Monday, 28 March 2011

Remote Access Design Guidelines in Server 2003 Network Infrastructure

You should know the following facts about remote access:

The ability to connect to a remote access server is controlled through remote access policies.
Remote access policies are stored on each remote access server. If you have multiple remote access servers, you must configure each server with the appropriate remote access policies.
If you have multiple remote access servers, you can centralize policies by using a RADIUS solution. IAS (Internet Authentication Server) is Microsoft's RADIUS solution. With RADIUS:

Each remote access server is configured as a RADIUS client.
Remote access policies are configured only on the RADIUS server.
Remote access servers pass authentication requests on to the RADIUS server.

You should know the following facts about remote access policies:

Authorization for access to resources is determined by three steps:

Check the connection for a match in the policy conditions.
Check either the Active Directory user account or the policy for permissions.
Check the profile settings for additional restrictions on the connection.

Incoming connections are compared to the conditions found in a policy.
If the connection does not match the conditions in the first policy, the next policy in order is checked.
When a match is found, that policy will be used for the connection (no other policies will be checked).
If the connection does not match any conditions in any policy, the connection will be refused.
After a matching policy is found, permissions are checked. If the permissions deny the connection, no other policies are checked.
Permissions identified in the user account override permissions set in the policy (unless Control access through Remote Access Policy is selected).
If the permissions grant access, the policy profile is checked for additional conditions.
If all profile conditions match, the connection is granted. If not, it is refused.

VPN Design Guidelines

If you must allow Internet traffic inside your inner firewall and into the private network, implement a VPN solution. Using a VPN server, only clients that can establish a secure connection with the VPN server can access resources on the private network. The following graphic shows one way to configure a firewall to accomodate VPN traffic.

In this example, the DMZ contains an FTP and DSN server available to the public as well as the VPN server. Allow the following traffic to pass through the external firewall, rejecting all other traffic:

FTP traffic sent to 135.41.11.1
DNS traffic sent to 135.41.11.2
VPN traffic sent to 135.41.11.3 (the protocol type allowed depends on whether L2TP or PPTP is used for the tunneling protocol)

Note: With a VPN connection, incoming VPN traffic is encapsulated and is sent to the VPN server, even if the final destination is on the private network. The outer firewall will inspect the incoming VPN traffic and find it addressed to the VPN sever, not to the private network. For this reason, the outer firewall should not allow incoming traffic directed to network 192.168.1.55.

To complete the configuration, configure the following items on the VPN server.

Configure the VPN server with the appropriate VPN tunneling protocol.
Configure addressing on the VPN server for clients. When a VPN connection is initiated, the remote client gets an IP address on the private network so it can communicate with hosts on the private network. You can configure the VPN server to assign IP addresses in one of two ways:

Configure the VPN server to get IP addresses for clients from a DHCP server on the private network. Wehn using DHCP, DHCP traffic does not pass through the external firewall because all communication between private hosts and the VPN server appears as VPN traffic to the firewall.
Configure the VPN server with a range of IP addresses that it can assign.

In this example, the VPN server will pass out IP addresses from the 192.168.1.0 network.

If the private network has more than one subnet, configure static routes on the VPN server. This allows external clients to access all subnets in the private network.

Services Facts

You should know the following facts about auditing:

To audit a domain controller, you can apply a GPO to the Domain Controller OU. That affects all Domain Controllers in the OU.
To view audit logs, look at the local Event Viewer logs.

You should know the following facts about DFS:

DFS roots can be either standalone DFS roots or domain DFS roots. A stand-alone DFS server does not use Active Directory, cannot have root-level replicas, and can have only a single level of DFS links.
Domain DFS roots integrate DFS with Active Directory, adding fault tolerance and site-awareness. Configure sites to ensure that users get data from local copies of replicas.
DFS data is automatically replicated to other servers when replicas are created.

You can deploy SUS in the following ways:

The SUS server approves the updates. Clients contact the SUS server for update approvals then retrieve the updates from the Windows Update server. This requires a great deal of bandwidth.
The SUS server approves and synchronizes the updates. SUS stores the updates locally for clients to retrieve. Reduces bandwidth demands since only the SUS server contacts the Windows Update server.
The SUS servers in various locations would be responsible approving and synchronizing updates and then contacting the Windows Update server.

Use a "master" SUS server to approve and synchronize updates from the Windows Update server. The child SUS servers synchronize updates from the master. If WAN bandwidth between the master and child servers is poor, you may decide against this structure.

DMZ Design Guidelines in Server 2003 Network Infrastructure

A demilitarized zone (DMZ), or screened subnet, protects your private network from attacks coming from the Internet. It consists of two firewalls: the outer firewall screens traffic coming from the Internet, while the inner firewall controls the traffic that is allowed inside the private network. Following are some guidelines for designing your DMZ.

Put publicly accessible services (such as Web and FTP servers) inside the DMZ.
Use firewall filters to control traffic allowed inside or out of the DMZ.
Restrict all traffic except what is required to communicate with services inside the DMZ.
On the outer firewall, allow traffic directed to the public servers (HTTP, FTP, e-mail).
Use a VPN server to secure traffic directed to the private network. Allow VPN traffic in the outer firewall.
Never allow traffic inside the outer firewall that claims it is coming from the private network.
On the inner firewall, allow common Web traffic out.

As you design the firewall settings, you need to carefully consider all necessary traffic and allow the minimum amount of traffic through each firewall. For example, the following graphic shows how firewall settings allow DNS traffic through both the inner and outer firewalls.

Given this design, Internet hosts are allowed to request DNS from the public DNS server. The internal DNS server is also configured to forward requests to the public DNS server inside the DMZ. Packet filters must allow DNS traffic to get to the public DNS server. However, DNS requests from the Internet should not be allowed to pass through the inner firewall to the private DNS server.

Sometimes servers in DMZ need to communicate with servers on the internal network. In this example, a Web server retrieves data from a SQL server to retrieve customer and order data. Notice that the SQL server is protected inside the private network, it is not placed in the DMZ.

To design the necessary firewalls for this example, allow HTTP and HTTPS traffic in the outer firewall. Then allow only SQL traffic coming from the Web server to pass through the inner firewall (do not allow all SQL traffic in the inner firewall).

NAT and Router Design Guidelines

You should know the following facts about NAT design:

Use the following address ranges for internal private IP addresses:

10.0.0.0 /8
172.16.0.0 /12
192.168.0.0 /16
169.254.4.4 (Comes from APIPA)

NAT supports only IP. It cannot perform address translation for the following:

SNMP (Simple Network Management Protocol)
LDAP (Lightweight Directory Access Protocol)
COM (Component Object Model)
DCOM (Distributed Component Object Model)
Kerberos version 5
RPC (Microsoft Remote Procedure Call)

Domain controllers cannot replicate through a NAT server. This is because Active Directory uses Kerberos version 5.
Windows Server 2003 supports L2TP/IPSec VPN connections with NAT.
To redirect external requests for internal resources (a Web server, for example), you can use address mapping or port mapping.

With address mapping, you associate a registered IP address with a specific private IP address.
With port mapping, you redirect traffic sent to specific ports (such as port 80 for HTTP) to a specific IP address.

You should know the following facts about router placement:

Routers do not pass broadcasts by default. You can reduce broadcast traffic by breaking up the network into smaller pieces with routers.
Routers can be used to subnet a network.
Routers can be used to create a secure, internal network.
Configure packet filters on routers to allow or deny specific types of network traffic.

· Internet Connectivity Solutions

· Use the following table as a guide to selecting an Internet connection method.

Select...	To meet these requirements...
Routing	Small to large networks All hosts must be able to respond to Internet-initiated requests Maximum flexibility in network design and implementation All hosts that require Internet access are running TCP/IP
Internet Connection Sharing (ICS)	Small network (10 or fewer hosts) with a single subnet Automatic address assignment All hosts that require Internet access are running TCP/IP At least one Windows 2000/XP/2003 or Windows 98 system exists on the network (for the shared connection) You do not provide DHCP or DNS services on the private network
Network Address Translation (NAT)	Small- to medium-sized network (approximately 5000 hosts or less) Automatic address assignment Few hosts that need outside-initiated contact All hosts that require Internet access are running TCP/IP
Proxy server/Internet Security and Acceleration Server (ISA)	Small to large networks Hosts that require Internet access are running a variety of protocols The ability to restrict Internet access or contact by user or site Caching of Internet or Web server content

IP Addressing Facts in Designing Network Infrastructure

The following table lists the default IP addressing classes and masks:

Class	Address Range	Default Mask
A	1.0.0.0 to 126.255.255.255	255.0.0.0
B	128.0.0.0 to 191.255.255.255	255.255.0.0
C	192.0.0.0 to 223.255.255.255	255.255.255.0
D	224.0.0.0 to 239.255.255.255	(multicast addresses)
E	240.0.0.0 to 255.255.255.255	(experimental addresses)

You should also know the following address ranges that are reserved for private addresses. Use these addresses on a private network that is connected to the Internet through a network address translation (NAT) router.

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

Keep in mind the following facts about IP addresses:

The first address in a range on the subnet is the subnet address. Typically, this address is not assigned to hosts.
The last address in a range on the subnet is the broadcast address. Typically, this address is not assigned to hosts.

Use the table as a shortcut guide to subnetting. Tip: Look for patterns in the table so you can easily reproduce the table at any time.

Masked Bits	Mask Value	Number of Subnets*	Number of Hosts/Subnet**	*Approximate**** Number of Hosts/Subnet
/20	255.255.240.0	N/A	4096	4000
/21	255.255.248.0	N/A	2048	2000
/22	255.255.252.0	N/A	1024	1000
/23	255.255.254.0	N/A	512	500
/24	255.255.255.0	1	256	250
/25	255.255.255.128	2	128	125
/26	255.255.255.192	4	64	60
/27	255.255.255.224	8	32	30
/28	255.255.255.240	16	16	15

*The number of subnets value is important when you need to subdivide a Class C address range into multiple subnets.
**Remember to subtract two from these numbers to arrive at the total number of addresses that can be assigned to hosts (subtract one for the subnet address and one for the broadcast address.
***Use this number as a quick estimate of the number of possible hosts.

DHCP Design Guidelines

In a network with multiple subnets, a major concern is answering DHCP broadcast requests from all subnets. There are three ways to configure DHCP to allow clients on all subnets to get an IP address from a DHCP server.

Method	Considerations
Place a DHCP server on each subnet	The local DHCP server answers DHCP requests for its local subnet only. This solution could increase costs as you must configure a DHCP server for each subnet.
Enable BootP forwarding	Use this method if you choose to have only one DHCP server on the routed network. Place the DHCP server on the subnet with the most hosts.
Use relay agents	Configure a relay agent on each subnet that does not have a DHCP server to forward DHCP broadcasts to the remote DHCP server.

To provide fault tolerance and improve DHCP performance, you can:

Configure split scopes. In a split scope, two DHCP servers service each subnet.

Configure the full range of addresses in the scope on both DHCP servers.
Exclude different ranges of addresses on each server. With both servers on the same subnet, exclude 50% of the addresses on each server. With one DHCP server on the local network, exclude addresses using the 80/20 (or 75/25) rule (exclude 80% on the remote server).
Add relay agents to allow DHCP broadcasts to travel to remote subnets in case the local DHCP server goes down.

Implement a DHCP cluster. Windows Server 2003 DHCP is cluster-aware. When one server goes down, the other server(s) can take over.

To decrease the time that the DHCP server takes to respond to client requests, consider the following to improve performance:

Create a multihomed DHCP server. By doing so, the DHCP server services multiple subnets without forwarding DHCP requests through the router. A multihomed server will decrease router traffic and decrease the time it takes for clients on the remote subnet to receive their IP addresses.
Upgrade DHCP server components. Upgrading the CPU, RAM, and network cards all affect DCHP performance, but because DHCP is a disk-intensive service, the most important upgrade is to improve disk access.
Add additional DHCP servers. By doing so, you spread the workload between two computers.
Modify lease lengths. Increasing the lease time means clients will not request an address as often. This reduces network traffic due to lease broadcasts, and reduces the workload on the DHCP server.

Members of the Enterprise Admins group can authorize DHCP servers (members of the Domain Admins group can administer, but not authorize, DHCP servers).

Network Topologies Video

Network Topologies

Video For TCP/IP Primer

Video About (Network Operating Systems)

About Network Operating Systems

Video For Wireless Networking Basics

Wireless Networking Basics

Wireless Networking Standards Video

Networking Troubleshooting Video

A+ Certification Topic Network (Sample Test Questions) Video

A+ Certification Topic Network (Sample Test Questions)

TCP/IP Tools Part. 1 Video

TCP/IP Tools Part. 2 Video

TCP/IP Tools

Video For Network Cabling

Network Cabling

Networking Basics Video

Networking Basics

Wednesday, 23 March 2011

Networking Accessories

Bridge

A device that connects two local-area networks (LANs), or two segments of the same LAN. The two LANs being connected can be alike or dissimilar. For example, a bridge can connect an Ethernet with a Token-Ring network. Unlike routers, bridges are protocol -independent. They simply forward packets without analyzing and

re-routing messages. Consequently, they're faster than routers, but also less versatile.

Router

A device that connects two LANs. Routers are similar to bridges, but provide additional functionality, such as the ability to filter messages and forward them to different places based on various criteria. The Internet uses routers extensively to forward packets from one host to another.

Switch

In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs.

Concentrator

A type of multiplexor that combines multiple channels onto a single transmission medium in such a way that all the individual channels can be simultaneously active. For example, ISPs use concentrators to combine their dial-up modem connections onto faster T-1 lines that connect to the Internet. Concentrators are also used in local-area networks (LANs) to combine transmissions from a cluster of

nodes. In this case, the concentrator is often called a hub or MAU.

Gateway

A device which is used to connect networks using different protocols so that information can be passed from one system to the other. Gateways functions at the Network layer of the OSI model. A Gateway many of the times is simply – Hardware-wise PC with Both Media Device Interface (NIC’s) and some sort of Software that does the actual conversion of protocols and data packettes.

Multiplexor

A communications device that multiplexes (combines) several signals for transmission over a single medium. A demultiplexor completes the process by separating multiplexed signals from a transmission line. Frequently a multiplexor and demultiplexor are combined into a single device capable of processing

both outgoing and incoming signals. A multiplexor is sometimes called a mux.

Multi-Port Repeater or Intelligent Hubs

So-called intelligent hubs include additional features that enables an administrator to

monitor the traffic passing through the hub and to configure each port in the hub. Intelligent hubs are also called manageable hubs.