Presentation on theme: "Windows Server 2008 R2 Overview Part 2 Technical."— Presentation transcript:
Windows Server 2008 R2 Overview Part 2 Technical
2 Doug Spindlers Background 24 years in IT as a Technology Consultant MCT, MCITP, MCTS President of Pacific IT Professionals A professional association for IT Professionals Join today at www.pacitpros.orgwww.pacitpros.org Technology Instructor Author Speaker Lecturer IT Pro Hero
3 Why IT Pros will want to deploy Win 7 and Server 2008R2 NOW! No I do not work for Microsoft. This is NOT a marketing presentation.
4 Customer top security concerns Security Network Performance Reliability Ease of use for users
5 IT Pro got to haves Bitlocker – whole drive encryption User Access Control (UAC) Secure Socket Tunneling Protocol Terminal Services RemoteApp Application virtualization - SoftGrid Granular password policy Re-startable AD without a reboot
6 Enhancements to Network Security Network Level Network Access Protection Server Isolation Domain Isolation GPO managed Quality of Server - QoS Host based firewall Firewall and IPSEC integration
7 Labs Unmanaged guests NAP Protects network & gets clients up to date
8 Labs Unmanaged guests Server Isolation Isolates high-valued servers and data from the rest of the network.
9 Labs Unmanaged guests Domain Isolation Isolates high-valued servers and clients from the rest of the network.
10 Policy-based QoS Enables Management of Hosts Bandwidth
11 Enhancements to Network Security Operating system New network stack – New code Impervious to existing attacks New attack code is require Windows Firewall with Advanced Security – Protects hosts
12 Conclusion New code in the network stack = Your Network is more secure
13 Windows history Network stack used in XP and Server 2003 (and prior) was written for Windows 95 Pentium I – 100MHz 10 Mb/sec network Modems Only minor enhancements and fixes since Stack is inefficient – Lots of latency Code (by todays standards) is inefficient
14 Network Performance Enhancements TCP Chimney TCP-A (I/OAT) Receive Window Auto-Tuning SMB2 Protocol Receive side scaling (RSS) Compound TCP – cTCP Congestion Control Policy-based Quality of Service (QoS) Black-Hole Router detection (BHRD) Dead Gateway Detection
16 Network Performance Enhancements Receive Window Auto-Tuning Dynamic allocated packet receive buffer More in flight data – up to 16MB If too much data, use QoS. Max 16MB window @ 100ms ~ 1.34Gbps
17 Win 7 Performance – Auto Tuning Testing between Windows 2K3 server to Win 7 client Average latency is 180 ms round trip Applications tested - TTCP, FTP, Xcopy TTCP - 3259 KB/sec (26.07 Mbps*) 869% increase FTP - 633 KB/sec (5.06 Mbps) 85% increase Xcopy - 604 KB/sec (4.83 Mbps) 109% increase
18 Network Performance Enhancements Receive Window Auto-Tuning ServerClient The application layer passes a block of data down to the Transport Layer (TCP). The transport layer then sends the data to the client. Transport layer breaks the data up into blocks equal to the maximum segment size (MSS) for the link. For Ethernet this is 1460 bytes. Data
19 Network Performance Enhancements Receive Window Auto-Tuning Lets assume the advertised Window Size of the Client is 8760 bytes and the MSS is 1460 bytes. Outstanding Packets = Window Size / MSS Outstanding Packets = 8760 / 1460 Outstanding Packets = 6 The sender (Server in this case) can only have 6 outstanding packets on the network at one time. It must stop sending until it receives an acknowledgement for some or all of the packets before sending more.
20 ServerClient Once the transport layer has sent the 6 th packet, it must stop until it receives an acknowledgement for one or more of the transmitted packets. Data 123456 Network Performance Enhancements Receive Window Auto-Tuning
21 Server Client The client receives packets 1 and 2. Once it receives packet number 2 it sends an Acknowledgement back to the server indicated that it successfully received the packets. Data 3456 Acknowledge 1 and 2 Network Performance Enhancements Receive Window Auto-Tuning
22 Cost of the delays in XP and Server 2003? Only way to get Gig out of Gig is to maintain a sending a gig sending rate. Which is a 1.21 microsecond gap between packets. Any delays in sending decreases throughput or dead air
23 The cost of a delay 195 microseconds 195/1.21 = 160 packets. 180 microseconds 180/1.21 = 150 packets. 160,000packets = 242,880,000 Bytes or 240 MB
24 What is the right Window Size? Receive Window Auto-Tuning TCP Window Size = Bandwidth * Roundtrip Delay In previous version of Windows the buffer size was fixed
25 ServerClient Data 345678 Win 7 and Server 2008R2 Advantage – More data, less dead air 9101112 Network Performance Enhancements Receive Window Auto-Tuning
26 Network Performance Enhancements Receive Window Auto-Tuning Green Win 7 Orange XP XP Win 7-Server 2008R2 advantage, more initial in-flight data
27 Network Performance Enhancements Receive Window Auto-Tuning Green Win 7 Orange XP XP & Server 2003 Less in-flight data, resulting in less throughput. Win 7 & Server 2008R2 advantage, More efficient use of the network.
28 Network Performance Enhancements SMB2 Protocol Combined control messages More efficient use of the network SMB 2 only available Server 2008R2 – Server 2008R2 Server 2008R2 – Win 7 Win 7 – Win 7 No error correction in SMB
29 Network Performance Enhancements Receive side scaling (RSS) Allows packet receive-processing to scale with the number of available computer processors.
30 Network Performance Enhancements Compound TCP – cTCP Congestion Control Congestion Faster recovery Less time to transfer data In this example 80 minutes
31 What do all of these things give you? TCP Chimney TCP-A (I/OAT) Receive side scaling (RSS) Receive Window Auto-Tuning Compound TCP – cTCP Congestion Control Policy-based Quality of Service (QoS) Black-Hole Router detection (BHRD) Dead Gateway Detection The Win 7 – Server 2008R2 advantage Faster transfer of data
38 History of Internet Protocols Network Control Protocol (NCP) First protocol used on the Internet IPv4 Second generation protocol NCP and IPv4 were run concurrently Flag day January, 1, 1983 IPv6 Interplanetary Protocol
39 IPv6 Myths IPv6 is experimental No one is using IPv6 in production My network wont run IPv6 Microsoft is making a big mistake with IPv6 IPv6 is less secure than IPv4 IPv6 causes Win 7 to run slower
40 FACTS We are running out of IPv4 addresses IPv6 is the preferred protocol in Win 7 and Server2008R2 and can not be removed You been assigned an IPv6 address (Publicly assigned) It can be used today Linux and Apple already support IPv6 Microsofts implementation of IPv6 is feature rich ( compared to Apple and Linux)
41 Available IPv4 address by year Grey – available IP address Orange – Allocated IPv4
42 IPv6 is 2 128 addresses 340,282,366,920,938,000,000,000,000,000,000,000,000 addresses Are your ready to
43 IPv6 is 2 128 addresses 340,282,366,920,938,000,000,000,000,000,000,000,000 addresses IP on everything
44 How big is 2 128 or 340,282,366,920,938,000,000,000, 000,000,000,000,000? If the IPv4 address space is size of one atomic nucleus big, the IPv6 address space would require a month of light-speed travel to reach. Thanks to Sean Siler at Microsoft for this clever way of to explain just how large the address space is.
45 Think Global… Microsoft was brilliant for implementing IPv6 Thanks to Microsoft for doing this IPv6 in Win 7 and Server 2008R2 Ipv6 addressing and routing is easier No need for NAT Most Application just work Microsoft has made a commitment to IPv6 New MS software will support IPv6
46 New network stack design in Server 2008R2 and Win 7 AFD Inspection API IPv4 802.3 WSK WSK Clients TDI Clients NDIS WLAN 1394 Loop- back IPv4 Tunnel IPv6 Tunnel IPv6 RAW UDPTCP Win 7 and Server 2008R2 tcpip.sys TDX TDI Winsock User Mode Kernel Mode
47 IPv6 can not be removed from tcpip.sys IPv4 802.3 WLAN 1394 Loop-back IPv4 Tunnel IPv6 Tunnel IPv6 RAW UDPTCP Win 7 and Server 2008R2 tcpip.sys
49 Market forces pushing IPv6 adoption Mobile Internet Services - Internet Multimedia Services (IMS) Next gen cell phones IPTV Cable companies End to end security requirements Auto configuration for home and mobile devices Foreign countries 2008 Olympics
50 IPv4 had no security, IPSec and L2TP were bolt-ons Physical Data Link Network Transport Session Presentation App Physical Data Link Network Transport Network Transport Session Presentation App IPSec VPN L2TP VPN
51 In IPv6 IPSEC is built in Physical Data Link Network Transport Session Presentation App
52 Why IPv6? Security IPv4 security was an add-in IPv6 has IPSEC integrated Any IPv6 communication can automatically do authentication, message integrity and encryption or any combination of those Easier – saves time
53 Saves time No network IPv6 the following settings are optional Subnet masks No need for a subnet calculator Default Gateways DNS Servers DHCP Servers Private IP address Routing table IPv6 is easier to configure – saves time
54 Unicast IPv6 Addresses Hosts will have multiple addresses Global addresses (Public IPv4) Link-local addresses (192.168.1.1) Unique local addresses (10.10.1.1) Special addresses Compatibility addresses
55 Win 7 and Server 2008R2 New Protocols Native IPv6 – Preferred 6to4 ISATAP Intrasite automatic tunneling address protocol Teredo
57 Windows Win 7 and Server 2008R2 Native IPv6 Global address Native IPv6: Native IPv6 addresses start with the prefix 2000::/3 (Subject to change) A native IPv6 address looks like: 2001:0470:1F00:FFFF:0000:0000:0000:0FF3 /127 | prefix | host | subnet |
58 Windows Win 7 and Server 2008R2 6to4 It is a standard: IETF RFC 3056 6to4 is a tunneling technology Allows communication across the IPv4 Internet by tunneling IPv6 inside IPv4 packets to get to the IPv6 Internet through gateways
59 Windows Win 7 and Server 2008R2 6to4 IPv4 address: 184.108.40.206 is represented as cfd5:f601 (convert decimal to hex) Its 6to4 address is: 2002:cfd5:f601:0000:0000:0000:cfd5:f601 |pref| IPv4 | :: | IPv4 |
60 Windows Win 7 and Server 2008R2 ISATAP It is a standard: IETF RFC 4214 Intrasite Automatic Tunnel Addressing Protocol ISATAP is a tunneling technology Allows communication across an IPv4 intranet by tunneling IPv6 inside IPv4 packets
61 IPv6 Header Extension Headers Upper Layer Protocol Data Unit IPv6 Header Extension Headers Upper Layer Protocol Data Unit IPv4 Header IPv6 Packet Min MTU 1280 IPv4 Packet Max Ethernet MTU 1500 IPv4 header Protocol field is set to 41 for isatap and 6to4 tunnels Encapsulation For ISATAP and 6to4 packets Windows Win 7 and Server 2008R2 ISATAP and 6to4 packet encapsulation
62 Windows Win 7 and Server 2008R2 Teredo Teredo provides IPv4 NAT traversal capabilities by tunneling IPv6 inside of IPv4 using UDP Teredo provides IPv6 connectivity when behind an Internet IPv4 NAT device Is designed to be a universal method for NAT traversal for most types of NAT use
63 Something to think about…. With Teredo can boarder firewalls offer protection needed for todays networks? Or do they offer a false sense of security? What about IPv6 bot Nets?
64 Windows Win 7 and Server 2008R2 Preferred order of communication Native IPv6 – Preferred 6to4 ISATAP Intrasite automatic tunneling address protocol Teredo IPv4 …. last resort
65 Does all this work? Yes! I've been running it for 4 years Native IPv6, 6to4, ISATAP, Teredo, IPv4 Global IPv6 address
66 Watching for IPv6 traffic on your network Use a packet Analyzers – NetMon or Wireshark
67 Router Venders Support for IPv6 Native IPv6: IPv6 native routing protocols Cisco, Juniper Most are providing software upgrades to support native IPv6 deployments on existing hardware Cisco IOS 12.3+ mainline code has IPv6 support
68 If I can do it, so can Microsoft IPv6 Infrastructure In Redmond ISATAP available in all buildings world-wide Native v6 connectivity in all development buildings world-wide
69 Impact on IT Professionals IPv6 only hardware/software is on the way Smart cell phones PDAs Web cameras Law enforcement Cars MP3 players Next generation operating systems Win 7 – Server 2008R2 advantage More secure, faster data transfers with less CPU processing and ready for the future, IPv6. $ OPPERTUNITIES $
70 Impact on Customer Networks Test firewalls, are they IPv6 aware? Many allow IPv6 traffic to pass un-checked Is this the end of boarder firewalls? Teredo was designed to pass through NAT