1 / 41

CN2140 Server II

CN2140 Server II. Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS , MCDST, MCP, A+. Agenda. Chapter 5: Configuring Routing and Remote Access (RRAS) and Wireless Networking Exercise Lab Quiz. Routing.

lotta
Télécharger la présentation

CN2140 Server II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

  2. Agenda • Chapter 5: Configuring Routing and Remote Access (RRAS) and Wireless Networking • Exercise • Lab • Quiz

  3. Routing • The process of transferring data across an internetwork from one LAN to another

  4. Hub & Switch • A hub (multi-port repeater) operates at Layer 1 • Receives the incoming signal and recreates it for transmission on all of its ports • A switch examines the destination and source address of data frame, and forwards to the destination port • Most switches operate at Layer 2

  5. Router (Layer 3 Devices) • Determines routes from a source network to a destination network, then send packets to that path • To join networks together over extended distances or WANs • The routers choose the fastest or cheapest route • To connect dissimilar LANs, such as an Ethernet LAN, to a Fiber Distributed Data Interface (FDDI) backbone.

  6. Routing Protocols • Used to automatically transmit information about the routing topology and which segments can be reached via which router. • Windows Server 2003 support both • RIPv2 (Routing Information Protocol) • OSPF (Open Shortest Path First) • Windows Server 2008 support only RIPv2

  7. Routing Information Protocol (RIP) • Designed for use only on smaller networks • Broadcast-based protocol • Broadcasts information about available networks on a regular basis, as well as when the network topology changes • RIP v2 • Improve the amount of routing information that was provided by RIP • Increase the security of the routing protocol

  8. Open Shortest Path First (OSPF) • Designed for use on significantly larger networks • Each OSPF router maintains a database of routes to all destination networks that it knows of • It routes the traffic using the best (shortest) route • It share database information only with those OSPF routers that it has been configured to share information with

  9. Software-based Router • Windows Server 2008 computer can be used to route traffic on a small network • Routing and Remote Access server role • Under Network Policy and Access services

  10. Static Routes • Manually configured by a router administrator • Static routes do not add any processing overhead on the router • Not appropriate for large or complex environments

  11. Windows Server 2008 Routing Protocols • Generally, you do not need routing protocol for small subnets • Windows Server 2008 includes three routing protocols that can be added to the Routing and Remote Access service: • RIPv2 • IGMP Router And Proxy • Used for multicast forwarding. • DHCP Relay Agent

  12. Routing Table • Provide directions toward destination networks or hosts (Route) • Each route consists of a destination, network mask, gateway interface, and metric • The IP routing table serves as a decision tree that enables IP to decide the interface and gateway through which it should send the outgoing traffic • See Figure 5-5 and Figure 5-6 on Page 106

  13. Routing Table (Cont.) • 0.0.0.0 • Default route • 224.0.0.0 • Entries refer to a separate multicast route • Metric • Lower metric is chosen for the path

  14. Routing Table (Cont.) • Four types of routes • Directly attached network routes • Gateway can be blank • Same subnet, use arp to resolve to MAC address • Remote network routes • For subnets that are available across routers and that are not directly attached to the node • Host routes • A route to a specific IP address • Default routes

  15. Route Command • To configure the routing table from the command line, use the route command-line utility • The Route utility syntax is as follows: route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric] [if Interface] • See Table 5-1 on Page 108

  16. Demand-Dial Routing • Routing and Remote Access also includes support for demand-dial routing (also known as dial-on-demand routing) • To dial/make a connection automatically whenever the router receives a packet • Drop the connection when idle for certain amount of time • You can use dial-up connection

  17. Remote Access • A Windows Server 2008 computer • Can act as a Network Address Translation (NAT ) device • Allows internal network clients to connect to the Internet using a single shared IP address • Can provide both NAT and VPN services • Can configure a secure site-to-site connection between two private networks • Dial-up networking (DUN) • Often use unencrypted traffic • Virtual Private Network (VPN)

  18. Virtual Private Network (VPN) • Creates a secure point-to-point connection • Rely on secure TCP/IP-based protocols called tunneling protocols • The remote access server authenticates the VPN client and creates a secured connection • A VPN is a logical connection between the VPN client and the VPN server over a public network • In order to secure any data sent over the public network, VPN data must be encrypted

  19. Virtual Private Network (VPN) • A VPN connection in Windows Server 2008 consists of the following components: • A VPN server • A VPN client • A VPN connection (the portion of the connection in which the data is encrypted) • A VPN tunnel (the portion of the connection in which the data is encapsulated)

  20. Virtual Private Network (VPN) • Two tunneling protocols available with Remote and Routing Access: • Point-to-Point Tunneling Protocol (PPTP) • In Windows Server 2k8, PPTP supports only the 128-bit RC4 encryption algorithm • Layer Two Tunneling Protocol (L2TP) • L2TP with IPSec to provide a secure, encrypted VPN solution • In Windows Server 2k8, L2TP will support the Advanced Encryption Standard (AES) 256-bit, 192-bit, 128-bit, and 3DES encryption algorithms by default

  21. Network Access Translation (NAT) • A protocol that enables private networks to connect to the Internet • Translates private IP addresses to/from public IP addresses • The NAT process also obscures private networks from external access by hiding private IP addresses from public networks • The only IP address that is visible to the Internet is the IP address of the computer running NAT

  22. Network Policy Server (NPS) • After a user submits credentials to create a remote access connection • The remote access connection must be authorized by • Network Policy Server (NPS) RRAS role service • A third-party authentication and authorization service such as a Remote Authentication Dial-In User Service (RADIUS) server

  23. Network Policy Server (NPS) • Remote access authorization consists of two steps: • Verifying the dial-in properties of the user account • Verifying any NPS Network Policies that have been applied against the Routing and Remote Access server

  24. NPS Network Policies • An NPS Network Policy is a set of permissions or restrictions that is read by a remote access authenticating server that applies to remote access connections • A rule for evaluating remote connections, consists of three components: • Conditions • Constraints • Settings

  25. NPS Network Policies • NPS Network Policies are ordered on each Remote Access server • Each policy is evaluated in order from top to bottom • Once the RRAS server finds a match, it will stop processing additional policies • See Figure 5-9 on Page 116

  26. NPS Network Policy • Two NPS Network Policies are preconfigured in Windows Server 2008 • Connections To Microsoft Routing And Remote Access Server • Configured to match every remote access connection to the Routing and Remote Access service • Connections To Other Access Servers • Configured to match every incoming connection, regardless of network access server type • If an incoming connection is being authenticated by a RADIUS server or some other authentication mechanism, this policy will take effect

  27. Policy Conditions • Each NPS Network policy is based on policy conditions that determine when the policy is applied • This policy would then match a connection for a user who belongs to the global security group • Only membership in global security groups can serve as a remote policy condition • Universal or domain local security groups cannot be specified as the condition for a remote access policy

  28. Policy Settings • An NPS Network policy profile consists of a set of settings and properties that can be applied to a connection • Such as IP Address properties • You can configure an NPS profile by clicking the Settings tab in the policy Properties page • See Figure 5-12 on Page 118

  29. Policy Settings • You can set multilink properties • Enable a remote access connection to use multiple modem connections for a single connection and determine the maximum number of ports (modems) that a multilink connection can use • You can also set Bandwidth Allocation Protocol (BAP) policies • Determine BAP usage and specify when extra BAP lines are dropped • By default, multilink and BAP are disabled • Multilink and BAP must be enabled for the multilink properties of the profile to be enforced

  30. Policy Settings • Four encryption options available in the Encryption tab:

  31. Authentication Protocols • Challenge Handshake Authentication Protocol (CHAP) • A generic authentication method that offers encryption of authentication data through the MD5 hashing scheme • CHAP provides compatibility with non-Microsoft clients • The group policy that is applied to accounts using this authentication method must be configured to store passwords using reversible encryption • Passwords must be reset after this new policy is applied • It does not support encryption of connection data

  32. Authentication Protocols • Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP) • Supports encryption of authentication data through the MD5 hashing scheme • It does not support the encryption of connection data • Provides compatibility with non-Microsoft clients, such as those running Mac OS X

  33. Authentication Protocols • MS-CHAP v1 • A one-way authentication method that offers encryption of both authentication data and connection data • The same cryptographic key is used in all connections. MS-CHAP v1 supports older Windows clients, such as Windows 95 and Windows 98

  34. Authentication Protocols • MS-CHAP v2 • A mutual authentication method that offers encryption of both authentication data and connection data • A new cryptographic key is used for each connection and each transmission direction • MS-CHAP v2 is enabled by default in Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008

  35. Authentication Protocols • EAP-TLS • A certificate-based authentication that is based on EAP • Typically used in conjunction with smart cards • Supports encryption of both authentication data and connection data • The remote access server must be a member of a domain • Stand-alone servers do not support EAP-TLS

  36. Authentication Protocols • Shiva Password Authentication Protocol (SPAP) • A weakly encrypted authentication protocol that offers interoperability with Shiva remote networking products • SPAP does not support the encryption of connection data • Password Authentication Protocol (PAP) • A generic authentication method that does not encrypt authentication data • User credentials are sent over the network in plaintext • PAP does not support the encryption of connection data • Unauthenticated access • Allows remote access connections to connect without submitting credentials

  37. Authentication Protocols • See Table 5-2 on Page 120 for authentication requirement

  38. Accounting • By default, all remote access attempts are logged to text files • C:\Windows\system32\LogFiles directory • You can also configure logging to a SQL DB for better reporting and event correlation

  39. 802.1X • 802.1X is port-based • It can allow or deny access on the basis of a physical port or a logical port • Wall jack using an Ethernet cable • Wireless access point using the WiFi cards

  40. 802.1X Components • Supplicant • The device that is seeking access to the network • Authenticator • The component that requests authentication credentials from supplicants • Forwards the supplicant’s credentials to the Authentication Server (AS) • The port on a switch for a wired connection or a wireless access point • Authentication Server (AS) • Verifies the supplicant’s authentication credentials • Required Network Policy Server role or third-party RADIUS servers

  41. Assignment • Summarize the chapter in your own word • At least 75 words • Due BEFOREclass start on Thursday • Lab 5 • Due BEFORE class start on Monday

More Related