Chain of Survival and EMSC


IP Addressing and Services
EXAM OBJECTIVES
Configuring IPv4 and IPv6 Addressing
Configuring Dynamic Host Configuration Protocol (DHCP)
Configuring Network Authentication
Configuring IP Security (IPSec)
Configuring Windows Firewall with Advanced Security

Copyright line.
Configuring IPv4 and IPv6 Addressing

IPv4 addressing uses 32 bits and a subnet mask to identify the network and host portions of the address.
IPv6 addressing uses 128 bits; the network information is contained in the leftmost 64 bits and the host information in the rightmost 64 bits. IPv6 uses hexadecimal notation.
Supernetting uses Classless Inter-Domain Routing (CIDR) notation, and this notation is also used in IPv6.
IPv6 address types include link-local, unique local IPv6 unicast, global unicast, multicast, anycast, and special addressing.
Link-local maps to IPv4 private addressing; global unicast maps to IPv4 public addressing.
The local loopback address in IPv6 is ::1/128; FE80::/64 is used for link-local addressing.
IPv4 to IPv6 transition technologies include dual IP layer architecture, IPv6 over IPv4 tunneling, Intra-Site Automatic Tunneling Addressing Protocol (ISATAP), 6to4, and Teredo.
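Added example (not from the slide deck): it classifies IPv6 addresses into the types listed above, splits an address with a prefix length into its network and host parts, and recovers the IPv4 address embedded in 6to4, ISATAP and Teredo transition addresses. It uses only Python's standard ipaddress module; the link-local check uses the full FE80::/10 prefix that RFC 4291 assigns, which covers the link-local range named above, and all sample addresses are constructed.

```python
import ipaddress

# Well-known prefixes (RFC 4291, RFC 4193); checked in order, first match wins.
TYPE_PREFIXES = [
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique local", ipaddress.IPv6Network("fc00::/7")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]


def classify(addr):
    """Name the address type, or 'special' for anything else (e.g. the unspecified ::)."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in TYPE_PREFIXES:
        if ip in net:
            return name
    return "special"


def split_network_host(cidr):
    """Return (network in CIDR form, host bits as an int) for an address/prefix pair."""
    iface = ipaddress.IPv6Interface(cidr)
    host_bits = int(iface) & int(iface.network.hostmask)  # bits to the right of the prefix
    return str(iface.network), host_bits


def embedded_ipv4(addr):
    """Return (transition technology, embedded IPv4 address), or None if not a transition address.

    6to4 carries the IPv4 in bits 16-47 of a 2002::/16 address; Teredo (2001:0::/32)
    stores the client IPv4 bit-inverted in the last 32 bits; ISATAP uses the interface
    identifier ::0:5efe:w.x.y.z (or ::200:5efe:w.x.y.z for a globally unique identifier).
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.sixtofour is not None:
        return ("6to4", str(ip.sixtofour))
    if ip.teredo is not None:          # (server, client); client is already de-obfuscated
        return ("teredo", str(ip.teredo[1]))
    words = ip.exploded.split(":")     # eight zero-padded 16-bit groups, lowercase
    if words[5] == "5efe" and words[4] in ("0000", "0200"):
        return ("isatap", str(ipaddress.IPv4Address(bytes.fromhex(words[6] + words[7]))))
    return None
```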
Slide 2
Configuring Dynamic Host Configuration Protocol (DHCP)

The DHCP server role in Windows Server 2008 includes native support for IPv6 as DHCPv6.
Scopes, reservations, exceptions, and scope options are configured for IPv6 much as they are for IPv4.
To bring a new DHCP server online, set its scope and configuration data, activate the scope, and authorize the server in the Active Directory domain.
DHCP and Network Access Protection (NAP) are integrated in Windows Server 2008, providing the ability to deny or limit access to network resources based on the client computer's health status. Health status includes having the latest operating system updates and antivirus signatures installed.
DHCP can be configured from the command line, which is helpful for managing DHCP servers remotely across the network.
Slide 3
Configuring Network Authentication

Network authentication is managed through Active Directory and uses Kerberos as the default authentication protocol. NTLMv2 is supported for backward compatibility and should be used only when needed.
Network Policy and Access Services is a role that can be installed on a Windows Server 2008 computer. It includes NPS, RRAS, RADIUS, RADIUS proxy, and NAP.
WLAN access and authentication follow the 802.11, 802.1X, and 802.3 standards. Associated protocols include EAP-TLS, PEAP-TLS, PEAP-MS-CHAPv2, PPTP, and SSTP.
Support for SPAP, EAP-MD5-CHAP, and MS-CHAPv1 has been removed in Windows Server 2008. The EAPHost architecture includes features not supported in earlier operating systems, including support for additional EAP methods, network discovery, vendor-specific EAP types, and coexistence of multiple EAP types across vendors.
Routing and Remote Access supports the use of IPSec in transport and tunnel modes. Point-to-Point Tunneling Protocol (PPTP), Microsoft Point-to-Point Encryption (MPPE), Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec), and Secure Socket Tunneling Protocol (SSTP) are supported for data authentication, integrity, encryption, and confidentiality.
Slide 4
Configuring IP Security (IPSec)

IPSec provides peer authentication, data origin authentication, data integrity, data confidentiality, anti-replay protection, and key management. Due to the increasing need for network security, IPSec is being implemented with greater frequency.
The AH and ESP protocols within IPSec provide different types of security. Data encryption is provided by ESP, not by AH, making ESP the preferred protocol.
IPSec is integrated with Windows Firewall with Advanced Security and is also managed through Group Policy in the Active Directory context.
IPSec can be configured from the command line within the netsh ipsec context.
IPSec can be used to provide server and domain isolation, ensuring that IP traffic between the isolated computers stays secure.
Slide 5
Configuring Windows Firewall with Advanced Security

New features include IPSec integration, support for IPv6, integration with Active Directory user, computer, and group settings, location-aware profiles (for mobile computers), detailed rules, and expanded authenticated bypass capabilities.
Inbound and outbound rules, along with connection security rules, give the network administrator the ability to create finely tuned rules to protect the network and the host.
Connection security rules can be configured with requirements, authentication methods, and profiles to manage and restrict connections on the network.
IPSec settings can be configured to use a variety of authentication methods. Customized IPSec data protection settings allow you to configure data protection to use the ESP and AH IPSec protocols. Advanced authentication methods can also be configured within the IPSec settings of Windows Firewall with Advanced Security.
Windows Firewall with Advanced Security can be configured using the snap-in from the Group Policy Management console.
You can use command line options for configuring, managing, and monitoring Windows Firewall with Advanced Security.
Slide 6
FAQ
Q: I'm pretty solid with IP addressing in IPv4 but I'm not really well-versed in IPv6. How much do I need to know for the exam?
A: You will need to be comfortable with IPv6 in order to navigate one or more questions on the exam. You should understand the basics such as the address format; how networks, hosts, and ranges are specified; and where you configure IPv6 settings. Also be clear about the terminology, such as temporary and nontemporary, specific to IPv6, and be sure to be familiar with site local, link local, and other IPv6 formats and naming conventions.
Slide 7
FAQ
Q: I've been reading a bit about Windows Server 2008 online and there's a lot of discussion about the Core version. What do I need to know about this?
A: Expect to see questions about using the command line on the exam. Command line options have always been available, but the release of the Core version of Windows Server 2008 will certainly bring this to the forefront. Don't expect the exam to test you on syntax necessarily, but do expect to see questions related to using the command line options for frequently used features.
Slide 8
FAQ
Q: DHCP is pretty basic stuff, though the addition of IPv6 makes it a bit different. What should I expect in the way of DHCP questions on the exam?
A: Expect to see questions that test your understanding of DHCP configuration and settings as well as questions that test your understanding and knowledge of new DHCP features. Since IPv6 is just being rolled into organizations, you can expect to see some IPv6-based questions related to DHCP.
Slide 9
FAQ
Q: There are tons of protocols—sometimes it's like alphabet soup—MS-CHAP, MS-CHAP v2, EAP, PEAP, PPP, Kerberos V5, and the list goes on. I'm having a hard time keeping all these straight and remembering how they're used (or not) in Windows Server 2008. Any tips you can share?
A: First, divide protocols into those used to authenticate users locally (Kerberos, etc.) and those used to authenticate users remotely (PPP, EAP, PEAP). It can be helpful to divide the protocols according to these areas so you can better keep track of what they do and when they're used. Also, spend time in the Routing and Remote Access Server segment of Windows Server 2008 as well as in the Windows Firewall with Advanced Security section. The more you see the various protocols being used in the default screens, the more they should sink in. Most of the time, the item will be spelled out the first time you see it. If it's not, then it's a pretty common acronym such as AD for Active Directory, or IP, IPSec, or DHCP.
Slide 10
FAQ
Q: I'm not sure I'm clear on the difference between IPSec settings in the Windows Firewall with Advanced Security and the IPSec settings in Active Directory Group Policy. I've reread the material in this chapter, but I am still a bit confused. Can you provide any additional information that might help?
A: Yes. Group Policy in AD specifies how computers, users, and groups must be configured or must interact with the network. If you specify IPSec within Group Policy for a set of computers, you are requiring that all computers to which that policy is applied use IPSec to communicate with other computers. Windows Firewall with Advanced Security, on the other hand, can be configured to require IPSec for inbound and/or outbound connections. So, the computers to which the IPSec Group Policy has been applied (we'll call them the GP computers for short here) can communicate with other GP computers or other computers using IPSec all day long and have no interaction with the IPSec rules in the Windows Firewall on the Windows Server 2008.
Slide 11
Test Day Tip

Expect to see a question or two on the exam comparing the features of IPv4 to the features of IPv6. Often you'll see several answers that are possibly correct, and you'll need to have a solid understanding of the differences between IPv4 and IPv6 in order to determine the correct response.
Slide 12
Test Day Tip

Remember that subnets are assigned to sites via the AD Sites and Services console, whereas subnetting options are set up in the DHCP Server role. Also remember that subnets can easily be moved to different sites within the AD Sites and Services console simply by double-clicking the subnet in the Subnets folder and changing the site association in the Site selection list on the General tab.
Slide 13
Exam Warning

Be familiar with IP notation in both IPv4 and IPv6. You're likely to see more on IPv6 and transitioning to IPv6 than on standard IPv4 notation. If you're not up to speed on IPv6, you might want to take some time to thoroughly understand IPv6 and transition technologies before heading into the exam.
Slide 14
Exam Warning

Questions about DHCP on the exam will likely fall into one of three types—DHCP server questions, DHCP relay agent questions, and DHCP lease questions.
Slide 15
Exam Warning

All DHCP traffic uses the User Datagram Protocol (UDP). Messages from the client to the server use UDP port 68 as the source port and port 67 as the destination port. Messages from the server to the client use just the reverse—UDP port 67 as the source and UDP port 68 as the destination. If you see questions using UDP ports 67 or 68, think DHCP.
Slide 16
Test Day Tip

Only Windows-based DHCP servers must be authorized in an Active Directory domain. If someone wanted to install a non-Windows-based DHCP server (such as a Linux-based DHCP server) on the network, they could start it up and start handing out IP configuration data to unsuspecting DHCP clients. Check your answers on DHCP to ensure the server specified is (or is not) Windows-based.
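Added example (not from the slide deck) that turns the two DHCP points above into a check a defender can run over flow records: it classifies UDP flows by the 67/68 port pair described in the earlier Exam Warning, and because AD authorization only stops Windows DHCP servers, it lists any host that answers on port 67 without being on an authorized-server list. The authorized address and the flow records are constructed sample data.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")

# Constructed sample data: 10.0.0.5 is the only DHCP server we have authorized.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.5"}
SAMPLE_FLOWS = [
    Flow("0.0.0.0", 68, "255.255.255.255", 67, "UDP"),    # DISCOVER from a new client
    Flow("10.0.0.5", 67, "255.255.255.255", 68, "UDP"),   # OFFER from the authorized server
    Flow("10.0.0.77", 67, "255.255.255.255", 68, "UDP"),  # OFFER from an unknown server
    Flow("10.0.0.23", 68, "10.0.0.5", 67, "UDP"),         # unicast renewal to the server
    Flow("10.0.0.23", 51515, "10.0.0.9", 53, "UDP"),      # DNS, not DHCP
    Flow("10.0.0.23", 68, "10.0.0.5", 67, "TCP"),         # right ports, wrong transport
]


def dhcp_direction(flow):
    """Return 'client->server', 'server->client', or None if the flow is not DHCP.

    DHCP runs over UDP only; relay agents forward to servers from port 67 to port 67,
    which this client/server check deliberately does not match.
    """
    if flow.proto != "UDP":
        return None
    if flow.src_port == 68 and flow.dst_port == 67:
        return "client->server"
    if flow.src_port == 67 and flow.dst_port == 68:
        return "server->client"
    return None


def summarize(flows):
    """Count DHCP flows by direction, ignoring everything that is not DHCP."""
    counts = {"client->server": 0, "server->client": 0}
    for flow in flows:
        direction = dhcp_direction(flow)
        if direction is not None:
            counts[direction] += 1
    return counts


def find_unauthorized_servers(flows, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return source IPs that answer as DHCP servers but are not on the authorized list."""
    return {flow.src_ip for flow in flows
            if dhcp_direction(flow) == "server->client" and flow.src_ip not in authorized}
```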
Slide 17
Exam Warning

Microsoft exams are notorious for extensive testing on new features. In Windows Server 2008, there are two notable new features related to DHCP. The first is support for Dynamic Host Configuration Protocol for IPv6 (DHCPv6), which is defined by the IETF's RFC 3315 specification. The second important change related to DHCP is the addition of Network Access Protection (NAP) enforcement support.
Slide 18
Test Day Tip

Be sure to familiarize yourself with the command line options. Even though you won't have to memorize every command and all its syntax to pass the exam, you should expect to see a fair amount of emphasis on command line usage. Understanding the basics of how to use the command line window, which is the user interface for the Windows Server 2008 Core installation, will help you answer these types of questions, and they might be the difference between passing and just squeaking by (or not).
Slide 19
Test Day Tip

Numerous authentication and communication-based protocols are no longer supported in Windows Server 2008. For the full list, refer to the Microsoft Web site. Support has been removed for:
· X.25
· SLIP-based connections (automatically updated to PPP-based connections)
· ATM
· NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
· Service for Macintosh
· OSPF
· SPAP, EAP-MD5-CHAP and MS-CHAPv1 authentication protocols
Slide 20
Test Day Tip

Group Policy and Network Policy Server are two Windows Server 2008 areas with which you should be familiar. Understand the role of Group Policy versus the role of Network Policy Server in securing the network. Be able to explain in your own words what these two features do in Windows Server 2008. If you can describe them in your own words, there's a good chance you understand their functionality and will be able to distinguish right and wrong answers on the exam.
Slide 21
Exam Warning

A concept you should be familiar with is defense-in-depth. This refers to a network security strategy that uses layers of security methods to provide security at several different layers of the network.
Slide 22
Exam Warning

Microsoft recommends enabling Windows Firewall with Advanced Security for all three profiles. You may see an exam question on this topic implying that you can enable only one profile at a time. You can configure these profiles by right-clicking Windows Firewall with Advanced Security in the left pane of Server Manager, then clicking Properties. You can also access the properties from the Action menu item, the Action pane on the right, or the center pane when the folder is selected. All three profiles should be enabled, but only one will be applied, based on the Network Awareness API functionality.
Slide 23
Exam Warning

Here's a key takeaway for working with Windows Firewall with Advanced Security. When you allow or block unsolicited traffic by creating a TCP or UDP port rule, that action will be taken any time Windows Firewall is running. This differs from creating a rule for a program, in which the action is taken only when the program is running. So, if you create a rule to allow UDP 1443 traffic, that rule will be enabled whenever the firewall is enabled (which should be all the time). Contrast that to a program rule that specifies that it needs UDP 1443 traffic. In that case, the firewall will allow UDP 1443 traffic only when the program is running—a much more secure setting and the recommended method, whenever possible.
Slide 24
Exam Warning

Whenever you run server-type commands from the command line, you must have Administrator-equivalent rights. Depending on the server and its roles, you may need Domain Administrator rights rather than local Administrator rights. That said, keep in mind that best practices suggest you log onto a server using a standard user account and use the Administrator account only through the Run As Administrator option. This helps maintain tight security on your network. If you see questions on the exam that use the Run As option, chances are good it's a correct answer.
Slide 25