Saturday, December 8, 2007

Implementing TCP/IP

TCP/IP Overview

Transmission Control Protocol/Internet Protocol (TCP/IP) is an industry-standard suite of protocols designed for wide area networks (WANs). Microsoft Windows 2000 has extensive support for TCP/IP both as a protocol suite and a set of services for connectivity and management of IP networks. This lesson includes an overview of TCP/IP concepts, terminology, and how the Internet standards are created. You will also learn how Windows 2000 integrates with TCP/IP.

Benefits of TCP/IP

All modern operating systems offer TCP/IP support, and most large networks rely on TCP/IP for much of their network traffic. TCP/IP is also the protocol standard for the Internet. In addition, many standard connectivity utilities are available to access and transfer data between dissimilar systems. Several of these standard utilities, such as File Transfer Protocol (FTP) and Telnet, are included with Windows 2000 Server. TCP/IP networks can be easily integrated with the Internet. Because of its popularity, TCP/IP is well developed and offers many utilities that improve usability, performance, and security. Networks that are based on other transport protocols, such as ATM or AppleTalk, can interface with TCP/IP networks through a device known as a gateway. Adding TCP/IP to a Windows 2000 configuration offers the following advantages:

  • It offers a technology for connecting dissimilar systems. TCP/IP is routable and can be connected to different networks through gateways.
  • It allows for a robust, scalable, cross-platform client/server framework. Microsoft TCP/IP offers the WinSock interface, which is ideal for developing client/server applications that can run on WinSock-compliant stacks from other vendors.
  • It provides a method of gaining access to the Internet. By connecting to the Internet, a virtual private network (VPN) or extranet can be established, allowing for inexpensive remote access.

Windows 2000 TCP/IP Communication Protocols

A significant feature of Windows 2000 is the ability to connect to the Internet and to dissimilar systems. Windows 2000 also includes advanced security features that can be implemented when connecting to a system across a network. In order to support all of these features, Windows 2000 TCP/IP has new and enhanced capabilities. These include:

  • IP Security. IP Security (IPSec) authenticates, and optionally encrypts, IP traffic at the network layer, so it protects the traffic of any application without changing that application. IPSec enables secure data transfer between remote clients and private enterprise servers through a virtual private network (VPN).
  • Point-to-Point Tunneling Protocol. The Point-to-Point Tunneling Protocol (PPTP) provides VPN functionality similar to that which IPSec provides. Because PPTP carries PPP frames, it also supports multiple network protocols such as IP, Internetwork Packet Exchange (IPX), and NetBIOS Enhanced User Interface (NetBEUI). A PPTP tunnel is only as strong as the PPP authentication method and password that key its encryption, so prefer L2TP over IPSec where both ends support it.
  • Layer Two Tunneling Protocol. The Layer Two Tunneling Protocol (L2TP) combines Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). L2F is a transmission protocol that allows dial-up access servers to frame dial-up traffic in Point to Point Protocol (PPP) and transmit it over WAN links to an L2F server (a router). L2TP itself provides no encryption; Windows 2000 runs it over IPSec, which supplies the authentication and encryption.

Finally, Microsoft continues to support legacy systems and protocols to preserve the past investments of its customers and reduce the risk, pressure, and financial burden of managing heterogeneous environments. For this reason Windows 2000 supports

  • AppleTalk
  • Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
  • NetBEUI

TCP/IP Stack Enhancements

Windows 2000 includes several TCP/IP stack enhancements, including:

  • Large window support that improves performance when many packets are in transit for long periods of time.
  • Selective acknowledgments that allow a system to recover from congestion quickly. The sender needs to retransmit only the packets that were not received.
  • The ability to better estimate round-trip time.
  • The ability to better prioritize traffic for demanding applications.

TCP/IP Utilities

TCP/IP utilities in Windows 2000 include:

  • Data transfer utilities. Windows 2000 provides support for several different IP-based data transfer protocols. These include File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), and the Common Internet File System (CIFS).
  • Telnet. UNIX hosts have traditionally been managed using Telnet—a text interface similar to a command prompt that can be accessed across an IP network. Windows 2000 provides both a Telnet client and server.
  • Printing utilities. Windows 2000 can print directly to IP-based printers. Additionally, two TCP/IP utilities provide the ability to print and obtain print status on a TCP/IP printer. Line Printer Remote (LPR) prints a file to a host running the Line Printing Daemon (LPD) service. Line Printer Queue (LPQ) obtains the status of a print queue on a host running the LPD service.
  • Diagnostics utilities. Windows 2000 provides several utilities for diagnosing TCP/IP-related problems including PING, Ipconfig, Nslookup, and Tracert.

Application Layer

The Application layer is at the top of the four-layer conceptual TCP/IP model, and is where software programs gain access to the network. This layer corresponds roughly to the Session, Presentation, and Application Layers of the OSI model. Some TCP/IP utilities and services run at the Application Layer. These utilities and services include:

  • HyperText Transfer Protocol (HTTP). HTTP is the protocol used for the majority of World Wide Web communications. Windows 2000 includes Internet Explorer as an HTTP client, and Internet Information Server (IIS) as an HTTP server.
  • File Transfer Protocol (FTP). FTP is an Internet service that transfers files from one computer to another. Internet Explorer and the command-line utility FTP both act as FTP clients. IIS includes an FTP server.
  • Simple Mail Transfer Protocol (SMTP). SMTP is a protocol that mail servers use to transfer e-mail. IIS can send messages using the SMTP protocol.
  • Telnet. Telnet is a terminal emulation protocol that can be used to log on to remote network hosts. Telnet offers users the capability of running programs remotely and facilitates remote administration. Telnet is available for practically all operating systems and eases integration in heterogeneous networking environments. Windows 2000 includes both a Telnet client and server. Telnet sends the logon credentials and the entire session in cleartext, so anyone who can capture the traffic can read them; leave the Telnet server disabled unless it is needed, and limit which hosts can reach it.
  • Domain Name System (DNS). DNS is a set of protocols and services on a TCP/IP network that allows users of the network to utilize hierarchical user-friendly names when locating hosts instead of having to remember and use their IP addresses. DNS is used extensively on the Internet and in many private enterprises today. When you use a Web browser, Telnet application, FTP utility, or other similar TCP/IP utilities on the Internet, then you are probably using a DNS server. Windows 2000 also includes a DNS server.
  • Simple Network Management Protocol (SNMP). SNMP allows you to manage network nodes such as servers, workstations, routers, bridges, and hubs from a central host. SNMP can also be used to configure remote devices, monitor network performance, detect network faults or inappropriate access, and audit network usage. SNMP versions 1 and 2c authenticate each request with a community name sent in cleartext, so change the community names from their defaults, give write access only where it is required, and configure the SNMP service to accept packets only from named management hosts.

Network Application APIs

Microsoft TCP/IP provides two interfaces for network applications to use the services of the TCP/IP protocol stack:

  • WinSock. The Windows 2000 implementation of the widely used Sockets application programming interface (API). The Sockets API is the standard mechanism for accessing datagram and session services over TCP/IP.
  • NetBIOS. A standard API used as an inter-process communication (IPC) mechanism in the Windows environment. Although NetBIOS can be used to provide a standard connection to protocols that support the NetBIOS naming and messaging services, such as TCP/IP and NetBEUI, it is included with Windows 2000 mainly to support legacy applications.

Transport Layer

Transport protocols provide communication sessions between computers and define the type of transport service as either connection-oriented (TCP) or connectionless datagram-oriented (UDP). TCP provides connection-oriented, reliable communications for applications that typically transfer large amounts of data at one time. It is also used for applications that require an acknowledgment for data received. UDP, however, provides connectionless communications and does not guarantee delivery. Applications that use UDP typically transfer small amounts of data at one time, and reliable delivery of data is the responsibility of the application. Because UDP has no handshake, the receiver never confirms a datagram's source address, whereas a TCP peer must complete the three-way handshake before any data is accepted. The Transport Layer in the DOD model corresponds roughly to the Transport Layer in the OSI model.

Internet Layer

Internet protocols encapsulate packets into Internet datagrams and run all of the necessary routing algorithms. The routing functions that the Internet layer performs are necessary to allow hosts to interoperate with other networks. The Internet Layer corresponds roughly to the Network Layer in the OSI model. Five protocols are implemented at this layer:

  • Address Resolution Protocol (ARP), which maps the IP address of a host on the local network to its hardware (MAC) address.
  • Reverse Address Resolution Protocol (RARP), which does the reverse: a host that knows only its hardware address asks a RARP server for its IP address. (Although Microsoft does not implement the RARP protocol, it is found on other vendors' systems, and is mentioned here for completeness.)
  • Internet Control Message Protocol (ICMP), which carries error and control messages between IP hosts and routers, such as Destination Unreachable, Time Exceeded, Redirect, and the Echo messages that PING uses.
  • Internet Group Management Protocol (IGMP), which informs routers of the availability of members of multicast groups.
  • Internet Protocol (IP), which addresses and routes packets.

Network Interface Layer

At the base of the model is the Network Interface Layer. Each of the local area network (LAN), metropolitan area network (MAN), WAN, and dial-up types, such as Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), and ARCnet, have different requirements for cables, signaling, and data encoding. The Network Interface Layer specifies the requirements equivalent to the Data Link and Physical Layers of the OSI model. The Network Interface Layer is responsible for sending and receiving frames, which are packets of information transmitted on a network as a single unit. The Network Interface Layer puts frames on the network, and pulls frames off the network.

TCP/IP WAN Technologies

There are two major categories of WAN technologies supported by TCP/IP:

  1. Serial lines, which include dial-up analog, digital lines, and leased lines.

    TCP/IP is typically transported across a serial line using either the Serial Line Internet Protocol (SLIP) or the Point-to-Point Protocol (PPP). Windows 2000 Server supports both protocols with the Routing and Remote Access Service. Because PPP supports link authentication (for example CHAP), negotiates its configuration automatically, and detects errors, none of which SLIP provides, it is the recommended protocol for serial line communication.

  2. Packet-switched networks, which include X.25, frame relay, and asynchronous transfer mode (ATM).
NOTE
Windows 2000 supports only SLIP client functionality, not SLIP server functionality. The Windows 2000 Routing and Remote Access Service does not accept SLIP client connections.

Transmission Control Protocol

Transmission Control Protocol (TCP) is a reliable, connection-oriented delivery service. TCP data is transmitted in segments, and a session must be established with the three-way handshake (SYN, SYN-ACK, ACK) before hosts can exchange data. TCP uses byte-stream communications, which means that the data is treated as a sequence of bytes.

TCP achieves reliability with sequence numbers and acknowledgments. Every byte in the stream is numbered, and each segment carries the sequence number of its first byte, so the receiving host can tell where a segment belongs in the stream, whether any data is missing, and whether a segment is a duplicate. For each segment sent, the receiving host must return an acknowledgment (ACK) within a specified period. If the sender does not receive an ACK, it retransmits the data. If a segment arrives damaged, its TCP checksum fails and the receiving host discards it; because no ACK is sent in that case, the sender retransmits the segment.
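The mechanism just described, reduced to a runnable simulation. This is an added example, not code from the page: CRC-32 stands in for TCP's 16-bit checksum, the 8-byte segment size and the fault pattern (one lost segment, one corrupted segment) are constructed for the demonstration, and there is no window or timer, only a pass over the unacknowledged segments that stands in for the ACK timer expiring.

```python
from dataclasses import dataclass
import zlib


@dataclass
class Segment:
    seq: int        # byte-stream offset of the first payload byte
    data: bytes
    checksum: int   # CRC-32 here; real TCP uses a 16-bit one's-complement sum

    @staticmethod
    def make(seq, data):
        return Segment(seq, data, zlib.crc32(seq.to_bytes(4, "big") + data))

    def intact(self):
        return zlib.crc32(self.seq.to_bytes(4, "big") + self.data) == self.checksum


class Receiver:
    def __init__(self):
        self.expected = 0          # next byte offset not yet received in order
        self.buffer = bytearray()  # in-order data handed to the application
        self.early = {}            # seq -> data for segments that arrived ahead of a gap

    def receive(self, seg):
        """Return the cumulative ACK (next expected byte), or None when the
        segment fails its checksum and is silently discarded."""
        if not seg.intact():
            return None
        if seg.seq >= self.expected:          # duplicates below `expected` are just re-ACKed
            self.early[seg.seq] = seg.data
        while self.expected in self.early:    # deliver everything that is now contiguous
            data = self.early.pop(self.expected)
            self.buffer += data
            self.expected += len(data)
        return self.expected


def transfer(payload, mss, channel):
    """Send payload in segments of at most mss bytes through channel(seg, attempt),
    which returns the segment as delivered or None if it was lost. Segments the
    ACK does not cover after a pass are retransmitted. Returns (received, retransmissions)."""
    segments = [Segment.make(off, payload[off:off + mss])
                for off in range(0, len(payload), mss)]
    rx = Receiver()
    acked = 0
    retransmissions = 0
    attempt = 0
    while acked < len(payload):
        for seg in segments:
            if seg.seq + len(seg.data) <= acked:
                continue                        # already acknowledged
            if attempt > 0:
                retransmissions += 1            # the ACK timer for this segment expired
            delivered = channel(seg, attempt)
            if delivered is None:
                continue                        # lost in transit: no ACK will come back
            ack = rx.receive(delivered)
            if ack is not None:
                acked = max(acked, ack)
        attempt += 1
    return bytes(rx.buffer), retransmissions


def lossy_channel(seg, attempt):
    """Constructed fault pattern: on the first attempt the segment at offset 8
    is lost and the one at offset 16 arrives with a flipped payload byte."""
    if attempt == 0 and seg.seq == 8:
        return None
    if attempt == 0 and seg.seq == 16:
        damaged = bytearray(seg.data)
        damaged[0] ^= 0xFF
        return Segment(seg.seq, bytes(damaged), seg.checksum)  # checksum no longer matches
    return seg


if __name__ == "__main__":
    received, retx = transfer(b"GET /index.html HTTP/1.0\r\n\r\n", 8, lossy_channel)
    print(received, "retransmissions:", retx)
```

The receiver returns the same ACK value (8) for the segment that arrives early at offset 24, so the sender learns only that bytes up to 8 are safe and re-sends from there; the corrupted segment at offset 16 produces no ACK at all, which is the "discard and let the sender retransmit" case from the text.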

Internet Protocol (IP)

Although TCP separates data into discrete segments and is responsible for guaranteeing their delivery, IP does the actual delivery. At the IP Layer, each incoming or outgoing packet is referred to as a datagram. IP adds the fields in the following table to the header of each datagram passed down from the Transport Layer, and reads them from each datagram passed up from the Network Interface Layer.


  • Source IP Address. Identifies the sender of the datagram by its IP address.
  • Destination IP Address. Identifies the destination of the datagram by its IP address.
  • Protocol. Tells IP at the destination host which upper-layer protocol the payload belongs to, for example TCP (6), UDP (17), or ICMP (1).
  • Checksum. A simple one's-complement sum that lets the receiver verify that the header arrived intact. It covers only the IP header, not the payload; TCP and UDP carry their own checksums for the data.
  • Time to Live (TTL). Limits how long a datagram may spend in transit before it is discarded, which prevents packets from looping endlessly around an internetwork. The field is defined in seconds, but in practice each router that forwards the packet decrements the TTL by one, so it acts as a hop count. When the TTL reaches zero, the router discards the datagram and sends an ICMP Time Exceeded message to the source. The default TTL in Windows 2000 is 128.
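The header fields in the table, as an added example that parses them from raw bytes, verifies the header checksum, and applies the router step on the TTL. The code is not from the page; the datagram is constructed inline, the protocol numbers are the standard IANA assignments, and the identification value and addresses are arbitrary.

```python
import struct
from ipaddress import IPv4Address

PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words of the
    header (checksum field set to zero), complemented. Covers the header only."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, protocol, ttl, payload):
    """Minimal 20-byte header (no options) in front of payload."""
    ver_ihl = (4 << 4) | 5                    # version 4, header length 5 words
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0,
                      ttl, protocol, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(datagram):
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        # summing a correct header together with its checksum field gives 0
        "checksum_ok": ipv4_checksum(datagram[:ihl]) == 0,
    }


def forward(datagram):
    """One router hop: discard on bad checksum, discard (and report the ICMP
    Time Exceeded the router would send) when the TTL runs out, otherwise
    decrement the TTL and recompute the header checksum."""
    info = parse_ipv4(datagram)
    if not info["checksum_ok"]:
        return None, "header checksum failed: discarded"
    if info["ttl"] <= 1:
        return None, "TTL expired: ICMP Time Exceeded to %s" % info["src"]
    ihl = info["header_len"]
    hdr = bytearray(datagram[:ihl])
    hdr[8] -= 1                               # TTL is byte 8 of the header
    hdr[10:12] = b"\x00\x00"                  # zero the checksum before re-summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[ihl:], "forwarded"


if __name__ == "__main__":
    dg = build_ipv4("10.0.0.5", "198.200.200.1", 6, 128, b"payload")
    print(parse_ipv4(dg))
    print(forward(dg)[1], parse_ipv4(forward(dg)[0])["ttl"])
```

Because the checksum covers only the header, a router has to recompute it after touching the TTL, and a receiver that trusts "checksum_ok" knows nothing about the integrity of the payload; that is what the TCP and UDP checksums are for.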

Basic Concepts of IP Routing

Routing is the process of choosing a path over which to send packets, which is a primary function of IP. A router (commonly referred to as a gateway) is a device that forwards the packets from one physical network to another. When a router receives a packet, the network adapter forwards the datagrams to the IP Layer. IP examines the destination address on the datagram and then compares it to an IP routing table. A decision is then made as to where the packet is to be forwarded. This lesson explains basic IP routing concepts.

Overview of Routing

A router helps LANs and WANs achieve interoperability and connectivity, and can link LANs that have different network topologies, such as Ethernet and Token Ring. Each packet sent over a LAN has a packet header that contains source and destination address fields. Routers match packet headers to a LAN segment and choose the best path for the packet, optimizing network performance. For example, if a packet is sent from Computer A to Computer C, as illustrated in Figure 2.15, the best route uses only one hop. If Router 1 is the default router for Computer A, Router 1 forwards the packet through Router 2 and sends Computer A an ICMP Redirect message naming the better router to use for Computer C. As each route is found, the packet is sent to the next router, called a hop, until it is finally delivered to the destination host. If no route is found, the router sends an ICMP Destination Unreachable error message to the source host. Because a host acts on the redirects it receives, a forged redirect can steer a host's traffic through an attacker's machine; Windows 2000 lets you ignore redirects with the EnableICMPRedirect value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
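The routing decision described above, as an added example (not code from the page): a longest-prefix-match lookup over a small routing table, with the default route and the no-route case, and the condition under which the router would also send a redirect. The networks, gateways, and interface names are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (destination network, next-hop gateway or None when
# the destination is directly connected, outgoing interface).
ROUTING_TABLE = [
    (ip_network("192.168.0.0/24"), None, "LAN"),
    (ip_network("10.0.0.0/8"), ip_address("192.168.0.254"), "LAN"),
    (ip_network("10.1.0.0/16"), ip_address("192.168.0.253"), "LAN"),
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "WAN"),   # default route
]


def route(dst, table=ROUTING_TABLE):
    """Return (matched network, next hop, interface) for dst using the most
    specific matching entry, or None when no entry matches."""
    dst = ip_address(dst)
    candidates = [entry for entry in table if dst in entry[0]]
    if not candidates:
        return None
    net, gw, iface = max(candidates, key=lambda e: e[0].prefixlen)
    next_hop = dst if gw is None else gw      # directly connected: deliver to the host itself
    return str(net), str(next_hop), iface


def forwarding_decision(in_iface, dst, table=ROUTING_TABLE):
    """What a router does with a datagram that arrived on in_iface bound for dst."""
    decision = route(dst, table)
    if decision is None:
        return "drop: ICMP Destination Unreachable to source"
    net, next_hop, out_iface = decision
    if out_iface == in_iface and next_hop != str(ip_address(dst)):
        # Going back out the interface it came in on, toward another router on
        # that segment: the case where a router also sends ICMP Redirect to the
        # sender (a real router additionally checks that the sender is on that subnet).
        return "forward via %s on %s (redirect sender)" % (next_hop, out_iface)
    return "forward via %s on %s" % (next_hop, out_iface)


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.2.2.3", "192.168.0.7", "8.8.8.8"):
        print(dst, "->", route(dst))
    print(forwarding_decision("LAN", "10.1.2.3"))
```

Two entries can both contain 10.1.2.3 (10.0.0.0/8 and 10.1.0.0/16); the longer prefix wins, which is why a more specific route injected into a table overrides the general one.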

Windows 2000 Domain Name Service

Working with Zones

Servers refer to their zones (also called DNS database files) to resolve names. The zones contain resource records that comprise the resource information associated with the DNS domain. For example, some resource records map friendly names to Internet Protocol (IP) addresses, and others map IP addresses to friendly names. Some resource records not only include information about servers in the DNS domain, but also serve to define the domain by specifying which servers are authoritative for which zones. In this lesson, you will learn how to configure DNS zones in Windows 2000.

Delegating Zones

A DNS database can be partitioned into multiple zones. A zone is a portion of the DNS database that contains the resource records with the owner names that belong to a contiguous portion of the DNS name space. Zone files are maintained on DNS servers. A single DNS server can be configured to host zero, one, or multiple zones. Each zone is anchored at a specific domain name referred to as the zone's root domain. A zone contains information about all names that end with the zone's root domain name, except those cut off by a delegation. A DNS server is considered authoritative for a name if it loads the zone containing that name. The first record in any zone file is a start of authority (SOA) resource record. The SOA resource record identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as the entity that processes updates for the zone.

Names within a zone can also be delegated to other zone(s). Delegation is a process of assigning responsibility for a portion of a DNS name space to a separate entity. This separate entity could be another organization, department, or workgroup within your company. In technical terms, delegating means assigning authority over portions of your DNS name space to other zones. A name server (NS) record in the parent zone, whose owner name is the delegated subdomain and whose data is the DNS name of a server authoritative for that subdomain, represents such a delegation; when that server's own name lies inside the delegated subdomain, the parent also keeps a glue address (A) record for it so that resolvers can reach it. Delegating across multiple zones was part of the original design goal of DNS. The following are the main reasons for the delegation of a DNS name space:

  • A need to delegate management of a DNS domain to a number of organizations or departments within an organization
  • A need to distribute the load of maintaining one large DNS database among multiple name servers to improve the name resolution performance as well as create a DNS fault-tolerant environment
  • A need to allow for hosts' organizational affiliations by including them in appropriate domains

Understanding DNS Zones and Domains

Domain name servers store information about a part of the domain name space called a zone. The name server is authoritative for a particular zone. A single name server can be authoritative for many zones. The difference between a zone and a domain is sometimes confusing.

A zone is simply a portion of a domain. For example, the domain microsoft.com may contain all of the data for microsoft.com, marketing.microsoft.com, and development.microsoft.com. However, the zone microsoft.com contains only information for microsoft.com and references to the authoritative name servers for the subdomains. The zone microsoft.com can contain the data for subdomains of microsoft.com if they have not been delegated to another server. For example, marketing.microsoft.com may manage its own delegated zone. The parent, microsoft.com, may manage development.microsoft.com. If there are no subdomains, then the zone and domain are essentially the same. In this case the zone contains all data for the domain.
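The zone-versus-domain distinction above, as an added example (not code from the page or from the Windows 2000 DNS server): a single zone for microsoft.com in which development.microsoft.com is held by the parent and marketing.microsoft.com is delegated, and a lookup that answers, refers, or says it is not authoritative. The records and addresses are constructed; only the domain names come from the text.

```python
# Constructed zone data: zone root domain -> owner name -> [(type, data), ...].
# NS records at a name below the zone apex mark a delegation (a zone cut).
ZONES = {
    "microsoft.com": {
        "microsoft.com": [("SOA", "ns1.microsoft.com"), ("NS", "ns1.microsoft.com")],
        "www.microsoft.com": [("A", "198.200.200.10")],
        # not delegated, so the parent zone holds its data
        "development.microsoft.com": [("A", "198.200.200.20")],
        # delegated: the parent holds only NS records, plus a glue A record for
        # the child's server because that server's name is inside the child zone
        "marketing.microsoft.com": [("NS", "ns1.marketing.microsoft.com")],
        "ns1.marketing.microsoft.com": [("A", "198.200.200.30")],
    },
}


def normalize(name):
    return name.rstrip(".").lower()


def closest_zone(name, zones=ZONES):
    """The hosted zone whose root domain is the longest suffix of name, or None."""
    name = normalize(name)
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def lookup(name, rtype, zones=ZONES):
    """Return one of ("answer", data), ("referral", nameservers),
    ("nxdomain", None) or ("not_authoritative", None)."""
    name = normalize(name)
    zone = closest_zone(name, zones)
    if zone is None:
        return ("not_authoritative", None)
    records = zones[zone]
    labels = name.split(".")
    apex_labels = len(zone.split("."))
    # Walk from just below the apex down to the name itself; the first name
    # with NS records is a delegation and cuts the zone, so we refer instead of answer.
    for depth in range(apex_labels + 1, len(labels) + 1):
        cut = ".".join(labels[-depth:])
        nameservers = [data for rt, data in records.get(cut, []) if rt == "NS"]
        if nameservers:
            return ("referral", nameservers)
    matches = [data for rt, data in records.get(name, []) if rt == rtype]
    return ("answer", matches) if matches else ("nxdomain", None)


if __name__ == "__main__":
    for q in ("www.microsoft.com", "development.microsoft.com",
              "host.marketing.microsoft.com", "example.org"):
        print(q, lookup(q, "A"))
```

The parent answers for development.microsoft.com because no cut exists there, and only refers for anything under marketing.microsoft.com; the glue record is the one piece of child data the parent must keep, and it is also the record an attacker would most like to change, since it decides where every query for the child goes.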

To create a zone delegation

  1. Click Start, point to Programs, point to Administrative Tools, then click DNS.
  2. In the console tree, right-click the parent zone or domain that will contain the delegation, then click New Delegation. The New Delegation Wizard appears.
  3. Click Next.
  4. In the Delegated Domain Name dialog box, type a delegated domain name, then click Next.
  5. In the Name Servers dialog box, click Add to specify the names and IP addresses of the DNS servers you want to host the delegated zone. The New Resource Record dialog box appears, allowing you to specify DNS servers.
  6. Type the DNS server name, click Add, then click OK.
  7. In the Name Servers dialog box, click Next.
  8. Click Finish to close the New Delegation Wizard.
To allow dynamic updates

  1. Click Start, point to Programs, point to Administrative Tools, then click DNS.

    The DNS administrative console appears.

  2. In the console tree, right-click your zone, then click Properties.

    The Zone Properties dialog box appears, as illustrated in Figure 8.3.

  3. In the Allow Dynamic Updates list box, click Yes. Note that Yes accepts updates from any host that can reach the server, so any client on the network can add or overwrite another host's records; for an Active Directory-integrated zone, choose Only Secure Updates instead, which accepts updates only from authenticated clients that have permission on the record.
  4. Click OK to close the Zone Properties dialog box.
  5. Close the DNS administrative console.

Working with Servers

Because DNS servers are of critical importance in most environments, it is important to continually monitor them. In this lesson, you will learn how to manage and monitor your DNS servers. In addition, you will learn how to implement a caching-only server.

Overview of DNS Servers and Caching

As DNS servers process client queries using recursion or iteration, they discover and acquire a significant store of information about the DNS name space. The server then caches this information. Caching provides a way to speed the performance of DNS resolution for subsequent queries of popular names while substantially reducing DNS-related query traffic on the network.

As DNS servers make recursive queries on behalf of clients, they temporarily cache resource records. Cached resource records contain information obtained from DNS servers that are authoritative for DNS domain names learned while making iterative queries to search and fully answer a recursive query performed on behalf of a client. Later, when other clients place new queries that request resource record information matching cached resource records, the DNS server can use the cached resource record information to answer them.

When information is cached, a Time to Live (TTL) value applies to each cached resource record. As long as the TTL for a cached resource record has not expired, a DNS server can continue to use that record when answering matching queries from its clients; the TTL it hands out shrinks as the record ages in the cache. In most zone configurations the TTL of a resource record is the minimum (default) TTL set in the zone's SOA resource record. By default, the minimum TTL is 3600 seconds (1 hour), but it can be adjusted or, if needed, individual TTLs can be set on each resource record. Because a cached record is reused for every client until its TTL expires, a bogus record that gets into the cache is served to all clients for that long; keep the server's Secure Cache Against Pollution option enabled so that records outside the queried name's domain tree are not cached.
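The caching behaviour described in this section, as an added example (not code from the page): a resolver that fills its cache from an upstream answer, serves later queries from the cache with the remaining TTL, and goes upstream again once the TTL has expired. The upstream answers and the clock are constructed so the example runs offline; the names reuse microsoft.com from the text and the addresses are made up.

```python
import time


class DnsCache:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}   # (name, rtype) -> (rdata list, absolute expiry time)

    def put(self, name, rtype, rdata, ttl):
        self.entries[(name.lower(), rtype)] = (list(rdata), self.clock() + ttl)

    def get(self, name, rtype):
        """Return (rdata, remaining ttl) or None if absent or expired."""
        key = (name.lower(), rtype)
        if key not in self.entries:
            return None
        rdata, expiry = self.entries[key]
        remaining = expiry - self.clock()
        if remaining <= 0:
            del self.entries[key]             # expired: must be fetched again
            return None
        return rdata, int(remaining)          # served with the decremented TTL


class Resolver:
    def __init__(self, upstream, clock=time.time):
        self.upstream = upstream              # callable(name, rtype) -> (rdata, ttl)
        self.cache = DnsCache(clock)
        self.upstream_queries = 0

    def resolve(self, name, rtype="A"):
        """Return (rdata, ttl, source) where source is 'cache' or 'authoritative'."""
        hit = self.cache.get(name, rtype)
        if hit:
            return hit[0], hit[1], "cache"
        self.upstream_queries += 1
        rdata, ttl = self.upstream(name, rtype)
        self.cache.put(name, rtype, rdata, ttl)
        return rdata, ttl, "authoritative"


class FakeClock:
    """Constructed clock so the TTL countdown can be driven deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed stand-in for the authoritative servers: name -> (addresses, TTL).
AUTHORITATIVE_ANSWERS = {
    ("www.microsoft.com", "A"): (["198.200.200.10"], 3600),   # zone minimum TTL
    ("mail.microsoft.com", "A"): (["198.200.200.11"], 300),   # shorter per-record TTL
}


def constructed_upstream(name, rtype):
    return AUTHORITATIVE_ANSWERS[(name.lower(), rtype)]


if __name__ == "__main__":
    clock = FakeClock()
    resolver = Resolver(constructed_upstream, clock)
    print(resolver.resolve("www.microsoft.com"))
    clock.now = 1000
    print(resolver.resolve("www.microsoft.com"))   # from cache, TTL 2600
    clock.now = 3601
    print(resolver.resolve("www.microsoft.com"))   # expired, fetched again
```

The second query gets the answer with 2600 seconds left rather than the original 3600, which is how downstream caches avoid holding a record past the time the authoritative server intended; a record set with a short TTL, like the mail entry here, is re-fetched (and so re-validated) far more often, at the cost of more query traffic.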

Implementing a Caching-Only Server

Although all DNS name servers cache queries that they have resolved, caching-only servers are DNS name servers that only perform queries, cache the answers, and return the results. They are not authoritative for any domains and the information that they contain is limited to what has been cached while resolving queries. The benefit provided by caching-only servers is that they do not generate zone transfer network traffic because they do not contain any zones. However, there is one disadvantage: when the server is initially started, it has no cached information and must build up this information over time as it services requests. Because such a server performs recursion for whoever can reach it, place it where only your own clients can query it rather than exposing it to the Internet.

  • To install a caching-only DNS server

    1. Install the DNS Server service on the computer.

      It is strongly recommended that, when operating the computer as a DNS server, you manually configure TCP/IP and use a static IP address.

    2. Do not configure the DNS server to load any zones.

      A caching-only DNS server can be valuable at a site where DNS functionality is needed locally but it is not administratively desirable to create a separate domain or zone for that location. Caching-only DNS servers do not host any zones and are not authoritative for a particular domain. They are DNS servers that build a local server cache of names learned while performing recursive queries on behalf of their clients. This information is then available from its cache when answering subsequent client queries.

    3. Verify that server root hints are configured or updated correctly.
Supporting Network Address Translation (NAT)

    Introducing NAT

    NAT enables private IP addresses to be translated into public IP addresses for traffic to and from the Internet. This keeps traffic from passing directly to the internal network, while saving the small office or home office user the time and expense of getting and maintaining a public address range. This lesson provides an overview of NAT.

    Network Address Translation

    Microsoft Windows 2000 Network Address Translation (NAT) allows computers on a small network, such as a small office or home office, to share a single Internet connection with only a single public IP address. The computer on which NAT is installed can act as a network address translator, a simplified DHCP server, a Domain Name System (DNS) proxy, and a Windows Internet Name Service (WINS) proxy. NAT allows host computers to share one or more publicly registered IP addresses, helping to conserve public address space.

    Understanding Network Address Translation

    With NAT in Windows 2000, you can configure your home network or small office network to share a single connection to the Internet. NAT consists of the following components:

    • Translation component. The Windows 2000 router on which NAT is enabled, hereafter called the NAT computer, acts as a network address translator, translating the IP addresses and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) port numbers of packets that are forwarded between the private network and the Internet.
    • Addressing component. The NAT computer provides IP address configuration information to the other computers on the home network. The addressing component is a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway, and the IP address of a DNS server. You must configure computers on the home network as DHCP clients to receive the IP configuration automatically. The default TCP/IP configuration for computers running Windows 2000, Windows NT, Windows 95, and Windows 98 is as a DHCP client.
    • Name resolution component. The NAT computer becomes the DNS server for the other computers on the home network. When name resolution requests are received by the NAT computer, it forwards the name resolution requests to the Internet-based DNS server for which it is configured, and returns the responses to the home network computer.

    How NAT Works

    A network address translator is an IP router defined in RFC 1631 that can translate IP addresses and TCP/UDP port numbers of packets as they are being forwarded. Consider a small business network with multiple computers connecting to the Internet. A small business would normally have to obtain an ISP-allocated public IP address for each computer on its network. With NAT, however, the small business can use private addressing (as described in RFC 1597, since superseded by RFC 1918) and have the NAT map its private addresses to a single or to multiple public IP addresses as allocated by its ISP. For example, if a small business is using the 10.0.0.0 private network for its intranet and has been granted the public IP address of 198.200.200.1 by its ISP, the NAT maps (using static or dynamic mappings) all private IP addresses being used on network 10.0.0.0 to the public IP address of 198.200.200.1, keeping each inside connection distinct by the public port number it assigns.

    NAT Editors

    In the case where the NAT component must additionally translate and adjust the payload beyond the IP, TCP, and UDP headers, a NAT editor is required. A NAT editor is an installable component that can properly modify otherwise nontranslatable payloads so that they can be forwarded across a NAT. Windows 2000 includes built-in NAT editors for the following protocols:

    • FTP
    • Internet Control Message Protocol (ICMP)
    • Point-to-Point Tunneling Protocol (PPTP)
    • NetBIOS over TCP/IP

    Additionally, the NAT routing protocol includes proxy software for the following protocols:

    • H.323
    • Direct Play
    • Lightweight Directory Access Protocol (LDAP)-based Internet Locator Service (ILS) registration
    • Remote procedure call

    Installing and Configuring NAT

    The main intent of NAT is to save on the diminishing IP address space. A secondary benefit of NAT is providing network connectivity without the need to understand IP routing or IP routing protocols. The NAT can be used without the knowledge or cooperation of an ISP. Contacting the ISP for the addition of static routes is not required. In this lesson, you will learn how to install and configure NAT.

    Network Address Translation Design Considerations

    A common use for NAT is Internet connectivity from a home or small network. To prevent problems, there are certain design issues you should consider before you implement NAT. For example, when using a NAT, private addresses are normally used on the internal network. As described in Lesson 1, private addresses are intended for internal networks, meaning those not directly connected to the Internet. It is recommended that you use these addresses instead of picking addresses at random to avoid potentially duplicating IP address assignment. Additionally, you should consider routing instead of a NAT because routing is fast and efficient, and IP was designed to be routed. However, routing requires valid IP addresses and considerable knowledge to be implemented.

    IP Addressing Issues

    You should use addresses from the private IP network IDs reserved in RFC 1918: 10.0.0.0 with a subnet mask of 255.0.0.0 (10.0.0.0 through 10.255.255.255), 172.16.0.0 with a subnet mask of 255.240.0.0 (172.16.0.0 through 172.31.255.255), and 192.168.0.0 with a subnet mask of 255.255.0.0 (192.168.0.0 through 192.168.255.255). These addresses are never routed on the Internet. By default, NAT uses the private network ID 192.168.0.0 with the subnet mask of 255.255.255.0 for the private network.

    If you are using public IP networks that have not been allocated by the InterNIC or your ISP, then you may be using the IP network ID of another organization on the Internet. This is known as illegal or overlapping IP addressing. If you are using overlapping public addresses, then you cannot reach the Internet resources of the overlapping addresses. For example, if you use 1.0.0.0 with the subnet mask of 255.0.0.0, then you cannot reach any Internet resources of the organization that is using the 1.0.0.0 network. You can also exclude specific IP addresses from the configured range. Excluded addresses are not allocated to private network hosts.
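The translation described in How NAT Works and the private-address rule from IP Addressing Issues, as one added example (not code from the page or from the Windows 2000 NAT component): a port-translating NAT table that rewrites outbound packets, admits inbound packets only when a mapping exists, and refuses inside hosts that are not using RFC 1918 addresses. The public address 198.200.200.1 and the 10.0.0.0 network come from the text; the destination 203.0.113.9, the ports, and the packet dictionaries are constructed.

```python
from ipaddress import ip_address, ip_network

PRIVATE_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(addr):
    """True for the RFC 1918 ranges listed in the text."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETWORKS)


class Nat:
    """Dynamic many-to-one NAT keyed on (private address, port, protocol)."""

    def __init__(self, public_ip, first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private_ip, private_port, proto) -> public_port
        self.inbound = {}    # (public_port, proto) -> (private_ip, private_port)

    def translate_outbound(self, packet):
        """Rewrite the source of a packet leaving the private network,
        creating a mapping for the flow if this is its first packet."""
        if not is_private(packet["src"]):
            raise ValueError("inside host %s is not using a private address" % packet["src"])
        key = (packet["src"], packet["sport"], packet["proto"])
        if key not in self.outbound:
            port = self.next_port            # a fresh public port per inside flow
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, packet["proto"])] = (packet["src"], packet["sport"])
        return dict(packet, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, packet):
        """Rewrite the destination of a packet arriving from the Internet.
        Without a matching mapping the packet is dropped, which is why
        unsolicited traffic never reaches an inside host."""
        key = (packet["dport"], packet["proto"])
        if packet["dst"] != self.public_ip or key not in self.inbound:
            return None
        private_ip, private_port = self.inbound[key]
        return dict(packet, dst=private_ip, dport=private_port)


if __name__ == "__main__":
    nat = Nat("198.200.200.1")
    out = nat.translate_outbound({"src": "10.0.0.5", "sport": 3001, "dst": "203.0.113.9",
                                  "dport": 80, "proto": "tcp"})
    print("outbound:", out)
    print("reply:", nat.translate_inbound({"src": "203.0.113.9", "sport": 80, "dst": "198.200.200.1",
                                           "dport": out["sport"], "proto": "tcp"}))
```

Two inside hosts that both use source port 3001 receive different public ports, so their replies can be told apart; the mapping table is also the whole of the "protection" NAT offers, and a NAT editor or static mapping that opens a port punches a hole through it.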

  • To configure the NAT server

    1. Install and enable Routing and Remote Access.

      In the Routing and Remote Access Server Setup Wizard, choose the options for ICS and to set up a router with the NAT routing protocol. After the wizard is finished, all of the configuration for NAT is complete. You do not need to complete steps 2 through 8. If you have already enabled Routing and Remote Access, then complete steps 2 through 8, as needed.

    2. Configure the IP address of the home network interface.

      For the LAN adapter that connects to the home network, configure the following:

      • IP address: 192.168.0.1
      • Subnet mask: 255.255.255.0
      • No default gateway

    3. Enable routing on your dial-up port.

      If your connection to the Internet is a permanent connection that appears in Windows 2000 as a LAN interface (such as DDS, T-Carrier, frame relay, permanent ISDN, xDSL, or cable modem), or if you are connecting your computer running Windows 2000 to another router before the connection to the Internet, and the LAN interface is configured with an IP address, subnet mask, and default gateway either statically or through DHCP, skip to step 6.

    4. Create a demand-dial interface to connect to your ISP.

      You must create a demand-dial interface that is enabled for IP routing and uses your dial-up equipment and the credentials that you use to dial your ISP.

    5. Create a default static route that uses the Internet interface.

      For a default static route, you need to select the demand-dial interface (for dial-up connections) or LAN interface (for permanent or intermediate router connections) that is used to connect to the Internet. The destination is 0.0.0.0 and the network mask is 0.0.0.0. For a demand-dial interface, the gateway IP address is not configurable.

    6. Add the NAT routing protocol.

      Instructions for adding the NAT routing protocol are described in the next procedure.

    7. Add your Internet and home network interfaces to the NAT routing protocol.

    8. Enable NAT addressing and name resolution.

  • To add NAT as a routing protocol

    1. Click Start, point to Programs, point to Administrative Tools, then click Routing and Remote Access.

    2. In the console tree, click General under Routing And Remote Access\Server Name\IP Routing.

    3. Right-click General, then click New Routing Protocol.

    4. In the Select Routing Protocol dialog box, click Network Address Translation, then click OK.

  • To enable NAT addressing

    1. Click Start, point to Programs, point to Administrative Tools, then click Routing And Remote Access.

    2. In the console tree, click NAT.

    3. Right-click NAT, then click Properties.

    4. In the Address Assignment tab, select the Automatically Assign IP Addresses By Using DHCP check box.

    5. If applicable, in IP Address And Mask, configure the range of IP addresses to allocate to DHCP clients on the private network.

    6. If applicable, click Exclude, configure the addresses to exclude from allocation to DHCP clients on the private network, then click OK.
  • Implementing Enterprise-Wide Network Security

    Monitoring Security Events

    You learned earlier about the sections of a network security plan. The administrative policies of a security plan include policies for delegating administrative tasks and for monitoring audit logs to detect suspicious activity. In this lesson, you will learn how to monitor security events in Windows 2000 so that attacks and intrusions on your network are detected and can be stopped.

    Monitoring Your Network Security

    The network security technologies you implement, such as Microsoft Proxy Server, can meet your security goals only if you plan and configure them carefully. Even with thorough preparation, anticipating every possible risk is difficult because

    • New risks develop.
    • Systems can break down, and the environment in which your systems operate changes over time.

    By continually reviewing your network security strategies, you can minimize security risks. However, you also need to watch actual network security activity to spot weaknesses before they are exploited, and to stop attempts to break security before they succeed.


    Viewing the Security Log
    1. On the Windows 2000 computer on which you enabled auditing of failed logon attempts, attempt to log on with an invalid user name and password.
    2. After the attempt fails, log on with a valid user name and password.
    3. Click Start, point to Programs, point to Administrative Tools, then click Event Viewer.

      Event Viewer opens.

    4. Click Security Log in the left pane.

      Notice that the failed logon attempt is shown in the right pane of the Event Viewer, as illustrated in Figure 14.6.

    5. Double-click the Failure Audit item in the event view to open the Event Properties window.

      Notice that the description section tells you the reason for the failure and the user name entered, but not the password entered.

    6. Click OK to close the Event Properties window.
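    The following is an added example, not part of the original lesson, that reviews a Security log export in bulk rather than one event at a time in Event Viewer. It assumes an Event Viewer tab-delimited text export with nine fields per line and descriptions in the Windows 2000 formats for events 528 (successful logon), 529 and 531 (failed logon); the log lines are constructed for the example, and the threshold and window are assumptions. Failure audits are grouped by workstation so that a burst spread over several user names (password spraying) is caught as well as a burst against one account, and the code notes when a success follows a burst, which is the case that deserves immediate attention. As the text says, the description carries the user name but never the password, so nothing here exposes credentials.

```python
"""Bulk review of Windows 2000 Security-log failure audits (added example,
not code from the original training text). Input layout, event formats
and sample lines are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failure audit event IDs in the Windows 2000 Logon/Logoff category.
FAILURE_IDS = {
    529: "unknown user name or bad password",
    530: "logon time restriction",
    531: "account disabled",
    532: "account expired",
    533: "workstation restriction",
    539: "account locked out",
}
SUCCESS_ID = 528


def _export_line(time_, event_id, user, ws, reason=None):
    """Build one constructed line in Event Viewer's tab-delimited export layout:
    Date, Time, Source, Type, Category, Event, User, Computer, Description."""
    if reason is None:
        kind, acct = "Success Audit", f"CORP\\{user}"
        desc = (f"Successful Logon: User Name: {user} Domain: CORP Logon Type: 2 "
                f"Logon Process: User32 Authentication Package: Negotiate "
                f"Workstation Name: {ws} Logon ID: (0x0,0x3E7)")
    else:
        kind, acct = "Failure Audit", "NT AUTHORITY\\SYSTEM"
        desc = (f"Logon Failure: Reason: {reason} User Name: {user} Domain: CORP "
                f"Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate "
                f"Workstation Name: {ws}")
    return "\t".join(["12/8/2007", time_, "Security", kind, "Logon/Logoff",
                      str(event_id), acct, "DC1", desc])


BAD_PW = "Unknown user name or bad password"
SAMPLE_EXPORT = "\n".join([  # constructed sample, not a real export
    _export_line("09:01:03", 529, "bob", "DC1", BAD_PW),
    _export_line("09:01:09", 529, "bob", "DC1", BAD_PW),
    _export_line("09:01:15", 529, "bob", "DC1", BAD_PW),
    _export_line("09:01:40", 528, "bob", "DC1"),  # success right after the burst
    _export_line("09:05:00", 531, "alice", "WS3", "Account currently disabled"),
    _export_line("09:10:01", 529, "administrator", "WS7", BAD_PW),
    _export_line("09:10:08", 529, "administrator", "WS7", BAD_PW),
    _export_line("09:10:15", 529, "jsmith", "WS7", BAD_PW),
    _export_line("09:10:22", 529, "administrator", "WS7", BAD_PW),
    _export_line("09:10:30", 529, "jsmith", "WS7", BAD_PW),
])


def parse_export(text):
    """Turn the tab-delimited export into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 9:
            raise ValueError(f"expected 9 tab-separated fields: {line!r}")
        date, time_, _src, kind, _cat, event_id, _acct, computer, desc = fields
        user = re.search(r"User Name:\s*(\S+)", desc)
        ws = re.search(r"Workstation Name:\s*(\S*)", desc)
        events.append({
            "when": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S"),
            "kind": kind,
            "event_id": int(event_id),
            "computer": computer,
            "target_user": user.group(1) if user else "",
            "workstation": ws.group(1) if ws else "",
            "description": desc,
        })
    return events


def find_logon_attacks(events, threshold=3, window=timedelta(seconds=60)):
    """Flag bursts of failed logons per originating workstation and report
    whether a success for one of the targeted accounts followed the burst."""
    by_ws = defaultdict(list)
    for ev in events:
        by_ws[ev["workstation"].lower()].append(ev)
    alerts = []
    for ws, evs in by_ws.items():
        evs.sort(key=lambda e: e["when"])
        failures = [e for e in evs if e["event_id"] in FAILURE_IDS]
        for i, start in enumerate(failures):
            burst = [f for f in failures[i:] if f["when"] - start["when"] <= window]
            if len(burst) < threshold:
                continue
            targeted = sorted({f["target_user"].lower() for f in burst})
            last = burst[-1]["when"]
            success_after = any(e["event_id"] == SUCCESS_ID and e["when"] > last
                                and e["target_user"].lower() in targeted for e in evs)
            alerts.append({
                "workstation": ws, "first": start["when"], "last": last,
                "failures": len(burst), "users": targeted,
                "reasons": sorted({FAILURE_IDS[f["event_id"]] for f in burst}),
                "success_after": success_after,
            })
            break  # one alert per workstation: the first qualifying burst
    alerts.sort(key=lambda a: a["first"])
    return alerts


if __name__ == "__main__":
    for a in find_logon_attacks(parse_export(SAMPLE_EXPORT)):
        flag = "SUCCEEDED AFTERWARDS" if a["success_after"] else "no success seen"
        print(f"{a['workstation']}: {a['failures']} failures against "
              f"{', '.join(a['users'])} ({'; '.join(a['reasons'])}), {flag}")
```

    Grouping by workstation rather than by account is deliberate: an attacker who tries three passwords each against many accounts never trips a per-account threshold. A single 531 (account disabled) event, like alice's above, is not alerted on; it is the burst, and above all a burst followed by a success, that matters.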
  • System Monitor

    System Monitor is a tool that tracks system resource usage; it can be used, for example, to test an application's use of system resources. Common objects that you can log are memory, CPU, network, and disk activity. Some additional counters, although not performance related, provide useful information about server security. These include

    • Server\Errors Access Permissions

    • Server\Errors Granted Access

    • Server\Errors Logon

    • IIS Security

  • To monitor security events using System Monitor

    1. Click Start, point to Programs, point to Administrative Tools, then click Performance.

      System Monitor opens in the MMC.

    2. In the right pane, click Add.

      The Add Counters dialog box appears, as illustrated in Figure 14.7.

    3. In the Performance Object drop-down list box, select Server.

    4. Click Select Counters From List.

    5. In the Counters list, select a counter, then click Add.

    6. Click Close to close the Add Counters dialog box.
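    An added example, not from the original lesson: the Server\Errors Logon counter (like the other Server\Errors counters) is assumed here to be a raw count that accumulates from the time the Server service started, which you can confirm on your own server by watching the value across a restart of the service. What is worth logging and alerting on is therefore the change between samples, not the value itself, and a drop between two samples means the service restarted rather than that errors were "undone". The samples below are constructed (seconds since the first sample, counter value), and the alert threshold is an assumption.

```python
"""Per-interval rates from a cumulative Server\\Errors counter (added example,
not code from the original training text). Samples are constructed."""

# (seconds since the first sample, counter value); the drop at t=300 models
# a restart of the Server service, which zeroes the cumulative count.
SAMPLES = [(0, 12), (60, 12), (120, 13), (180, 45), (240, 47), (300, 5), (360, 6)]


def counter_rates(samples):
    """Convert cumulative samples into per-interval deltas and per-minute rates.

    After a reset only the count since the restart is known, so the delta is
    the new value itself; the 'reset' flag tells the reader why."""
    rates = []
    prev_t, prev_v = samples[0]
    for t, v in samples[1:]:
        if t <= prev_t:
            raise ValueError("samples must be strictly increasing in time")
        reset = v < prev_v
        delta = v if reset else v - prev_v
        rates.append({
            "t": t,
            "delta": delta,
            "per_minute": delta * 60.0 / (t - prev_t),
            "reset": reset,
        })
        prev_t, prev_v = t, v
    return rates


def flag_bursts(rates, threshold_per_minute=10):
    """Intervals whose failed-logon rate reached the threshold."""
    return [r for r in rates if r["per_minute"] >= threshold_per_minute]


if __name__ == "__main__":
    for r in counter_rates(SAMPLES):
        note = " (service restarted)" if r["reset"] else ""
        print(f"t={r['t']:4d}s  +{r['delta']:3d}  {r['per_minute']:5.1f}/min{note}")
    print("bursts:", [b["t"] for b in flag_bursts(counter_rates(SAMPLES))])
```

    The same delta-and-reset handling applies to Errors Access Permissions and Errors Granted Access; only the threshold differs. Keep the sampling interval fixed, because the per-minute normalisation is what makes thresholds comparable across logs.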
  • Monitoring Security Overhead

    Security is achieved only at some cost in performance. Measuring the performance overhead of a security strategy is not simply a matter of monitoring a separate process or thread. The features of the Windows 2000 security model and other security services are integrated into several different operating system services, so you cannot monitor security features separately from other aspects of those services. Instead, the most common way to measure security overhead is to run tests comparing server performance with and without a security feature. The tests should be run with fixed workloads and a fixed server configuration so that the security feature is the only variable, and each configuration should be run more than once, because a single run cannot separate the feature's cost from normal variation. During the tests, you should measure

    • Processor activity and the processor queue
    • Physical memory used
    • Network traffic
    • Latency and delays
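    An added example, not from the original lesson, of the with/without test the text describes, written in Python rather than run on a Windows 2000 server: the same fixed batch of constructed JSON records is handled once without and once with an HMAC-SHA256 integrity check, with the workload and configuration held constant so the check is the only variable. It collects the four quantities listed above: CPU time, peak memory, bytes on the wire, and latency percentiles. The key, record layout and batch size are assumptions, and the memory pass is run separately so that the tracer itself does not skew the timing.

```python
"""A/B measurement of a security feature's overhead on a fixed workload
(added example, not code from the original training text). Key, record
layout and workload size are constructed assumptions."""
import hashlib
import hmac
import json
import random
import time
import tracemalloc

KEY = b"constructed-demo-key-not-for-production"  # assumption: shared secret
TAG_LEN = hashlib.sha256().digest_size             # 32 bytes added per message


def build_workload(n=2000, seed=7):
    """Constructed, reproducible batch of JSON records: the fixed workload."""
    rnd = random.Random(seed)
    return [json.dumps({"account": rnd.randrange(10**6),
                        "amount": rnd.randrange(1, 10**4),
                        "memo": "x" * rnd.randrange(0, 200)}).encode()
            for _ in range(n)]


def secure(payload):
    """Sender side of the secured variant: append an HMAC-SHA256 tag."""
    return payload + hmac.new(KEY, payload, hashlib.sha256).digest()


def tamper(message):
    """Flip one payload byte and leave the tag in place (a manipulation attempt)."""
    body = bytearray(message)
    body[0] ^= 0x01
    return bytes(body)


def handle_plain(message):
    """Baseline: parse the record and return its amount."""
    return json.loads(message)["amount"]


def handle_authenticated(message):
    """Secured variant: verify the tag in constant time, then parse."""
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject; never parse unauthenticated input
    return handle_plain(payload)


def run_variant(name, messages, handler):
    """Run one configuration over the whole batch and collect the measurements."""
    latencies = []
    cpu_start = time.process_time()
    for m in messages:
        t0 = time.perf_counter()
        handler(m)
        latencies.append(time.perf_counter() - t0)
    cpu = time.process_time() - cpu_start
    # Peak memory is traced in a second pass so the tracer does not skew timing.
    tracemalloc.start()
    for m in messages:
        handler(m)
    _, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    latencies.sort()
    return {
        "name": name,
        "messages": len(messages),
        "cpu_seconds": cpu,
        "peak_bytes": peak,
        "bytes_on_wire": sum(len(m) for m in messages),
        "p50_ms": latencies[len(latencies) // 2] * 1e3,
        "p95_ms": latencies[int(len(latencies) * 0.95)] * 1e3,
    }


def measure_overhead(n=2000):
    """Same payloads through both variants; returns both reports and the ratios."""
    payloads = build_workload(n)
    baseline = run_variant("plain", payloads, handle_plain)
    secured = run_variant("hmac", [secure(p) for p in payloads], handle_authenticated)
    ratios = {k: (secured[k] / baseline[k] if baseline[k] else float("inf"))
              for k in ("cpu_seconds", "peak_bytes", "bytes_on_wire", "p50_ms", "p95_ms")}
    return baseline, secured, ratios


if __name__ == "__main__":
    base, sec, ratio = measure_overhead()
    for k, v in ratio.items():
        print(f"{k:14s} plain={base[k]:.4g}  hmac={sec[k]:.4g}  ratio={v:.2f}")
```

    The bytes-on-wire ratio is the one number that is exact (32 bytes per message); the CPU, memory and latency ratios vary from run to run, which is why the text's advice to fix the workload and configuration matters and why several runs, not one, should be compared. The tampered-message check is included because a security feature whose overhead you measure but whose rejection path you never exercise has not been tested.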

    Implementing Network Security

    As you plan your network, you should implement security technologies that are appropriate for your organization. Addressing these issues early in your Windows 2000 deployment planning reduces the risk of a breach and ensures that you are ready to provide secure networking facilities when they are needed. In this lesson, you will learn how to implement security on your network.

    Planning for Network Security

    Even if you are confident that you have implemented a secure network environment, it is important to review your security strategies in light of the capabilities of Windows 2000. Some of the new network security technologies in Windows 2000 might cause you to rework your security plan. As you develop your network security plan, you should

    • Assess your network security risks.
    • Determine your server size and placement requirements.
    • Prepare your staff.
    • Create and publish security policies and procedures.
    • Use a formal methodology to create a deployment plan for your security technologies.
    • Identify your user groups and their specific needs and security risks.

    Assessing Network Security Risks

    Although the ability to share and obtain information is very beneficial, it also presents security risks, described in Table 14.1.

    Table 14.1 Network Security Risks

    • Identity interception: The intruder discovers the user name and password of a valid user. This can occur by a variety of methods, both social and technical.
    • Masquerade: An unauthorized user pretends to be a valid user. For example, a user assumes the Internet Protocol (IP) address of a trusted system and uses it to gain the access rights granted to the impersonated device or system.
    • Replay attack: The intruder records a network exchange between a user and a server and plays it back later to impersonate the user.
    • Data interception: If data moves across the network as plaintext, unauthorized persons can monitor and capture it.
    • Manipulation: The intruder causes network data to be modified or corrupted. Unencrypted and unauthenticated network financial transactions are vulnerable to manipulation. Viruses can also corrupt network data.
    • Repudiation: Network-based business and financial transactions are compromised if the sender can later deny having sent a message because the recipient cannot prove who sent it.
    • Macro viruses: Application-specific viruses that exploit the macro language of sophisticated documents and spreadsheets.
    • Denial of service: The intruder floods a server with requests that consume system resources and either crash the server or prevent useful work from being done. Crashing the server sometimes provides opportunities to penetrate the system.
    • Malicious mobile code: Malicious code that runs as an automatically executed ActiveX control or Java applet downloaded from a Web server on the Internet.
    • Misuse of privileges: An administrator of a computing system knowingly or mistakenly uses full privileges over the operating system to obtain private data.
    • Trojan horse: A general term for a malicious program that masquerades as a desirable and harmless utility.
    • Social engineering attack: Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records.

    Competitors could attempt to gain access to proprietary product information, or unauthorized users could attempt to maliciously modify Web pages or overload computers so that they are unusable. Additionally, employees might access confidential information. It is important to prevent these types of security risks to ensure that your company's business functions proceed undisturbed.

    Network Authentication

    Authentication is the process of verifying the identity of users who attempt to connect to a network. Authenticated users can then use network resources according to their access permissions. To provide authentication to network users, you establish user accounts; this is critical for security management. Without authentication, resources such as files are accessible to anyone who can reach them.