Transcript Chapter 5

CN2140 Server II
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCITP, MCTS, MCDST,
MCP, A+
Agenda
• Chapter 5: Configuring Routing and Remote
Access (RRAS) and Wireless Networking
• Exercise
• Lab
• Quiz
Routing
• The process of transferring data across an
internetwork from one LAN to another
Hub & Switch
• A hub (multi-port repeater) operates at Layer 1
▫ Receives the incoming signal and recreates it for
transmission on all of its ports
• A switch examines the destination and source
address of data frame, and forwards to the
destination port
▫ Most switches operate at Layer 2
Router (Layer 3 Devices)
• Determines routes from a source network to a
destination network, then send packets to that
path
• To join networks together over extended
distances or WANs
▫ The routers choose the fastest or cheapest route
• To connect dissimilar LANs, such as an Ethernet
LAN, to a Fiber Distributed Data Interface
(FDDI) backbone.
Routing Protocols
• Used to automatically transmit information
about the routing topology and which segments
can be reached via which router.
• Windows Server 2003 support both
▫ RIPv2 (Routing Information Protocol)
▫ OSPF (Open Shortest Path First)
• Windows Server 2008 support only RIPv2
Routing Information Protocol (RIP)
• Designed for use only on smaller networks
• Broadcast-based protocol
▫ Broadcasts information about available networks on a
regular basis, as well as when the network topology
changes
• RIP v2
▫ Improve the amount of routing information that was
provided by RIP
▫ Increase the security of the routing protocol
Open Shortest Path First (OSPF)
• Designed for use on significantly larger networks
• Each OSPF router maintains a database of
routes to all destination networks that it knows
of
▫ It routes the traffic using the best (shortest) route
▫ It share database information only with those OSPF
routers that it has been configured to share
information with
Software-based Router
• Windows Server 2008 computer can be used to
route traffic on a small network
▫ Routing and Remote Access server role
 Under Network Policy and Access services
Static Routes
• Manually configured by a router administrator
▫ Static routes do not add any processing overhead
on the router
• Not appropriate for large or complex
environments
Windows Server 2008 Routing Protocols
• Generally, you do not need routing protocol for
small subnets
• Windows Server 2008 includes three routing
protocols that can be added to the Routing and
Remote Access service:
▫ RIPv2
▫ IGMP Router And Proxy
 Used for multicast forwarding.
▫ DHCP Relay Agent
Routing Table
• Provide directions toward destination networks
or hosts (Route)
▫ Each route consists of a destination, network
mask, gateway interface, and metric
• The IP routing table serves as a decision tree
that enables IP to decide the interface and
gateway through which it should send the
outgoing traffic
▫ See Figure 5-5 and Figure 5-6 on Page 106
Routing Table (Cont.)
• 0.0.0.0
▫ Default route
• 224.0.0.0
▫ Entries refer to a separate multicast route
• Metric
▫ Lower metric is chosen for the path
Routing Table (Cont.)
• Four types of routes
▫ Directly attached network routes
 Gateway can be blank
 Same subnet, use arp to resolve to MAC address
▫ Remote network routes
 For subnets that are available across routers and
that are not directly attached to the node
▫ Host routes
 A route to a specific IP address
▫ Default routes
Route Command
• To configure the routing table from the
command line, use the route command-line
utility
• The Route utility syntax is as follows:
route [-f] [-p] [Command [Destination] [mask
Netmask] [Gateway] [metric Metric] [if
Interface]
• See Table 5-1 on Page 108
Demand-Dial Routing
• Routing and Remote Access also includes
support for demand-dial routing (also known as
dial-on-demand routing)
▫ To dial/make a connection automatically
whenever the router receives a packet
▫ Drop the connection when idle for certain amount
of time
▫ You can use dial-up connection
Remote Access
• A Windows Server 2008 computer
▫ Can act as a Network Address Translation
(NAT ) device
 Allows internal network clients to connect to the
Internet using a single shared IP address
▫ Can provide both NAT and VPN services
▫ Can configure a secure site-to-site connection
between two private networks
• Dial-up networking (DUN)
▫ Often use unencrypted traffic
• Virtual Private Network (VPN)
Virtual Private Network (VPN)
• Creates a secure point-to-point connection
• Rely on secure TCP/IP-based protocols called
tunneling protocols
▫ The remote access server authenticates the VPN client
and creates a secured connection
• A VPN is a logical connection between the VPN
client and the VPN server over a public network
▫ In order to secure any data sent over the public
network, VPN data must be encrypted
Virtual Private Network (VPN)
• A VPN connection in Windows Server 2008
consists of the following components:
▫ A VPN server
▫ A VPN client
▫ A VPN connection (the portion of the connection
in which the data is encrypted)
▫ A VPN tunnel (the portion of the connection in
which the data is encapsulated)
Virtual Private Network (VPN)
• Two tunneling protocols available with Remote
and Routing Access:
▫ Point-to-Point Tunneling Protocol (PPTP)
 In Windows Server 2k8, PPTP supports only the
128-bit RC4 encryption algorithm
▫ Layer Two Tunneling Protocol (L2TP)
 L2TP with IPSec to provide a secure, encrypted VPN
solution
 In Windows Server 2k8, L2TP will support the
Advanced Encryption Standard (AES) 256-bit, 192bit, 128-bit, and 3DES encryption algorithms by
default
Network Access Translation (NAT)
• A protocol that enables private networks to connect to
the Internet
▫ Translates private IP addresses to/from public IP addresses
• The NAT process also obscures private networks from
external access by hiding private IP addresses from
public networks
• The only IP address that is visible to the Internet is the
IP address of the computer running NAT
Network Policy Server (NPS)
• After a user submits credentials to create a
remote access connection
• The remote access connection must be
authorized by
▫ Network Policy Server (NPS) RRAS role service
▫ A third-party authentication and authorization
service such as a Remote Authentication Dial-In
User Service (RADIUS) server
Network Policy Server (NPS)
• Remote access authorization consists of two
steps:
▫ Verifying the dial-in properties of the user account
▫ Verifying any NPS Network Policies that have
been applied against the Routing and Remote
Access server
NPS Network Policies
• An NPS Network Policy is a set of permissions or
restrictions that is read by a remote access
authenticating server that applies to remote
access connections
• A rule for evaluating remote connections,
consists of three components:
▫ Conditions
▫ Constraints
▫ Settings
NPS Network Policies
• NPS Network Policies are ordered on each
Remote Access server
▫ Each policy is evaluated in order from top to
bottom
▫ Once the RRAS server finds a match, it will stop
processing additional policies
• See Figure 5-9 on Page 116
NPS Network Policy
• Two NPS Network Policies are preconfigured in
Windows Server 2008
▫ Connections To Microsoft Routing And Remote
Access Server
 Configured to match every remote access connection
to the Routing and Remote Access service
▫ Connections To Other Access Servers
 Configured to match every incoming connection,
regardless of network access server type
 If an incoming connection is being authenticated by
a RADIUS server or some other authentication
mechanism, this policy will take effect
Policy Conditions
• Each NPS Network policy is based on policy
conditions that determine when the policy is
applied
• This policy would then match a connection for a
user who belongs to the global security group
▫ Only membership in global security groups can
serve as a remote policy condition
▫ Universal or domain local security groups cannot
be specified as the condition for a remote access
policy
Policy Settings
• An NPS Network policy profile consists of a set
of settings and properties that can be applied to
a connection
▫ Such as IP Address properties
▫ You can configure an NPS profile by clicking the
Settings tab in the policy Properties page
• See Figure 5-12 on Page 118
Policy Settings
• You can set multilink properties
▫ Enable a remote access connection to use multiple modem
connections for a single connection and determine the
maximum number of ports (modems) that a multilink
connection can use
• You can also set Bandwidth Allocation Protocol (BAP)
policies
▫ Determine BAP usage and specify when extra BAP lines are
dropped
• By default, multilink and BAP are disabled
▫ Multilink and BAP must be enabled for the multilink
properties of the profile to be enforced
Policy Settings
• Four encryption options available in the Encryption tab:
Dial-up
PPTP-based VPN
Encryption Type
L2TP/IPSec VPN
Encryption Type
40-bit key
56-bit DES
Strong Encryption (MPPE 56-Bit) 56-bit key
56-bit DES
Strongest Encryption (MPPE 128-Bit)
168-bit 3DES
Basic Encryption (MPPE 40-Bit)
No Encryption
128-bit key
Authentication Protocols
• Challenge Handshake Authentication Protocol
(CHAP)
▫ A generic authentication method that offers
encryption of authentication data through the MD5
hashing scheme
▫ CHAP provides compatibility with non-Microsoft
clients
▫ The group policy that is applied to accounts using this
authentication method must be configured to store
passwords using reversible encryption
▫ Passwords must be reset after this new policy is
applied
▫ It does not support encryption of connection data
Authentication Protocols
• Extensible Authentication Protocol-Message
Digest 5 Challenge Handshake Authentication
Protocol (EAP-MD5 CHAP)
▫ Supports encryption of authentication data
through the MD5 hashing scheme
▫ It does not support the encryption of connection
data
▫ Provides compatibility with non-Microsoft clients,
such as those running Mac OS X
Authentication Protocols
• MS-CHAP v1
▫ A one-way authentication method that offers
encryption of both authentication data and
connection data
▫ The same cryptographic key is used in all
connections. MS-CHAP v1 supports older
Windows clients, such as Windows 95 and
Windows 98
Authentication Protocols
• MS-CHAP v2
▫ A mutual authentication method that offers
encryption of both authentication data and
connection data
▫ A new cryptographic key is used for each
connection and each transmission direction
▫ MS-CHAP v2 is enabled by default in Windows
2000, Windows XP, Windows Server 2003, and
Windows Server 2008
Authentication Protocols
• EAP-TLS
▫ A certificate-based authentication that is based on
EAP
▫ Typically used in conjunction with smart cards
▫ Supports encryption of both authentication data
and connection data
▫ The remote access server must be a member of a
domain
 Stand-alone servers do not support EAP-TLS
Authentication Protocols
• Shiva Password Authentication Protocol (SPAP)
▫ A weakly encrypted authentication protocol that offers
interoperability with Shiva remote networking products
▫ SPAP does not support the encryption of connection data
• Password Authentication Protocol (PAP)
▫ A generic authentication method that does not encrypt
authentication data
 User credentials are sent over the network in plaintext
▫ PAP does not support the encryption of connection data
• Unauthenticated access
▫ Allows remote access connections to connect without
submitting credentials
Authentication Protocols
• See Table 5-2 on Page 120 for authentication
requirement
Accounting
• By default, all remote access attempts are logged
to text files
▫ C:\Windows\system32\LogFiles directory
• You can also configure logging to a SQL DB for
better reporting and event correlation
802.1X
• 802.1X is port-based
▫ It can allow or deny access on the basis of a
physical port or a logical port
 Wall jack using an Ethernet cable
 Wireless access point using the WiFi cards
802.1X Components
• Supplicant
▫ The device that is seeking access to the network
• Authenticator
▫ The component that requests authentication
credentials from supplicants
▫ Forwards the supplicant’s credentials to the
Authentication Server (AS)
 The port on a switch for a wired connection or a
wireless access point
• Authentication Server (AS)
▫ Verifies the supplicant’s authentication credentials
▫ Required Network Policy Server role or thirdparty RADIUS servers
Assignment
• Summarize the chapter in your own word
▫ At least 75 words
▫ Due BEFORE class start on Thursday
• Lab 5
▫ Due BEFORE class start on Monday