Endalkachew Admassu

ID=11,509/17
Comp.Eng(Extention)
Date 28/11/2020
Distributed system Assignment 1
_____________________________________________________________________
Question 1 Explain and compare the following Networking Elements
• Hub
• Switch
• Firewall
• Router
• Modem

Answer
1. Hub – A hub is basically a multiport repeater. A hub connects multiple wires
coming from different branches, for example, the connector in star topology which
connects different stations. Hubs cannot filter data, so data packets are sent to all
connected devices. In other words, collision domain of all hosts connected through
Hub remains one. Also, they do not have intelligence to find out best path for data
packets which leads to inefficiencies and wastage.
Notice:- A repeater operates at the physical layer. Its job is to regenerate the signal
over the same network before the signal becomes too weak or corrupted so as to
extend the length to which the signal can be transmitted over the same network. An
important point to be noted about repeaters is that they do not amplify the signal.
When the signal becomes weak, they copy the signal bit by bit and regenerate it at
the original strength. It is a 2 port device.  
Types of Hub 

 Active Hub: - These are the hubs which have their own power supply and can
clean, boost and relay the signal along with the network. It serves both as a
repeater as well as wiring center. These are used to extend the maximum
distance between nodes.
 Passive Hub: - These are the hubs which collect wiring from nodes and
power supply from active hub. These hubs relay signals onto the network
without cleaning and boosting them and can’t be used to extend the distance
between nodes.

1|Page
  Intelligent Hub: - It work like active hubs and include remote management
capabilities. They also provide flexible data rates to network devices. It also
enables an administrator to monitor the traffic passing through the hub and to
configure each port in the hub.
2. Switch   – A switch is a multiport bridge with a buffer and a design that can
boost its efficiency (a large number of ports imply less traffic) and performance. A
switch is a data link layer device.  The switch can perform error checking before
forwarding data, that makes it very efficient as it does not forward packets that have
errors and forward good packets selectively to correct port only.   In other words,
switch divides collision domain of hosts, but  broadcast domain remains same.
Notice: - A bridge operates at data link layer. A bridge is a repeater, with add on
the functionality of filtering content by reading the MAC addresses of source and
destination. It is also used for interconnecting two LANs working on the same
protocol. It has a single input and single output port, thus making it a 2 port device.

4.  Routers  – A router is a device like a switch that routes data packets based on
their IP addresses. Router is mainly a Network Layer device. Routers normally
connect LANs and WANs together and have a dynamically updating routing table
based on which they make decisions on routing the data packets. Router divide
broadcast domains of hosts connected through it.

2|Page
3) Firewall
firewall is a network security system which monitors and takes actions (permit or deny traffic) on
the basis of policies defined explicitly. It can be performed by a single device, group of devices or
by software running on a single device like server
Firewall Methodologies
There are certain methods through which firewall can be implemented. These are as
follows:
1. Static packet filtering – Packet filtering is a firewall technique used to
control access on the basis of source IP address, destination IP address,
source Port number and destination port number. It works on layer 3 and 4 of
OSI model. Also, an ACL doesn’t maintain the state of session. A router with
ACL applied on it is an example of static packet filtering.
Advantages –
 If the administrator has a good knowledge of network, it is easy to
implement.
 It can be configured on almost all routers.
 It has minimal effect on network performance.

3|Page
Disadvantage –
 Large amount of ACLs are difficult to maintain.
 ACLs uses IP address for filtering. If someone spoofs the same source
IP address, then that will be allowed by ACL.
2. Stateful Packet filtering - In stateful packet filtering, the state of the
sessions are maintained i.e when a session is initiated within a trusted
network, it’s source and destination IP address, source and destination ports
and other layer information are recorded. By default, all the traffic from
untrusted network is denied.
The replies of this session will be allowed only when the IP addresses (source and
destination IP address) and port numbers (source and destination) are swapped.
Advantages –
 Dynamic in nature as compared to static packet filtering.
 Not susceptible to IP spoofing.
 Can be implemented on routers.
Disadvantage –
 Might not be able to prevent application layer attack.
 Some applications open dynamic ports on the server side, if the
firewall is analyzing this, it can cause application failure. This is
where application inspection comes into use.
3. Proxy firewalls –These are also known as application layer firewalls. Proxy
firewall acts as an intermediary between the original client and the server. No
direct connection takes place between the original client and the server.
The client, who has to establish a connection directly to the server to communicate
with it, now have to establish a connection with proxy server. The proxy server then
establishes a connection with the server on the behalf of client. Now, the client
sends the data to the proxy server and proxy server forwards it to the server. Proxy
server can operate upto layer 7 (application layer).
Advantage –
 Difficult to attack server as proxy server is the intermediate between
the client and the server.
 Can provide detailed logging.
 Can be implemented on common hardware.
Disadvantage –
 Processor intensive

4|Page
  Memory and disk intensive
 Single point of failure in network security
4. Application inspection –These can analyze the packet up to layer 7 (deep
inspection) but can’t act as a proxy server. These can deeply analyze
conversation between a client and server even when the server is assigning a
dynamic port to the client therefore it doesn’t fail in these cases (which can
occur in stateful firewall).
Advantages –
 Can analyze deeper into the conversation between the server and the
client.
 If there is a protocol anomaly happening from standard, then it can
deny the packets.
5. Transparent firewall –By default, the firewall operates at layer 3 but the
benefit of using transparent firewall is that it can operate at layer 2. It has 2
interfaces which will act like a bridge so can be configured through a single
management IP address. Also, users accessing the network will not even
know about that a firewall exists.
The main advantage of using transparent firewall is that we don’t need to re-address
our networks while putting up a firewall in our network. Also, while operating at
layer 2, it can still perform functions like building stateful database, application
inspection etc.
6. Network Address Translation (NAT) – NAT is implemented on a router or
firewall. NAT is used to translate private IP address into a public IP address
through which we can hide our source IP address.
And if we are using dynamic NAT or PAT, an attacker will not be able to
know that what devices are dynamically assigned which IP address from the
pool. This makes difficult to make a connection from outside world to our
private network.
7. Next-Generation Firewalls –NGFWs are third generation security firewall
that is implemented in either in software or device. It combines basic firewall
properties like static packet filtering, application inspection with advanced
security features like integrated intrusion prevention system. Cisco ASA with
firePOWER services is an example of Next-Generation firewall.

5) Modem: - is short for "Modulator-Demodulator." It is a hardware

component that allows a computer or another device, such as a router or switch, to
connect to the Internet. It converts or "modulates" an analog signal from a telephone
or cable wire to digital data (1s and 0s) that a computer can recognize. Similarly, it
converts digital data from a computer or other device into an analog signal that can
be sent over standard telephone lines.

5|Page
 The first modems were "dial-up," meaning they had to dial a phone number to
connect to an ISP. These modems operated over standard analog phone lines and
used the same frequencies as telephone calls, which limited their maximum data
transfer rate to 56 Kbps. Dial-up modems also required full use of the local
telephone line, meaning voice calls would interrupt the Internet connection.
Modern modems are typically DSL or cable modems, which are considered
"broadband" devices. DSL modems operate over standard telephone lines, but use a
wider frequency range. This allows for higher data transfer rates than dial-up
modems and enables them to not interfere with phone calls. Cable modems send and
receive data over standard cable television lines, which are typically coaxial cables.
Most modern cable modems support DOCSIS (Data Over Cable Service Interface
Specification), which provides an efficient way of transmitting TV, cable Internet,
and digital phone signals over the same cable line.
NOTE: Since a modem converts analog signals to digital and vice versa, it may be
considered an ADC or DAC. Modems are not needed for fiber optic connections
because the signals are transmitted digitally from beginning to end.

Comparison among hub vs switch vs router here:

template Hub Switch Router

Layer Physical layer Data link layer Network layer
To connect a network of Allow connections to
personal computers multiple devices, manage
Function Direct data in a network
together, they can be joined ports, manage VLAN
through a central hub security settings
Data
Transmission electrical signal or bits frame & packet packet
form
multi-port, usually between 4
Port 4/12 ports 2/4/5/8 ports
and 48
First broadcast, then unicast At Initial Level Broadcast
Transmission Frame flooding, unicast,
and/or multicast depends on then Uni-cast and
type multicast or broadcast
the need multicast
Device type Non-intelligent device Intelligent device Intelligent device
Used in(LAN,
LAN LAN LAN, MAN, WAN
MAN, WAN)

6|Page
 Transmission
Half duplex Half/Full duplex Full duplex
mode
1-100Mbps(wireless);
Speed 10Mbps 10/100Mbps, 1Gbps
100Mbps-1Gbps(wired)
Address used for
MAC address MAC address IP address
data transmission

Question 2:- Explain the following

1-NAT 2-DNS 3-VPNs 4-VPN 5-Tunneling

ANSWER
1-Network Address Translation (NAT ) is the process where a
network device, usually a firewall, assigns a public address to a computer (or group
of computers) inside a private network. The main use of NAT is to limit the
number of public IP addresses an organization or company must use, for both
economy and security purposes.

The most common form of network translation involves a large private network
using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to
172.31.255.255, or 192.168.0 0 to 192.168.255.255). The private addressing
scheme works well for computers that only have to access resources inside the
network, like workstations needing access to file servers and printers. Routers
inside the private network can route traffic between private addresses with no
trouble. However, to access resources outside the network, like the Internet, these
computers have to have a public address in order for responses to their requests to
return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite
complex but happen so rapidly that the end user rarely knows it has occurred. A
workstation inside a network makes a request to a computer on the Internet.
Routers within the network recognize that the request is not for a resource inside
the network, so they send the request to the firewall. The firewall sees the request
from the computer with the internal IP. It then makes the same request to the
Internet using its own public address, and returns the response from the Internet
resource to the computer inside the private network. From the perspective of the
resource on the Internet, it is sending information to the address of the firewall.

7|Page
From the perspective of the workstation, it appears that communication is directly
with the site on the Internet. When NAT is used in this way, all users inside the
private network access the Internet have the same public IP address when they use
the Internet. That means only one public addresses is needed for hundreds or even
thousands of users.
Most modern firewalls are stateful - that is, they are able to set up the
connection between the internal workstation and the Internet resource. They can
keep track of the details of the connection, like ports, packet order, and the IP
addresses involved. This is called keeping track of the state of the connection. In
this way, they are able to keep track of the session composed of communication
between the workstation and the firewall, and the firewall with the Internet. When
the session ends, the firewall discards all of the information about the connection.
There are other uses for Network Address Translation (NAT) beyond
simply allowing workstations with internal IP addresses to access the Internet. In
large networks, some servers may act as Web servers and require access from the
Internet. These servers are assigned public IP addresses on the firewall, allowing
the public to access the servers only through that IP address. However, as an
additional layer of security, the firewall acts as the intermediary between the
outside world and the protected internal network. Additional rules can be added,
including which ports can be accessed at that IP address. Using NAT in this way
allows network engineers to more efficiently route internal network traffic to the
same resources, and allow access to more ports, while restricting access at the
firewall. It also allows detailed logging of communications between the network
and the outside world.
Additionally, NAT can be used to allow selective access to the outside
of the network, too. Workstations or other computers requiring special access
outside the network can be assigned specific external IPs using NAT, allowing
them to communicate with computers and applications that require a unique public
IP address. Again, the firewall acts as the intermediary, and can control the session
in both directions, restricting port access and protocols.
NAT is a very important aspect of firewall security. It conserves the
number of public addresses used within an organization, and it allows for stricter
control of access to resources on both sides of the firewall.

2-Domain Name Server(DNS): - is The Magic that Translates

Website Names into IP Addresses

8|Page
 Every time you visit a website, you are interacting with the largest distributed
database in the world. This massive database is collectively known as the DNS, or
the Domain Name System. Without it, the Internet as we know it would be unable
to function. The work that the DNS does happens so seamlessly and
instantaneously that you are usually completely unaware that it's even happening.
The only time that you'll get an inkling about what the DNS is doing is when
you're presented with an error after trying to visit a website. Learn more about
what the DNS is, how it works and why it's so critical by reading on below.
IP Addresses and Domain Names: In order to understand what the DNS is and
how it works, you need to have a basic understanding of IP addresses and domain
names. An IP address, or Internet Protocol address, is a complex string of numbers
that acts as a binary identifier for devices across the Internet. In short, an IP
address is the address that computers, servers and other devices used to identify
one another online.
A domain name is the information that you enter into a web browser in order
to reach a specific website. When you input a URL like www.example.com/index
into a web browser, its domain name is example.com. Basically, a domain name is
the human-friendly version of an IP address. Businesses vie for easy-to-remember
domain names, since they make it easier for people to remember how to find them
online. If people had to remember complex IP addresses in order to navigate the
Internet, it wouldn't be nearly as useful or enjoyable.
Translating Domain Names into IP Addresses: - Although it's possible to
enter an IP address into a web browser into order to get to a website, it's a lot easier
to enter its domain name instead. However, computers, servers and other devices
are unable to make heads or tails of domain names - they strictly rely on binary
identifiers. The DNS's job, then, is to take domain names and translate them into
the IP addresses that allow machines to communicate with one another. Every
domain name has at least one IP address associated with it.
Top Level Domains, Root Servers and Resolvers: - The DNS is a
remarkable database. It doesn't perform its work alone, though. Things called Top
Level Domains (TLDs) and root servers do a lot of the heavy lifting for the DNS.
A Top Level Domain refers to the part of a domain name that comes after the
period. For instance, the TLD of example.com is COM. While there's an ever-
expanding number of domain names, there's a relatively static number of Top
Level Domains; .com, .edu and .org are just a few key examples.

9|Page
 Specialized computers called root servers store the IP addresses of each Top
Level Domain's registries. Therefore, the first stop that the DNS makes when it
resolves, or translates, a domain name is at its associated root server. From there,
the requested domain name is sent along to a Domain Name Resolver, or DNR.
Domain Name Resolvers, or resolvers, are located within individual Internet
Service Providers and organizations. They respond to requests from root servers to
find the necessary IP addresses. Since the root server already recognizes the
.com, .edu or other part of the equation, it simply has to resolve the remainder of
the request. It usually does this instantly, and the information is forwarded to the
user's PC.
The DNS: A Huge Distributed Database: -Millions of people make changes
to the DNS every day, through new domain names, changes to IP addresses and
other requests. The unique structure of the DNS, though, keeps everything straight.
Duplicate domain names cannot exist within domains, but they can exist across
them - for instance, example.com and example.gov could be two separate locations
online. Otherwise, the highly organized and efficient nature of the DNS ensures
that you never have to worry about arriving at two different places each time you
input a domain name. When you enter a domain name, its IP address will be
resolved and you'll always arrive at the same place. Without the DNS, the Internet
wouldn't be useful, practical or enjoyable.

3-VLANs (virtual LAN):

A VLAN (virtual LAN) is a subnetwork which can group together collections of
devices on separate physical local area networks (LANs). A LAN is a group of
computers and devices that share a communications line or wireless link to a server
within the same geographical area.

VLANs make it easy for network administrators to partition a single switched

network to match the functional and security requirements of their systems without
having to run new cables or make major changes in their current network
infrastructure. VLANs are often set up by larger businesses to re-partition devices
for better traffic management.

10 | P a g e
VLANs are also important because they can help improve the overall performance
of a network by grouping together devices that communicate most frequently.
VLANs also provide security on larger networks by allowing a higher degree of
control over which devices have access to each other. VLANs tend to be flexible
because they are based on logical connections, rather than physical.

One or more network switches may support multiple, independent VLANs,

creating Layer 2 (data link) implementations of subnets. A VLAN is associated
with a broadcast domain. It is usually composed of one or more network switches.

Types of VLANs:

Types of VLANs include Protocol based, static and dynamic VLANs.

A Protocol VLAN- which has traffic handled based on its protocol. A switch will
segregate or forward traffic based on the traffics protocol.  

Static VLAN- also referred to as port-based VLAN, needs a network administrator

to assign the ports on a network switch to a virtual network; while:

Dynamic VLAN- allows a network administrator just to define network membership

based on device characteristics, as opposed to switch port location.

How VLAN works

Ports (interfaces) on switches can be assigned to one or more VLANs,
enabling systems to be divided into logical groups -- based on which department
they are associated with -- and establish rules about how systems in the separate
groups are allowed to communicate with each other. These groups can range from
the simple and practical (computers in one VLAN can see the printer on that
VLAN, but computers outside that VLAN cannot), to the complex and legal (for
example, computers in the retail banking departments cannot interact with
computers in the trading departments).
Each VLAN provides data link access to all hosts connected to switch ports
configured with the same VLAN ID. The VLAN tag is a 12-bit field in

11 | P a g e
the Ethernet header that provides support for up to 4,096 VLANs per switching
domain. VLAN tagging is standardized in IEEE (Institute of Electrical and
Electronics Engineers) 802.1Q and is often called Dot1Q.
When an untagged frame is received from an attached host, the VLAN ID tag
configured on that interface is added to the data link frame header, using the
802.1Q format. The 802.1Q frame is then forwarded toward the destination. Each
switch uses the tag to keep each VLAN's traffic separate from other VLANs,
forwarding it only where the VLAN is configured. Trunk links between switches
handle multiple VLANs, using the tag to keep them segregated. When the frame
reaches the destination switch port, the VLAN tag is removed before the frame is
to be transmitted to the destination device.
Multiple VLANs can be configured on a single port using
a trunk configuration in which each frame sent via the port is tagged with the
VLAN ID, as described above. The neighboring device's interface, which may be
on another switch or on a host that supports 802.1Q tagging, will need to support
trunk mode configuration to transmit and receive tagged frames. Any untagged
Ethernet frames are assigned to a default VLAN, which can be designated in the
switch configuration.
When a VLAN-enabled switch receives an untagged Ethernet frame from an
attached host, it adds the VLAN tag assigned to the ingress interface. The frame is
forwarded to the port of the host with the destination MAC address(media access
control address). Broadcast, unknown unicast and multicast (BUM traffic) is
forwarded to all ports in the VLAN. When a previously unknown host replies to an
unknown unicast frame, the switches learn the location of this host and do not
flood subsequent frames addressed to that host.
The switch-forwarding tables are kept up to date by two mechanisms. First,
old forwarding entries are removed from the forwarding tables periodically, often a
configurable timer. Second, any topology change causes the forwarding table
refresh timer to be reduced, triggering a refresh.
The Spanning Tree Protocol (STP) is used to create loop-free topology among
the switches in each Layer 2 domain. A per-VLAN STP instance can be used,
which enables different Layer 2 topologies or a multi-instance STP (MISTP) can
be used to reduce STP overhead if the topology is the same among multiple
VLANs. STP blocks forwarding on links that might produce forwarding loops,
creating a spanning tree from a selected root switch. This blocking means that

12 | P a g e
some links will not be used for forwarding until a failure in another part of the
network causes STP to make the link part of an active forwarding path.
The figure above shows a switch domain with four switches with two
VLANs. The switches are connected in a ring topology. STP causes one port to go
into blocking state so that a tree topology is formed (i.e., no forwarding loops). The
port on switch D to switch C is blocking, as indicated by the red bar across the
link. The links between the switches and to the router are trunking VLAN 10
(orange) and VLAN 20 (green). The hosts connected to VLAN 10 can
communicate with server O. The hosts connected to VLAN 20 can communicate
with server G. The router has an IPv4 subnet configured on each VLAN to provide
connectivity for any communications between the two VLANs.
Advantages and Disadvantages of VLAN
Advantages to VLAN include reduced broadcast traffic, security, ease of
administration and broadcast domain confinement.
However, a disadvantage of VLANs includes the limitation of 4,096 VLANs
per switching domain creates problems for large hosting providers, which often
need to allocate tens or hundreds of VLANs for each customer. To address this
limitation, other protocols, like VXLAN(Virtual Extensible
LAN), NVGRE (Network Virtualization using Generic Routing
Encapsulation) and Geneve, support larger tags and the ability to tunnel Layer 2
frames within Layer 3 (network) packets.
Finally, data communications between VLANs is performed by routers.
Modern switches often incorporate routing functionality and are called Layer 3
switches.

4-VPN: Get more from the Internet—especially privacy, anonymity and safety
—by using a VPN before you do anything online!
Who doesn't love the Internet? It delivers information, answers, entertainment and
connections to you, on demand, in seconds.
From anywhere and at any time from our desktop computers, laptops, smartphone
and tablets.
It's a life-saver for students of all ages, moms, businesses, organizations...everyone.

13 | P a g e
But the Internet is not perfect. It has some built-in flaws that make you vulnerable
when you're online. You should know that, because hackers, government and other
snoopers and advertisers take full advantage of it.

A VPN changes that for you!

But you can make the Internet safer, more secure and definitely more private with
the help of a VPN...a virtual private network.
You've probably been hearing more and more about VPNs for home use and travel.
That's because it's more important than ever to be smarter and safer while you're on
the Internet.
More than that, don't you want to go on the Internet without being tracked,
monitored, and identified...without your knowledge? In today's world, that freedom
is getting harder to find.

A VPN...described.
Here's a quick, helpful definition...and about all you need to know about a
VPN.

 A VPN is a service that you sign up for online for a small monthly
charge
 Once you have an account, your VPN service should be "on" when
you're online
 A VPN, in action, takes your Internet connection and makes it more
secure, helps you stay anonymous and helps you get around blocks
and access censored sites.
 The key to a VPN is that it lends you a temporary IP address and
hides your true IP address from every website or email you connect
with
It's Virtual...because it's as if you have a private connection directly to any website
or another computer you connect to.
It's Private...because all your website visits and online activity is between you and
the websites you visit.
It's a Network...because you're using a special network of VPN servers that covers
the entire globe.
Already overwhelmed and just want some help choosing the best VPN for you?
Try our VPN Simplifier and simplify the selection process. We've researched it for
you.

14 | P a g e
Your IP address is a potential problem. You may want to hide it.
Your IP address is a behind-the-scenes number your Internet provider assigns your
computer that allows you to go anywhere on the Internet. It's something like the
house number on your home.
That's the good news. The somewhat "bad" news is that your IP address also gives
away your computing location, at home or on the road. That bothers a lot of
computer users.
Why?
Because governments have tracked people down by their IP address, with the help
of the person's Internet Service Provider.
Also, online businesses of all kinds monitor activity coming from IP addresses.
They may not know your name, but they know you like their website.
Online companies and networks can (and do) restrict someone's access to a website
based on where the user is located. Guess how they know where the user is?
Right...the user's IP address.
Finally, hackers can break into networks and sometimes take over devices through
its IP address.
As hard as IT experts, Internet providers and technology companies try, the
Internet is not as safe or private as you wish it should be.
As you can see, we don't have nearly enough privacy, or security, as we'd like.

A virtual private network levels the playing field.

However, when you go online using a VPN account, you tilt the scales in your
favor. A VPN account can instantly and continuously provide...

 More privacy. Your connections cannot be linked to your computer...and

you. You can visit any website and your ISP doesn't know where you've
been.
 More security. VPN connections are super secure. The network is hack
proof and all of your Internet activity is encrypted (coded) and unreadable
in transit.
 More website access. No more blocks or censorship. They can't prevent
from getting to websites based an IP address.

15 | P a g e
 More anonymity. Your true IP address is hidden! You're unidentifiable
online because you're constantly using a different IP address, never your
own. In fact, it typically looks as if you're in a different part of the world
from where you really are.
Here's the best part. Everything else about your Internet experience stays virtually
the same.
But you will have so much more going for you.

Getting a VPN is a snap. Do it NOW.

Remember, you don't need to switch the Internet Provider Service you use at home
or the office to connect to the Internet.
You also don't need to buy any new equipment, like a modem or router, or hire
some squad of geeks to hook you up to anything.

5-Tunneling:

A technique of internetworking called Tunneling is used when source and destination networks of

same type are to be connected through a network of different type. For example, let us consider an
Ethernet to be connected to another Ethernet through a WAN as:

16 | P a g e
The task is sent on an IP packet from host A of Ethernet-1 to the host B of ethernet-2 via a WAN.
Sequence of events:
1. Host A construct a packet which contains the IP address of Host B.
2. It then inserts this IP packet into an Ethernet frame and this frame is addressed to the
multiprotocol router M1
3. Host A then puts this frame on Ethernet.
4. When M1 receives this frame, it removes the IP packet, inserts it in the payload packet of
the WAN network layer packet and addresses the WAN packet to M2. The multiprotocol
router M2 removes the IP packet and send it to host B in an Ethernet frame.
Why is this Technique called Tunneling?
In this particular example, the IP packet does not have to deal with WAN. the host A and B also do
not have to deal with the WAN. The multiprotocol routers M1 and M2 will have to understand
about IP and WAN packets. Therefore, the WAN can be imagined to be equivalent to a big tunnel
extending between multiprotocol routers M1 and M2 and the technique is called Tunneling.

17 | P a g e