Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright line. IP Addressing and Services EXAM OBJECTIVES Configuring IPv4 and IPV6 Addressing Configuring IPv4 and IPV6 Addressing Configuring Dynamic.

Similar presentations


Presentation on theme: "Copyright line. IP Addressing and Services EXAM OBJECTIVES Configuring IPv4 and IPV6 Addressing Configuring IPv4 and IPV6 Addressing Configuring Dynamic."— Presentation transcript:

1 Copyright line. IP Addressing and Services EXAM OBJECTIVES Configuring IPv4 and IPV6 Addressing Configuring IPv4 and IPV6 Addressing Configuring Dynamic Host Configuration Protocol (DHCP) Configuring Dynamic Host Configuration Protocol (DHCP) Configuring Network Authentication Configuring Network Authentication Configuring IP Security (IPSec) Configuring IP Security (IPSec) Configuring Windows Firewall with Advanced Security Configuring Windows Firewall with Advanced Security

2 Copyright line. Slide 2 Configuring IPv4 and IPV6 Addressing IPv4 addressing uses 32-bits and a subnet mask to identify the network and host portions of the address. IPv4 addressing uses 32-bits and a subnet mask to identify the network and host portions of the address. IPv6 addressing uses 128 bits and the network information is contained in the left-most 64 bits, host information in the right- most 64 bits. IPv6 uses hexadecimal notation. IPv6 addressing uses 128 bits and the network information is contained in the left-most 64 bits, host information in the right- most 64 bits. IPv6 uses hexadecimal notation. Supernetting uses the Classless Inter-Domain Routing (CIDR) notation, and this notation is also used in IPv6. Supernetting uses the Classless Inter-Domain Routing (CIDR) notation, and this notation is also used in IPv6. IPv6 address types include local-link, unique local IPv6 unicast, global unicast, multicast, anycast, and special addressing. Local-link maps to IPv4 private addressing, global unicast maps to IPv4 public addressing. IPv6 address types include local-link, unique local IPv6 unicast, global unicast, multicast, anycast, and special addressing. Local-link maps to IPv4 private addressing, global unicast maps to IPv4 public addressing. The local loopback address in IPv6 is ::1/128; FF80::/64 is used for local-link addressing. The local loopback address in IPv6 is ::1/128; FF80::/64 is used for local-link addressing. IP4 to IP6 transition technologies include dual IP layer architecture, IPv6 over IP4 tunneling, Intra-Site Automatic Tunneling Addressing Protocol (ISATAP), 6to4, and Teredo. IP4 to IP6 transition technologies include dual IP layer architecture, IPv6 over IP4 tunneling, Intra-Site Automatic Tunneling Addressing Protocol (ISATAP), 6to4, and Teredo.

3 Copyright line. Slide 3 Configuring Dynamic Host Configuration Protocol (DHCP) The DHCP server role in Windows Server 2008 includes native support for IPv6 as DHCPv6. The DHCP server role in Windows Server 2008 includes native support for IPv6 as DHCPv6. Scope, reservations, exceptions, and scope options are configured in IPv6 much the same as they are in IPv4. Scope, reservations, exceptions, and scope options are configured in IPv6 much the same as they are in IPv4. A DHCP server should have its scope and configuration data set, the scope should be activated, and the server should be authorized in the Active Directory domain in order to bring a new DHCP server online. A DHCP server should have its scope and configuration data set, the scope should be activated, and the server should be authorized in the Active Directory domain in order to bring a new DHCP server online. DHCP and Network Access Protection (NAP) are integrated in Windows Server 2008, providing the ability to deny or limit access to network resources based on the client computers health status. Health status includes having the latest operating system updates and antivirus signatures installed. DHCP and Network Access Protection (NAP) are integrated in Windows Server 2008, providing the ability to deny or limit access to network resources based on the client computers health status. Health status includes having the latest operating system updates and antivirus signatures installed. DHCP can be configured using command line commands. This is helpful for managing DHCP servers remotely across the network. DHCP can be configured using command line commands. This is helpful for managing DHCP servers remotely across the network.

4 Copyright line. Slide 4 Configuring Network Authentication Network authentication is managed through Active Directory and uses Kerberos as the default authentication protocol. NTLMv2 is supported for backward compatibility and should be used only if needed. Network authentication is managed through Active Directory and uses Kerberos as the default authentication protocol. NTLMv2 is supported for backward compatibility and should be used only if needed. Network Policy and Access Services is a role that can be installed on the Windows Server 2008 computer. It includes NPS, RRAS, RADIUS, RADIUS proxy, and NAP. Network Policy and Access Services is a role that can be installed on the Windows Server 2008 computer. It includes NPS, RRAS, RADIUS, RADIUS proxy, and NAP. WLAN access and authentication follows , 802.1X, and standards. Associated protocols include EAP-TLS, PEAP-TLS, PEAP-MS-CHAPv2, PPTP, and SSTP. WLAN access and authentication follows , 802.1X, and standards. Associated protocols include EAP-TLS, PEAP-TLS, PEAP-MS-CHAPv2, PPTP, and SSTP. Support for SPAP, EAP-MD5-CHAP, and MS-CHAPv1 has been removed in Windows Server EAPHost architecture includes new features not supported in earlier operating systems including support for additional EAP methods, network discovery, vendor-specific EAP types, and coexistence of multiple EAP types across vendors. Support for SPAP, EAP-MD5-CHAP, and MS-CHAPv1 has been removed in Windows Server EAPHost architecture includes new features not supported in earlier operating systems including support for additional EAP methods, network discovery, vendor-specific EAP types, and coexistence of multiple EAP types across vendors. Routing and remote access supports the use of IPSec through transport and tunnel modes. Point-to-point tunneling protocol (PPTP), Microsoft Point-to-Point Encryption (MPPE), Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec), and Secure Socket Tunneling Protocol (SSTP) are supported for data authentication, integrity, encryption, and confidentiality. Routing and remote access supports the use of IPSec through transport and tunnel modes. Point-to-point tunneling protocol (PPTP), Microsoft Point-to-Point Encryption (MPPE), Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec), and Secure Socket Tunneling Protocol (SSTP) are supported for data authentication, integrity, encryption, and confidentiality.

5 Copyright line. Slide 5 Configuring IP Security (IPSec) IPSec provides peer authentication, data origin authentication, data integrity, data confidentiality, antireplay, and key management. Due to increasing needs for network security, IPSec is being implemented with greater frequency. IPSec provides peer authentication, data origin authentication, data integrity, data confidentiality, antireplay, and key management. Due to increasing needs for network security, IPSec is being implemented with greater frequency. The AH and ESP protocols within IPSec provide different types of security. Data encryption is provided by ESP, not by AH, making it the preferred protocol. The AH and ESP protocols within IPSec provide different types of security. Data encryption is provided by ESP, not by AH, making it the preferred protocol. IPSec is integrated with Windows Firewall with Advanced Security and is also managed through Group Policy in the Active Directory context. IPSec is integrated with Windows Firewall with Advanced Security and is also managed through Group Policy in the Active Directory context. IPSec can be configured via command line commands within the netsh ipsec context. IPSec can be configured via command line commands within the netsh ipsec context. IPSec can be used to provide server and domain isolation to ensure secure IP traffic remains secure. IPSec can be used to provide server and domain isolation to ensure secure IP traffic remains secure.

6 Copyright line. Slide 6 Configuring Windows Firewall with Advanced Security New features include IPSec integration, support for IPv6, integration with Active Directory user, computer, and group settings, location aware profiles (for mobile computers), detailed rules, and expanded authenticated bypass capabilities. New features include IPSec integration, support for IPv6, integration with Active Directory user, computer, and group settings, location aware profiles (for mobile computers), detailed rules, and expanded authenticated bypass capabilities. Inbound and outbound rules along with connection security rules provide the network administrator with the ability to create finely tuned rules to protect the network and the host. Inbound and outbound rules along with connection security rules provide the network administrator with the ability to create finely tuned rules to protect the network and the host. Connection security rules can be configured with requirements, authentication methods, and profiles to manage and restrict connections on the network. Connection security rules can be configured with requirements, authentication methods, and profiles to manage and restrict connections on the network. IPSec settings can be configured to use a variety of authentication methods. IPSec settings can be configured to use a variety of authentication methods. Customized IPSec data protection settings allow you to configure data protection to use the ESP and AH IPSec protocols. Advanced authentication methods can also be configured within the IPSec settings of Windows Firewall with Advanced Security. Customized IPSec data protection settings allow you to configure data protection to use the ESP and AH IPSec protocols. Advanced authentication methods can also be configured within the IPSec settings of Windows Firewall with Advanced Security. Windows Firewall with Advanced Security can be configured using the snap-in from the Group Policy Management console. Windows Firewall with Advanced Security can be configured using the snap-in from the Group Policy Management console. You can use command line options for configuring, managing, and monitoring Windows Firewall with Advanced Security. You can use command line options for configuring, managing, and monitoring Windows Firewall with Advanced Security.

7 Copyright line. Slide 7 FAQ Q: Im pretty solid with IP addressing in IPv4 but Im not really well-versed in IPv6. How much do I need to know for the exam? A: You will need to be comfortable with IPv6 in order to navigate one or more questions on the exam. You should understand the basics such as the address format; how networks, hosts, and ranges are specified; and where you configure IPv6 settings. Also be clear about the terminology, such as temporary and nontemporary, specific to IPv6 and be sure to be familiar with site local, link local, and other IPv6 formats and naming conventions.

8 Copyright line. Slide 8 FAQ Q: Ive been reading a bit about Windows Server 2008 online and theres a lot of discussion about the Core version. What do I need to know about this? A: Expect to see questions about using the command line on the exam. Command line options have always been available, but the release of the Core version of Window Server 2008 will certainly bring this to the forefront. Dont expect the exam to test you on syntax necessarily, but do expect to see questions related to using the command line options for frequently used features.

9 Copyright line. Slide 9 FAQ Q: DHCP is pretty basic stuff, though the addition of IPv6 makes it a bit different. What should I expect in the way of DHCP questions on the exam? A: Expect to see questions that test your understanding of DHCP configuration and settings as well as questions that test your understanding and knowledge of new DHCP features. Since IPv6 is just being rolled into organizations, you can expect to see some IPv6-based questions related to DHCP.

10 Copyright line. Slide 10 FAQ Q: There are tons of protocolssometimes its like alphabet soupMS-CHAP, MS-CHAP v2, EAP, PEAP, PPP, Kerberos V5, and the list goes on. Im having a hard time keep all these straight and remembering how theyre used (or not) in Windows Server Any tips you can share? A: First, divide protocols into those used to authentication users locally (Kerberos, etc.) and those used to authentication users remotely (PPP, EAP, PEAP). It can be helpful to divide the protocols according to these areas so you can better keep track of what they do and when theyre used. Also, spend time in the Routing and Remote Access Server segment of Windows Server 2008 as well as in the Windows Firewall with Advanced Security section. The more you see the various protocols being used in the default screens, the more they should sink in. Most of the time, the item will be spelled out the first time you see it. If its not, then its a pretty common acronym such as AD for Active Directory or IP, IPSec, or DHCP.

11 Copyright line. Slide 11 FAQ Q: Im not sure Im clear on the difference between IPSec settings in the Windows Firewall with Advanced Security and the IPSec settings in Active Directory Group Policy. Ive reread the material in this chapter, but I am still a bit confused. Can you provide any additional information that might help? A: Yes. Group Policy in AD is going to specify how computers, users, and groups much be configured or must interact with the network. If you specify IPSec within Group Policy for a set of computers, you are requiring that all computers to which that policy is applied must use IPSec to communicate with other computers. Windows Firewall with Advanced Security, on the other hand, can be configured to require IPSec for inbound and/or outbound connections. So, the computers to which the IPSec Group Policy has been applied (well call them the GP computers for short here) can communicate with other GP computers or other computers using IPSec all day long and have no interaction with the IPSec rules in the Windows Firewall on the Windows Server 2008.

12 Copyright line. Slide 12 Test Day Tip Expect to see a question or two on the exam comparing the features of IPv4 to the features of IPv6. Often youll see several answers that are possibly correct and youll need to have a solid understanding of the differences between IPv4 and IPv6 in order to determine the correct response. Expect to see a question or two on the exam comparing the features of IPv4 to the features of IPv6. Often youll see several answers that are possibly correct and youll need to have a solid understanding of the differences between IPv4 and IPv6 in order to determine the correct response.

13 Copyright line. Slide 13 Test Day Tip Remember that subnets are assigned to sites via AD Sites and Services console, whereas subnetting options are set up in the DHCP Server role. Also remember that subnets can easily be moved to different sites within the AD Sites and Services console simply by double-clicking the subnet in the Subnets folder and changing the site association in the Site selection list on the General tab. Remember that subnets are assigned to sites via AD Sites and Services console, whereas subnetting options are set up in the DHCP Server role. Also remember that subnets can easily be moved to different sites within the AD Sites and Services console simply by double-clicking the subnet in the Subnets folder and changing the site association in the Site selection list on the General tab.

14 Copyright line. Slide 14 Exam Warning Be familiar with IP notation in both IPv4 and IPv6. Youre likely to see more on IPv6 and transitioning to IPv6 than on standard IPv4 notation. If youre not up to speed on IPv6, you might want to take some time to thoroughly understand IPv6 and transition technologies before heading into the exam. Be familiar with IP notation in both IPv4 and IPv6. Youre likely to see more on IPv6 and transitioning to IPv6 than on standard IPv4 notation. If youre not up to speed on IPv6, you might want to take some time to thoroughly understand IPv6 and transition technologies before heading into the exam.

15 Copyright line. Slide 15 Exam Warning Questions about DHCP on the exam will likely fall into one of three typesDHCP server questions, DHCP relay agent questions, and DHCP lease questions. Questions about DHCP on the exam will likely fall into one of three typesDHCP server questions, DHCP relay agent questions, and DHCP lease questions.

16 Copyright line. Slide 16 Exam Warning All DHCP traffic uses the User Datagram Protocol (UDP). Messages from the client to the server use UDP port 68 as the source port and port 67 as the destination port. Messages from the server to the client use just the reverseUDP port 67 as the source and UDP port 68 as the destination. If you see questions using UDP ports 67 or 68, think DHCP. All DHCP traffic uses the User Datagram Protocol (UDP). Messages from the client to the server use UDP port 68 as the source port and port 67 as the destination port. Messages from the server to the client use just the reverseUDP port 67 as the source and UDP port 68 as the destination. If you see questions using UDP ports 67 or 68, think DHCP.

17 Copyright line. Slide 17 Test Day Tip Only Windows-based DHCP servers must be authorized in an Active Directory domain. If someone wanted to install a non-Windows- based DHCP server (such as a Linux-based DHCP server) on the network, they could start it up and start handing out IP configuration data to unsuspecting DHCP clients. Check your answers on DHCP to ensure the server specified is (or is not) Windows-based. Only Windows-based DHCP servers must be authorized in an Active Directory domain. If someone wanted to install a non-Windows- based DHCP server (such as a Linux-based DHCP server) on the network, they could start it up and start handing out IP configuration data to unsuspecting DHCP clients. Check your answers on DHCP to ensure the server specified is (or is not) Windows-based.

18 Copyright line. Slide 18 Exam Warning Microsoft exams are notorious for extensive testing on new features. In Windows Server 2008, there are two notable new features related to DHCP. The first is support for Dynamic Host Configuration Protocol for IPv6 (DHCPv6), which is defined by the IETFs RFC 3315 specification. Microsoft exams are notorious for extensive testing on new features. In Windows Server 2008, there are two notable new features related to DHCP. The first is support for Dynamic Host Configuration Protocol for IPv6 (DHCPv6), which is defined by the IETFs RFC 3315 specification. The second important change related to DHCP is the addition of Network Access Protection (NAP) enforcement support. The second important change related to DHCP is the addition of Network Access Protection (NAP) enforcement support.

19 Copyright line. Slide 19 Test Day Tip Be sure to familiarize yourself with the command line options. Even though you wont have to memorize every command and all its syntax to pass the exam, you should expect to see a fair amount of emphasis on command line usage. Understanding the basics of how to use the command line window, which is the user interface for the Windows Server 2008 Core installation, will help you answer these types of questions, and they might be the difference between passing and just squeaking by (or not). Be sure to familiarize yourself with the command line options. Even though you wont have to memorize every command and all its syntax to pass the exam, you should expect to see a fair amount of emphasis on command line usage. Understanding the basics of how to use the command line window, which is the user interface for the Windows Server 2008 Core installation, will help you answer these types of questions, and they might be the difference between passing and just squeaking by (or not).

20 Copyright line. Slide 20 Test Day Tip Numerous authentication and communication-based protocols are no longer supported in Windows Server For the full list, refer to the Microsoft Web site. Support has been removed for: Numerous authentication and communication-based protocols are no longer supported in Windows Server For the full list, refer to the Microsoft Web site. Support has been removed for: ·X.25 ·SLIP-based connections (automatically updated to PPP- based connections) ·ATM ·NWLinkIPX/SPX/NetBIOS Compatible Transport Protocol ·Service for Macintosh ·OSPF ·SPAP, EAP-MD5-CHAP and MS-CHAPv1 authentication protocols

21 Copyright line. Slide 21 Test Day Tip Group Policy and Network Policy Server are two Windows Server 2008 areas with which you should be familiar. Understand the role of Group Policy versus the role of Network Policy Server in securing the network. Be able to explain in your own words what these two features do in Windows Server If you can describe them in your own words, theres a good chance you understand their functionality and will be able to distinguish right and wrong answers on the exam. Group Policy and Network Policy Server are two Windows Server 2008 areas with which you should be familiar. Understand the role of Group Policy versus the role of Network Policy Server in securing the network. Be able to explain in your own words what these two features do in Windows Server If you can describe them in your own words, theres a good chance you understand their functionality and will be able to distinguish right and wrong answers on the exam.

22 Copyright line. Slide 22 Exam Warning A concept you should be familiar with is defense-in-depth. This refers to a network security strategy that uses layers of security methods to provide security at several different layers of the network. A concept you should be familiar with is defense-in-depth. This refers to a network security strategy that uses layers of security methods to provide security at several different layers of the network.

23 Copyright line. Slide 23 Exam Warning Microsoft recommends enabling Windows Firewall with Advanced Security for all three profiles. You may see an exam question on this topic implying that you can enable only one profile at a time. You can configure these profiles by right-clicking Windows Firewall with Advanced Security in the left pane of Server Manager, then clicking Properties. You can also access the properties from the Action menu item, the Action pane on the right, or the center pane, when the folder is selected. All three profiles should be enabled, but only one will be applied based on the Network Awareness API functionality. Microsoft recommends enabling Windows Firewall with Advanced Security for all three profiles. You may see an exam question on this topic implying that you can enable only one profile at a time. You can configure these profiles by right-clicking Windows Firewall with Advanced Security in the left pane of Server Manager, then clicking Properties. You can also access the properties from the Action menu item, the Action pane on the right, or the center pane, when the folder is selected. All three profiles should be enabled, but only one will be applied based on the Network Awareness API functionality.

24 Copyright line. Slide 24 Exam Warning Heres a key take away for working with Windows Firewall with Advanced Security. When you allow or block unsolicited traffic by creating a TCP or UDP port rule, that action will be taken any time Windows Firewall is running. This differs from creating a rule for a program in which the action is taken only when the program is running. So, if you create a rule to allow UDP 1443 traffic, that rule will be enabled when the firewall is enabled (which should be all the time). Contrast that to a program rule that specifies that it needs UDP 1443 traffic. In that case, the firewall will allow only UDP 1443 traffic when the program is runninga much more secure setting and the recommended method, whenever possible. Heres a key take away for working with Windows Firewall with Advanced Security. When you allow or block unsolicited traffic by creating a TCP or UDP port rule, that action will be taken any time Windows Firewall is running. This differs from creating a rule for a program in which the action is taken only when the program is running. So, if you create a rule to allow UDP 1443 traffic, that rule will be enabled when the firewall is enabled (which should be all the time). Contrast that to a program rule that specifies that it needs UDP 1443 traffic. In that case, the firewall will allow only UDP 1443 traffic when the program is runninga much more secure setting and the recommended method, whenever possible.

25 Copyright line. Slide 25 Exam Warning Whenever you run server-type commands from the command line, you have must have Administrator- equivalent rights. Depending on the server and its roles, you may need Domain Administrator rights rather than local Administrator rights. That said, keep in mind that best practices suggest you log onto a server using a standard user account and log in using the Administrator account only by using the Run As Administrator option. This helps maintain tight security on your network. If you see questions on the exam that use the Run As option, chances are good its a correct answer. Whenever you run server-type commands from the command line, you have must have Administrator- equivalent rights. Depending on the server and its roles, you may need Domain Administrator rights rather than local Administrator rights. That said, keep in mind that best practices suggest you log onto a server using a standard user account and log in using the Administrator account only by using the Run As Administrator option. This helps maintain tight security on your network. If you see questions on the exam that use the Run As option, chances are good its a correct answer.


Download ppt "Copyright line. IP Addressing and Services EXAM OBJECTIVES Configuring IPv4 and IPV6 Addressing Configuring IPv4 and IPV6 Addressing Configuring Dynamic."

Similar presentations


Ads by Google