TRANSCRIPT
Appendix B: Review
Overview
Reviewing TCP/IP
Reviewing Routing
How DHCP Operates in an Enterprise Environment
Reviewing WINS
Reviewing IPSec
Lesson: Reviewing TCP/IP
TCP/IP Features
The Role of TCP/IP in the Windows Server 2003 Network
The TCP/IP Protocol Suite
IPv6 vs. IPv4
TCP/IP Features
Windows Server 2003 supports:
Standard TCP/IP features
Internet Group Management Protocol (IGMP) version 3
Alternate configuration in the absence of a DHCP server
Automatic determination of the interface metric
IP version 6
The Role of TCP/IP in the Windows Server 2003 Network
TCP/IP resolves these enterprise requirements:
A standard, routable enterprise networking protocol
Connection of dissimilar systems
A robust, scalable, cross-platform client/server framework
Internet access
The TCP/IP Protocol Suite
OSI Model Layers                    TCP/IP Architecture Layers   TCP/IP Protocol Suite
Application, Presentation, Session  Application                  Telnet, FTP, SMTP, DNS, RIP, SNMP
Transport                           Host-to-host transport       TCP, UDP
Network                             Internet                     IP, ARP, ICMP, IGMP
Data-link, Physical                 Network Interface            Ethernet, Token ring, Frame relay, ATM
IPv6 vs. IPv4
Feature                         IPv4                  IPv6
Address length                  32 bits               128 bits
IPSec support                   Optional              Required
QoS support                     Some                  Better
Fragmentation                   Hosts and routers     Hosts only
Checksum in header              Yes                   No
Options in header               Yes                   No
Link-layer address resolution   ARP                   Multicast Neighbor Discovery messages
Broadcast usage                 Yes                   No
Configuration                   Manual, DHCP          Automatic
DNS name queries                Uses A records        Uses AAAA records
DNS reverse queries             Uses IN-ADDR.ARPA     Uses IP6.INT
Minimum MTU                     576 bytes             1,280 bytes
Lesson: Reviewing Routing
Multimedia: The Role of Routing in a Networking Infrastructure
Reviewing the Routing Table
Reviewing Static and Dynamic Routes
Multimedia: The Role of Routing in a Networking Infrastructure
The objective of this presentation is to explain the role of routing in a network infrastructure
You will learn how to:
Describe how routing fits into the network infrastructure
Explain the difference between local and remote routing
Describe how the Microsoft Routing and Remote Access service fits into the network infrastructure
Reviewing the Routing Table
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 90 27 16 84 10 ...... Intel(R) PRO PCI Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.200   192.168.1.201       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.248.0    192.168.1.201   192.168.1.201       1
    192.168.1.201  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255    192.168.1.201   192.168.1.201       1
        224.0.0.0        224.0.0.0    192.168.1.201   192.168.1.201       1
  255.255.255.255  255.255.255.255    192.168.1.201   192.168.1.201       1
Default Gateway:     192.168.1.200
===========================================================================
Persistent Routes:
  None

C:\>
C:\Documents and Settings\Administrator>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 02 b3 10 10 da ...... Intel(R) PRO/100+ Management Adapter
0x10004 ...00 02 b3 26 e2 b9 ...... Intel(R) PRO/100+ Management Adapter #2
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         10.0.0.0    255.255.255.0         10.0.0.1        10.0.0.1      30
         10.0.0.1  255.255.255.255        127.0.0.1       127.0.0.1      30
    10.255.255.255  255.255.255.255         10.0.0.1        10.0.0.1      30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1      20
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.1     192.168.0.1      20
        224.0.0.0        240.0.0.0         10.0.0.1        10.0.0.1      30
        224.0.0.0        240.0.0.0      192.168.0.1     192.168.0.1      20
  255.255.255.255  255.255.255.255         10.0.0.1        10.0.0.1       1
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1       1
===========================================================================
Persistent Routes:
  None

C:\>
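Added example (not part of the course material): how a host picks a route from a table like the ones above. The rows are copied from the first route print output and from the two 224.0.0.0 entries of the second one; the selection rule shown, longest matching netmask first and lowest metric on a tie, is the same one Windows applies, so an unexpected more-specific or lower-metric entry on a reviewed host is the thing to look for.

```python
import ipaddress

# Rows copied from the first "route print" output above:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT_ROWS = """\
0.0.0.0 0.0.0.0 192.168.1.200 192.168.1.201 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.248.0 192.168.1.201 192.168.1.201 1
192.168.1.201 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.1.255 255.255.255.255 192.168.1.201 192.168.1.201 1
224.0.0.0 224.0.0.0 192.168.1.201 192.168.1.201 1
255.255.255.255 255.255.255.255 192.168.1.201 192.168.1.201 1
"""

# The two multicast rows of the second (multihomed) table: same prefix,
# different interfaces and metrics, so only the metric can decide.
MULTIHOMED_ROWS = """\
224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1 30
224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 20
"""

def parse_routes(text):
    """Turn whitespace-separated route rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def select_route(routes, dst):
    """Longest-prefix match; ties broken by lowest metric. None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))

def next_hop(routes, dst):
    """Describe where a packet to dst is sent; on_link means no gateway is used."""
    r = select_route(routes, dst)
    if r is None:
        return None
    net, gw, iface, metric = r
    # In "route print" an on-link route lists the interface's own address as gateway.
    return {"network": str(net), "gateway": gw, "interface": iface,
            "metric": metric, "on_link": gw == iface}
```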
Reviewing Static and Dynamic Routes
Static routes
Dynamic routes
C:\>route add
Diagram: Corporate Headquarters connected to two Branch Offices over networks X, Y and Z, with routing tables for Router A and Router B (entries for Network X and Network Y, Network X and Network Z, and Network Y and Network Z).
Lesson: How DHCP Operates in an Enterprise Environment
The DHCP Lease Generation Process
How a DHCP Server Services Remote Segments
How Scopes and Superscopes Function in an Environment
Fault Tolerance in the DHCP Implementation Process
DHCP Interoperability Options
The DHCP Lease Generation Process
Exchange between the DHCP Client and the DHCP Servers:
1. DHCP Discover
2. DHCP Offer
3. DHCP Request
4. DHCP Acknowledge
How a DHCP Server Services Remote Segments
Diagram: DHCP clients broadcast on their own segments; the broadcast is forwarded to the DHCP server either by an RFC-1542 compliant router or, on a non-RFC-1542 compliant router, by a DHCP Relay Agent.
How Scopes and Superscopes Function in an Environment
Diagram: the DHCP Server holds Superscope A, which groups Scope1 (192.168.1.1 to 192.168.1.254) and Scope2 (192.168.22.1 to 192.168.22.254).
Fault Tolerance in the DHCP Implementation Process
Failover solution: DHCP clustered resource
Resource requirements: disk resource, IP address resource, name resource
Configuration requirements: database path, audit log file path, database backup path
Failover solution: Multiple DHCP servers
Deploy two DHCP servers in the same network that share a split-scope configuration based on the 80/20 rule
DHCP Interoperability Options
Service and interoperability options:
Routing and Remote Access: Allow a remote access server to obtain an IP address; enable the remote access server to request IP addresses on an as-needed basis
DNS: Enable DNS dynamic updates according to preferences; discard A and PTR records when the lease is deleted; dynamically update A and PTR records for DHCP clients that do not request updates
WINS: Configure a WINS scope option
Active Directory: Allow authorization of the DHCP server within Active Directory
Practice: Identifying Integration Issues
In this practice, you will learn how to determine a network configuration that meets the needs provided in the scenario
Lesson: Reviewing WINS
Multimedia: How WINS Clients Resolve Names
NetBIOS Node Types
WINS Proxies
Burst Handling
WINS Records
WINS Replication
The WINS Database
Multimedia: How WINS Clients Resolve Names
The objective of this presentation is to explain how WINS clients resolve a NetBIOS name to an IP address
You will learn how to:
Explain the functionality of a WINS server in a routed network
Identify the default node for a WINS client
Explain the process for using a WINS server to resolve a NetBIOS name to an IP address
NetBIOS Node Types
Node type, description and impact:
b-node: Uses broadcast NetBIOS name queries for name registration and resolution. Slows network performance.
p-node: Uses a NetBIOS name server (NBNS) to resolve NetBIOS names. Improves network performance.
m-node: Is a combination of b-node and p-node types. By default, m-node broadcasts. If this is unsuccessful, it queries an NBNS. Slows network performance.
h-node: Is a combination of b-node and p-node types. By default, h-node queries an NBNS. If this is unsuccessful, it uses broadcast to resolve the name. Improves network performance.
The default is h-node for WINS clients
WINS Proxies
Diagram: Subnet A and Subnet B joined by an IP router, with Host A (NetBIOS b-node client), Host B (WINS proxy), Host C (WINS client) and the WINS server WINS A.
Burst Handling
Burst handling is the response of a WINS server to a large number of WINS clients that are trying to simultaneously register their local names in WINS
1. Request to register
2. Registered
WINS Records
A WINS record shows:
The registered NetBIOS name, which can be a unique name, or a group, internet group, or multihomed computer
The service that registered the entry, including the hexadecimal type identifier
The IP address that corresponds to the registered name
The state of the database entry, which can be active, released, or tombstoned
“x” to indicate that the entry is static; “null” or blank if the entry is not static
The WINS server from which the entry originates
A unique hexadecimal number that the WINS server assigns during name registration
When the entry will expire
How WINS records are used
NetBIOS clients and servers use WINS records to identify the name and services associated with a given computer
WINS Replication
Diagram: WINS-A, WINS-B, WINS-C and WINS-D configured as push partners, pull partners, or push/pull partners. Replication sequence:
1. Threshold reached
2. Notification
3. Request
4. Send
The WINS Database
The WINS database:
Stores records
Is governed by four timers
Is dependent on an internal system clock
Requires consistency checking
Lesson: Reviewing IPSec
Understanding Vulnerabilities
Threat Analysis
What Is IPSec?
Microsoft IPSec Features
Advantages and Disadvantages of IPSec
IPSec Security Services
Authentication Methods
How IPSec Is Deployed
Understanding Vulnerabilities
Vulnerability and examples:
Weak passwords: Passwords that can be easily guessed
Unencrypted data transfer: Data transfer that may allow the exchange and verification of identities while exposing that information to interpretation by an attacker
Weak security on Internet connections: Packets to and from a source or destination address or port may be allowed
Other vulnerabilities: Social engineering, unpatched software, incorrectly configured hardware and software
Threat Analysis
Threat analysis
1. Identify threats
2. Prioritize threats based on:
Probability of occurrence
Severity of potential damage
3. Divide the number representing damage by the number representing probability to determine the threat level
4. Address threats with the highest threat levels first
What Is IPSec?
Can use security protocols to encrypt or digitally sign traffic
Can use tunnel mode to secure traffic between two networks
Can use transport mode to secure traffic between any two hosts
Diagram: Tunnel Mode shown between two routers; Transport Mode shown end to end across a router.
Microsoft IPSec Features
Implementation and description:
Policy-based configuration management: Makes configuration, implementation, and administration easier
IPSec functionality over NAT: Automatically detects the presence of a NAT device and uses UDP-ESP encapsulation to allow IPSec traffic to pass through the NAT
IPSec certificate-to-account mapping: Allows you to set restrictions on which computers are allowed to connect
Default traffic exemptions: Exempts only Internet Key Exchange (IKE) traffic from IPSec filtering
Command-line management: Scripts and automates IPSec configuration
Computer startup security: Permits only the following traffic during computer startup
Persistent policy for enhanced security: Is applied before the local policy or the Active Directory–based policy
Advantages and Disadvantages of IPSec
Advantages
Flexible security protocols
Transparent to users and applications
Authentication
Confidentiality
Open industry (IETF) standards
Data integrity
Dynamic rekeying
Secure end-to-end links
Easy implementation and centralized management by using policies
Disadvantages
Administrative overhead
Increased performance requirement
Supportability
Policy management
Local policy configuration
IPSec Security Services
Feature Description
Automatic key management
IKE services dynamically exchange and manage keys between communicating computers
Automatic security negotiation
IKE services dynamically negotiate a common set of security settings between the communicating computers
Public key infrastructure support
IPSec supports the use of public key certificates for authentication
Preshared key support
IPSec can use a preshared key for authentication
Authentication Methods
Kerberos V5
The default authentication method for IPSec
Public key certificates
Using this authentication method, security credentials can be presented without being compromised in the process
Preshared key authentication
Both parties agree on a shared, secret key that is used for authentication in an IPSec policy
How IPSec Is Deployed
Using policy-based management
Easy management
Easy implementation
Eliminates administrative overhead
Using local policies
One local policy
Group Policy settings can be stored on individual computers