackOffice product that requires CALs, such as Microsoft Windows 2000 Server, Windows NT Server, Microsoft Exchange Server, Microsoft SQL Server, Microsoft SNA Server, Microsoft Site Server, and Microsoft Systems Management Server (SMS).

Example

Consider a network that consists of three servers running Windows 2000 Server and 50 assorted client computers running Windows 2000 Professional, Windows 98, Windows for Workgroups, Mac OS, and so forth. If you purchase 50 Per Seat licenses for Windows 2000 Server, one for each client, each client computer can connect to any of the three Windows 2000 Servers.

NOTE

If you use Per Seat licensing, you must purchase a CAL for every client that accesses the BackOffice product, including non-Microsoft clients such as Macintosh and UNIX clients.

TIP

Per Seat licensing is often the preferred mode of licensing on networks with a large number of servers. On networks with only one or two servers, Per Server licensing might be a more economical option.

See also client access license (CAL), Per Server licensing

Per Server licensing

A licensing mode in which a client access license (CAL) is assigned to a particular server computer running a particular Microsoft BackOffice server product. Each CAL allows only one connection per client computer to the particular BackOffice product. Per Server licensing can be applied to only the following BackOffice products: Microsoft Windows 2000 Server, Windows NT Server, Microsoft SQL Server, Microsoft SNA Server, and Microsoft Site Server.

Example

Consider a server computer on a network running Windows 2000 Server that has 25 Windows 2000 Server Per Server CALs. A total of 25 client computers can simultaneously connect to the Windows 2000 Server and access its services. If a twenty-sixth client tries to connect, it will be denied access and an entry will be written to the application log.

NOTE

One client computer can connect to multiple shares on the server, but this is counted as only one connection for licensing purposes.

TIP

Per Server licensing is the preferred mode of licensing on small networks. However, you must purchase licenses equal to the maximum number of simultaneous connections you anticipate on each server for a particular BackOffice product. If you are not sure whether to use Per Seat or Per Server licensing, choose Per Server licensing. As more servers are added to your network, you can perform a one-time, one-way conversion of Per Server to Per Seat licenses as required. However, you cannot convert Per Seat licenses to Per Server licenses.

See also client access license (CAL), Per Seat licensing

persistent connection

Generally, any network connection that is opened and then is kept open in case it is needed again.

Example

The Windows Internet Name Service (WINS) for Microsoft Windows 2000 Server uses persistent connections between WINS replication partners. Windows 2000 Server WINS replication partners maintain persistent connections among themselves so that replication can be initiated at any time without the network traffic overhead associated with establishing new connections. This means that WINS databases are updated immediately and shared network resources are always available.

In the earlier version of WINS for Windows NT Server, however, replication partners had to open a new connection between each other every time WINS replication was initiated. As a result, most administrators of large networks configured WINS replication to occur at certain time intervals or after a certain number of updates to the WINS database had accumulated. Because of delays in updating WINS databases on WINS servers, clients sometimes could not access shared network resources.

persistent index

An index created by Microsoft Indexing Service. Persistent indexes are stored on disk and are more efficient and compressed than word lists, which are stored in volatile RAM. All persistent indexes are ultimately merged into a single, highly efficient persistent index called the master index. The process by which this occurs is known as a master merge.

Personal Communications Services (PCS)

A general term for digital cellular phone technologies that are used for personal wireless mobile communication. Personal Communications Services (PCS) technologies were developed in the early 1990s because the existing Advanced Mobile Phone Service (AMPS) technologies were running out of available bandwidth in the electromagnetic frequency spectrum. PCS systems are end-to-end digital in nature and are more secure than analog cellular systems. PCS networks can be used for voice, fax, and data applications such as e-mail and file transfers. PCS systems are generally circuit-switched, although some are being migrated to packet-switched networks.

Some of the standards and technologies that developed from the PCS initiatives include the following:

• Time Division Multiple Access (TDMA) digital cellular systems based on the TDMA IS-136 standard. TDMA divides frequency bands into time slots and then multiplexes user conversations within these slots. TDMA operates in both the 800-MHz and 1900-MHz frequency bands, but only frequencies at 1900 MHz are specifically referred to as PCS, while those in the 800-MHz range are referred to as cellular.

• Code Division Multiple Access (CDMA) digital cellular systems based on the CDMA IS-95 standard, which was developed by QUALCOMM. CDMA uses spread-spectrum transmission technologies and assigns codes to individual users transmitting within the same broad frequency spectrum. CDMA operates at both the 800-MHz and 1900-MHz frequencies, but only frequencies at 1900 MHz are specifically referred to as PCS, while those in the 800-MHz range are referred to as cellular.

• Global System for Mobile Communications (GSM) digital cellular systems based on the GSM 1900 standard. GSM is based on TDMA technologies and divides frequency bands into time slots. GSM has the advantage of supporting roaming between Europe and North America. GSM operates in the 1900-MHz frequency range (or the 1800-MHz range in Europe).

PCS systems and services can also be classified as follows:

• Narrowband PCS: Uses the 900-MHz portion of the electromagnetic spectrum, specifically the frequency bands 901–902, 930–931, and 940–941 MHz. Narrowband PCS is used for wireless telephony, wireless data transmission, voice message paging and text-based paging, and other services.

• Broadband PCS: A newer technology that uses the 2-GHz portion of the electromagnetic spectrum, specifically the frequency band from 1850 to 1990 MHz, with the exception of a 20-MHz band reserved for unlicensed voice and data services. Broadband PCS with its greater bandwidth allocation is used or intended for wireless telephony, high-speed wireless data transmission, portable facsimile transmission, wireless Personal Digital Assistants (PDAs), and wireless video telephony services.

Personal Digital Assistant (PDA)

A handheld computer that is programmed for functions such as keeping track of appointments, sending and receiving e-mail, browsing the Internet, composing memos, performing spreadsheet calculations, managing contacts, banking, and viewing stock quotes.

Personal Digital Assistants (PDAs) typically have a small, grayscale liquid crystal display (LCD) with either a small keyboard or a pen-based user interface for entering data. Information can be exchanged with a desktop or laptop PC by using a docking cradle, serial port, or infrared (IR) communication port, depending on the model. A PDA’s processing power is similar to that of a 386 processor, and its memory is limited to a few megabytes (but is sometimes expandable). Many PDAs also support standard or even wireless modems for sending and receiving e-mail or accessing specialized Internet content.

Some PDAs run a proprietary operating system. For example, 3Com’s Palm Pilot runs Palm OS; about 7500 developers produce software for this platform. One of the earliest PDAs was the Apple Newton. Other PDAs run Microsoft Windows CE, a version of the Windows operating system for devices with a small screen and a nonstandard user interface. Microsoft offers Windows CE versions of many of its popular applications, including Microsoft Word, Excel, Outlook, PowerPoint, and Internet Explorer.

PDA management is becoming an increasingly important job for network administrators. It’s often a good idea to standardize the type of PDA that is used in a company to reduce the headache and overhead of administering multiple PDA-to-PC software interfaces.

personal folders

A hierarchy of folders in Microsoft Outlook and other Microsoft Windows messaging clients that users can create and modify and that stores users’ messages and attachments. Personal folders, which can be stored on the client machine or on a network share, have the extension .pst.

NOTE

In many situations, it is advantageous not to use personal folders. Using personal folders can make messages less accessible. For example, Microsoft Exchange Server stores users’ messages in the information store on the Exchange server. This allows users to access their messages from any messaging client that can access the Exchange server. If messages are moved to personal folders, those messages can be read only from clients that can access the personal folders file. It is possible to use a combination approach, in which messages that need to be accessible from different clients can be left on the server and messages that are rarely accessed can be moved to personal folders. Here are some reasons why you might want to use personal folders:

• For backing up folders and their messages

• For archiving old messages

• For reducing the space taken up by messages on the server (a disk space limit for messages is typically set on the server)

• For moving some messages to the disk of a laptop computer to work off-site

Users can password protect their personal folders, but if they forget the password they cannot reset it.

Personalization and Membership servers

Related components of Microsoft Site Server that enable Web site administrators to personalize content for site visitors and provide secure content based on site membership. Features of the Personalization and Membership servers include the following:

• Personalized content suited to individual visitors’ needs. Site administrators can build rules governing personalized content and store user profiles in the Membership Directory.

• Members-only areas on a site with controlled access for users. Site administrators can register users, protect and share their data, verify users’ identities, and control access to sites. User information is stored in a Lightweight Directory Access Protocol (LDAP) directory based on Microsoft SQL Server.

• Direct mail for delivering personalized content to site visitors through scheduled e-mail based on their site usage patterns.

How It Works

Membership Authentication on the Personalization and Membership servers builds on Microsoft Windows NT security by letting administrators store user accounts and group permissions in the Site Server Membership Directory. Access to Web content is controlled by granting users and groups permissions on Web content using the same Windows Explorer method that Windows NT and Internet Information Services (IIS) administrators use.

By storing user and group accounts in the Membership Directory, you can enable sites to scale beyond the capabilities of the Windows NT Security Account Manager. In other words, instead of managing tens of thousands of accounts using the Windows NT domain model, you can use Personalization and Membership servers to manage millions of user accounts. This is particularly important if a cookie account and a user profile must be created for every user visiting the site.

Tools are also included for creating registration pages to handle creating new user accounts in the Membership Directory, adding users to groups, and upgrading cookie users to secured accounts. You can manage membership by using Microsoft Management Console (MMC) or through Web-based Administration (WebAdmin).

TIP

When you plan an implementation of Site Server, you must decide whether to use Windows NT Authentication or Membership Authentication. You cannot reverse your decision later without rebuilding the Membership Directory, which essentially means redoing all your initial implementation work. Use Windows NT Authentication for Windows NT–based intranets in which user accounts already exist for network users. Use Membership Authentication for Internet sites and for intranet sites in which Windows NT accounts do not yet exist. Membership Server is also suitable for any type of site in which users must self-register and thus create and manage their own profiles, which eases the burden on the Site Server administrator. For example, the information that intranet users create in the Membership Directory can form the basis of your corporate information directories with little administrative overhead.

Personal Web Server (PWS)

See Microsoft Personal Web Server (PWS)

PGP

See Pretty Good Privacy (PGP)

physical address

See MAC address

physical layer

Layer 1 (or the PHY layer) of the Open Systems Interconnection (OSI) reference model. The physical layer is the bottom layer of the seven-layer OSI networking architecture model. It establishes the physical interface and mechanisms for placing a raw stream of bits onto the wire. It defines the voltage, current, modulation, bit synchronization, connection activation and deactivation, and various electrical characteristics for the transmission media (such as unshielded or shielded twisted-pair cabling, coaxial cabling, and fiber-optic cabling). Protocols at the PHY layer include IEEE 802.3, RS-232C, and X.21. Repeaters, transceivers, network interface cards (NICs), and cabling operate at the PHY level.

See also Open Systems Interconnection (OSI) reference model, protocol

ping

Stands for Packet Internet Groper, a TCP/IP utility that verifies the integrity of a network connection with a host on a TCP/IP network. The ping command is one of the first commands to use to troubleshoot communication problems on a TCP/IP network.

How It Works

At the command prompt, type ping followed by either the IP address or the fully qualified domain name (if the Domain Name System is implemented) of the host for which you want to test networking connectivity. One or multiple Internet Control Message Protocol (ICMP) echo packets are sent to the host, and if connectivity is working, an equal number of echo replies are received. The replies show the packet size in bytes, response time in milliseconds, and Time to Live (TTL) of the echo reply. The TTL is decremented for each hop along the way and indicates the number of routers (hops) passed through along the network path.

The usual procedure for using ping to troubleshoot a TCP/IP network follows:

• Verify that TCP/IP is installed and running by pinging the local loopback address using ping 127.0.0.1.

• Ping your own IP address and host name.

• Ping the IP address of the default gateway for your local network.

• Ping the IP address of a host on a remote network.

If these steps produce the expected results, TCP/IP is installed and running on your network.

TIP

For advanced syntax features, simply type ping instead of ping /?.

If you can ping a host’s IP address but not its fully qualified domain name (FQDN), you probably have a name resolution problem. Check your Domain Name System (DNS) configuration and make sure that the DNS server is running, or check your Hosts file if it is implemented.

PKCS

Stands for Public Key Cryptography Standards, a set of standards developed by an industry consortium headed by RSA Laboratories and including Microsoft that specifies how a public key cryptography system should be implemented and operated. The following table shows the standards that are important to public key cryptography.

Public Key Cryptography Standards

On the Web

•

RSA Security home page : http://www.rsasecurity.com

See also PKCS #7, PKCS #12

PKCS #7

Also called the Cryptographic Message Syntax Standard, a cryptographic standard from RSA Security for the exchange of digital certificates in public key cryptography. PKCS #7 specifies the syntax of digital certificates and other encrypted information—specifically, the method by which data is encrypted and digitally signed, as well as the algorithms involved.

How It Works

You can use PKCS #7 to encrypt two types of data:

• Base data: Data that has not been encrypted and contains no cryptographic enhancements such as hashes or digital signatures.

• Enhanced data: Data that is encrypted or contains cryptographic enhancements or both. Enhanced content encapsulates one form of content within another.

A variety of content types are defined by the PKCS #7 standard, including the following:

• Data: String of bytes or octets.

• Signed data: Data along with an encrypted message digest. A message digest is the value produced when a hashing algorithm is applied to data. (The terms “digest” and “hash” are synonymous.) The message digest is used by the recipient to confirm that the original message was not tampered with during transit and to validate the identity of the sender.

• Enveloped data: Encrypted data plus the public key that can decrypt the data. You use this method to keep the contents of the message secret from all but trusted recipients.

• Signed-and-enveloped data: Encrypted content with its public key and doubly encrypted message digest.

• Digested data: Data plus a message digest.

• Encrypted data alone: The public key for decrypting the data must be transmitted by some other mechanism in this case.

When you use PKCS #7 to sign data, it usually includes the signing certificates, a list of relevant certificate revocation lists, and any other certificates in the certification path. If you use PKCS #7 to encrypt data, it usually includes references to the issuer and the serial number of the certificate that is associated with the public key that can be used to decrypt the encrypted data.

PKCS #7 supports additional features, such as the following:

• Recursion, in which a digital envelope is enclosed in a digital envelope, which is enclosed in another digital envelope, and so on

• Time-stamping of encrypted messages and digital signatures

• Counter-signatures and user-defined attributes

See also PKCS

PKCS #12

A cryptographic standard for the exchange of digital certificates in public key cryptography. PKCS #12 is an industry-standard format for the transfer, backup, and restoration of digital certificates and their associated public or private keys. PKCS #12 is the export format that is usually used to export a digital certificate with its private key, because exposing a user’s private key using a less secure method of export poses a security risk. PKCS #12 is used to export certificates to other computers, to removable media for backup purposes, or to smart cards to enable smart card authentication schemes.

See also PKCS

PKI

See public key infrastructure (PKI)

Plain Old Telephone Service (POTS)

The basic analog telecommunications service provided by a local telco. Plain Old Telephone Service (POTS) was the only type of telephone service until the 1970s.

How It Works

Starting from your home or customer premises, two-pair copper twisted-pair wire runs to your local telco’s central office (CO). This copper wire connection forms what is known as the local loop. The CO has switches that connect you to another local subscriber, to another CO, or to a long-distance provider, depending on whether your call is local or long distance. POTS is an inexpensive circuit-switched telecommunications service, but it supports data transfer speeds up to only 56 Kbps. It typically takes 15 to 30 seconds to establish connections for data transfer using modems.

plenum cabling

Also known as CMP cabling, a grade of cabling that is resistant to combustion and is used for horizontal cable runs in building plenums and vertical rises such as elevator shafts. A plenum is a horizontal space within a building that houses building components and allows the movement of air. False ceilings are not considered plenums. Plenum cabling is less flexible and costlier than polyvinyl chloride (PVC) cabling. The external insulating jacket of plenum cabling is usually a fluoropolymer such as Teflon FEP.

Plug and Play

A design philosophy and set of specifications for PC architectures that enables computer hardware, peripherals, device drivers, and operating systems to be easily reconfigured with minimal user understanding and intervention. Plug and Play frees users from having to manually configure devices and device drivers when they add or remove peripherals from computer systems. For example, to configure a non–Plug and Play sound card, a user typically has to manually change jumpers or dual inline package (DIP) switches on the sound card itself, a task that is often difficult for the inexperienced user. With Plug and Play, you simply plug in the device and follow a series of prompts (if any are necessary) to configure the appropriate drivers for your device.

How It Works

A true Plug and Play system consists of the following three elements:

• A Plug and Play operating system such as Microsoft Windows 95, Windows 98, or Windows 2000.

• A Plug and Play system BIOS that supports Advanced Power Management 1.1 (Windows 95) or Advanced Configuration for Power Management (Windows 98), automatic configuration of boot and motherboard devices, hot docking, and other features.

• Plug and Play system buses such as PCI or universal serial bus (USB) and Plug and Play peripheral devices (internal or external) and their associated drivers. Plug and Play peripheral devices include USB, IEEE 1394, SCSI, PCMCIA, and PCI devices. ISA, EISA, and VESA devices are not fully Plug and Play. Other Plug and Play devices include IDE controllers, ECP parallel ports, and video adapters.

If a system does not support all three of these features, it is not truly Plug and Play, although it might have some limited Plug and Play support. In a completely Plug and Play system, these features work together to automatically enumerate (identify) new devices installed on or connected to the system, determine their resource requirements, establish a system configuration that can support these requirements without device conflicts, program the devices as necessary and load their device drivers, and notify the user of the changes to the system’s configuration.

The Windows 95 and Windows 98 components that work together to support Plug and Play include the following:

• Configuration Manager: Manages the device configuration process by communicating with the BIOS, motherboard, and peripheral devices.

• The hardware tree: Contains the current system configuration information. The hardware tree is dynamically constructed by Configuration Manager upon each reboot and uses information in the registry to configure the system’s devices. You can display information stored in the hardware tree by using the Device Manager tab of the System Properties dialog box (double-click the System icon in Control Panel).

• Bus and port enumerators: Build the hardware tree by enumerating attached devices. Different enumerators are used for each type of system and peripheral bus.

• Resource arbitrators: Allocate system resources such as interrupt requests (IRQs) and input/output (I/O) ports to devices and resolve conflicts between devices.

• Setup and Device Installer: Creates the configuration database during initial system setup and can assist in installing non–Plug and Play devices by using the Add New Hardware Wizard.

When you add a new hardware device to a Plug and Play system, the Add New Hardware Wizard starts and installs the necessary drivers for the hardware. The wizard selects suitable hardware resources for the device, which might include an IRQ line, I/O address, direct memory access (DMA) channel, and memory range. If the system cannot properly detect the hardware, you can manually run the Add New Hardware Wizard to configure the hardware.

TIP

Be sure that the new device is attached to the computer and is turned on before you run the Add New Hardware Wizard.

P-node

A NetBIOS name resolution method used for name registration and resolution. P-node is one of the types of NetBIOS over TCP/IP nodes defined in Request for Comments (RFC) numbers 1001 and 1002, and is supported by computers running Microsoft Windows NT and Windows 2000.

How It Works

Name resolution is the process of converting the name of a host on the network into a network address (such as an IP address). Name resolution must be performed to establish communication over a network. P-node is one of four basic methods supported by Windows NT for resolving NetBIOS host names (that is, computer names) into IP addresses.

If a computer running Windows NT is configured as a P-node machine, it does not use broadcasts to resolve the names of the hosts. Instead, it tries to query a NetBIOS name server to resolve names of other hosts on the network. The advantage of doing this is that name resolution can function across large internetworks consisting of IP subnets connected with routers. Routers normally block broadcasts but will forward packets directed toward a specific name server.

A server running the Windows Internet Naming Service (WINS) is a typical example of a NetBIOS name server. If the WINS server is unavailable to the client issuing the query, the requested name cannot be resolved into its associated IP address. Furthermore, each client must be configured with the IP address of the WINS server in order for P-node name resolution to work. For this reason, M-node or H-node methods are usually preferred; they can use both broadcasts and directed traffic to resolve NetBIOS names of hosts.

See also B-node, H-node, M-node, NetBIOS name resolution

pointer (PTR) record

A resource record in a zone file that contains a record associating an IP address with a host name in the in-addr.arpa domain. Pointer (PTR) records are used for reverse name lookups and provide host name to IP address mappings. Here is an example of a PTR record:

 1.141.205.202.in-addr.arpa      IN  PTR     server9.microsoft.com. 

In this PTR record, the IP address 202.205.141.1 is mapped to the host Server9 within the microsoft.com domain. Note that the IP address of the host appears in the reverse order in the in-addr.arpa domain.

NOTE

With the DNS service installed on Microsoft Windows NT or Windows 2000, you can automatically create an associated PTR record for each host when you create its host record.

See also Domain Name System (DNS)

point of presence (POP)

The local access point for an Internet service provider (ISP). A point of presence (POP) consists of the high-speed telecommunications equipment and technologies that enable users to connect to the Internet via their ISP. The POP might include call aggregators, modem banks, routers, and high-speed Asynchronous Transfer Mode (ATM) switches. A POP has one or more unique IP addresses plus a pool of assignable IP addresses for its permanent and dial-up clients. The actual POP for an ISP might be located within the telecommunications facility of a telco or a long-distance carrier. The ISP rents or leases space in the facility to install the routers and access servers that provide Internet connectivity for clients and for the equipment that provides the ISP with a high-speed T1 or T3 connection to the Internet’s backbone.

point-to-multipoint

A form of communication that provides a path from one fixed point to a number of other points.

How It Works

A point-to-multipoint (or simply multipoint) wide area network (WAN) consists of more than two end nodes connected using a packet-switching telecommunications network. A number of layer 2, or data-link layer, protocols support multipoint WANs, including frame relay, Switched Multimegabit Data Services (SMDS), Asynchronous Transfer Mode (ATM), and X.25 packet-switched networks.

A public or private frame relay network can be used to connect multiple networks into a multipoint WAN configuration, as shown in the following diagram. Each end node is configured with a unique data-link address, which allows any node on the WAN to communicate with any other node.

NOTE

The various data-link layer protocols can also be used for point-to-point WAN connections, but other layer 2 protocols such as the Point-to-Point Protocol (PPP) are simpler to implement for point-to-point WAN communication.

Graphic P-9. Point-to-multipoint.

See also point-to-point

point-to-point

A form of communication that provides a direct path from one fixed point to another.

How It Works

A point-to-point wide area network (WAN) consists of two end nodes connected by a leased line. In a typical configuration, a router on the network is connected using a serial transmission interface such as V.35 to a Channel Service Unit (CSU) at the local customer premises. The CSU provides the interface between the router and the telco’s leased line. An identical setup is configured at the remote customer premises. Because there are only two end nodes in a point-to-point WAN link, addressing need not be provided for the end nodes at the data-link layer.

Point-to-point WAN connections typically use High-level Data Link Control (HDLC), Point-to-Point Protocol (PPP), or one of their derivatives—such as Point-to-Point Tunneling Protocol (PPTP)—as the layer 2, or data-link layer, protocol for encapsulating local network traffic into frames for transmission over the WAN link.

NOTE

The term “point-to-point” is also used more generally. For example, the configuration of a terminal connected to a minicomputer using two short-haul asynchronous modems is referred to as a point-to-point connection.

Graphic P-10. Point-to-point.

TIP

PPP is usually used in heterogeneous networking environments in which the routing and access equipment comes from different vendors, while HDLC tends to be used in homogeneous networking environments in which the routers and access equipment run only Cisco’s Internetwork Operating System (IOS) software.

See also point-to-multipoint

Point-to-Point Protocol (PPP)

An industry standard data-link layer protocol for wide area network (WAN) transmission that was developed in the early 1990s. Point-to-Point Protocol (PPP) allows Remote Access Service (RAS) products and devices from different vendors to interoperate for WAN communication.

How It Works

PPP supports the transmission of network packets over a serial point-to-point link by specifying framing mechanisms for encapsulating network protocols such as Internet Protocol (IP), Internetwork Packet Exchange (IPX), or NetBEUI into PPP frames. PPP encapsulation is based on the High-level Data Link Control (HDLC) derived from the mainframe environment. These PPP frames can be transmitted over serial transmission lines such as Plain Old Telephone Service (POTS), Integrated Services Digital Network (ISDN), and packet-switched networks such as X.25. PPP includes an extensible Link Control Protocol (LCP) for establishing, tearing down, and testing data-link WAN connections, as well as a number of Network Control Protocols (NCPs) for establishing and configuring network communication using each network protocol. PPP also supports a number of authentication schemes, such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

A typical dial-up session using PPP is completely automated and requires no real-time user input. It has four stages:

• Link establishment: PPP uses LCP to establish and maintain a PPP link over a serial transmission line. LCP frames are sent over the data link to test its integrity and establish the link.

• User authentication: PPP uses one of several authentication protocols, including PAP, CHAP, and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

• Callback: PPP Callback Control (Microsoft’s implementation of PPP) uses Callback Control Protocol (CBCP) if it is configured.

• Configuration: NCPs are used to establish network connections, perform compression and encryption, lease IP addresses using Dynamic Host Configuration Protocol (DHCP), and so on. NCP frames are sent over the link to establish a network connection between the PPP server and the remote PPP client.

NOTE

PPP is superior to the older Serial Line Internet Protocol (SLIP) in that it offers error correction and dynamic negotiation without user intervention, supports multiple network protocols simultaneously, and is faster. PPP is the basis for the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP), which can be used to create virtual private networks (VPNs). PPP is supported by Microsoft Windows 2000, Windows NT, Windows 95, and Windows 98 and is the default setting for Network and Dial-up Connections, RAS, and connectivity to the Internet.

TIP

If you can connect to a remote PPP server but you can’t ping the remote server, try turning off IP header compression. Windows 98 also allows you to record all PPP communication in a ppplog.txt log file for troubleshooting purposes. Open the property sheet of your dial-up networking icon, select the Server Types tab, and select the Record A Log File For This Connection option.

Point-to-Point Tunneling Protocol (PPTP)

A data-link layer protocol for wide area networks (WANs) based on the Point-to-Point Protocol (PPP) and developed by Microsoft that enables network traffic to be encapsulated and routed over an unsecured public network such as the Internet. Point-to-Point Tunneling Protocol (PPTP) allows the creation of virtual private networks (VPNs), which tunnel TCP/IP traffic through the Internet. Remote users can securely access corporate local area network (LAN) resources using the Internet instead of having to use direct modem connections over the Public Switched Telephone Network (PSTN) or dedicated leased-line connections.

How It Works

PPTP is an extension of PPP and is based on PPP negotiation, authentication, and encryption schemes. PPTP encapsulates Internet Protocol (IP), Internetwork Packet Exchange (IPX), or NetBEUI packets into PPP frames, creating a “tunnel” for secure communication across a LAN or WAN link. The PPTP tunnel is responsible for authentication and data encryption and makes it safe to transmit data over unsecured networks.

PPTP supports two types of tunneling:

• Voluntary tunneling: Initiated by the PPTP client (such as Microsoft Windows 95, Windows 98, Windows NT, or Windows 2000). This type of tunneling does not require support from an Internet service provider (ISP) or network devices such as bridges.

• Compulsory tunneling: Initiated by a PPTP server at an ISP. This type of tunneling must be supported by network access servers (NAS’s) or routers.

No matter which type of tunneling you use, you must use a PPTP server. Corporations can set up dedicated PPTP-enabled servers on their networks using Windows NT Server.

NOTE

Microsoft’s Remote Access Service (RAS) for Windows NT supports PPTP through both dedicated and dial-up Internet connections. To enable Windows NT Server to act as a PPTP server, click Network in Control Panel, click the Advanced button on the TCP/IP property sheet, and select Enable PPTP Filtering.

TIP

Because PPTP supports multiple network protocols, including IP, IPX, and NetBEUI, two computers can establish a tunnel over the Internet only if they are running the same network protocol. To troubleshoot PPTP over a TCP/IP connection, use ping to determine whether you are connected to your PPTP server. Also be sure that you have trusted credentials in the domain of the PPTP server, and be sure that you don’t have an active Winsock Proxy client that might be redirecting PPTP packets to a proxy server instead of to your VPN.

polyvinyl chloride (PVC) cabling

A grade of network cabling that uses polyvinyl chloride (PVC) plastic for its outer protective insulating jacket. Polyvinyl chloride cabling is cheap and flexible but gives off dangerous gases during combustion. Building codes usually require that plenum cabling be used instead of polyvinyl chloride cabling for horizontal runs from wiring closets to wall plates. Polyvinyl chloride cabling is usually used to connect wall plates to computers. Both coaxial and twisted-pair cabling are generally available in either polyvinyl chloride or plenum-grade jackets.

POP

See point of presence (POP)

POP3

See Post Office Protocol version 3 (POP3)

port

In TCP/IP networking, an endpoint of a logical connection between two hosts on an internetwork. Ports are identified by port numbers. A port identifies a unique process for which a server can provide a service or the client can access a service. Ports can be Transmission Control Protocol (TCP) ports or User Datagram Protocol (UDP) ports, depending on the type of service supported.

In general networking terminology, a port is a connector for attaching cables or peripherals to a computer—for example, a parallel port for connecting a printer to a computer or a serial port for connecting a serial mouse or modem to a computer. Connectors on networking components, such hubs or routers, are also sometimes called ports, although a better term for a connector on a router is a “router interface.”

portal

A Web site that provides a collection of services for Internet users, such as the following:

• A directory of interesting or useful sites

• A search engine for finding sites on the Internet

• Public information services such as weather, white pages, yellow pages, maps, and stock quotes

• Opportunities to purchase goods and services on line

• Information and frequently asked questions (FAQ) for new users of the Internet

• Registration services for receiving free newsletters via e-mail

• Chat areas for discussing various topics and for building online communities

• Games

Some of the leading Internet portals are listed below.

On the Web

•

Microsoft Network (MSN) : http://www.msn.com

•

Yahoo! : http://www.yahoo.com

•

America Online (AOL) : http://www.aol.com

•

Lycos : http://www.lycos.com

•

Netscape Netcenter : http://www.netscape.com

port number

A 16-bit integer assigned to a port on a TCP/IP host that enables the host to communicate with another host on the network. Ports can have numbers between 0 and 65,536 and are divided into two types:

• Well-known port numbers, which are fixed numbers between 0 and 1023 and are assigned by the Internet Assigned Numbers Authority (IANA). Some of these numbers are currently unassigned or reserved for future use.

• Dynamically assigned port numbers, which the operating system assigns as needed when a TCP/IP application or service requests a port. These numbers are between 1024 and 65,536 and can be released and reassigned as needed.

NOTE

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are different, but TCP and UDP ports use the same assigned port numbers for a given TCP/IP application or service whenever possible.

See also well-known port numbers

POSIX

An acronym for Portable Operating System Interface for UNIX, one of several standards developed by the Institute of Electrical and Electronics Engineers (IEEE) for cross-platform implementations of UNIX. POSIX is a standard operating system interface and environment that supports portability of applications at the source code level. POSIX arose because different vendors were producing different “flavors” of UNIX; code written for one platform would not run on another platform unless it was modified appropriately. The solution was to develop a standard in which code could be portable between all UNIX flavors, so that a POSIX call in one program would work on any other POSIX-compliant system.

Because of vendor-specific enhancements most UNIX systems are not 100 percent POSIX-compliant. The POSIX.1 standard defines the portability of C language code by specifying a standard application programming interface (API). Microsoft Windows NT and Windows 2000 are fully compliant with the POSIX.1 standard, which means that the POSIX subsystem of Windows NT or Windows 2000 can run native C language code written to the POSIX.1 standard. Windows NT does not support other POSIX standards.

POSIX Standards

POST

See power-on self test (POST)

postoffice

The central message store in a legacy Microsoft Mail system.

How It Works

The postoffice consists of a series of message storage directories on the Microsoft Mail file server. The postoffice stores information such as user ID, password, user preferences, message folders, mail messages, and attachments. The postoffice is a passive file system; no active software runs on it. The International Telecommunication Union (ITU) refers to this component of a mail system as the “message store.”

Post Office Protocol version 3 (POP3)

An Internet standard protocol for storing and retrieving messages from Simple Mail Transfer Protocol (SMTP) hosts.

How It Works

SMTP provides the underlying transport mechanism for sending e-mail messages over the Internet, but it does not provide any facility for storing messages and retrieving them. SMTP hosts must be continuously connected to one another, but most users do not have a dedicated connection to the Internet.

Post Office Protocol version 3 (POP3) provides mechanisms for storing messages sent to each user and received by SMTP in a receptacle called a mailbox. A POP3 server stores messages for each user until the user connects to download and read them using a POP3 client such as Microsoft Outlook 98, Microsoft Outlook Express, or Microsoft Mail and News.

To retrieve a message from a POP3 server, a POP3 client establishes a Transmission Control Protocol (TCP) session using TCP port 110, identifies itself to the server, and then issues a series of POP3 commands:

• stat: Asks the server for the number of messages waiting to be retrieved

• list: Determines the size of each message to be retrieved

• retr: Retrieves individual messages

• Quit: Ends the POP3 session

NOTE

After a POP3 client reads a message in its mailbox on a POP3 server, the message is deleted. Primarily because of this, POP3 is being supplanted by Internet Mail Access Protocol version 4 (IMAP4), which offers better support for mobile users. POP3 is supported by Microsoft Exchange Server.

TIP

To troubleshoot problems with remote POP3 servers, use Telnet to connect to port 110 and examine the results as you try issuing various POP3 commands such as the ones just described.

potential browser

A computer on a Microsoft Windows NT network that can assume the role of a master browser or a backup browser if required to do so. If a new backup browser is needed, the master browser can appoint a potential browser as a backup browser. If a new master browser is needed, an election takes place to determine which potential browser should assume the role. If a computer running Windows joins a Windows NT network and its MaintainServerList parameter is set to either Auto or Enabled, it informs the master browser that it is a potential browser. The MaintainServerList parameter is configured differently depending on the version of Windows involved:

• Windows NT uses the following registry key:

   Hkey_Local_Machine     System         CurrentControlSet             Services                 Browser                     Parameters 

• Windows 95 and Windows 98 use the Browse Master property in File and Printer Sharing for Microsoft Networks.

• Windows 3. x uses MaintainServerList in the system.ini file.

TIP

You should disable MaintainServerList on machines running Windows 3. x , Windows 95, and Windows 98 because these operating systems are used on client machines that can occasionally be rebooted, causing spurious elections to occur.

See also Computer Browser service

POTS

See Plain Old Telephone Service (POTS)

power-on self test (POST)

A special set of ROM routines that run whenever a PC is booted. The power-on self test (POST) is designed to test whether system components are functioning properly before attempting to boot the operating system, and checks such things as the RAM, keyboard, and disk drives. If a problem is detected during the POST, the system typically emits a series of beeps and displays a corresponding error message giving some indication of the problem. Specific problems are indicated by different numbers of beeps, but the interpretation of these varies depending on the BIOS used.

TIP

On newer Pentium II or III systems that use the popular AMI WinBIOS, use the following table to interpret the number of beeps in order to troubleshoot the problem.

POST Beep Codes for AMI WinBIOS

Power Users group

A built-in group in Microsoft Windows NT and Windows 2000. The Power Users group is a local group that exists only on member servers and workstations. The initial membership of this group is empty. Generally speaking, a power user is a person who is familiar with the advanced features of a program’s user interface. In Windows NT, a power user is a user who has certain rights.

The Power Users group has preassigned rights including the following:

• Log on locally

• Access this computer from the network

• Change the system time

• Shut down the system

Power users also have the right to share and manage local disk resources and printers and to create and modify local user accounts on the local machine.

See also built-in group

PPP

See Point-to-Point Protocol (PPP)

PPP Multilink

A protocol for combining multiple physical WAN links into a single logical pathway to increase bandwidth. Microsoft’s Remote Access Service (RAS) for Windows NT and Window 2000 supports combining Plain Old Telephone Service (POTS) and Integrated Services Digital Network (ISDN) lines using PPP Multilink, as does Windows 98.

TIP

PPP Multilink must be enabled on both the dial-up networking client and the RAS server in order to work.

PPTP

See Point-to-Point Tunneling Protocol (PPTP)

premise cabling

The entire wiring system in a building, including cabling, power lines, wiring closets, distribution centers, wall plates, and fixtures. Premise cabling should be installed according to the Electronic Industries Alliance and Telecommunications Industry Association (EIA/TIA) wiring standards and must comply with all state and municipal building codes and requirements.

How It Works

In computer networking, the premise wiring system is a hierarchical system based on the star topology, starting with the equipment room (main cross-connect) that houses the main telecommunications equipment for the particular building, including servers, Private Branch Exchanges (PBXs), and routers. The equipment room contains the facilities for telecommunications signals to enter and leave the building. It can be one room or several rooms on different floors, depending on the building layout and administrative considerations.

From the equipment room, a vertical backbone cable runs up the building riser or elevator shaft, connecting the equipment room with wiring closets (intermediate cross-connects) on each floor. Additional backbone cabling runs horizontally to secondary wiring closets (horizontal cross-connects) if necessary. No further cross-connects should be used; in other words, the hierarchy should be no more than three cross-connects deep.

The wiring closets contain cabinets or racks with patch panels, hubs, switches, and other equipment. Horizontal wiring runs from the patch panels through wall and ceiling spaces to wall plates and distribution boxes to form local area network (LAN) drops in the work areas where computers are set up. Patch cables or drop cables connect computers in the work area to the wall plates and distribution boxes.

See also cabling

presentation layer

Layer 6 of the seven-layer Open Systems Interconnection (OSI) reference model. The presentation layer structures data that is passed down from the application layer into a format suitable for network transmission. This layer is responsible for data encryption, data compression, character set conversion, interpretation of graphics commands, and so on. The network redirector also functions at this layer.

NOTE

Most real-world protocol suites, such as TCP/IP, do not use separate presentation layer protocols. The presentation layer is mostly an abstraction in real-world networking.

Pretty Good Privacy (PGP)

A digital signature and encryption scheme for secure exchange of e-mail and attached documents. You can use Pretty Good Privacy (PGP) to encrypt e-mail messages so that no one but the intended recipient can read them and to digitally sign messages so that the recipient can be sure of the identity of the sender and that the message has not been tampered with during transit.

How It Works

PGP uses the RSA or Diffie-Hellman public key cryptography algorithm and supports 128-bit keys. When you send a digital signature, a hashing algorithm generates a hash from the username and other information, which is then encrypted using the sender’s private key. The hashing algorithm is MD5 when you use RSA and SHA-1 when you use Diffie-Hellman. As in a typical public key cryptography system, the recipient uses the sender’s public key to decrypt the signature and verify the sender’s identity. The sender’s public key is retrieved by the recipient from a public PGP key management server such as the one maintained by Network Associates.

PGP is popular in the Internet community but does not scale well for corporate enterprise applications because its key management facilities are implemented as a distributed “web of trust” rather than the usual hierarchical certificate authority (CA) scheme.

On the Web

•

Network Associates home page : http://www.nai.com

PRI-ISDN

See Primary Rate Interface ISDN (PRI-ISDN)

primary domain controller (PDC)

A Microsoft Windows NT domain controller that contains the master copy of the Security Account Manager (SAM) database. A Windows NT domain has only one PDC, which periodically undergoes directory synchronization to copy its directory database to back up domain controllers in the domain. The primary domain controller (PDC) must be the first computer installed in a domain and defines the domain.

NOTE

If a PDC needs to be taken offline for maintenance or repair or if it unexpectedly goes down, a backup domain controller (BDC) can be promoted to the role of PDC. This is necessary because BDCs contain read-only copies of the domain directory database, so user accounts cannot be modified and passwords cannot be changed unless there is a PDC on the network.

See also backup domain controller (BDC), domain controller

primary enterprise controller (PEC)

A computer running Microsoft Message Queue (MSMQ) Server that functions as a primary site controller (PSC) for one site and contains information about the enterprise configuration and the certification keys in its MSMQ Information Store (MQIS) database. The primary enterprise controller (PEC) also functions as an MSMQ Routing Server.

Administrators can install only one PEC on an MSMQ network. You must install the PEC before you install any primary site controllers.

primary group

In Microsoft Windows NT, the global group that is specified as primary for a particular user account. Users can be members of many different global groups within their domain, but only one of these global groups can be the primary group.

Primary groups are used when users running Windows NT Services for Macintosh or POSIX applications log on to the computer. The user’s primary group is the group that the owner of a particular resource works with most.

primary name server

A name server that maintains its own local Domain Name System (DNS) database of resource records. A primary name server has a master copy of resource records for each zone over which it has authority. These records are stored locally on the name server in the form of a text file called the zone file. All changes to the resource records for a zone must be made on the primary name server.

Secondary name servers obtain their resource records from master name servers, which can be either primary name servers or other secondary name servers. The usual configuration when name servers are used within a TCP/IP internetwork for name resolution is one primary and one secondary name server, with the primary configured as the master name server for the secondary (which is sometimes called the slave name server). If Microsoft Windows NT is used for the DNS servers, the tool for configuring name servers is DNS Manager, a Windows NT administrative tool. In Windows 2000 the analogous tool is the DNS console.

See also Domain Name System (DNS)

primary partition

A partition on which you can install a bootable operating system and its associated file system. Primary partitions cannot be subdivided into further segments, as extended partitions can. The partition table on a drive’s master boot record can contain entries for up to four primary partitions or three primary and one extended partition. Only one primary partition at a time can be the active partition (contain the currently running operating system files). In Microsoft Windows NT, the active partition is also known as the system partition. Primary partitions are used in multiboot systems to isolate the files of each operating system from one another.

See also extended partition

Primary Rate Interface ISDN (PRI-ISDN)

A standard form of communication on Integrated Services Digital Network (ISDN) communication systems. Primary Rate Interface ISDN (PRI-ISDN) connections consist of 24 digital channels divided between 23 B channels and a single D channel. The B channels carry the voice or data between the customer premises and the telco’s central office (CO), while the D channel is used for establishing connections and signaling. PRI-ISDN is often referred to as 23B+D because of the channels that it uses.

The bandwidth of each B channel and of the single D channel is 64 Kbps, so the total bandwidth of PRI-ISDN is 1.544 Mbps, which is identical to that of a T1 circuit. By using the bonding protocol, the 23 B channels can be combined to form a single 1.472-Mbps data channel. The European version of PRI-ISDN uses 31 B channels and one D channel, providing the bandwidth of an E1 circuit.

See also Basic Rate Interface ISDN (BRI-ISDN), Integrated Services Digital Network (ISDN)

primary ring

The main ring used in the Fiber Distributed Data Interface (FDDI), which uses a dual ring topology. The primary ring is the only ring used unless it has a fault, in which case the network reconfigures itself to use the secondary ring with the data traveling in the opposite direction. The dual ring configuration provides FDDI with fault tolerance.

TIP

Run the FDDI primary ring and secondary ring along different physical paths to make the network more redundant. An accident or disaster affecting one of the rings will not affect the other.

See also Fiber Distributed Data Interface (FDDI), secondary ring

primary site controller (PSC)

A computer running Microsoft Message Queue (MSMQ) Server that functions as the site controller for the first MSMQ site you create. The primary site controller (PSC) maintains a database of information concerning the computers and queues in the site. Each site usually has its own PSC, and you can install only one PSC for a given site.

For load balancing and failure recovery purposes, you can install one or more backup site controllers (BSCs) in each MSMQ site. BSCs contain a read-only copy of the PSC or primary enterprise controller (PEC) database. MSMQ sites do not require BSCs, but it is usually a good idea to install one or more of them in each MSMQ site. You must install a PSC or PEC before you can install any BSCs.

printing pool

A way of connecting one printer to multiple print devices. In Microsoft Windows terminology, a print device is the physical hardware that does the printing, while a printer is a software interface on a computer that enables jobs to be sent to a print device. Normally, a printer is configured for each individual print device. Using a printing pool, you identify several print devices as a single printer to the operating system. When a client sends a print job to a printing pool, the printer sends the job to the first available print device managed by the printer. Clients can thus print jobs without having to check to see which print device is free.

Printing pools are used in networks with high printing volume and also to provide a form of fault tolerance. Printing pools also simplify the administration of large numbers of print devices. You can create printing pools on print servers running Windows NT and Windows 2000.

NOTE

The print devices in a printing pool must be the same make and model or at least be similar devices that use the same printer driver. Print devices that are pooled can be a mix of local and network interface print devices. Place pooled print devices in close physical proximity to one another so that users do not have to search for the device that printed their job.

TIP

If you don’t have identical print devices and thus cannot create a printing pool, you can take other measures to meet the needs of increased printing volume:

• Share an existing printer that is currently not shared for network use.

• Configure priorities between printers to enable critical documents to be printed before noncritical ones.

• Institute company policies on how to use printers properly, and audit printer usage.

See also printing terminology

printing terminology

In Microsoft Windows, the following are printing-related terms:

• Print device: A hardware device that produces printed output, such as a LaserJet, ink-jet, or dot-matrix print device. Most people loosely refer to these devices as “printers,” but the term “printer” has a specific meaning in the Windows operating system, as described below.

• Printer: A software interface installed on a Windows computer that allows users and applications to print to a print device. Microsoft uses the term “print device” to refer to the actual hardware device; “printer” refers to the software interface that controls that device. To create a printer, you use the Add Printer Wizard in the Printers folder.

• Print server: A computer with which a print device is associated. A print server receives print jobs from clients and sends them to the print device.

• Printer driver: A series of files that convert printing commands into machine-specific language for sending them to a print device. Each model and make of print device has its own specific printer driver.

NOTE

Print devices can be further subdivided into two types:

• Local print device: A print device that is locally attached to the parallel or serial port on the print server. If a local print device is being used only on the local machine, its software interface is called a “local printer.” If a local print device is shared, clients can access it over the network and its software interface is called a “network printer” from the perspective of the clients.

• Network-interface print device: A print device that has its own built-in network interface card (NIC) and can be plugged into the network anywhere that a local area network (LAN) drop is free. A network-interface print device is not connected directly to the print server; it is managed remotely by the print server.

TIP

Keep network-interface print devices on the same network or subnet as their print server to minimize the extra network traffic. Be sure that your print server has sufficient RAM for processing documents and sufficient disk space for spooling print jobs. Dedicating a computer to the role of print server is usually recommended, especially if that computer will manage several print devices.

Print Operators group

A built-in group in Microsoft Windows NT and Windows 2000. The Print Operators group is a local group on computers that run Windows NT and a domain local group on a Windows 2000 domain controller. Print operators are users who can administer network printers. The initial membership of this group is empty. The Print Operators group has the following preassigned rights:

• Log on locally

• Shut down the system

Print operators also have the right to set up and configure network printers.

See also built-in group

print permissions

A set of permissions assigned to users and groups to control access to the printers on a Microsoft Windows NT print server. Suitable print permissions are an important part of network administration, especially in enterprise-level networks with different administrative levels. There are four levels of print permissions, as described in the following table.

Print Permissions

NOTE

On a Windows 2000 print server, the full control permission is called “manage printers.” Also, instead of using a no access permission, you permit or deny the manage printers, manage documents, or print permissions. You can, in addition, click the Advanced button on the Printer Properties property page to configure more granular customized sets of printer permissions.

TIP

In Windows 2000, you can remotely administer printers using a Web browser by accessing the Uniform Resource Locator (URL) http://Print_Server_Name/printers. Administrators can configure printer permissions and settings, check the status of printers, and create real-time reports on printer usage.

print server

A server that manages a printer on a network. The printer can be directly connected to a port on the print server (a local printer), or it can have its own built-in network interface card (NIC) and be connected directly to the network (a network printer). Clients that want to print jobs send them to the print server, which queues or spools the jobs and then sends them to the printer. Microsoft Windows NT Server is a good operating system for running a print server on your network.

Instead of dedicating a computer to managing a printer on a network, you can use a stand-alone print server device. These devices generally have a small footprint—some are even pocket-sized—and can be used to attach a printer anywhere in the network. Typically, an RJ-45 port on the device can be plugged directly into an Ethernet hub or into a wall plate in a work area, while an IEEE 1284 port on the device is connected to the printer. Stand-alone print server devices generally have built-in support for a variety of protocols (such as TCP/IP, IPX/SPX, NetBEUI, and Data Link Control) and platforms (such as Windows 2000, Novell NetWare, and UNIX) and support a wide variety of makes and models of printers.

Other features of stand-alone print server devices can include the following:

• Support for two or four parallel printer connections

• Support for Line Printer Daemon/Line Printer Remote (LPD/LPR) or Dynamic Host Configuration Protocol (DHCP)

• Support for Token Ring or AppleTalk networking architectures

print sharer

Any hardware device that enables two or more computers to directly share one or more attached printers without using a network. Print sharers include the following:

• Manual switch boxes, on which a user turns a rotary switch to select which computer controls the printer. The manual switch boxes are usually in a 2-to-1, 4-to-1, or 6-to-1 configuration. A special switch called an X-switch can allow either of two computers to print to either of two printers.

• Electronic print-sharing switches, on which users also use knobs or toggle switches to select a computer or printer. These switches have solid-state circuitry inside that does the switching, unlike manual switch boxes, which have simple metallic contacts.

• Port-contention or FIFO (first in, first out) switches, which automatically monitor all input ports. When a signal enters an input port from a computer, the switch automatically assigns that port to the output printer port.

• Code-operated switches, which examine the input (computer) data ports for an ASCII string indicating which output (printer) port to switch the incoming printer data to.

• Scanning switches, which function like port-contention switches except that they sequentially scan the input ports instead of monitoring them all continuously.

NOTE

If more than two computers need to share a printer, the best solution is to connect the computers to a local area network (LAN) and use a print server to set up a shared network printer. The print sharing devices listed previously are intended primarily for non-networked computers that must be directly connected to printers. In a small peer-to-peer networking setting, you can use a machine running Microsoft Windows 95 or Windows 98 that has File and Printer Sharing installed on it to share an attached printer with other workstations. In larger networks, Windows 2000 Server is a better choice.

TIP

Don’t use manual switch boxes with laser printers. The switching mechanism can cause voltage spikes that can seriously damage the printer.

Private Branch Exchange (PBX)

A telephone switch at the customer premises that supports multiple independent telephone extensions. Private Branch Exchanges (PBXs), which are installed by a telco, save businesses the cost of supplying an individual local loop connection for each employee because employees can share external trunk line connections. The PBX provides connectivity between the client’s private telephone system that it supports, and the telco’s public trunk lines. In Europe, a PBX is known as a Private Automatic Branch Exchange (PABX).

How It Works

PBXs were originally switch consoles controlled by human operators, who would plug and unplug patch cords to establish connections for customers. The modern electronic PBX (also known simply as a switch) is a solid-state device that essentially establishes a private switching system that mimics the functions of a telco’s much larger central office (CO) switching facility. PBXs allow businesses to have better control of their own telecommunications equipment, and they reduce costs by more effectively routing local telephone traffic.

Typically, a PBX is leased and installed in the main equipment room of a building or campus by a telco or other service provider. It handles all calls initiated and received in the building. If an outgoing call is directed to another line on the PBX, the PBX routes the call directly to its destination instead of forwarding it to the local CO. Outgoing calls directed to destinations outside the PBX are routed to the CO for handling.

A modern digital PBX can handle data, fax, and other forms of traffic in addition to voice traffic. Telephones and other devices are connected by individual circuits directly to the PBX unit, while trunk lines coming in from the outside terminate at a multitrunk channel band (MCB) unit. The MCB interfaces with the main distribution frame (MDF), which provides the individual circuits that connect the outside world to the PBX unit. The more circuits that the MDF creates from the trunk lines, the more simultaneous outgoing calls can be initiated and received by users of the PBX system. Add-ons for the PBX unit can include call management systems (CMS’s), which provide call notification and control services; call accounting services; and modem pools for remote dial-up access.

Graphic P-11. Private Branch Exchange (PBX).

PBX switches come in various sizes. The smallest is a 3-by-8 switch that supports three business lines and eight extension lines. This configuration permits eight phones to be connected, but only three of them can make or receive calls at a time.

PBXs support a number of features, including the following:

• Direct Inward Dialing (DID): A form of call routing that allows outside users to dial directly to any of the extensions

• Direct Outward Dialing (DOD): A form of call routing that allows extensions to dial directly to any outside phone number

• Station-to-Station Dialing (SSD): Allows any extension to call any other extension without using a business line

Most modern PBXs support digital phone extensions and T1 or multirate Integrated Services Digital Network (ISDN) for their telco connection. PBX boards can also be installed in servers to support computer-telephony integration (CTI). Many products and configurations are available.

NOTE

An alternative to installing a PBX at the customer premises is to lease a Centrex service from the telco’s CO. This service offers similar features to a PBX but from a remote location, and it is managed remotely by the telco.

private information store

One of the two databases in the information store on a computer running Microsoft Exchange Server. The private information store stores content for mailboxes homed on the server. It consists of a number of files stored in the \mdbdata directory on the Exchange server. These files include the following:

• Priv.edb: The actual database file

• Edbxxxx.log: Transaction files used to track changes to the database

• Edb.chk: A checkpoint file to keep track of transactions in edbxxxx.log that are uncommitted

• Res1.log and Res2.log: Reserved log files used in low disk space conditions

• Temp.edb: A temporary file used for storing transactions that are in progress

process isolation

A feature of Component Services (Microsoft Transaction Server) and Internet Information Services (IIS) that allows multiple critical Web applications to be hosted on a single IIS server. Running each application as an isolated process in its own memory space leads to greater reliability because the failure of one unstable application will not affect any other running applications and cannot crash the IIS server.

Profile Manager

A component of the Internet Explorer Administration Kit (IEAK) that is used to manage users’ desktop settings remotely from a central station. Profile Manager integrates with Microsoft’s System Policy Editor and can be used to

• Manage system policies for implementing system and user restrictions

• Create or import .adm files, which are templates for policy files

• Centrally maintain both 16-bit and 32-bit Microsoft Windows policies

• Enable or disable individual restrictions

NOTE

In Windows 2000, the functionality of the Profile Manager is incorporated into the Group Policy snap-in.

Project 802

An ongoing project of the Institute of Electrical and Electronics Engineers (IEEE) for defining local area network (LAN) and wide area network (WAN) standards and technologies. The 802 specifications define the operation of the physical network components—cabling, network adapters, and connectivity devices such as hubs and switches.

Project 802 has a number of subsections, including the following:

• 802.1: Internetworking standards

• 802.2: The logical link control (LLC) layer of the Open Systems Interconnection (OSI) reference model data-link layer

• 802.3: Ethernet (Carrier Sense Multiple Access with Collision Detection)

• 802.4: Token Bus LAN

• 802.5: Token Ring LAN

• 802.6: Metropolitan area network (MAN)

• 802.7: Broadband technologies

• 802.8: Fiber-optic technologies

• 802.9: Integrated voice/data networks

• 802.10: Network security standards and technologies

• 802.11: Wireless networking technologies and standards

• 802.12: Demand priority access technologies

• 802.14: Cable television access

The Project 802 standards are constantly evolving, and new subcategories are being created to standardize new networking technologies.

promiscuous mode

A mode of operation of a network interface card (NIC) in which the NIC accepts all frames on the wire, including those not specifically directed to it. A NIC operating in promiscuous mode reads every frame it receives, whether the frames are broadcast, multicast, or directed. In some networks, this can be a security problem because nodes that act “promiscuously” can be configured not only to read frames but also to store them and even retransmit them. Sensitive information can thus be intercepted on the network and retransmitted to remote stations. This problem can occur in both Ethernet and Token Ring networks when NICs are configured to act promiscuously.

NOTE

Network driver interface specification (NDIS), as of version 4, supports a capturing mode called local only, which uses fewer CPU resources than promiscuous mode but supports capturing of all frames for Microsoft Network Monitor.

property sheet

In Microsoft Windows NT, Windows 95, Windows 98, and Windows 2000, a feature for configuring system and user software settings. You can access the property sheet for an object by right-clicking the object and choosing the Properties command from the context menu. The following screen capture shows the property sheet for a file called test.txt. Property sheets contain various controls such as text boxes, check boxes, option buttons, command buttons, scrolling list boxes, drop-down list boxes, and tabs. Property sheets make Windows easy to use compared to those operating systems such as MS-DOS that use command prompt.

Graphic P-12. Property sheet.

protocol

A set of rules for sending information over a network. Protocols can include rules concerning any or all of the following functions:

• Data transmission mechanisms

• Communication session initialization and termination

• Addressing and routing

• Authentication and verification

• Encryption and compression

• Error correction

Protocols are usually classified according to the layer they correspond to in the Open Systems Interconnection (OSI) reference model for networking. Types of protocols include the following:

• Data-link protocols: Govern the framing of data, physical addressing of network nodes, and media access control methods. For local area networks (LANs), these primarily include Ethernet, Token Ring, and Fiber Distributed Data Interface (FDDI). For wide area networks (WANs), they include Point-to-Point Protocol (PPP), High-level Data Link Control (HDLC), frame relay, Asynchronous Transfer Mode (ATM), and X.25.

• Network protocols: Handle link services and are responsible for addressing, routing, and error checking. Examples include NetBEUI, Internetwork Packet Exchange (IPX), NWLink, and Internet Protocol (IP).

• Transport protocols: Enable the establishment of sessions and ensure reliable flow of data. Examples include NetBEUI, Sequenced Packet Exchange (SPX), NWLink, and Transmission Control Protocol (TCP).

• Application layer protocols: Enable applications to access network services. Examples include Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), Network News Transfer Protocol (NNTP), X.400, X.500, Server Message Block (SMB), and Network File System (NFS).

Some protocols have been developed by specific vendors and then accepted as de facto standards by the industry, while others were initially formulated by independent standards bodies and then accepted and implemented by vendors. The most widely implemented protocols are those relating to TCP/IP and the Internet.

protocol converter

A general term for a device that enables communication between networks or transmission systems that use different protocols. Protocol converters are often used in mainframe computing environments; they enable one device to emulate the communication functions of another device. For this reason, a protocol converter is sometimes known as an emulator, and it can be either hardware-based or software-based.

How It Works

One type of protocol converter allows you to communicate asynchronously using a PC to a mainframe host over a synchronous communication link. You can thus use a PC as the front end to the host instead of using expensive synchronous terminals. The PC typically emulates a 3270 terminal for remote connections or a 5250 terminal for local connections.

For example, you can turn a PC into a 5250 terminal by installing a 5250 emulator card. Use twinax cabling to connect the port on the card directly to the AS/400 or System 390 mainframe. The 5250 emulator software running on the PC typically supports multiple concurrent 5250 sessions.

To support this synchronous/asynchronous conversion, the emulation hardware/software must perform several conversions:

• Connect the twinax or coax synchronous connection from the host to an asynchronous RS-232 connection for the PC. For a remote connection, the converter might include X.21 or V.35 serial interfaces as well.

Graphic P-13. Protocol converter.

• Take the Synchronous Data Link Control (SDLC) data stream from the host and convert it to an asynchronous format.

• Perform synchronous EBCDIC to asynchronous ASCII conversion and translate standard input/output into appropriate screen/keyboard mappings.

NOTE

You can also use protocol converters to connect ASCII printers to AS/400 or System/3x mainframe hosts. A protocol converter for this purpose is sometimes called a printer emulation card.

protocol file

A text file that provides resolution of protocol names into their respective RFC-defined protocol numbers on a TCP/IP network. The entries in the protocol file are friendly names for TCP/IP protocol numbers and can be used for well-known service (WKS) records in Domain Name System (DNS) servers and other Windows Sockets applications.

How It Works

The protocol file is in the following location on computers running Microsoft Windows:

• Windows NT and Windows 2000: %SystemRoot%\system32\drivers\etc\protocol

• Windows 95 and Windows 98: \Windows\protocol

Each line in the protocol file contains the standard name for a protocol followed by the assigned number as defined in Request for Comments (RFC) 1060, an alias, and an optional comment prefixed with a pound sign (#). The following example comes from the sample protocol file included with Windows 95 and Windows 98:

 ip       0     IP       # Internet protocol icmp     1     ICMP     # Internet control message protocol ggp      3     GGP      # Gateway-gateway protocol tcp      6     TCP      # Transmission control protocol 

See also hosts file, lmhosts file, networks file, services file

protocol suite

A collection of protocols that work together as a group. Examples of protocol suites include the following:

• NetWare’s Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) and related protocols, such as NetWare Core Protocol (NCP) and Service Advertising Protocol (SAP)

• The Internet’s TCP/IP protocol suite, which consists of Internet Protocol (IP), Transmission Control Protocol (TCP), and related protocols such as Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), and Hypertext Transfer Protocol (HTTP)

• AppleTalk and its related protocols, such as AppleShare, EtherTalk, and LocalTalk

Provider Architecture for Differentiated Services and Traffic Engineering (PASTE)

A draft standard from the Internet Engineering Task Force (IETF) that defines ways that Internet service providers (ISPs) can deliver different traffic types to their clients and bill them accordingly. Provider Architecture for Differentiated Services and Traffic Engineering (PASTE) can be implemented without adding overhead to an ISP’s routers, whose tables are often burdened by the rapidly expanding address space of the Internet.

How It Works

Existing technologies such as Cisco Systems’ tag switching require that routers maintain state information for every virtual circuit they detect. PASTE eases this requirement by aggregating traffic flows that share a common path into a trunk. Routers need only maintain tables of trunks instead of tables for virtual circuits, which greatly reduces router overhead. Packets can then join or leave a trunk at any router. PASTE uses the Multiprotocol Label Switching (MPLS) protocol and the Resource Reservation Protocol (RSVP) to provide these differentiated services.

provisioning

The configuration of options on telecommunications equipment at the customer premises. For example, an analog telephone line can be provisioned with only a few options, such as caller ID and call waiting. An Integrated Services Digital Network (ISDN) line can be provisioned with many more options, and the configuration of the ISDN equipment at the customer premises must match that at the telco’s central office (CO) for communication to function properly. For example, the service profile identifier (SPID), which is a phone number with additional digits prefixed and appended to it, must be configured properly on the customer’s ISDN equipment for the telco’s ISDN switching equipment to recognize the type of equipment that is attached, recognize whether one or more devices is attached, and enable calls to be routed appropriately to the equipment.

proxy cache server

A type of proxy server that caches Web pages that users request on the Internet. You can use a proxy cache server like a regular proxy server at the border of a private corporate network in order to cache the Web pages returned from the Internet when users in the private network request them. When users request these pages again, the pages are returned instantly from the cache; a new request need not be sent over the Internet. This speeds up browsing for frequently accessed Web sites and reduces the amount of bandwidth used on the corporate Internet link.

Proxy cache servers can also be used at Internet service providers (ISPs) and at strategic locations on the Internet’s high-speed backbone to provide relief to heavily accessed Web servers and to reduce overall backbone traffic.

NOTE

Microsoft Proxy Server supports two kinds of caching for the Web proxy service:

• Passive caching: Web pages that clients request are cached for later retrieval if requested.

• Active caching: Proxy Server tries to anticipate which Web pages clients will request, and when the server has idle time and the network is sufficiently quiet, Proxy Server requests the pages and stores them in the cache.

proxy server

A computer that can act on the behalf of other computers to request content from the Internet or an intranet.

How It Works

Proxy servers act as secure gateways to the Internet for client computers. They are transparent to client computers—a user interacting with the Internet through a proxy server is not aware that a proxy server is handling the requests unless the user tries to access a resource that the proxy server is configured to disallow. Similarly, the Web server receiving the requests from the proxy server interprets these requests as though they came directly from client computers.

Proxy servers can be used to secure private networks connected to unsecured public networks such as the Internet. They have greater functionality than packet-filtering routers because they operate at a higher level of the protocol stack and afford greater control over monitoring and managing network access. A proxy server functioning as a security agent for a private network is generally called a firewall.

Two types of proxy servers are used in network firewall environments: circuit-level gateways and application-level gateways. Circuit-level gateways establish virtual circuits between machines on the internal private network and the proxy server on the border of the private network. The proxy server controls all connections between the internal private network and the external public network. If a client on the private network wants to access the Internet, for example, the Hypertext Transfer Protocol (HTTP) request packet generated by the client’s Web browser traverses the virtual circuit to the proxy server; the proxy server then changes the source IP address of the packet to that of the external (public) network interface of the proxy server and forwards the packet onto the Internet. When a remote HTTP server on the Internet sends a response, the proxy server routes this response back through the virtual circuit to the client that made the request.

An application-level gateway can implement security policies for analyzing packets that reach the external (public) interface of the proxy server from distrusted public networks. These security policies can examine packet addresses and other header information, permit or deny packets on the basis of their contents, and modify the address, header, or contents of packets that they monitor in order to hide key information about the internal network’s applications and services. Application-level gateways provide proxy services only for specifically configured applications and protocols such as HTTP, File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Telnet. For each type of application for which you want to regulate access through the firewall, you must install and configure a related proxy service on the proxy server. Applications and protocols for which a proxy service is not installed cannot be accessed through the firewall.

NOTE

Instead of using a proxy server, you can provide modems for and run telephone lines directly to each user who needs Internet access, but this option is costly. You can also configure a physically separate network with several computers that have shared Internet access, but this is cumbersome for users. Advantages of using a proxy server include the following:

• It provides a single, secure gateway to manage.

• It can provide different types of access to the Internet as appropriate for each group of users.

• It can monitor and track Internet usage for each user.

• Many users can share a single high-speed Internet connection.

Microsoft Proxy Server is an example of a proxy server and firewall product that provides a secure gateway for your network to the Internet.

PSC

See primary site controller (PSC)

P-series protocols

A group of protocols that are part of the X.400 messaging standards. Five P-series protocols relate to messaging systems that support X.400, such as Microsoft Exchange Server:

• P1 Protocol: Specifies the layout of messages transferred from one Message Transfer Agent (MTA) to another. This protocol specifies that X.400 messages consist of two parts: a P1 header, which acts as an envelope and must contain a globally unique recipient address for message routing and control purposes, and a P2 message, which is the actual content of the message.

• P2 Protocol: Defines the format for transmitting the content of an X.400 message. This format includes a P2 header (which is not used because the P1 header provides the necessary routing information for the message) and a P2 body, which is the actual content of the message and consists of one or more body parts of various types (such as text, images, voice, or telex).

• P3 Protocol: Specifies how a user agent (UA) communicates directly with an MTA for sending or receiving a message. This protocol is not used as often as the P7 Protocol for the same reason that Post Office Protocol version 3 (POP3) is used instead of Simple Mail Transfer Protocol (SMTP) to receive Internet mail.

• P7 Protocol: Specifies how a UA communicates with a message store (MS) in order to selectively retrieve messages from the store and delete unwanted messages without downloading them.

• P22 Protocol: A 1988 revision of the P2 Protocol that clarifies and extends certain features of P2.

See also X.400

PSTN

See Public Switched Telephone Network (PSTN)

PTR

See pointer (PTR) record

public folder

A type of recipient in Microsoft Exchange Server that can store messages and documents for sharing with other users in an Exchange organization. Public folders can contain simple messages, attachments, multimedia clips, binaries, and any other type of file. They can also contain custom forms that facilitate contributing and viewing information.

NOTE

To create public folders in an Exchange organization, you should use the client program Microsoft Outlook. Public folders created with Outlook can later be configured using the Exchange Administrator program, which you cannot use to create public folders.

public folder replica

A copy of a public folder’s contents stored on another Microsoft Exchange Server. All replicas of a public folder are equivalent—there is no master replica for a public folder.

TIP

When planning where to host public folders in your Exchange organization, consider the following:

• The volume of information that will be stored and how much it will increase over time

• How long information should be retained before it is deleted

• How many users will access the information and how frequently they will access it

public information store

One of the two databases within the information store on a Microsoft Exchange Server computer. The public information store stores content for public folder replicas on the server. The public information store consists of a number of files in the \mdbdata directory on the Exchange server. These files include the following:

• Pub.edb: Actual database file

• Edbxxxxx.log: Contains transaction files for tracking changes to the database

• Edb.chk: A checkpoint file to keep track of transactions in edbxxxxx.log that are uncommitted

• Res1.log and Res2.log: Reserved log files used in low disk space conditions

• Temp.edb: A temporary file used for storing transactions that are in progress

public key cryptography

Also known as asymmetric cryptography, a popular encryption method developed by Martin Hellman and Whitfield Diffie in 1976 that is used for securing transmission of data over distrusted networks such as the Internet.

How It Works

Traditional cryptography involves a private or secret key that was shared by the individuals involved in the transmission. The key is a mathematical entity that the sender can use to encrypt a message and the receiver can use to decrypt it. This traditional form of cryptography is known as secret key cryptography or symmetric cryptography. The main problem with this form of cryptography is the question of how the owner of the key can securely transmit the key. In other words, the main problem is one of key management—how to create, store, and transmit the key to those who will need it to decrypt messages sent to them.

Public key cryptography solves this problem by creating a set of two different keys for anyone needing to transmit encrypted information. A precise mathematical relationship exists between the two keys, which together are called a key pair. Both keys are produced at the same time using a mathematical algorithm such as RSA. As a result, when either one of the two keys is used to encrypt a message, the other can be used to decrypt it.

The two keys in a key pair are as follows:

• The private key: Held privately by the owner of the key pair and kept secret from anyone else. The responsibility for safe storage of the private key rests entirely with the key pair owner, who has no need to transmit the private key to others.

• The public key: Made available by the key pair owner to anyone who requests it. Because the public and private keys are related mathematically, in principle someone could take another person’s public key, perform complex mathematical calculations on it, and extract the corresponding private key. The solution is to use keys sufficiently long and with a sufficiently complex mathematical relationship so that it is all but impossible to extract the private key from the public one.

Once a key pair is generated for someone, that person can use it to encrypt messages and to digitally sign messages so that the recipient can be sure of the identity of the sender.

Of course, the whole public key cryptography system is ultimately founded on trust. All persons who are issued key pairs must trust the third-party authority who provided the key pairs. This trusted authority is called a certificate authority (CA). Someone who wants to obtain a key pair from a CA must contact the CA and present proof of identity. This could involve a face-to-face meeting, examination of a driver’s license with photograph, or some other method of establishing a user’s identity.

NOTE

Network administrators can use Microsoft Certificate Server, which is included in the Microsoft Windows NT 4 Option Pack, to establish their own CAs. Users can then transmit encrypted and digitally signed e-mail messages by using Microsoft Exchange Server or establish secure Web sites that use the Secure Sockets Layer (SSL) protocol with Internet Information Services (IIS).

See also digital certificate, digital signature, encryption, Secure Sockets Layer (SSL)

public key infrastructure (PKI)

A set of services that support the use of public key cryptography in a corporate or public setting. A public key infrastructure (PKI) enables key pairs to be generated, securely stored, and securely transmitted to users so that users can send encrypted transmissions and digital signatures over distrusted public networks such as the Internet. An effective, trustworthy public key infrastructure is essential for secure e-mail and World Wide Web (WWW) transactions, e-commerce, and virtual private networks (VPNs).

How It Works

Generally, a public key infrastructure consists of the following coordinated services:

• A trusted certificate authority (CA) that can verify user identities and issue users digital certificates and public/private key pairs. Sometimes the verification of user identities is performed by a separate registration authority (RA), but this service can also be integrated with the CA.

• A certificate store in which users can access the public keys of other users for encrypting messages or validating digital signatures. This store is usually based on the X.500 directory recommendations.

• A digital certificate and key management system for generating, storing, and securely transmitting certificates and key pairs to users who request them.

Public key infrastructures can have different scopes. For example, a corporate enterprise can use Microsoft Certificate Server to establish a PKI for all its users and for those of partner companies such as suppliers and wholesalers. The PKI system can then be used to secure transactions between users that are sent over the Internet. PKIs can also be established on a national or global scale to support secure e-commerce transactions over the Internet involving users and vendors who are geographically and politically separated. PKIs on this scale consist of a hierarchy of CAs managed by different governments or companies and linked to a trusted root CA (such as the U.S. government). The current leader in worldwide PKI implementation is probably VeriSign, Inc., which is both a vendor of CA software and a CA.

In order for a public key infrastructure to work, it must be implemented in a hierarchical fashion with authorities, super-authorities, and root authorities, similar to the Internet’s Domain Name System (DNS). Standards bodies and cryptography vendors such as PKIx of the Internet Engineering Task Force (IETF), Pretty Good Privacy (PGP), Simple Public Key Infrastructure (SPKI), and Public Key Cryptographic Standards (PKCS) have proposed a global public key infrastructure, but there is no universal standard that has been agreed upon for a public key infrastructure, and implementations of the existing standards are often not interoperable.

On the Web

•

VeriSign, Inc. : http://www.verisign.com

Public Switched Telephone Network (PSTN)

The public telephone network managed by the local telco and long-distance carriers. The Public Switched Telephone Network (PSTN) consists of a digital backbone of switched circuits together with the analog local loop wiring still found in many residences. The PSTN is also known as the Plain Old Telephone Service (POTS), although that term specifically relates to the older, nondigital portion of the PSTN. The PSTN provides the most popular basis for creating wide area networks (WANs) through both leased lines and dial-up lines between local and remote networks. PSTN is often used in wide area networking because of its ubiquitous nature—local loop connections exist almost everywhere in the world.

publishing

In Active Directory of Microsoft Windows 2000, the process of making directory objects accessible to users on the network. Objects created in Active Directory are automatically published on the network. For example, when you create a new user object (information about that user, such as the user’s phone number and e-mail address) users on the network can look up that information using Active Directory.

If an object that doesn’t reside in Active Directory (such as a shared folder or shared printer) is published, Active Directory points to its location on the network. Most objects are automatically published in Active Directory if they reside on computers running Windows 2000, but you might have to manually publish the location of other objects, such as shared folders and printers on downlevel computers running Windows NT.

TIP

When you consider whether to publish an object in Active Directory, think about whether the information will be changed frequently. Published information should be relatively static. Information should be published when it will be useful to a large segment of the enterprise community. Structured information is more useful to publish than individual items such as files, which should be published instead in file systems accessed through share points. Applications can publish their connection points and application data in Active Directory.

pulse code modulation (PCM)

A common method of converting analog signals into digital signals.

How It Works

Pulse code modulation (PCM) devices receive analog signals with continually varying voltages and quantize these signals into discrete voltages sampled at regular time intervals, typically 8000 times per second, with each sample being 8 bits in size. This provides a total transmission rate of 64 Kbps, as in Integrated Services Digital Network (ISDN) digital telephone communication. The result of this quantization process is a series of discrete voltages over time. The voltage levels correspond to powers of 2 and represent a series of binary numbers so that the output of a PCM device is essentially a binary number.

A typical PCM device consists of a sample-and-hold circuit that samples the analog voltage signal and holds it long enough so that an analog-to-digital converter can convert it into digital (binary) format. A single device plus its associated software that can perform both the analog-to-digital conversion and its reverse is known as a codec or coder/decoder.

PVC

See permanent virtual circuit (PVC)

PVC cabling

See polyvinyl chloride (PVC) cabling

PWS

See Microsoft Personal Web Server (PWS)

Microsoft Encyclopedia of Networking

ISBN: 0735613788
EAN: 2147483647

Year: 2000
Pages: 37

Authors: Mitch Tulloch, Ingrid Tulloch

BUY ON AMAZON