Understanding, Configuring, and Securing TCP/IP Networks Lesson 11
Skills Matrix
Technology Skill | Objective Domain Skill | Domain #
Introducing TCP/IP | Configure and troubleshoot network protocols | 4.1
Understanding IP Addresses | IPv6; IPv4 | 4.1
Understanding Subnetting and Subnet Masks | IPv4 | 4.1
Configuring TCP/IP Network Settings | Auto vs. manual configuration | 4.1
Understanding DNS | Configure and troubleshoot network services at the client level; DNS | 4.2
Understanding DHCP | DHCP | 4.2
Understanding and Configuring Wireless Networking and Security | Configure and troubleshoot wireless networking; Configure wireless network security; WPA; WEP | 4.5
Configuring Wireless Networking in Group Policy | Configure policy settings | 4.5
Understanding and Securing Data with IPsec by Using Windows Firewall | Configure network security; IPsec | 4.6
Using Windows Firewall with Advanced Security to Implement IPsec | IPsec; Windows Firewall | 4.6
Introducing TCP/IP: Understanding TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) – Most commonly used protocol for communication on computer networks. It is the network communications protocol that is the basis for the Internet.
Introducing TCP/IP: Understanding TCP/IP (cont.)
Computers running Windows Vista are TCP/IP hosts by default, meaning that they have all of the software required for taking part in a TCP/IP network.
Introducing TCP/IP: Understanding IP Addresses
TCP/IP hosts, such as computers running Windows Vista, are identified on TCP/IP networks with an IP address. Other network entities, such as printers or routers, can also be identified with an IP address.
Introducing TCP/IP: Understanding IP Addresses (cont.)
IP addresses are 32 bits in length and are expressed in four octets separated from one another with a dot (the “.” character). Each octet is 8 bits long (32 bits for each address divided by 4 octets = 8 bits), which is why they are called octets.
Example IP address:
Introducing TCP/IP: Understanding IP Addresses (cont.)
Octets are expressed as values between 0 and 255 (with some restrictions). The first octet determines the class of the address.
Classes – Divide the IP address space into sections that are used for different purposes
Introducing TCP/IP: Understanding IP Addresses (cont.)
IP Address Class | First Octet Range | Purpose
Class A | 1-126 | Very large networks
Class B | | Medium to large networks
Class C | | Small networks
Class D | | Multicasting (sending messages to more than one host at a time)
Class E | | Reserved for experimental purposes
Introducing TCP/IP: Understanding IP Addresses (cont.)
TCP/IP hosts that are directly exposed to the Internet must receive their IP addresses from the Internet Corporation for Assigned Names and Numbers (ICANN) or some other authority. These IP addresses are called public-facing IP addresses.
Introducing TCP/IP: Understanding IP Addresses (cont.)
Almost all organizations today use private networks, in which the IP addresses internal to the organization are hidden from hosts external to the organization.
Introducing TCP/IP: Understanding Subnetting and Subnet Masks
Subnetting – Using subnet masks to partition a network into smaller networks called subnets
Subnet mask – Used by subnetting to divide an IP address into a network ID and a host ID
Network ID – Identifies the subnet
Host ID – Identifies the host within that subnet
Introducing TCP/IP: Understanding Subnetting and Subnet Masks (cont.)
Subnet masks – Divide IP addresses into network IDs and host IDs and can be used to partition networks into subnets
Example of a subnet mask for the IP address :
Introducing TCP/IP: Converting Octets from Decimal to Binary
1. In Calculator, on the View menu, click Scientific.
2. Key the decimal octet.
3. In the upper left, just below the text box, select Bin. The number is displayed in binary.
4. Add zeros to the left side until there are eight digits.
Introducing TCP/IP: Converting Octets from Binary to Decimal
1. Open Calculator in Scientific view.
2. Select Bin in the upper left.
3. Key the binary value, excluding any leading 0s.
4. Select Dec in the upper left. The value is displayed in decimal.
Introducing TCP/IP: Combining Octets Using a Logical AND
Compare the first digit of each octet, and follow these rules:
1 AND 1 = 1
1 AND 0 = 0
0 AND 1 = 0
0 AND 0 = 0
Do the same for the remaining 7 digits.
Introducing TCP/IP: Applying a Logical NOT to an Octet
Replace each 1 with a 0.
Replace each 0 with a 1.
Introducing TCP/IP: IP Address Classes
IP Address Class | Default Subnet Mask | Purpose
Class A | | Very large networks
Class B | | Medium to large networks
Class C | | Small networks
Introducing TCP/IP: Calculating a Network ID
 | Decimal Octets | Binary Octets
IP Address | |
Subnet mask | |
Network ID (IP address AND subnet mask) | |
Introducing TCP/IP: Calculating a Host ID
 | Decimal Octets | Binary Octets
IP Address | |
NOT subnet mask | |
Host ID (IP address AND NOT subnet mask) | |
Introducing TCP/IP: Understanding Classless Inter-Domain Routing Notation
Classless Inter-Domain Routing (CIDR) notation – Common way of expressing a subnetted network address, from which you can derive the IP addresses and subnet mask for the hosts on each network
Example: /26
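The network-ID and host-ID calculations above, carried out in code rather than in Calculator. This is an added example, not part of the lesson: the functions implement the octet-wise AND and NOT the slides describe, expand a CIDR prefix such as /26 into a mask, and reject masks whose 1 bits are not contiguous. The address 192.168.1.77/26 is a constructed sample.

```python
"""Subnet arithmetic exactly as the lesson frames it: octet-wise AND and NOT."""


def to_octets(dotted):
    """'192.168.1.77' -> [192, 168, 1, 77], rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return [int(p) for p in parts]

def to_dotted(octets):
    return ".".join(str(o) for o in octets)

def to_binary_octets(dotted):
    """Each octet as eight binary digits, padded with leading zeros."""
    return ".".join(format(o, "08b") for o in to_octets(dotted))

def logical_and(a, b):
    """Combine two addresses octet by octet with a logical AND."""
    return to_dotted([x & y for x, y in zip(to_octets(a), to_octets(b))])

def logical_not(a):
    """Flip every bit of every octet (1 -> 0, 0 -> 1)."""
    return to_dotted([o ^ 0xFF for o in to_octets(a)])

def network_id(ip, mask):
    """Network ID = IP address AND subnet mask."""
    return logical_and(ip, mask)

def host_id(ip, mask):
    """Host ID = IP address AND NOT subnet mask."""
    return logical_and(ip, logical_not(mask))

def cidr_to_mask(prefix_length):
    """Expand a CIDR prefix length such as 26 into a dotted-decimal mask."""
    if not 0 <= prefix_length <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix_length)) & 0xFFFFFFFF
    return to_dotted([(bits >> shift) & 0xFF for shift in (24, 16, 8, 0)])

def mask_to_cidr(mask):
    """Count the leading 1 bits of a mask, rejecting non-contiguous masks."""
    value = int.from_bytes(bytes(to_octets(mask)), "big")
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones

def describe(ip, prefix_length):
    """Everything a host derives from a CIDR address such as 192.168.1.77/26."""
    mask = cidr_to_mask(prefix_length)
    net = network_id(ip, mask)
    broadcast = to_dotted([n | h for n, h in zip(to_octets(net), to_octets(logical_not(mask)))])
    return {"mask": mask, "network_id": net, "host_id": host_id(ip, mask),
            "broadcast": broadcast, "usable_hosts": max(2 ** (32 - prefix_length) - 2, 0)}


if __name__ == "__main__":
    # Constructed sample: a Class C private address on a /26 subnet.
    ip, prefix = "192.168.1.77", 26
    print("IP address  ", to_binary_octets(ip))
    print("Subnet mask ", to_binary_octets(cidr_to_mask(prefix)))
    for name, value in describe(ip, prefix).items():
        print(f"{name:12} {value}")
```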
Understanding DNS
Domain Name System (DNS) – Hierarchical naming convention for identifying TCP/IP hosts on a network
Fully qualified domain names (FQDNs) – User-friendly names to which IP addresses are mapped in DNS
Example FQDN: client42.northwind.contoso.com
Understanding DNS: DNS Hierarchy
Level | Examples | Notes
Root | (.) | The root domain is represented by the “.” character. It is not expressed in FQDNs.
Top-level domain | net, org, com, uk, gov | There are many other TLDs, most of them country codes.
Second-level domain | microsoft, contoso | Typically the second-level domain is a good indication of who owns the FQDN.
Additional domain levels | Northwind | There can be any number of additional levels in an FQDN.
Host name | client42, www | Yes, www is a host name. Most FQDNs with www designated as the host resolve to the IP address of one or more web servers.
Understanding DNS: DNS Caching
Both DNS clients and servers can cache DNS name resolutions.
DNS caching – After a name has been resolved, clients and servers store the answer locally for some time in case they need it again. In this way, they do not have to look it up a second time, which improves performance.
Understanding DHCP
Dynamic Host Configuration Protocol (DHCP) – Protocol that DHCP clients, such as computers running Windows Vista, can use to request and lease IP addresses from a DHCP server. The client can also use DHCP to request DHCP options.
Understanding DHCP (cont.)
DHCP client – Machine that uses DHCP to request an IP address lease and other information, called DHCP options
DHCP server – Allocates IP addresses from a pool of IP addresses to DHCP clients and optionally offers supporting information to DHCP clients, called DHCP options
Understanding DHCP (cont.)
DHCP option – Piece of information that DHCP servers can optionally offer to DHCP clients, including default gateway IP addresses and IP addresses for DNS name servers
DHCP lease – Entire package that a DHCP client receives from a DHCP server
Understanding DHCP (cont.)
The process of a DHCP client requesting and receiving a DHCP lease from a DHCP server is completed in the following four steps.
1. DHCPDISCOVER – The DHCP client broadcasts a request for a DHCP lease.
2. DHCPOFFER – DHCP servers on the network offer DHCP leases of specific IP addresses to the DHCP client.
3. DHCPREQUEST – The DHCP client chooses which DHCP server to obtain a DHCP lease from and broadcasts a message announcing that choice. The other offering DHCP servers receive the DHCPREQUEST message and return the IP addresses they offered to their pools of available IP addresses for lease.
4. DHCPACK – The chosen DHCP server also receives the DHCPREQUEST message. It sends an acknowledgement to the DHCP client and assigns it any configured DHCP options. The client configures its TCP/IP settings with the IP address and DHCP options supplied by the DHCP server.
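The four-step exchange above as a small stateful model, added here as an example and not taken from the lesson or from the Windows DHCP client. It shows why the broadcast DHCPREQUEST matters: the server that was not chosen sees it too and returns the address it had held to its pool. Server names, addresses and options are constructed samples.

```python
"""Model of the four-step DHCP lease exchange: DISCOVER, OFFER, REQUEST, ACK."""
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    name: str
    pool: list            # addresses still available for lease
    options: dict         # DHCP options handed out with the lease
    offered: dict = field(default_factory=dict)   # client -> address held for it
    leased: dict = field(default_factory=dict)    # client -> address assigned

    def on_discover(self, client):
        """DHCPDISCOVER is a broadcast, so every server sees it and may offer."""
        if not self.pool:
            return None                     # nothing left to offer
        address = self.pool.pop(0)          # hold the address while the offer is open
        self.offered[client] = address
        return {"type": "DHCPOFFER", "server": self.name, "address": address}

    def on_request(self, client, chosen_server):
        """DHCPREQUEST is also a broadcast and names the server the client chose."""
        address = self.offered.pop(client, None)
        if address is None:
            return None                     # this server never offered the client anything
        if chosen_server != self.name:
            self.pool.append(address)       # not chosen: return the address to the pool
            return None
        self.leased[client] = address       # chosen: commit the lease
        return {"type": "DHCPACK", "server": self.name, "address": address,
                "options": dict(self.options)}


def obtain_lease(client, servers):
    """Run the client's side of the exchange against every server on the segment."""
    offers = [o for o in (s.on_discover(client) for s in servers) if o]
    if not offers:
        return None                         # no DHCP server answered
    chosen = offers[0]["server"]            # this client takes the first offer it received
    acks = [a for a in (s.on_request(client, chosen) for s in servers) if a]
    return acks[0] if acks else None


def build_segment():
    """Constructed sample: two DHCP servers on the same broadcast domain."""
    return [
        DhcpServer("dhcp-a", ["10.0.0.50", "10.0.0.51"],
                   {"router": "10.0.0.1", "dns": ["10.0.0.10"]}),
        DhcpServer("dhcp-b", ["10.0.0.150"],
                   {"router": "10.0.0.1", "dns": ["10.0.0.11"]}),
    ]


if __name__ == "__main__":
    segment = build_segment()
    print(obtain_lease("client42", segment))
    print({s.name: s.pool for s in segment})   # dhcp-b has its offered address back
```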
Understanding DHCP (cont.)
Automatic Private IP Addressing (APIPA) – Another scheme for assigning IP addresses automatically. It is a part of Windows operating systems. If you configure a computer to obtain an IP address automatically and no DHCP server is available, you will receive an APIPA address. APIPA addresses always start with the octets
Configuring TCP/IP Network Settings: Configuring IPv4 TCP/IP Network Settings Manually
Properties dialog box for an example connection
Configuring TCP/IP Network Settings: Configuring IPv4 TCP/IP Network Settings Manually (cont.)
Example settings for a Class C private network with 64 subnets
Configuring TCP/IP Network Settings: Using DHCP to Configure TCP/IP Settings Automatically
1. Open the Properties dialog box for the connection you want to configure.
2. In the ConnectionName Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Select Obtain an IP address automatically.
4. Select one of the following:
   Obtain DNS server addresses automatically
   Use the following DNS server addresses
Configuring TCP/IP Network Settings: Configuring an Alternate IP Address
Example alternate IP address settings for a Class A private network
Configuring TCP/IP Network Settings: Configuring Windows Vista Wired Network Policy in Group Policy
You can configure network settings through Group Policy in the Computer Configuration > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies folder of Group Policy objects (GPOs).
Configuring TCP/IP Network Settings: Configuring Vista Wired Network Policy in Group Policy (cont.)
The Security tab of the WiredNetworkPolicyName Properties dialog box
Configuring TCP/IP Network Settings: Configuring Vista Wired Network Policy in Group Policy (cont.)
In the Select a network authentication method drop-down list, select one of the following:
Smart Card or other certificate – Select this option if you want wireless users to authenticate with a smart card.
Protected EAP (PEAP) – Protected Extensible Authentication Protocol. Usernames and passwords fall into this authentication category.
Configuring TCP/IP Network Settings: Configuring Vista Wired Network Policy in Group Policy (cont.)
In the Authentication Mode drop-down list, select one of the following:
User re-authentication – Authentication uses the computer’s credentials when a user is not logged on. When a user logs on, re-authentication using the user’s credentials is performed.
Computer authentication – Authentication uses the computer’s credentials.
User authentication – Authentication uses the computer’s credentials until a new wireless access point is connected to, at which time re-authentication takes place with the user’s credentials.
Guest authentication – All connections to the network are regulated by the settings for the Guest user account. This is the least restrictive and most flexible authentication and is recommended when you are creating a wireless policy for a network where guests are welcome.
Understanding and Configuring Wireless Networking and Security: Wireless Networking and Security
Security is very important in wireless networks because anybody within radio range who has a receiver can potentially connect to the network if security is weak.
Understanding and Configuring Wireless Networking and Security: Wireless Networking and Security (cont.)
In Vista, networks are differentiated into two broad classes.
Infrastructure networks – Networks that connect to wireless access points on your network
Ad-hoc networks – Networks that you can form on the fly with other wireless users
Understanding and Configuring Wireless Networking and Security: Wireless Networking and Security (cont.)
Wired Equivalent Privacy (WEP) – Least secure technology. It requires a WEP key, which you supply to the wireless devices that connect to the access point. WEP has known vulnerabilities that enable attackers to crack it with retail hardware. WEP is not recommended for enterprise use.
Understanding and Configuring Wireless Networking and Security: Wireless Networking and Security (cont.)
Wi-Fi Protected Access (WPA) – Designed to eliminate the known security flaws of WEP. Wireless devices and the access point use a pre-shared key (PSK) that can be either a 256-bit number or an alphanumeric password between 8 and 63 characters long.
Understanding and Configuring Wireless Networking and Security: Wireless Networking and Security (cont.)
Wi-Fi Protected Access 2 (WPA2) – Preferred security technology for enterprise wireless networks. It uses 802.1X-based authentication and Advanced Encryption Standard (AES) encryption.
Understanding and Configuring Wireless Networking and Security: Wireless Networking and Security (cont.)
There are two versions of WPA2:
WPA2-Personal
WPA2-Enterprise
WPA2-Enterprise requires that a user authenticate on the network before wireless connectivity is granted.
Understanding and Configuring Wireless Networking and Security: Wireless Networking and Security (cont.)
Enterprise Single Sign-on – Enables users to authenticate to the wireless network access point and the domain in a single step. In Enterprise Single Sign-on, 802.1X authentication to the wireless network precedes logon to the domain, and users are only prompted for wireless credential information if needed.
Understanding and Configuring Wireless Networking and Security: Configuring Wireless Networking in Group Policy
You can configure wireless networking in Group Policy in the Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE ) Policies node of Group Policy objects.
Understanding and Configuring Wireless Networking and Security: Configuring Wireless Policy for Infrastructure Networks
To configure Windows Vista wireless policy, you must first create a new Vista wireless policy in a GPO. You can have only one Vista policy per GPO, but you can configure profiles for multiple wireless networks in that single policy.
Understanding and Configuring Wireless Networking and Security: Configuring Wireless Policy for Infrastructure Networks (cont.)
Connection tab of the New Profile properties dialog box for an infrastructure wireless network profile
Understanding and Configuring Wireless Networking and Security: Configuring Wireless Policy for Infrastructure Networks (cont.)
Security tab of the New Profile properties dialog box
Understanding and Configuring Wireless Networking and Security: Configuring Wireless Policy for Infrastructure Networks (cont.)
Network Permission tab of the WirelessPolicyName Properties dialog box with example settings configured
Understanding and Securing Data with IPsec by Using Windows Firewall: Understanding and Securing Data with IPsec
Internet Protocol Security (IPsec) – Suite of protocols for securing communication between two TCP/IP hosts.
Understanding and Securing Data with IPsec by Using Windows Firewall: Understanding and Securing Data with IPsec (cont.)
Data integrity – Ensuring that the transmitted data is identical to the data received
Encryption – Making the data unreadable by anybody but the intended reader
Authentication – When IPsec validates the identity of both hosts in an IPsec session
Understanding and Securing Data with IPsec by Using Windows Firewall: Understanding and Securing Data with IPsec (cont.)
The two hosts in an IPsec session must share a common key with which to decrypt the encrypted data. Windows Vista does not exchange the key itself, but instead exchanges information that each host uses to generate identical keys locally. The algorithm used to do this is called the Diffie-Hellman algorithm (DH).
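The key-agreement idea in the slide above, as an added example that is not part of the lesson and not Windows' IPsec implementation: each host keeps a private number, only the public values cross the wire, and both sides still arrive at the same key. The modulus and base are constructed toy parameters chosen to keep the numbers readable; real IPsec negotiations use standardized groups with moduli of 2048 bits or more, and the SHA-256 key derivation here is a simplification.

```python
"""Two hosts agreeing on a key without ever sending the key itself (Diffie-Hellman)."""
import hashlib
import secrets

# Toy group parameters, constructed for illustration only. Real IPsec uses
# standardized groups with moduli of 2048 bits or more; these values are far
# too small to be secure and exist only to keep the arithmetic readable.
P = 2147483647   # 2^31 - 1, a prime modulus
G = 7            # base


def dh_private_value(p=P):
    """Each host picks its own secret in [2, p-2] and never transmits it."""
    return secrets.randbelow(p - 3) + 2


def dh_public_value(private, p=P, g=G):
    """The value that actually crosses the network: g^private mod p."""
    return pow(g, private, p)


def dh_shared_secret(peer_public, private, p=P):
    """Raise the peer's public value to our own secret: peer_public^private mod p."""
    return pow(peer_public, private, p)


def derive_key(shared_secret):
    """Turn the agreed number into a fixed-length symmetric key (SHA-256 here)."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def key_exchange():
    """Run one exchange; return both hosts' keys plus everything that was observable."""
    a = dh_private_value()                        # host A's secret, stays on host A
    b = dh_private_value()                        # host B's secret, stays on host B
    A = dh_public_value(a)                        # A -> B over the wire
    B = dh_public_value(b)                        # B -> A over the wire
    key_a = derive_key(dh_shared_secret(B, a))    # A combines B's public value with a
    key_b = derive_key(dh_shared_secret(A, b))    # B combines A's public value with b
    on_the_wire = {"p": P, "g": G, "A": A, "B": B}   # all that an observer of the link sees
    return key_a, key_b, on_the_wire


if __name__ == "__main__":
    key_a, key_b, wire = key_exchange()
    print("identical keys:", key_a == key_b)
    print("observable on the wire:", wire)
```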
Understanding and Securing Data with IPsec by Using Windows Firewall: Understanding and Securing Data with IPsec (cont.)
Authentication methods offered by Windows Vista and commonly used in IPsec include the following:
Kerberos V5
NTLMv2
Certificate
Pre-shared key
Understanding and Securing Data with IPsec by Using Windows Firewall: Using Windows Firewall to Implement IPsec
You can use the New Connection Security Rule Wizard to help you create connection security rules. The wizard offers five rule types.
Isolation – Uses authentication criteria that you supply to restrict connections and thus isolate computers from other computers, such as those outside your domain
Authentication exemption – Used to exempt computers from IPsec connection restrictions rather than subject them to them. It is often used to grant access to infrastructure computers, such as domain controllers and DHCP servers, that computers need to communicate with before authenticating.
Server-to-server – Used to authenticate the communications between two specific computers, between two groups of computers, between two subnets, or between a specific computer and a group of computers or a subnet
Tunnel – Used for securing communications between two peer computers through tunnel endpoints, such as virtual private networking (VPN)
Custom – Used to create custom IPsec configurations
Understanding and Securing Data with IPsec by Using Windows Firewall: Using Windows Firewall to Implement IPsec (cont.)
New Connection Security Rule Wizard
Understanding and Securing Data with IPsec by Using Windows Firewall: Using Windows Firewall to Implement IPsec (cont.)
Endpoints page of the New Connection Security Rule Wizard with example settings
Understanding and Securing Data with IPsec by Using Windows Firewall: Using Windows Firewall to Implement IPsec (cont.)
The Requirements page includes:
Request authentication for inbound and outbound connections
Require authentication for inbound connections and request authentication for outbound connections
Require authentication for inbound and outbound connections
Do not authenticate
Understanding and Securing Data with IPsec by Using Windows Firewall: Using Windows Firewall to Implement IPsec (cont.)
The Authentication Method page includes:
Default
Computer and user (Kerberos V5)
Computer (Kerberos V5)
Computer certificate
Advanced
Understanding and Securing Data with IPsec by Using Windows Firewall: Using Windows Firewall to Implement IPsec (cont.)
The Profile page includes:
Domain check box
Private check box
Public check box
Summary: You Learned
TCP/IP is the most commonly used network communications protocol in use today. It is used on the Internet and in most other networks, such as enterprise networks.
IP addresses are how hosts in a TCP/IP network identify each other.
Subnetting enables you to split a network into multiple networks by using a subnet mask.
You learned how to convert decimal octets into binary octets and vice versa.
You learned how to perform AND and NOT operations on binary octets.
Domain Name System is a user-friendly naming convention. DNS names, called fully qualified domain names, are converted into IP addresses by DNS name servers so that TCP/IP hosts can communicate.
Dynamic Host Configuration Protocol is a protocol by which TCP/IP hosts can automatically obtain IP addresses and supporting information.
You learned how to configure IPv4 TCP/IP network settings manually.
You learned how to use DHCP to configure IPv4 TCP/IP settings automatically.
You learned how to configure an alternate IP address.
You learned how to configure Windows Vista wired network policy through Group Policy.
You learned the importance of wireless network security and how to implement it.
You learned how to configure Windows Vista wireless policy for infrastructure networks.
IP security protocol in Windows Vista can be implemented using Windows Firewall with Advanced Security. You can configure custom IP security policies to fit a variety of requirements.
You learned how to create connection security rules.