Exam 70-221 -
Designing a Microsoft® Windows® 2000 Network Infrastructure

Overview:




Deployment
cycle:

Design:


Where decisions are made. Requires knowledge of existing network infrastructure
and organizational goals. You will need to choose which services to implement
and how to combine them to increase performance and simplify management. Also
designed at this stage is the management strategy, which specifies how the
network will be managed on a day-to-day basis.

Implement:


Takes place after the network design has been properly tested. The network is
configured as specified in the design, and monitoring is setup to collect data
on its performance.

Manage:

Using
the performance data you have collected bottlenecks are identified and removed
to enable changes needed to maintain the network within design specifications.

Organizational
goals to include in a design:

Important
building blocks:

TCP/IP:

This
is an open, industry-standard, and routable protocol. It is required for many
essential Windows 2000 network services such as DHCP, WINS, DNS, and Active
Directory. TCP/IP should be used in heterogeneous environments and whenever
Internet connectivity is called for as part of the design.

DNS:

Domain
Name Service - resolves fully qualified domain names (FQDN) to IP addresses.
Allows network admins to assign “people-friendly” names to network
resources. Windows 2000 Active Directory is based entirely on the hierarchical
structure of the DNS namespace.

DHCP:

Dynamic
Host Configuration Protocol - used to dynamically assign Internet Protocol (IP)
addresses to clients and reduce administrative overhead in managing and
maintaining a TCP/IP-based network.

WINS:

Windows
Internet Name Service - a NetBIOS name service that resolves NetBIOS names to IP
addresses in a Windows network. Required for Windows 3.11/95/98/NT4 clients that
do not have the Active Directory client installed.

MS
Proxy Server 2.0:
(KB# Q164084)

This
is a combination firewall/proxy server product that provides security by
allowing organizations to control the exchange of data between the Internet and
their private network. Can also be used to improve the performance of Internet
access through its content caching features. It is extremely scalable and
suitable for enterprise type deployment within an organization.

NAT:

Network
Address Translation – a protocol found in Routing and Remote Access Services (RRAS)
in Windows 2000. Used to provide Internet connectivity in simple network
environments where all machines are on a single subnet. Provides some security.

IP
Routing:

Windows
2000 RRAS supports both static and dynamic routing protocols. Connections over
non-persistent links are supported through demand-dial routing.

Remote
Access:

Used
to allow remote users access to a private network. Can include dial-up
connections over the regular telephone system and also Virtual Private Network (VPN)
connections over the Internet.

RADIUS:

Remote
Authentication Dial-In User Service - provides authorization, authentication,
and accounting services for distributed dial-up networks. Used in conjunction
with RRAS and IAS (Internet Authentication Service).

TCP/IP:

IP
addressing and subnetting: (KB# Q186341
& RFCs: 950,
1518,
1519,
1812,
& 1878)

Public
addressing schemes:
(Tutorial)

All
hosts connected to the public Internet require a globally unique IP address. Any
network connected to the Internet must have a minimum of one public IP address
for connectivity. Used when the organization has a large number of hosts
requiring direct Internet access and there is a sufficient pool of registered
addresses to work from. Public addressing schemes are expensive and limit
network growth as once all available addresses have been exhausted, no new
devices can be added to the network unless more IP addresses are purchased.

Private
addressing schemes:
(RFC 1918)

Used
when most hosts do not require direct Internet access and/or when there are
insufficient public addresses available. Special ranges of addresses are used
for private addressing which are not routable on the public Internet (see table
below). This is the most inexpensive route to go and it provides nearly
unlimited network growth.

A
NAT device must be installed to pass traffic from the private network to the
public network and vice versa. The NAT device must have one valid public IP
address and one private IP address assigned to it. (KB# Q243078)

Subnet
limitations:

Analyze
the network bandwidth to ensure it meets design considerations. If the current
subnets are congested with traffic consider increasing the number of subnets.

In
an IP-routed network you must consider the number of hosts in each subnet as
well as the number of subnets. When the network is IP-switched you need to
design for the number of WAN connections only.

Always
allow for future growth when designing subnetting schemes.

Subnets
and Active Directory:

In
Windows 2000, domain controllers in the same subnet are automatically made part
of the same site. When you move domain controllers between sites you are
actually moving them between subnets. When designing your replication topology,
you must consider how your subnets will affect Active Directory replication.

Classless
Interdomain Routing (CIDR):
(RFC 1519
& Tutorial)

CIDR
was created several years ago to help prevent the Internet from running out of
IP addresses. The "Class" system of allocating IP addresses was very
wasteful; organizations demonstrating a need for more that 254 host addresses
were assigned a Class B address block of 65533 host addresses. Even more
wasteful were companies and organizations that were allocated Class A address
blocks, containing over 16 Million host addresses! Only a small percentage of
the allocated Class A and B address space has ever been assigned to a host
computer on the Internet.

It
was determined that IP addresses could be conserved if the original class system
was eliminated. By allocating only the amount of address space that was actually
needed, the address space crisis could be avoided for many years. This was first
proposed in 1992 as a standard called “Supernetting.”

Under
supernetting, the classed subnet masks are extended (or made classless), so that
a network address and subnet mask could, for example, specify multiple Class C
subnets with one address. For example, if 1000 addresses are required,
supernetting four Class C networks together will provide the necessary solution.

When
supernetting an address range, treat all the classes of the addresses being
combined into a subnet as Class A. Then use whatever method is preferable to
determine the appropriate subnet mask.

Other
design considerations:

Automatic
Private IP Addressing (APIPA) is used for TCP/IP address configuration for hosts
on a single subnet without a DHCP server. Allocated from 169.254.x.x/16 as
specified by IANA. (KB# Q220874
& Q255836)

Some
IP traffic such as streamed multimedia is considered “time-sensitive” and
requires that bandwidth is reserved for it. The Quality of Service (QoS -
bandwidth management) mechanisms built into Windows 2000 allow administrators to
prioritize network traffic. (KB# Q233203
& Q233039)

Performance
and availability considerations:

• Authentication,
  logon and encryption traffic are delay and latency sensitive. It may be
  necessary to place necessary services on both sides of a link exhibiting
  latency to prevent a disruption in service.
  
  


• Increasing
  the TCP/IP Receive Windows Size through a registry modification may help
  alleviate problems with network delay. (KB# Q199947)
  
  
  


• If
  packet loss is high, check your network for router congestion.
  
  


• Combine
  IP ranges by supernetting. Proper use of supernetting reduces routing
  issues.
  
  


• Use
  variable length subnetting to divide IP ranges. The subnet mask is adjusted
  in a hierarchical fashion to accommodate a varying number of hosts in each
  subnet. Keep the number of routers in the hierarchy to a minimum. Routers
  that support RIP for IP v2, BGP, and OSPF will support variable length
  subnetting.
  
  


• Route
  cost metrics should be set equally when there is no cost difference between
  them.
  
  


• Higher
  cost metrics should be assigned to demand-dial links that are backups to
  less expensive persistent links.
  
  


• Place
  redundant links and routers between locations where high availability is
  needed. This improves bandwidth performance as well as availability.
  
  

Security
considerations:

Packet
filtering:

Data
and connection security is provided through TCP/IP packet-level filtering (KB# Q259605).
TCP/IP filtering allows you to block inbound traffic to any address that does
not appear on your exceptions list, limit traffic to dedicated servers, and
filter at the application layer. IP packets can be filtered by their protocol
type (except for IPSec, ICMP, IGMP, TCP and UDP) and TCP/UDP port number.

IPSec
Overview: (KB# Q231585,
Q252735,
Q253169,
& RFC 2401)

IPSec
itself is a protocol, not a service. It consists of two separate protocols:
Authentication Headers (AH) and Encapsulated Security Payload (ESP). AH provides
authentication, integrity and anti-replay. It does not
encrypt data, but is used when a secure connection is needed but the data itself
is not sensitive. ESP provides the aforementioned plus confidentiality
(data encryption). It is used to protect sensitive or proprietary information,
but is associated with greater system overhead for encrypting and decrypting
data.

IPSec
can be implemented in a Windows 2000 domain using Active Directory or on a
Windows 2000 machine using its Local Security settings. It is not available for
Windows 95/98 or Windows NT.

Supported
IPSec authentication methods are Kerberos v5 Public Key Certificate Authorities,
Microsoft Certificate Server, and Pre-shared Key. (KB# Q240262)

The
IPSec Policy Agent is a Windows 2000 service that runs within the LSASS.EXE
process and shows up in the Services snap-in in MMC. It is loaded at system
start-up and retrieves an IPSec policy from either Active Directory or the local
registry. After the IPSec Policy has been obtained, it will be applied to *all*
IP traffic sent or received by that system (default behavior - IPSec policy can
be modified to allow "soft associations" KB# Q234580).

Before
two computers can communicate they must negotiate a Security Association (SA).
The SA defines the details of how the computers will use IPSec: which keys, key
lifetimes, which encryption and authentication protocols will be used for
example.

IPSec
Encryption Algorithms:

·        
3DES, 128-bit –
Provides strongest
security but affects performance due to overhead associated with longer key
length.

·        
DES, 56-bit
– Provides performance improvement over 3DES and can be used when a shorter
key length is allowed.

·        
DES, 40-bit
– Provides greatest performance but the least security. Use mainly when
some security is required, but performance is the primary consideration.

IPSec
Authentication Protocols:

·        
MD5, 128 bit – (message
digest 5). Less secure than SHA. Requires less CPU overhead and increases
performance.

·        
SHA, 160 bit – (secure
hash algorithm). Provides stronger security but affects performance. Use for
U.S. government contracts that require the FIPS (Federal Information Processing
Standard). (KB# Q237849)

Diffie-Hellman
Groups:

·        
Group One – Low,
768 bits.

·        
Group Two – Medium,
1024 bits.

IPSec
Key Exchange:

·        
Preshared Keys –
Uses a secret key that has been previously agreed upon by two users. They must
be manually configured and are used on non-Windows 2000 standalone systems and
systems that are not running Kerberos v5.

·        
Public Key
Certificates – Computers
not running Kerberos v5 use them for authentication. It is preferable to use
preshared keys when large numbers of systems are involved.

·        
Kerberos v5 – Default
in Windows 2000. Used for authentication with any clients in a trusted domain
running this protocol.

NetBIOS
over TCP/IP: (KB#
Q179442)

Computers
in specialized roles, such as proxy servers or firewall bastion servers, should
not have NetBIOS over TCP/IP installed. Windows 2000 allows administrators to
disable this feature.

DNS:

Planning
a namespace:

In
Active Directory, the namespace is based on DNS. You will need to plan your
namespace if you choose to use multiple domains.

There
are two types of namespace: Internal (used by Active Directory) and External
(registered with Network Solutions for access from the Internet). When
implementing AD, you can choose to use the same or different internal and
external namespaces.

Using
the same internal and external namespaces has the following two advantages: uses
the same logon names both internally and externally (e.g. jdoe@brainbuzz.com
could serve as both the logon and e-mail ID) and uses the same tree name (e.g.
brainbuzz.com for example is consistent on both the internal network and public
Internet).

Using
the same internal and external namespaces results in a more complex proxy
configuration and administrators must be careful not to publish internal
resources externally. There is duplication of effort in managing resources
(e.g., duplicate zone records). As well, users get a different view of internal
and external resources even though the namespace is the same.

Using
separate namespaces makes it easier to distinguish between internal and external
resources, as there is no overlap or duplication of effort. This makes things
easier to manage and proxy configuration much simpler. Disadvantages of using
separate namespaces are that multiple names must be registered with an Internet
DNS and logon names are different from e-mail IDs.

MS
recommends that you register any domain name you plan to use with AD even if it
will only be for internal use. This is to prevent internal clients from being
unable to distinguish between the internal name and a name that has been
publicly registered by someone else.

Design
and interoperability considerations:

• Number
  of DNS clients per location? The number of clients determines how many DNS
  servers must be installed per location.
  
  


• How
  many locations in your organization? Typically at least one DNS server will
  be installed per location.
  
  


• Are
  there any pre-Windows 2000 DNS servers currently in use? Newer features in
  Windows 2000 DNS may not work with older Windows and UNIX DNS servers.
  
  


• Is
  Active Directory in use or planned in the future? Active Directory
  integrated zones are only available in Windows 2000 DNS servers (they reduce
  management overhead by using AD replication to copy the zone databases to
  all domain controllers).
  
  

 Use
only RFC compliant (ANSI) characters with NT4 and older BIND DNS servers; they
do not support Unicode. (KB# Q255913,
Q250488,
Q241973,
Q241980,
Q151416
& RFC 2181)

In
native mode WINS is not necessary. In mixed-mode DNS requests should be
forwarded to WINS for NetBIOS name resolution. BIND servers see WINS and WINS-R
record types as invalid. If mixing Windows and BIND, specify that WINS records
do not replicate to BIND DNS servers. (KB# Q173161
& Q164176)

For
WINS resolution, use a delegated domain as a placeholder for WINS names. When
there is a private and public DNS namespace, the WINS sub domain should reside
in the private portion. Organizations using the same private and public
namespace should place their WINS sub domain under the root of the organization.

Working
with zones:

Traditional/standard:
(KB# Q227844)

The
primary zone is the only type that has a read/write copy of the database (single
master model). Only one primary zone is allowed, but there is no limit to the
number of secondary zones (read only). If the server hosting the primary zone
fails an administrator must intervene immediately to prevent disruption to
network services. Traditional zones are completely compatible with BIND-based
(UNIX) DNS servers.

Active
Directory Integrated: (KB#
Q198473)

Required
for secure DDNS. All domain controllers hold a read/write copy of the zone
database file (multi-master replication). Since all DNS servers behave as
primaries, the failure of a single server will not affect DNS updates (improves
availability). Treated as primary zones by BIND-based DNS servers. Data from AD
integrated zones can be replicated to other AD integrated zones or traditional
secondary zones.

Reverse
lookup zones can be AD integrated, standard primary or standard secondary. The
rules listed above apply to reverse lookup zones as well.

Exposing
resources to the Internet:

DNS
queries from within your organization can either be forwarded to that
organization’s ISP or to the Internet’s root DNS servers.

Incoming queries from the Internet can be resolved on an organization’s behalf
by their ISP (recommended only if resource names aren’t changed often) or by a
DNS server maintained by the organization in a screened subnet (use when
resource names change frequently).

Place
the primary zone inside the organization’s firewall and place the secondary
zone (read-only database) inside the screened subnet to prevent unauthorized
changes to the DNS database. Do not place an AD integrated zone in the screened
subnet as it could jeopardize the security of your AD information.

The
public DNS server should contain only those records necessary to do its job.
Placing a complete zone database on the machine could expose private information
for servers inside the corporate firewall and will also degrade the machine’s
performance. (KB# Q193837)

Performance
and availability considerations:

With
AD-based DNS servers, simply add more DNS servers as needed to handle traffic.
With traditional DNS zones, add secondary zones or delegated domains to increase
performance. Delegated domains contain a subset of the domain namespace (e.g.,
cramsession.brainbuzz.com is a subset of brainbuzz.com). (KB# Q164054)

Incremental
zone transfers (IXFR) place less of a burden on the network than full zone
transfers (AXFR) – use them whenever possible. Fast zone transfers compress
replication data, but are not supported by older versions of BIND. Schedule
replication to take place during off-peak hours when possible, to avoid network
congestion.

A
caching DNS server simply resolves requests and caches data from resolved
requests until its TTL expires. They can be used to reduce traffic across
low-speed WAN links where resource information changes infrequently and
insufficient bandwidth for zone replication traffic. (KB# Q167234)

Network
Load Balancing redundant DNS zones spread a traffic load across multiple
servers. Use when the amount of time it takes to resolve queries has become
unacceptable, when DNS traffic exceeds the capacity of a WAN link at a remote
location, or when the connection between the two DNS servers supports the extra
replication traffic. (KB# Q240997
& Q248654)

Use
MS Cluster Service to increase availability (local servers only: remote servers
cannot be clustered). Clustered servers should share a cluster drive so that
both nodes have access to the most recent zone database file. Failed servers can
be restored more quickly from a cluster drive, as there is no need to
resynchronize. (KB# Q259267)

Security
considerations:

Secured
updates are only available with AD integrated zones. Use them to prevent
impersonation of servers when using DDNS. Permissions can be assigned to a
group, computer or user account. W2K clients can directly update DNS records but
this should only be done if:

1.      
It does not create a security risk

2.      
The client station has a static IP address, and

3.      
It does not create unacceptable management overhead in terms of managing
permissions.

Having
a DHCP server perform DNS updates is more secure, reduces the headache of
managing permissions, and should be used with non-Windows 2000 clients
(as they cannot automatically update the DNS).

Encrypt
replication data using VPN and IPSec for additional security. Using AD
integrated zones provides further protection, as they will not replicate to
other AD zones that are not registered with Active Directory.

Firewalls
should be configured to permit only DNS queries from the Internet and zone
replication traffic only from the private network.

DHCP:
(RFCs 951,
2131
& 2132)

Design
considerations:

Is
the network switched, routed, or a combination of both? Consider the location of
broadcast domains and the placement of DHCP Relay Agents to forward lease
requests through routers that do not accommodate BOOTP/DHCP forwarding. (KB# Q120932
& RFC 1542)

When
using a single DHCP server, place it on the subnet with the highest population
of clients – the other subnets will use relay agents or BOOTP/DHCP forwarding
on their routers. Use multiple DHCP servers for a geographically dispersed
network, low speed WAN links, or dial-up users.

To
what extent have non-Microsoft hosts been deployed through the organization?
They may cause problems by not recognizing MS-specific vendor options like default
router metric base, which provides a base cost for default gateways to the
client. Diskless workstations (BOOTP clients) are becoming increasingly popular
but are not properly supported by NT4’s DHCP server. BOOTP clients should be
placed in the same broadcast domain as a W2K DHCP server that has been updated
to support RFC 951-compliant
devices. (KB# Q174765)

Performance
and availability considerations: (KB# Q199160)

Increase
DHCP lease length when network traffic is a concern. The longer the lease, the
lower the traffic.

When
working with a small pool of IP addresses, decrease lease length to make
greatest use of your addresses. This has the side effect of increasing network
traffic. Windows 2000 clients can be configured to give up their lease at
shutdown.

Using
distributed scopes with multiple servers in remote locations increases
availability in the event of a server failure. Allocate between 50 – 80
percent of an IP address scope to a server on the local subnet and the remainder
to a remote server. When the server on the local segment goes down, the remote
server can continue allocating addresses.

Implement
vendor classes (KB# Q240247
& Q266675,
RFC 2132)
when there is a need to provide similar DHCP options to like groups of clients.
User classes are used when specific groups of users have different DHCP
configuration options than other groups within the company.

Windows
Clustering increases availability by providing automatic failover if the primary
node goes down and failback when the downed server comes back online. Clustering
is only available to locally placed machines with a persistent high-speed link.
(MS whitepaper)

Network
Load Balancing is not an option with DHCP.

Security
considerations:

Placing
a DHCP server outside of your firewall or inside a screened subnet poses a
security risk since a valid IP address could be allocated to an unauthorized
client (allowing access to network resources). Minimize the security risk by
extending lease times (this reduces the chance of an IP address being captured),
using the smallest possible address range to meet your needs, and manually
reserving/mapping addresses to the MAC addresses of specific clients.

WINS:
(RFCs 1001
& 1002)

Design
considerations:

Is
the network switched, routed, or a combination of both? Consider the location of
broadcast domains and the placement of WINS proxy agent to forward broadcast
traffic across routers. (KB# Q121004
& Q164765)

The
advent of DDNS in Windows 2000 has obviated the need for WINS, except in
networks that are running pre-W2K domain controllers. WINS should be installed
when there is a need to provide NetBIOS name resolution services while reducing
the amount of related NetBIOS broadcast traffic.

Non-WINS
clients are supported by installing WINS proxy agent (recommended), static WINS
entries (next best), or LMHOSTS entries (most work). To avoid changing hundreds
(or thousands) of LMHOSTS files whenever a resource is added or removed, use the
#INCLUDE statement to reference a centrally managed LMHOSTS file.

Performance
and availability considerations:

Replication
across WAN links should be scheduled in off-peak hours. The frequency of
replication can also be controlled.

The
best replication convergence times are provided by a hub and spoke model. Aim
for persistent high-speed connections between replication partners whenever
possible. Push- or pull-only relationships should be avoided (except for slow
WAN links) when planning for WINS replication.

For
remote servers use push/pull WINS replication. Local servers can be clustered
for high availability. (KB# Q226796)

Security
considerations:

When
a WINS server is placed outside a firewall or inside a screened subnet, use pull
only replication from its partner. This replication traffic should be encrypted
using VPN tunnels or IPSec. (KB# Q179442)

MS
Proxy Server 2.0: (Please
see related cramsession,
KB# Q164084,
FAQ
& RFC 1918)

Design
and interoperability considerations:

A
special install wizard has been released to upgrade a Proxy 2 installation so
that it is compatible with Windows 2000. Please see the release
notes.

If
there is a need to reduce private network traffic within an organization then
consider implementing Proxy 2 with its Web object caching. Its firewall
capabilities can also be used to create screened subnets inside a private
network to secure data.

A
proxy server at the edge of the private network isolates it from the public
network and secures confidential data. It can also reduce traffic on the
outbound connection by caching frequently requested Web objects.

An
organization with insufficient public IP addresses can assign one valid public
IP to the proxy server and have it service thousands of clients which are using
private, non-routable addresses instead(acting as a proxy on their behalf).

Internet
Explorer 5.0 is all that is required for HTTP and FTP traffic. Install the WSP
client for any Windows-based Internet application that uses wsock32.dll or
NWLink (32-bit only – see FAQ).
For UNIX and Macintosh clients, SOCKS4 compatible applications are supported
(SOCKS4 supports TCP but not UDP).

Performance
and availability considerations:

When
configuring demand-dial connections be sure to specify the data rate and the
persistence of the connection, especially if there is a charge for keeping the
connection alive. With digital subscriber line (DSL), it is possible to install
DSL and use it with a demand-dial interface for creating a VPN tunnel.

Active
content caching makes the most commonly requested objects available in the cache
automatically. It will go out and retrieve objects on its own during low traffic
periods if needed. Active caching conserves hard drive space but is more CPU
intensive. With passive caching, objects are retrieved when requested by a
client and stored in the cache until their TTL expires. Passive caching uses
less CPU time but more hard drive space than Active caching. (KB# Q164085)

Multiple
servers can be configured as a proxy array for fault-tolerance. If an array
member goes down, the remaining servers pick up the slack. As the Web content
cache is spread amongst the array, the cache is lost only on the machine that
fails. All servers in the proxy array must share the same array name and belong
to the same AD domain and site.

Setting
up multiple proxy servers for Network Load Balancing provides all three machines
with a single IP address used by clients making requests. When one of the proxy
servers fails, the others will share the work between them.

You
can use round robin DNS resolution to provide fault-tolerance for proxy servers
as well. This provides something of a “poor man’s load balancing”.

Proxy
servers can be “chained” so that requests are forwarded from one proxy
server or proxy array to another.

It
is best to setup a machine with multiple interfaces if the resources of the
proxy server permit (centralized administration). If resources are an issue,
establish multiple proxy servers (decentralized administration).

Security
considerations:

When
your proxy server belongs to an Active Directory domain you can assign access
permissions to users and/or groups. In a heterogeneous environment install
Services for UNIX, CSNW, and/or Services for Macintosh to provide access for
non-Windows clients.

Proxy
can also be installed on a stand-alone computer and access granted (or denied)
through its local users and groups. The guest account would only be enabled when
it is desirable to have anonymous access to resources.

When
designing hierarchical screened subnets, the broadest security belongs at the
top of the hierarchy and becomes stronger as you move lower. (e.g. Management
has lax security where as the Research division has very strong security). (KB# Q191146)

Packet
and domain filtering provides the ability to completely restrict traffic by
protocol, IP address, domain, user, group, and computer.

Web
publishing allows for placement of a single Web server behind a firewall. This
increases security, since the proxy server fetches requested pages on behalf of
the client and returns them (acting as a Web server). This hides the identity of
the real Web server and protects it from attack.

NAT:
(KB# Q234815,
Q229965
& RFC 1631)

Design
considerations:

NAT
is only appropriate for non-routed network environments where all users have the
same access privileges but where private addressing for all computers is
required.

A
DHCP server is not required, as NAT will automatically assign IP addresses to
machines capable of acting as a DHCP client. NAT should not be installed on a
machine that is running DHCP, as they both use the same port (or a machine
configured for DDNS). (KB# Q250603)

The
following protocols are not supported by NAT: IPX/SPX (NWLink), SNMP, LDAP,
Kerberos v5 (DCs cannot replicated AD information through NAT), RPC, and IPSec
(header encryption not supported). (KB# Q261203)

Choose
NAT when you want to exchange traffic between two dissimilar network segments
(e.g. Ethernet and ISDN), but the expense and complexity of MS Proxy 2 is not
desired. NAT can also be used to create screened subnets but lacks the
flexibility of MS Proxy 2.

A
DNS proxy is included in NAT to forward name resolution queries to a DNS server
belonging to the organization or one belonging to its ISP.

Performance
and availability considerations:

Dedicate
system to running NAT. This enhances both performance and availability as there
are no other applications running that consume needed resources or can
destabilize the system.

Use
multiple Internet connections whenever possible for redundancy. This prevents a
resource from being unavailable in the event of a one connection failing and
enhances performance by spreading traffic across multiple connections. Also
choose persistent connections whenever possible, as demand-dial connections take
time to establish (lower performance) and can reduce availability (busy
signals).

Security
considerations:

VPN
(PPTP) connections can be used whenever remote users need access to resources on
a private network or whenever remote resources need to be secured on a
user-level basis. Both outbound and inbound connections are supported. (KB# Q255784)

Use
RRAS IP filters on both the Internet and/or private network interfaces to grant
or block access by IP address and/or protocol. (KB# Q256644)

By
default, all computers behind NAT are inaccessible from the Internet. If access
to the private network is given to a single IP address, you must define its port
mappings within RRAS. This is not necessary when using multiple addresses
reserved in an address pool, since all IP ports are open unless specifically
filtered in RRAS.

Routing:

Protocols:

IGMP
is used when existing routers are multicast capable, the IGMP clients are
directly connected to the same subnet, and multicast traffic needs to pass to
and from the public Internet (NetMeeting and Windows Media Player are two apps
that can use multicast).

RRAS
has two modes of support for IGMP: Proxy Mode, which simply forwards multicast
traffic to a multicast capable router/server; and Router Mode, which can listen
for and update the multicast-forwarding table. Router mode cannot propagate
group listening information to other multicast capable routers, however.

RIP
is used when it is desirable to reduce the management overhead caused by
maintaining static routes. It should be used if frequent changes to routing
information occur, demand-dial interfaces are used, the existing routers use
RIP, or there are no more than 14 hops between routers. (KB# Q164363)

Choose
RIP version 2 if your network includes variable
length subnet masks, CIDR,
multicast routing table updates, or password authentication between routers.

Choose
OSPF when dynamic routing is necessary, existing routers are OSPF compliant,
there are over 50 subnets, or there are redundant paths between your subnets
(link state). OSPF
design can be subdivided into three hierarchical levels:

1.      
OSPF Autonomous
System – a collection
of networks that share a common administrative authority. Autonomous Systems
(AS) are subdivided into OSPF areas.

2.      
OSPF Area – a
group of routers that connect to contiguous network segments and are all
connected by area border routers (ABR) into a backbone area.

3.      
OSPF Network – consists
of individual segments that are connected by OSPF routers.

Design
considerations:

For
router placement, consider the following questions

·        
Do you need to
logically segment the network (create subnets) to isolate traffic?

·        
Are dissimilar
network topologies (ATM, ISDN, Token Ring, and Ethernet) being connected?

·        
Does the
organization require the creation of screened subnets (packet filtering) to
secure confidential data?

·        
Are connections
persistent (higher availability and data rate) or demand-dial (you will have to
set persistence for these), which will invariably add to its operating cost?

Routers
placed at the edge of a network (between the Internet and the private network)
can provide firewall type security when packet filtering is enabled.

Static
routing is an option when it is desirable to reduce overhead (generated by
dynamic routing protocols such as RIP and OSPF) or to increase security (by
preventing transmission of routing tables). It should be avoided when it
generates unacceptable management overhead because of the number of resources or
the frequency of changes. Routes for demand-dial interfaces must be manually
added as neither RIP nor OSPF support them. (KB# Q178993
& Q235492)

Auto-static
routing is a combination of static routes and RIP for IP. It allows an
administrator to specify a schedule when a demand-dial connection is established
and static route entries are automatically updated. It reduces the management
overhead associated with static routes, but it can cause availability problems
if auto-static updates are not performed frequently enough. Auto-static routing
does not support OSPF. (KB# Q241545)

Performance
and availability considerations:

To
obtain the best performance use a dedicated computer as a router. If a router is
performing more than one role, its performance will be degraded and possibly its
stability as well (lowered availability).

Persistent
connections enhance availability and eliminate connection times associated with
demand-dial interfaces. Connections should be redundant, maintaining high
availability in the event a connection fails.

Multiple
routers should be installed to provide fault-tolerance in the event of equipment
failure.

Security
considerations:

In
your network design, RIP for IP or OSPF passwords can be implemented to
authenticate routers only if a clear-text password exchange is acceptable and
all routers use the same protocols.

IPSec
Machine Certificates provide a greater degree of security. It should only be
used when all routers support IPSec (servers running IPSec can only communicate
with other servers running IPSec), and there is a Certificate Authority that can
issue machine-based certificates. IPSec provides authentication and protection
against spoofing when using the Authentication Header (ESP) protocol, but does
not encrypt the data itself (choose ESP protocol for that).

VPN
(Virtual Private Network) can be used if there is a need to secure routers
(which support VPN). Choose PPTP with NT4 routers and L2TP with Windows 2000
routers. Third party routers may be compatible with PPTP and L2TP: check their
specifications when planning to use VPN for security.

MS
Point-to-Point Encryption (MPPE) is used by Point-to-Point Tunneling Protocol (PPTP)
to secure confidential data. This method is not as secure as IPSec and only
provides user-level authentication. It is also used in lieu of certificate-based
authentication.

IPSec
tunnels can be used to protect confidential data. Tunnel mode is used strictly
for point-to-point communication whereas transport mode can communicate with
more than one computer at a time. When used with L2TP, machine-based
authentication is possible using certificates.

Remote
Users:

Design
considerations:

VPNs:

A
Virtual Private Network (VPN)
is an extension of the physical network. Rather than restricting the network to
local cabling, VPN uses the Internet as a segment backbone. VPNs are used by
organizations that have a need for members to access private network resources
via the Public Internet. Windows 2000 has two main encryption protocols that are
used with a VPN:

·        
MPPE (Microsoft
Point-to-Point Encryption) is used with PPTP (Point-to-Point Tunneling
Protocol). PPTP was developed by Microsoft and others. It has not been widely
adopted by most of the Internet community. MPPE uses 40-bit, 56-bit, and 128-bit
(North America only) encryption.

·        
IPSec (IP Security
Protocol) - an open protocol suite that relies on L2TP (Layer 2 Tunneling
Protocol) for encrypting user names, passwords, and data. IPSec is used to
negotiate the secure connection utilizing DES (Data Encryption Standard/
56-bit), and 3DES (Triple DES). IPSec is currently supported by Windows 2000
only.

There
are two VPN connection types: compulsory and voluntary. Compulsory tunnels are
initiated by the RAS server, do not require client support for tunneling, and
require user-based client authentication (RADIUS is optional). Voluntary
connections are initiated by the dial-up user and require support on the client
end for the tunneling protocols, but the connections do not need intermediate
RAS server support for tunneling.

Dial-up
Access:

Used
when the security risk from allowing access the private network via a VPN tunnel
from the public Internet is unacceptable. RRAS support the MS R