CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Agenda • Chapter 5: Configuring Routing and Remote Access (RRAS) and Wireless Networking • Exercise • Lab • Quiz
Routing • The process of transferring data across an internetwork from one LAN to another
Hub & Switch • A hub (multi-port repeater) operates at Layer 1 • Receives the incoming signal and recreates it for transmission on all of its ports • A switch examines the destination and source addresses of a data frame and forwards it to the destination port • Most switches operate at Layer 2
Router (Layer 3 Device) • Determines the route from a source network to a destination network, then sends packets along that path • Joins networks together over extended distances or WANs • Routers choose the fastest or cheapest route • Connects dissimilar LANs, such as an Ethernet LAN, to a Fiber Distributed Data Interface (FDDI) backbone
Routing Protocols • Used to automatically transmit information about the routing topology and about which segments can be reached via which router • Windows Server 2003 supports both • RIPv2 (Routing Information Protocol) • OSPF (Open Shortest Path First) • Windows Server 2008 supports only RIPv2
Routing Information Protocol (RIP) • Designed for use only on smaller networks • Broadcast-based protocol • Broadcasts information about available networks on a regular basis, as well as when the network topology changes • RIP v2 • Improves on the amount of routing information provided by RIP • Increases the security of the routing protocol
Open Shortest Path First (OSPF) • Designed for use on significantly larger networks • Each OSPF router maintains a database of routes to all destination networks that it knows of • It routes the traffic using the best (shortest) route • It shares database information only with those OSPF routers that it has been configured to share information with
Software-based Router • A Windows Server 2008 computer can be used to route traffic on a small network • Routing and Remote Access server role • Under Network Policy and Access Services
Static Routes • Manually configured by a router administrator • Static routes do not add any processing overhead on the router • Not appropriate for large or complex environments
Windows Server 2008 Routing Protocols • Generally, you do not need a routing protocol for small subnets • Windows Server 2008 includes three routing protocols that can be added to the Routing and Remote Access service: • RIPv2 • IGMP Router And Proxy • Used for multicast forwarding • DHCP Relay Agent
Routing Table • Provides directions toward destination networks or hosts (routes) • Each route consists of a destination, network mask, gateway, interface, and metric • The IP routing table serves as a decision tree that enables IP to decide the interface and gateway through which it should send the outgoing traffic • See Figure 5-5 and Figure 5-6 on Page 106
Routing Table (Cont.) • 0.0.0.0 • Default route • 224.0.0.0 • Entries refer to a separate multicast route • Metric • Lower metric is chosen for the path
Routing Table (Cont.) • Four types of routes • Directly attached network routes • Gateway can be blank • Same subnet; use ARP to resolve the destination to a MAC address • Remote network routes • For subnets that are available across routers and that are not directly attached to the node • Host routes • A route to a specific IP address • Default routes
Route Command • To configure the routing table from the command line, use the route command-line utility • The Route utility syntax is as follows: route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric] [if Interface]] • See Table 5-1 on Page 108
Demand-Dial Routing • Routing and Remote Access also includes support for demand-dial routing (also known as dial-on-demand routing) • Dials and makes a connection automatically whenever the router receives a packet for that route • Drops the connection when it has been idle for a certain amount of time • You can use a dial-up connection
Remote Access • A Windows Server 2008 computer • Can act as a Network Address Translation (NAT) device • Allows internal network clients to connect to the Internet using a single shared IP address • Can provide both NAT and VPN services • Can be configured for a secure site-to-site connection between two private networks • Dial-up networking (DUN) • Often uses unencrypted traffic • Virtual Private Network (VPN)
Virtual Private Network (VPN) • Creates a secure point-to-point connection • Relies on secure TCP/IP-based protocols called tunneling protocols • The remote access server authenticates the VPN client and creates a secured connection • A VPN is a logical connection between the VPN client and the VPN server over a public network • In order to secure any data sent over the public network, VPN data must be encrypted
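The decision tree the routing-table slides describe, worked as an added example (not code from the course or from Windows): a constructed table in the column layout of `route print` on Windows Server 2008 is parsed, then the most specific mask wins and, between equal masks, the lowest metric, with the 0.0.0.0 default route as the fallback and "On-link" entries treated as directly attached routes that are resolved with ARP. The sample addresses and the two competing routes to 10.20.0.0/16 are assumptions made up for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    destination: str
    netmask: str
    gateway: str      # "On-link" marks a directly attached route (no gateway hop)
    interface: str
    metric: int

# Constructed sample in the column layout of `route print` on Windows Server 2008,
# not a capture from a real host. Two routes to 10.20.0.0/16 differ only by metric.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.10      10
        127.0.0.0        255.0.0.0          On-link      127.0.0.1     306
        10.20.0.0      255.255.0.0    192.168.1.254   192.168.1.10      20
        10.20.0.0      255.255.0.0    192.168.1.253   192.168.1.10      30
      192.168.1.0    255.255.255.0          On-link   192.168.1.10     266
     192.168.1.10  255.255.255.255          On-link   192.168.1.10     266
        224.0.0.0        240.0.0.0          On-link   192.168.1.10     266
"""

def parse_route_print(text: str) -> list[Route]:
    """Turn the five-column table into Route entries; the header line is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) == 5:
            routes.append(Route(cols[0], cols[1], cols[2], cols[3], int(cols[4])))
    return routes

def select_route(routes: list[Route], dest_ip: str) -> Optional[Route]:
    """Most specific (longest) mask wins; among equal masks the lowest metric wins."""
    ip = ipaddress.IPv4Address(dest_ip)
    matches = [r for r in routes
               if ip in ipaddress.IPv4Network(f"{r.destination}/{r.netmask}", strict=False)]
    if not matches:
        return None   # cannot happen while a 0.0.0.0 default route is present
    return max(matches, key=lambda r: (
        ipaddress.IPv4Network(f"0.0.0.0/{r.netmask}").prefixlen, -r.metric))

def next_hop(routes: list[Route], dest_ip: str) -> Optional[tuple[str, str]]:
    """(address to resolve with ARP, interface); on-link routes resolve the destination itself."""
    r = select_route(routes, dest_ip)
    if r is None:
        return None
    return (dest_ip if r.gateway == "On-link" else r.gateway, r.interface)

ROUTES = parse_route_print(SAMPLE_ROUTE_PRINT)
```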
Virtual Private Network (VPN) • A VPN connection in Windows Server 2008 consists of the following components: • A VPN server • A VPN client • A VPN connection (the portion of the connection in which the data is encrypted) • A VPN tunnel (the portion of the connection in which the data is encapsulated)
Virtual Private Network (VPN) • Two tunneling protocols are available with Routing and Remote Access: • Point-to-Point Tunneling Protocol (PPTP) • In Windows Server 2008, PPTP supports only the 128-bit RC4 encryption algorithm • Layer Two Tunneling Protocol (L2TP) • L2TP is combined with IPSec to provide a secure, encrypted VPN solution • In Windows Server 2008, L2TP supports the Advanced Encryption Standard (AES) 256-bit, 192-bit, 128-bit, and 3DES encryption algorithms by default
Network Address Translation (NAT) • A protocol that enables private networks to connect to the Internet • Translates private IP addresses to/from public IP addresses • The NAT process also obscures private networks from external access by hiding private IP addresses from public networks • The only IP address that is visible to the Internet is the IP address of the computer running NAT
Network Policy Server (NPS) • After a user submits credentials to create a remote access connection • The remote access connection must be authorized by • Network Policy Server (NPS) RRAS role service • A third-party authentication and authorization service such as a Remote Authentication Dial-In User Service (RADIUS) server
Network Policy Server (NPS) • Remote access authorization consists of two steps: • Verifying the dial-in properties of the user account • Verifying any NPS Network Policies that have been applied against the Routing and Remote Access server
NPS Network Policies • An NPS Network Policy is a set of permissions or restrictions, read by a remote access authenticating server, that applies to remote access connections • A rule for evaluating remote connections consists of three components: • Conditions • Constraints • Settings
NPS Network Policies • NPS Network Policies are ordered on each Remote Access server • Each policy is evaluated in order from top to bottom • Once the RRAS server finds a match, it will stop processing additional policies • See Figure 5-9 on Page 116
NPS Network Policy • Two NPS Network Policies are preconfigured in Windows Server 2008 • Connections To Microsoft Routing And Remote Access Server • Configured to match every remote access connection to the Routing and Remote Access service • Connections To Other Access Servers • Configured to match every incoming connection, regardless of network access server type • If an incoming connection is being authenticated by a RADIUS server or some other authentication mechanism, this policy will take effect
Policy Conditions • Each NPS Network Policy is based on policy conditions that determine when the policy is applied • A policy with a group condition then matches a connection for a user who belongs to that global security group • Only membership in global security groups can serve as a remote access policy condition • Universal or domain local security groups cannot be specified as the condition for a remote access policy
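The top-to-bottom, first-match evaluation from the NPS Network Policies slides, as an added example (not code from the course or from NPS): the two preconfigured policies, which deny by default, are modelled alongside a constructed "Allow VPN-Users" policy, and the same request is evaluated with the new policy at the bottom and at the top. The dictionary keys (windows_group, nas_type, auth) and the sample users are assumptions standing in for the real NPS condition and constraint names; the check shows why a policy appended below "Connections To Microsoft Routing And Remote Access Server" never takes effect.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NetworkPolicy:
    name: str
    conditions: dict            # all must hold for the policy to match
    grant: bool                 # Grant access / Deny access
    constraints: dict = field(default_factory=dict)   # checked only after a match
    settings: dict = field(default_factory=dict)      # applied to granted connections

@dataclass
class ConnectionRequest:
    user: str
    groups: frozenset           # global security groups the account belongs to
    nas_type: str               # "rras" stands in for the MS-RAS Vendor condition (assumption)
    auth: str                   # authentication protocol offered by the client

def matches(policy: NetworkPolicy, req: ConnectionRequest) -> bool:
    """Every condition must hold; an empty condition set matches any connection."""
    for key, wanted in policy.conditions.items():
        if key == "windows_group" and wanted not in req.groups:
            return False
        if key == "nas_type" and req.nas_type != wanted:
            return False
    return True

def evaluate(policies: list[NetworkPolicy], req: ConnectionRequest) -> tuple[Optional[str], bool]:
    """Top-to-bottom first match: once a policy matches, later policies are never consulted."""
    for p in policies:
        if not matches(p, req):
            continue
        allowed_auth = p.constraints.get("auth")
        if allowed_auth is not None and req.auth not in allowed_auth:
            return p.name, False    # matched, but a constraint failed: rejected
        return p.name, p.grant
    return None, False              # nothing matched: treated as denied here

# The two policies preconfigured by NPS (both deny by default) plus one an admin adds.
RRAS_DEFAULT = NetworkPolicy("Connections To Microsoft Routing And Remote Access Server",
                             {"nas_type": "rras"}, grant=False)
OTHER_DEFAULT = NetworkPolicy("Connections To Other Access Servers", {}, grant=False)
ALLOW_VPN = NetworkPolicy("Allow VPN-Users (constructed example)",
                          {"windows_group": "VPN-Users", "nas_type": "rras"}, grant=True,
                          constraints={"auth": {"MS-CHAP v2", "EAP-TLS"}})

MISORDERED = [RRAS_DEFAULT, OTHER_DEFAULT, ALLOW_VPN]   # new policy appended at the bottom
CORRECT = [ALLOW_VPN, RRAS_DEFAULT, OTHER_DEFAULT]      # new policy moved to the top

ALICE = ConnectionRequest("alice", frozenset({"VPN-Users"}), "rras", "MS-CHAP v2")
```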
Policy Settings • An NPS Network policy profile consists of a set of settings and properties that can be applied to a connection • Such as IP Address properties • You can configure an NPS profile by clicking the Settings tab in the policy Properties page • See Figure 5-12 on Page 118
Policy Settings • You can set multilink properties • Enables a remote access connection to use multiple modem connections for a single connection and determines the maximum number of ports (modems) that a multilink connection can use • You can also set Bandwidth Allocation Protocol (BAP) policies • Determine BAP usage and specify when extra BAP lines are dropped • By default, multilink and BAP are disabled • Multilink and BAP must be enabled for the multilink properties of the profile to be enforced
Policy Settings • Four encryption options available in the Encryption tab:
Authentication Protocols • Challenge Handshake Authentication Protocol (CHAP) • A generic authentication method that offers encryption of authentication data through the MD5 hashing scheme • CHAP provides compatibility with non-Microsoft clients • The group policy that is applied to accounts using this authentication method must be configured to store passwords using reversible encryption • Passwords must be reset after this new policy is applied • It does not support encryption of connection data
Authentication Protocols • Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP) • Supports encryption of authentication data through the MD5 hashing scheme • It does not support the encryption of connection data • Provides compatibility with non-Microsoft clients, such as those running Mac OS X
Authentication Protocols • MS-CHAP v1 • A one-way authentication method that offers encryption of both authentication data and connection data • The same cryptographic key is used in all connections • MS-CHAP v1 supports older Windows clients, such as Windows 95 and Windows 98
Authentication Protocols • MS-CHAP v2 • A mutual authentication method that offers encryption of both authentication data and connection data • A new cryptographic key is used for each connection and each transmission direction • MS-CHAP v2 is enabled by default in Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008
Authentication Protocols • EAP-TLS • A certificate-based authentication that is based on EAP • Typically used in conjunction with smart cards • Supports encryption of both authentication data and connection data • The remote access server must be a member of a domain • Stand-alone servers do not support EAP-TLS
Authentication Protocols • Shiva Password Authentication Protocol (SPAP) • A weakly encrypted authentication protocol that offers interoperability with Shiva remote networking products • SPAP does not support the encryption of connection data • Password Authentication Protocol (PAP) • A generic authentication method that does not encrypt authentication data • User credentials are sent over the network in plaintext • PAP does not support the encryption of connection data • Unauthenticated access • Allows remote access connections to connect without submitting credentials
Authentication Protocols • See Table 5-2 on Page 120 for authentication requirements
Accounting • By default, all remote access attempts are logged to text files • In the C:\Windows\system32\LogFiles directory • You can also configure logging to a SQL database for better reporting and event correlation
802.1X • 802.1X is port-based • It can allow or deny access on the basis of a physical port or a logical port • A wall jack, using an Ethernet cable • A wireless access point, using a Wi-Fi card
802.1X Components • Supplicant • The device that is seeking access to the network • Authenticator • The component that requests authentication credentials from supplicants • Forwards the supplicant's credentials to the Authentication Server (AS) • The port on a switch for a wired connection, or a wireless access point • Authentication Server (AS) • Verifies the supplicant's authentication credentials • Requires the Network Policy Server role or a third-party RADIUS server
Assignment • Summarize the chapter in your own words • At least 75 words • Due BEFORE class starts on Thursday • Lab 5 • Due BEFORE class starts on Monday