appendix b: review. overview reviewing tcp/ip reviewing routing how dhcp operates in an enterprise...

Appendix B: Review

Overview

Reviewing TCP/IP

Reviewing Routing

How DHCP Operates in an Enterprise Environment

Reviewing WINS

Reviewing IPSec

Lesson: Reviewing TCP/IP

TCP/IP Features

The Role of TCP/IP in the Windows Server 2003 Network

The TCP/IP Protocol Suite

IPv6 vs. IPv4

TCP/IP Features

Windows Server 2003 supports:

Standard TCP/IP features

Internet Group Management Protocol (IGMP) version 3

Alternate configuration in the absence of a DHCP server

Automatic determination of the interface metric

IP version 6

The Role of TCP/IP in the Windows Server 2003 Network

TCP/IP resolves these enterprise requirements:TCP/IP resolves these enterprise requirements:

A standard, routable enterprise networking protocol

Connection of dissimilar systems

A robust, scalable, cross-platform client/server framework

Internet access

A standard, routable enterprise networking protocol

Connection of dissimilar systems

A robust, scalable, cross-platform client/server framework

Internet access

The TCP/IP Protocol Suite

OSI Model Layers

TCP/IP Architecture

Layers

TCP/IP Protocol Suite

Data-linkData-link

PhysicalPhysical

ApplicationApplication

PresentationPresentation

SessionSession

TransportTransport

NetworkNetwork

ApplicationApplication

Host-to-host transport

Host-to-host transport

InternetInternet

Network InterfaceNetwork Interface

TelnetTelnet FTPFTP SMTPSMTP DNSDNS RIPRIP SNMPSNMP

TCPTCP UDPUDP

IPIPARP

ICMPIGMP

EthernetEthernet Tokenring

Tokenring

Frame relay

Frame relay ATMATM

IPv6 vs. IPv4

Feature IPv4 IPv6

Address length 32 bits 128 bits

IPSec support Optional Required

QoS support Some Better

Fragmentation Hosts and routers Hosts only

Checksum in header Yes No

Options in header Yes No

Link-layer address resolution neighbor messages

ARP Multicast Discovery

Broadcast usage Yes No

Configuration for DHCP Manual, DHCP Automatic

DNS name queries Uses A records Uses AAAA records

DNS reverse queries Uses IN-ADDR.ARPA Uses IP6.INT

Minimum MTU 576 bytes 1,280 bytes

Lesson: Reviewing Routing

Multimedia: The Role of Routing in a Networking Infrastructure

Reviewing the Routing Table

Reviewing Static and Dynamic Routes

Multimedia: The Role of Routing in a Networking Infrastructure

The objective of this presentation is to explain the role of routing in a network infrastructure

You will learn how to:

Describe how routing fits into the network infrastructure

Explain the difference between local and remote routing

Describe how the Microsoft Routing and Remote Access service fits into the network infrastructure

Reviewing the Routing Table

C:\>route print===========================================================================Interface List0x1 ........................... MS TCP Loopback interface0x1000003 ...00 90 27 16 84 10 ...... Intel(R) PRO PCI Adapter======================================================================================================================================================Active Routes:Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.200 192.168.1.201 1 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 192.168.0.0 255.255.248.0 192.168.1.201 192.168.1.201 1 192.168.1.201 255.255.255.255 127.0.0.1 127.0.0.1 1 192.168.1.255 255.255.255.255 192.168.1.201 192.168.1.201 1 224.0.0.0 224.0.0.0 192.168.1.201 192.168.1.201 1 255.255.255.255 255.255.255.255 192.168.1.201 192.168.1.201 1Default Gateway: 192.168.1.200===========================================================================Persistent Routes: None C:\>

C:\Documents and Settings\Administrator>route print

IPv4 Route Table===========================================================================Interface List0x1 ........................... MS TCP Loopback interface0x10003 ...00 02 b3 10 10 da ...... Intel(R) PRO/100+ Management Adapter0x10004 ...00 02 b3 26 e2 b9 ...... Intel(R) PRO/100+ Management Adapter #2======================================================================================================================================================Active Routes:Network Destination Netmask Gateway Interface Metric 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 30 10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 30 10.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 30 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 20 192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20 192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 20 224.0.0.0 240.0.0.0 10.0.0.1 10.0.0.1 30 224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 20 255.255.255.255 255.255.255.255 10.0.0.1 10.0.0.1 1 255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1===========================================================================Persistent Routes: None C:\>

Reviewing Static and Dynamic Routes

Static routes

Dynamic routes

C:\>route addC:\>route add

Corporate HeadquartersCorporate Headquarters

Branch OfficeBranch Office

Branch OfficeBranch Office

Network X and Network ZNetwork X and Network Z

Router B - Routing TableRouter B - Routing Table

Network X and Network YNetwork X and Network Y

Router B - Routing TableRouter B - Routing TableNetwork Y and Network ZNetwork Y and Network Z

Router A - Routing TableRouter A - Routing Table

XX

ZZ

YY

Lesson: How DHCP Operates in an Enterprise Environment

The DHCP Lease Generation Process

How a DHCP Server Services Remote Segments

How Scopes and Superscopes Function in an Environment

Fault Tolerance in the DHCP Implementation Process

DHCP Interoperability Options

The DHCP Lease Generation Process

DHCP ServersDHCP ServersDHCP ClientDHCP Client

DHCP DiscoverDHCP Discover11

DHCP OfferDHCP Offer 22

DHCP RequestDHCP Request33

DHCP AcknowledgeDHCP Acknowledge 44

How a DHCP Server Services Remote Segments

DHCP Relay AgentDHCP Relay Agent DHCP ServerDHCP Server

RFC-1542 CompliantRFC-1542 CompliantNon–RFC-1542 CompliantNon–RFC-1542 Compliant

DHCP ClientDHCP Client

DHCP ClientDHCP Client

BroadcastBroadcast BroadcastBroadcast

ForwardedForwarded ForwardedForwarded

How Scopes and Superscopes Function in an Environment

192.168.1.1192.168.1.1 192.168.1.254192.168.1.254 192.168. 22.1192.168. 22.1 192.168. 22.254192.168. 22.254

DHCP ServerDHCP Server

SuperscopeASuperscopeA

Scope1192.168.1.1

192.168.1.254

Scope1192.168.1.1

192.168.1.254

Scope2192.168. 22.1

192.168. 22.254

Scope2192.168. 22.1

192.168. 22.254

Fault Tolerance in the DHCP Implementation Process

Failover solution Requirements

DHCP clustered resource

Resource requirements

Disk resource

IP address resource

Name resource

Configuration requirements

Database path

Audit log file path

Database backup path

Multiple DHCP servers

Deploy two DHCP servers in the same network that share a split-scope configuration based on the 80/20 rule

DHCP Interoperability Options

Service Interoperability options

Routing and Remote Access

Allow a remote access server to obtain an IP addressEnable the remote access server to request IP addresses on an as-needed basis

DNS

Enable DNS dynamic updates according to preferences Discard A and PTR records when lease is deletedDynamically update A and PTR records for DHCP clients that do not request updates

WINS Configure a WINS scope option

Active Directory Allow authorization of DHCP server within Active Directory

Practice: Identifying Integration Issues

In this practice, you will learn how to determine a network configuration that meets the needs provided in the scenario

Lesson: Reviewing WINS

Multimedia: How WINS Clients Resolve Names

NetBIOS Node Types

WINS Proxies

Burst Handling

WINS Records

WINS Replication

The WINS Database

Multimedia: How WINS Clients Resolve Names

The objective of this presentation is to explain how WINS clients resolve a NetBIOS name to an IP address

You will learn how to:

Explain the functionality of a WINS server in a routed network

Identify the default node for a WINS client

Explain the process for using a WINS server to resolve a NetBIOS name to an IP address

NetBIOS Node Types

Node type Description Impact

b-nodeUses broadcast NetBIOS name queries for name registration resolution

Slows network performance

p-nodeUses a NetBIOS name server (NBNS) to resolve NetBIOS names

Improves network performance

m-nodeIs a combination of b-node and p-node types. By default, m-node broadcasts. If this is unsuccessful, it queries an NBNS.

Slows network performance

h-node

Is a combination of b-node and p-node types. By default, h-node queries an NBNS. If this is unsuccessful, it uses broadcast to resolve the name.

Improves network performance

The default is h-node for WINS clientsThe default is h-node for WINS clients

WINS Proxies

Subnet A

Subnet B

Host ANetBIOS b-node client

Host ANetBIOS b-node client

Host BWINS proxy

Host BWINS proxy

Host CWINS client

Host CWINS client WINS A

WINS serverWINS A

WINS serverIP RouterIP Router

Burst Handling

Burst handling is the response of a WINS server to a large number of WINS clients that are trying to simultaneously register their local names in WINS

Burst handling is the response of a WINS server to a large number of WINS clients that are trying to simultaneously register their local names in WINS

Request to registerRequest to register11

Registered Registered22

WINS Records

The service that registered the entry, including the hexadecimal type identifier

The IP address that corresponds to the registeredname

Displays “x” to indicate whether the entry isstatic and displays “null” or is blank if the entry is not staticThe WINS server from which the entry originates The registered NetBIOS name, which can be a unique

name, or a group, internet group, or multihomed computer The state of the database entry, which can be active, released, or tombstoned

A unique hexadecimal number that the WINS server assigns during name registration

Shows when the entry will expire How WINS records are usedHow WINS records are used

NetBIOS clients and servers use WINS records to identify the name and services associated with a given computerNetBIOS clients and servers use WINS records to identify the name and services associated with a given computer

WINS Replication

WINS-AWINS-A

WINS-DWINS-D

WINS-CWINS-C

WINS-BWINS-B

Threshold reachedThreshold reached11

NotificationNotification22

RequestRequest33

SendSend44

Push/Pull PartnerPush/Pull Partner

Push PartnerPush Partner

Pull PartnerPull Partner

11

2233

44

The WINS Database

The WINS database:

Stores records

Is governed by four timers

Is dependent on an internal system clock

Requires consistency checking

Lesson: Reviewing IPSec

Understanding Vulnerabilities

Threat Analysis

What Is IPSec?

Microsoft IPSec Features

Advantages and Disadvantages of IPSec

IPSec Security Services

Authentication Methods

How IPSec Is Deployed

Understanding Vulnerabilities

Vulnerability Examples

Weak passwords Passwords that can be easily guessed

Unencrypted data transfer

Data transfer that may allow the exchange and verification of identities while exposing that information to interpretation by an attacker

Weak security on Internet connections

Packets to and from a source or destination address or port may be allowed

Other vulnerabilities

Social engineering Unpatched software Incorrectly configured hardware and

software

Threat Analysis

Threat analysisThreat analysis

1. Identify threats

2. Prioritize threats based on:

Probability of occurrence

Severity of potential damage

3. Divide the number representing damage by the number representing probability to determine the threat level

4. Address threats with the highest threat levels first

1. Identify threats

2. Prioritize threats based on:

Probability of occurrence

Severity of potential damage

3. Divide the number representing damage by the number representing probability to determine the threat level

4. Address threats with the highest threat levels first

What Is IPSec?

Can use security protocols to encrypt or digitally sign traffic

Can use security protocols to encrypt or digitally sign traffic

Can use tunnel mode to secure traffic between two networks

Can use tunnel mode to secure traffic between two networks

Can use transport mode to secure traffic between any two hosts

Can use transport mode to secure traffic between any two hosts

RouterRouter RouterRouter

Tunnel ModeTunnel Mode

Transport ModeTransport Mode

RouterRouter

Microsoft IPSec Features

Implementation DescriptionPolicy-based configuration management

Makes configuration, implementation, and administration easier

IPSec functionality over NAT Automatically detects the presence of a NAT device and uses UDP-ESP encapsulation to allow IPSec traffic to pass through the NAT

IPSec certificate-to-account mapping

Allows you to set restrictions on which computers are allowed to connect

Default traffic exemptionsExempts only Internet Key Exchange (IKE) traffic from IPSec filtering

Command-line management Scripts and automates IPSec configuration

Computer startup securityPermits only the following traffic during computer startup

Persistent policy for enhanced security

Is applied before the local policy or the Active Directory–based policy

Advantages and Disadvantages of IPSec

AdvantagesAdvantages

Flexible security protocols

Transparent to users and applications

Authentication

Confidentiality

Open industry (IETF) standards

Data integrity

Dynamic rekeying

Secure end-to-end links

Easy implementation and centralized management by using policies

Flexible security protocols

Transparent to users and applications

Authentication

Confidentiality

Open industry (IETF) standards

Data integrity

Dynamic rekeying

Secure end-to-end links

Easy implementation and centralized management by using policies

DisadvantagesDisadvantages

Administrative overhead

Increased performance requirement

Supportability

Policy management

Local policy configuration

Administrative overhead

Increased performance requirement

Supportability

Policy management

Local policy configuration

IPSec Security Services

Feature Description

Automatic key management

IKE services dynamically exchange and manage keys between communicating computers

Automatic security negotiation

IKE services dynamically negotiate a common set of security settings using IKE services

Public key infrastructure support

IPSec supports the use of public key certificates for authentication

Preshared key support

IPSec can use a preshared key for authentication

Authentication Methods

Kerberos V5

The default authentication method for IPSec

Public key certificates

Using this authentication method, security credentials can be presented without being compromised in the process

Preshared key authentication

Both parties agree on a shared, secret key that is used for authentication in an IPSec policy

How IPSec Is Deployed

Using policy-based managementUsing policy-based management

Easy management

Easy implementation

Eliminates administrative overhead

Easy management

Easy implementation

Eliminates administrative overhead

Using local policiesUsing local policies

One local policy

Group Policy settings can be stored on individual computers

One local policy

Group Policy settings can be stored on individual computers

appendix b: review. overview reviewing tcp/ip reviewing routing how dhcp operates in an enterprise...

Documents

tcpip tcpip

network tcpip

role of tcpip

network infrastructure

role of routing

ipv4 slide

ipsec slide

remote routing