
Comparing Active Directory to NDS by requirement

Requirement: Scalability without Complexity
Active Directory:
• Partition boundary is a Windows 2000 domain to enable direct access to all objects in a domain
• Partitions use indexed data store for fast retrieval
• Designed to hold millions of objects
NDS:
• Partitions are not indexed
• Novell recommends a maximum of 1,000 objects per partition and that partitions should not span WAN links
• Administrators must manage partition sizes and restructure partitions as they fill up

Requirement: Internet Standards Support
Active Directory:
• Implemented as a native LDAP server that requires no request translation
• Consistent interpretation of access control rights when access is through LDAP
• Provides LDAP-based access to all features
NDS:
• Provides LDAP support through server-based interface that must be installed on NDS servers individually
• LDAP requests must be translated to NDS formats
• Limited LDAP-based access to NDS features

Requirement: Flexible Security Services
Active Directory:
• Provides support for popular security technologies such as Kerberos and Smart Cards
• Catalog enforces object- and attribute-level security
• No restrictions on security groups that span partitions (domains)
NDS:
• Lacks support for Kerberos and Smart Cards
• Catalog does not enforce object- and attribute-level security within the catalog database
• Novell recommends that administrators minimize the use of groups that span partitions

Requirement: Comprehensive Development Environment
Active Directory:
• Provides COM-based Active Directory Services Interface (ADSI) for simplified development
• JADSI supports access from Java applications
• Provides LDAP-based access to all features
NDS:
• No ADSI implementation for use by applications running on NetWare
• JNDI supports access from Java applications
• Limited LDAP-based access to NDS features

Table 2. Comparing Active Directory to NDS by role

Role: Security Authentication and Authorization Services
Active Directory:
• Provides support for popular security technologies such as Kerberos and Smart Cards
• Catalog enforces object- and attribute-level security
• Scales to support large numbers of Extranet users
NDS:
• Lacks support for Kerberos and Smart Cards
• Catalog does not enforce object- and attribute-level security within the catalog database
• Partition size limits complicate Extranet use

Role: Centralized Directory Management
Active Directory:
• Provides the scalability required to consolidate large directories without administrative complexity
• Built-in LDAP-based change history interfaces facilitate use as a metadirectory platform
• Catalog architecture enables fast, efficient query of large number of objects
NDS:
• Partition size restrictions limit use for directory consolidation
• Provides no formal way to request change history information; requires customized synchronization agents
• Catalog architecture forces tradeoffs between speed and consistency with underlying partitions

Traffic Analysis
Traffic is data transmitted over a network. It is a very general term and typically refers to
overall network usage at a given moment. However, it can refer to specific transactions,
messages, records or users in any kind of data or telephone network. Traffic analysis is
the process of intercepting and examining messages in order to deduce information
from patterns in communication. It can be performed even when the messages
are encrypted and cannot be decrypted. In general, the greater the number of messages
observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic
analysis can be performed in the context of military intelligence or counter-intelligence,
and is a concern in computer security.

Traffic analysis tasks may be supported by dedicated computer software programs,
including commercially available programs such as those offered by i2, Visual Analytics,
Memex, Orion Scientific, etc. It is difficult to defeat traffic analysis without both encrypting
messages and masking the channel. When no actual messages are being sent, the channel
can be masked [8] by sending dummy traffic, similar to the encrypted traffic, thereby
keeping bandwidth usage constant. [9] "It is very hard to hide information about the size or
timing of messages. The known solutions require Alice to send a continuous stream of
messages at the maximum bandwidth she will ever use...This might be acceptable for
military applications, but it is not for most civilian applications." The military-versus-civilian
problem applies in situations where the user is charged for the volume of information sent.
Even for Internet access, where there is no per-packet charge, ISPs make the statistical
assumption that connections from user sites will not be busy 100% of the time. The user
cannot simply increase the bandwidth of the link, since masking would fill that as well. If
masking, which often can be built into end-to-end encryptors, becomes common practice,
ISPs will have to change their traffic assumptions.
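
The channel masking described above, as an added example that is not part of the original page: a sender emits one fixed-size cell per tick, filled with real data or dummy bytes, so an observer sees the same sizes and timing whether the sender is busy or idle. The cell size, the header layout and the two schedules are assumptions constructed for the illustration.

```python
import os

CELL = 256                 # fixed on-wire cell size in bytes (assumed value)
HEADER = 3                 # 1 flag byte + 2-byte big-endian chunk length
CAPACITY = CELL - HEADER   # real bytes one cell can carry

def mask_channel(schedule, ticks):
    """Send exactly one CELL-byte cell per tick, carrying real data or dummy fill.

    schedule maps tick -> list of messages (bytes) the application submits at that tick.
    In a real link each cell is encrypted, so flag and length are hidden too.
    """
    pending, cells = bytearray(), []
    for t in range(ticks):
        for msg in schedule.get(t, []):
            pending += msg
        chunk = bytes(pending[:CAPACITY])
        del pending[:CAPACITY]
        fill = os.urandom(CAPACITY - len(chunk))      # dummy bytes keep the size constant
        cells.append(bytes([1 if chunk else 0]) + len(chunk).to_bytes(2, "big") + chunk + fill)
    return cells

def unmask(cells):
    """Receiver side: drop dummy cells and padding, return the real byte stream."""
    out = bytearray()
    for cell in cells:
        if cell[0] == 1:
            out += cell[3:3 + int.from_bytes(cell[1:3], "big")]
    return bytes(out)

def observer_view(cells):
    """All an on-path observer can measure without the key: one cell size per tick."""
    return [len(c) for c in cells]

def overhead(schedule, cells):
    """Bytes on the wire per real byte delivered: the bandwidth cost of masking."""
    real = sum(len(m) for msgs in schedule.values() for m in msgs)
    return float("inf") if real == 0 else sum(map(len, cells)) / real

# Constructed schedules: a busy sender and a nearly idle one over the same 10 ticks.
BUSY = {0: [b"A" * 600], 1: [b"B" * 100]}
QUIET = {7: [b"hi"]}

if __name__ == "__main__":
    for name, sched in (("busy", BUSY), ("quiet", QUIET)):
        cells = mask_channel(sched, 10)
        print(name, observer_view(cells), round(overhead(sched, cells), 1))
```

Both schedules produce an identical observer view, while the overhead figure for the quiet sender shows why a link that is always full conflicts with volume-based charging and with ISP assumptions about idle time.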

Protocol Analysis
Network protocol analysis is the process by which a program or a device decodes network
protocol headers and trailers to understand the data and information inside the packet
encapsulated by the protocol. To conduct protocol analysis, packets must be captured in
real time for line-speed analysis or stored for later analysis. Such a program or device is called a
Protocol Analyzer. In a typical network architecture, a layered approach is used to
design network protocols and communications. The most popular network architecture
reference model is called the OSI model. The protocols at one layer should communicate
with protocols at the same layer. The key function of a protocol analyzer is to decode the
protocol at each layer. Protocol information from multiple layers may be used by a protocol
analyzer to identify possible problems in the network communication, which is called Expert
Analysis. This critical function is deployed by many leading protocol analyzer products,
such as Network General Sniffer Pro, for advanced network troubleshooting. Protocol
analyzers may decode multiple layer protocols and packets to reconstruct lower-level
packets (such as Link, IP or TCP level) into higher-level (such as application-level) messages
for deep understanding of network traffic and user activities. This technique is used in
protocol analyzers when network traffic monitoring and user surveillance are the primary
goals.
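
The layer-by-layer decoding described above, as an added example that is not part of the original page: each function decodes one layer's header, validates its length fields, and hands the remaining bytes to the next layer. The sample frame is constructed for the illustration; Ethernet, IPv4 and TCP are the layers chosen here, and checksums are not verified.

```python
import socket
import struct

def decode_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}, frame[14:]

def decode_ipv4(packet):
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length is given in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total <= len(packet):
        raise ValueError("malformed IPv4 header")
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    return hdr, packet[ihl:total]                   # cut at total length to drop link padding

def decode_tcp(segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    offset = (off_flags >> 12) * 4                  # data offset skips any TCP options
    if not 20 <= offset <= len(segment):
        raise ValueError("malformed TCP header")
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    flags = [n for i, n in enumerate(names) if off_flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags}, segment[offset:]

def decode_frame(frame):
    """Decode one captured frame layer by layer; stop at the first unknown protocol."""
    layers = {}
    layers["ethernet"], rest = decode_ethernet(frame)
    if layers["ethernet"]["ethertype"] == 0x0800:   # IPv4
        layers["ipv4"], rest = decode_ipv4(rest)
        if layers["ipv4"]["proto"] == 6:            # TCP
            layers["tcp"], rest = decode_tcp(rest)
    layers["payload"] = rest
    return layers

# Constructed sample frame (documentation addresses, checksums left at zero).
PAYLOAD = b"GET / HTTP/1.1\r\n"
TCP = struct.pack("!HHIIHHHH", 49152, 80, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0)
IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(PAYLOAD), 1, 0, 64, 6, 0,
                 socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
ETH = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800)
SAMPLE_FRAME = ETH + IP + TCP + PAYLOAD + b"\x00" * 4   # trailing bytes stand in for padding

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
```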
