Routing and Networking

In this module we study the concepts of routing and networking: routers and network topologies, registering a domain name, Internet connectivity, and the issues around segmenting the Internet from the intranet. There is also a considerable amount of discussion of IP addressing schemes, DHCP, the location of routers, and the perimeter network.

Chapters:

1. Routing and Networking
2. Subnetting the Organization
3. Routing and Remote Access Infrastructure Design
4. Availability of Remote Access Infrastructure

© 2006 IIHT Limited


1. Routing and Networking

In this chapter we discuss the design of a network topology, including routing, router placement, Internet connectivity, addressing and subnetting, and firewall considerations.

Topics:

- Networking and Routing
- Internet Connectivity
- Registration of Domain Name
- Segmentation of the Internet from the Intranet
- Network Topology Definitions


1.1 Networking and Routing

The very first thing to consider when building any reliable and scalable network is assessing and designing a network that can support both contemporary and future requirements; that is, scalability must be taken into account.

You must also ensure that you have a supported private internal IP addressing scheme and a registered external IP addressing scheme for your network.

Another factor to consider is how to properly segment the internal and external networks.

Finally, consideration must be given to the placement of the router and to security.


1.2 Internet Connectivity

Internet connectivity provides a means of communication that is both cost effective and expedient, and it supports the business in many different ways.

An internal network needs to connect to the Internet for such applications as research, e-mail, and e-commerce.

While designing a network, steps must be taken to ensure that your organization can connect to the outside world to do business, and that other organizations and customers can connect to your organization to conduct business.


1.3 Registration of Domain Name

Every organization that intends to conduct business over the Internet has to have a domain name.

To acquire an appropriate domain name, you need to deal with companies that specialize in registering these for you. The first thing you need to do is choose a domain name. This will not be easy, because most organizations want a ".com" and most of these are taken.

You will also need to research the chosen domain name to avoid any trademark conflicts. After choosing the domain name, get it registered.

It is also useful to have a registered domain name for internal use with Active Directory. Maintaining a registered name internally helps to resolve any conflicts in the future.

A good solution is to select an internal domain name with a suffix that is not a top-level domain or any of the country-specific domains.


1.4 Segmentation of the Internet from the Intranet

Organizations mostly use two different yet similar methods of separating the intranet from the Internet.

Routers are used both as a stand-alone method and in conjunction with a firewall. Some routers have built-in firewall features, which helps avoid having multiple pieces of equipment. Depending on how much work will be required of the router, it might make sense to have a separate firewall to offload the work from the router.

An intranet is an internal Web environment that serves an organization's personnel and is generally not accessible to the public.

An extranet is a means of selectively extending an organization's intranet, through the Internet, to individuals and organizations who are not physically connected to the organization's network.

Routers help to route IP traffic between the intranet and the Internet. Firewalls are mostly used to filter what IP traffic can pass from the Internet to the intranet. Proxy servers and authentication servers are used for filtering and monitoring what IP traffic flows from the intranet to the Internet.


1.5 Network Topology Definitions

There are three basic physical topologies, namely bus, ring, and star, and they share the same components.

Bus topology
In this topology all nodes are connected together by a single bus: an open-ended cable to which all network devices are attached. Both ends of this cable must be terminated. Generally, this topology is best suited for small networks because it does not require the use of a switch or hub.

Ring topology
In this topology every node has exactly two branches connected to it. A ring topology uses a cable that is connected to all network devices in a ring formation, so there is no termination because there are no open ends.

Star topology
In this topology peripheral nodes are connected to a central node, which rebroadcasts all transmissions received from any peripheral node to all peripheral nodes on the network, including the originating node. Each device is connected centrally to a switch or hub. The star topology is physically and logically the same. Each device is independently connected to the media and does not have to concern itself with how the other devices are connected.
2. Subnetting the Organization

In this chapter you study the concept of subnetting the organization, which involves segmenting the organization into subnets, IP addressing, DHCP, the location of routers, and the perimeter network.

Topics:

- Segmenting the Organization into Subnets
- IP Addressing and DHCP
- Location of Routers
- Perimeter Network


2.1 Segmenting the Organization into Subnets

A subnet is just a way of taking a complete network and reducing it to manageable and optimized chunks. Every organization wants to create a network that is both fast and secure. Creating subnets helps the organization achieve this goal by reducing the size of each network and thus helping to control network traffic.

At times an organization will need to create subnets to separate groups of devices from one another. Putting each floor of your building on a different subnet is considered a better way of creating subnets.


2.2 IP Addressing and DHCP

The Dynamic Host Configuration Protocol (DHCP) is a message-based service used in Windows Server 2003 to provide automatic TCP/IP addressing and management of those addresses.

The information a designer needs to create a strong DHCP design consists of the three management features supported by DHCP: scopes, superscopes, and TCP/IP options.

Now we will discuss the DHCP server and the DHCP client. DHCP can distribute IP addresses from a scope of addresses, or it can always give a device the same IP address.

As networks increase in size and complexity, the management of IP addressing becomes increasingly important. DHCP is a client/server process used to assign and manage IP addresses. Windows Server 2003 can host the DHCP Server service to facilitate the assigning and managing of IP addresses.


2.3 Location of Routers

To control access and bandwidth it is important to place the router appropriately. For this you need to know where to place the routers and how to calculate a subnet with enough available hosts to accommodate the number of nodes in a particular location. When designing a network it is important that you assess the current router placement, or design a new router placement, that will provide a fast and stable network. The factors to weigh are:

- Performance
- Redundancy
- Scalability
- Manageability
- Cost
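The subnet-sizing step described here and under Segmenting the Organization into Subnets (pick, for each location or floor, the smallest subnet that still has enough usable hosts, and lay the subnets out without overlap) worked through in Python, as an added example that is not part of the original slides. The 10.20.0.0/16 base block, the location names and the per-location host counts are constructed inputs.

```python
import ipaddress

# Constructed inputs (not from the slides): a private /16 as the organization's
# internal block, and the expected number of hosts per location, one subnet per floor.
BASE = ipaddress.ip_network("10.20.0.0/16")
DEMAND = {"floor-1": 120, "floor-2": 60, "floor-3": 250, "server-room": 10}


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose usable host count (2^(32-p) - 2) covers `hosts`.
    Network and broadcast addresses are subtracted; a /30 is the smallest useful subnet."""
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    prefix = 30
    while 2 ** (32 - prefix) - 2 < hosts:
        prefix -= 1
        if prefix < 0:
            raise ValueError(f"{hosts} hosts do not fit in IPv4")
    return prefix


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    return net.num_addresses - 2


def carve(base: ipaddress.IPv4Network, demand: dict) -> dict:
    """Allocate one subnet per location out of `base`. Largest requests are placed
    first, so every block starts on a multiple of its own size and nothing overlaps
    (variable-length subnet masking done by hand)."""
    plan, cursor = {}, int(base.network_address)
    end = int(base.broadcast_address) + 1
    for name, hosts in sorted(demand.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{base} is too small to fit {name} ({hosts} hosts)")
        plan[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return plan


def plan_is_consistent(base: ipaddress.IPv4Network, plan: dict) -> bool:
    """Design check: every subnet lies inside the base block and no two overlap."""
    nets = list(plan.values())
    inside = all(n.subnet_of(base) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    for name, net in carve(BASE, DEMAND).items():
        print(f"{name:12} {str(net):18} usable hosts: {usable_hosts(net)}")
```

Each subnet's first usable address is the natural place for that location's router interface, and the spare space left at the top of the /16 is what future floors grow into.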


2.4 Perimeter Network

One of the important aspects of a network design is security. Protecting a network from the outside is difficult, so it is necessary to design your network with this protection in mind.

The network perimeter consists of a combination of firewalls, routers, and remote access equipment.

The router is the first line of defence against the Internet in any network. Using IP filtering to control data, and also considering a firewall in your design for security, is a must.

A firewall is designed to handle network perimeter security and should always be used in a network design. A firewall inspects incoming and outgoing packets and compares them to a set of rules to determine whether they should be denied access, dropped, or permitted to pass through to the connected network.


3. Routing and Remote Access Infrastructure Design

This chapter discusses the design of a routing and remote access infrastructure.

Topics:

- Design Requirements
- Perimeter Requirements
- Intranet and Extranet
- Authentication Requirements of Intranet
- Windows 2003 Server Authentication
- RADIUS and RADIUS Policies


3.1 Design Requirements

The selection of hardware and software for a remote access solution is decided once it is clear how your remote access solution will be used. You need to collect data to ensure you are designing a remote access solution that fits the needs of the current environment and also future requirements.

Consider also whether the organization supplies users with home workstations that will connect back to the environment. All this information is required to scale the server to meet the demand.

The other question that needs to be answered is whether any partners of the organization will require access to the network environment, as this information will help to properly design the VPN and/or dial-up access that allows partners to get to the necessary information.


3.2 Perimeter Requirements

The perimeter is the point at which all remote access flows into the network environment. All clients or partners access your network through the perimeter.

Windows Server 2003 is a good solution to implement on the perimeter to support the remote access solution and provide security for it: using Routing and Remote Access Server (RRAS), it can support dial-in access and VPN access. RRAS can also provide TCP/IP filtering to help protect the server, which sits at the perimeter of the network, from intruders.


3.3 Intranet and Extranet

An extranet can be supported if you are using a secure remote access solution and those who wish to connect to you are using methods of connecting to your network that are compatible with your remote access solution.

The best solution is typically a site-to-site VPN. Windows Server 2003 can provide this solution with the use of RRAS and dial-on-demand.

The site-to-site VPN works as follows: when traffic destined for your network arises on the other network, a VPN connection is initiated from the other network's Windows Server 2003 RRAS over the existing Internet connection, and the VPN connection is established with your Windows Server 2003 RRAS. This takes place with the assistance of dial-on-demand and can occur in either direction.


3.4 Authentication Requirements of Intranet

Only after authentication is established can a secure remote access solution be supported. To support authentication, you will have requirements on your intranet that will be accessed from the perimeter remote access solutions. There are two choices for authentication:

- Windows Authentication
- Remote Authentication Dial-In User Service (RADIUS)


3.5 Windows 2003 Server Authentication

Using Windows Authentication will suffice if you are planning on one RRAS server.

A Windows Server 2003 with RRAS, if it is a member server, will use Active Directory for authentication; if it is a stand-alone server, it will use its internal user database.


3.6 RADIUS and RADIUS Policies

To incorporate more than one RRAS server, Windows Server 2003 must be configured to use RADIUS for authentication. This access control protocol, RADIUS, uses a challenge/response method for authentication. Each Windows Server 2003 RRAS server acts as a RADIUS client, and each of these RADIUS clients authenticates via a top-level RADIUS server, which itself can then authenticate to Active Directory.

On the intranet, RRAS policies allow you to control connection security, connection times, user and group access, and so on. These policies are beneficial for creating a secure RRAS environment. Policies basically allow you to control how you want clients to connect to your organization's network.
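The exchange between an RRAS server acting as RADIUS client and the top-level RADIUS server, worked through in Python as an added example that is not part of the original slides; it goes beyond the slides' one-line description to the RFC 2865 base mechanism, in which the client hides the User-Password with MD5 keyed by the shared secret and a random Request Authenticator, and must verify the Response Authenticator on the reply before trusting an Access-Accept. The shared secret, user store, user name and password are constructed values, and the server function is a minimal stand-in for a RADIUS server, not Windows' own implementation.

```python
import hashlib, hmac, secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    # hidden block), the first block with MD5(secret + Request Authenticator).
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def reveal_password(hidden, secret, request_auth):
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")   # strip padding (so a password may not end in NUL)

def encode(code, ident, authenticator, attrs):
    # Code, Identifier, 2-byte Length, 16-byte Authenticator, then type/length/value attributes.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body

def access_request(secret, ident, user, password):
    # RADIUS client side (the RRAS server): a fresh random Request Authenticator per request.
    request_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    return encode(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def radius_server(packet, secret, users):
    # Stand-in for the top-level RADIUS server: unhide the password, check the constructed
    # user store, then sign the reply: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    ident, request_auth, attrs, pos = packet[1], packet[4:20], {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")   # never loop on a bad Length field
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    stored = users.get(attrs.get(USER_NAME))
    code = ACCESS_ACCEPT if stored is not None and hmac.compare_digest(stored, password) else ACCESS_REJECT
    response_auth = hashlib.md5(encode(code, ident, request_auth, []) + secret).digest()
    return encode(code, ident, response_auth, [])

def verify_response(response, request_auth, secret):
    # Client side: trust an Access-Accept only if the Response Authenticator checks out
    # under the shared secret; a reply forged without the secret fails here.
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

Because the whole scheme rests on the shared secret and MD5, the RRAS-to-RADIUS leg should stay on the intranet or inside a protected tunnel rather than cross the perimeter in the clear.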


4. Availability of Remote Access Infrastructure

In this chapter we discuss the concepts pertaining to the availability of the remote access infrastructure: determining the sizing of the remote access infrastructure, availability of the remote access server, placing the components of the RRAS server, and the scalability, availability and failover of RRAS.

Topics:

- Determining the Sizing of Remote Access Infrastructure
- Availability of Remote Access Server
- Placing the Components of RRAS Server
- Scalability, Availability and Failover of RRAS


4.1 Determining the Sizing of Remote Access Infrastructure

Once we need to design a remote access solution, we have to determine how much of it we require. Just as you need to know how many hosts will be using the network, the same goes for remote access. We will now determine what we should place where, and also examine the level of scalability and availability we need to design into the solution.

What you need to determine is how many users will need to connect remotely via VPN and/or dial-in, and whether there are any other remote access clients, such as site-to-site connections. This is the starting point for sizing.

Many network designs today avoid dial-in because of its cost and speed. VPN is the better choice, as it does not require the provisioning of additional analog or ISDN lines within the organization.


4.2 Availability of Remote Access Server

It is important to provide a remote access solution that allows the network to scale in the future. In Windows Server 2003 each server provides up to 1000 concurrent VPN connections, and the solution should be scalable. Provide scalability in the hardware to ensure the server can maintain more connections than are required. The key is to monitor the server's system resources in order to maintain this availability.

To ensure availability, provide a means of failover, which means providing multiple remote access servers. You can then either give users multiple remote access entries, or provide both a dial-in solution and a VPN solution. Another consideration for remote access availability and failover is providing dial-on-demand as a backup for routers.


4.3 Placing the Components of RRAS Server

It is important that we place devices where they can function efficiently and securely. Functionality and security are always a trade-off. At times security measures are ignored to give clients more freedom to use the network. Designing any system that has a security aspect means getting the right balance between security and operation.

When deploying a Windows Server 2003 server that provides VPN access to the network, it should be placed in a DMZ behind a firewall. This protects the server from attacks, and the DMZ isolates the inside network from that server in the event of a security threat. If, however, we are dealing with a Windows Server 2003 server providing dial-in access to the network, then place this server inside the network perimeter.
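The packet-filter rules implied by this placement (the RRAS VPN server in a DMZ behind the firewall, the inside network isolated from it, and the VPN server allowed to reach only the RADIUS server on the inside), evaluated by a first-match rule engine in Python as an added example that is not part of the original slides; it also illustrates the rule matching described under Perimeter Network. The address ranges, the VPN and RADIUS server addresses, and the port numbers (PPTP TCP 1723 plus GRE, L2TP/IPsec UDP 500/1701/4500, RADIUS UDP 1812) are assumptions, not values from the slides.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (not from the slides): intranet 10.0.0.0/8, DMZ 172.16.1.0/24,
# RRAS VPN server in the DMZ, RADIUS / Active Directory server on the inside.
ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("10.0.0.0/8")
DMZ = ip_network("172.16.1.0/24")
VPN_SERVER = ip_network("172.16.1.10/32")
RADIUS_SERVER = ip_network("10.0.0.5/32")

# A rule is (action, src, dst, proto, ports); proto "any" and ports None are wildcards.
# Assumed ports: PPTP control TCP 1723 plus GRE, L2TP/IPsec UDP 500/1701/4500, RADIUS UDP 1812.
RULES = [
    ("permit", ANY, VPN_SERVER, "tcp", {1723}),
    ("permit", ANY, VPN_SERVER, "gre", None),
    ("permit", ANY, VPN_SERVER, "udp", {500, 1701, 4500}),
    ("permit", VPN_SERVER, RADIUS_SERVER, "udp", {1812}),  # must come before the DMZ->inside deny
    ("deny", DMZ, INSIDE, "any", None),                     # the DMZ isolates the inside from the VPN host
    ("permit", INSIDE, ANY, "any", None),                   # intranet clients going out
]

def matches(rule, packet):
    action, src, dst, proto, ports = rule
    s, d, p, port = packet                        # packet = (src_ip, dst_ip, proto, dst_port)
    return (ip_address(s) in src and ip_address(d) in dst
            and proto in ("any", p)
            and (ports is None or port in ports))

def evaluate(rules, packet):
    """First matching rule decides; a packet no rule matches is denied (default deny)."""
    for rule in rules:
        if matches(rule, packet):
            return rule[0]
    return "deny"

def shadowed(rules):
    """Design check: indexes of rules an earlier rule fully covers, so they can never fire."""
    hidden = []
    for i, (_, si, di, pi, qi) in enumerate(rules):
        for _, sj, dj, pj, qj in rules[:i]:
            if (si.subnet_of(sj) and di.subnet_of(dj) and pj in ("any", pi)
                    and (qj is None or (qi is not None and qi <= qj))):
                hidden.append(i)
                break
    return hidden
```

Swapping the RADIUS permit and the DMZ-to-inside deny silently breaks VPN authentication, which is exactly what `shadowed` is there to catch before the rule set is deployed.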


4.4 Scalability, Availability and Failover of RRAS

Scalability is an important issue when providing a remote access solution; scalability means keeping future needs in mind. For this it is better to use Windows Server 2003, as each server is capable of providing up to 1000 concurrent VPN connections. You need to provide scalability in the hardware to ensure that the server can maintain more connections than are required. This availability is maintained by monitoring the server's system resources.

When installing RRAS on a server you are given the choice of creating a pool of IP addresses to give to clients or using DHCP for IP addressing. The better option of the two is DHCP, as it allows you to manage your organization's IP addressing in a better manner. The RRAS server reserves 10 IP addresses from the DHCP server when the service starts, and when these addresses are used up, another 10 IP addresses are reserved.


Summary

Internet connectivity provides a means of communication that is both cost effective and expedient.

Every organization that intends to conduct business over the Internet has to have a domain name. To acquire an appropriate domain name, you need to deal with companies that specialize in registering these for you.

Proxy servers are very beneficial in separating the intranet from the Internet.

There are three basic physical topologies, namely bus, ring, and star, and they share the same components.

A subnet is just a way of taking a complete network and reducing it to manageable and optimized chunks.

The Dynamic Host Configuration Protocol (DHCP) is a message-based service used in Windows Server 2003 to provide automatic TCP/IP addressing and management of those addresses.

NAT translates private IP addresses to public IP addresses.

To control access and bandwidth it is important to place the router appropriately.

The selection of hardware and software for a remote access solution is decided once it is clear how your remote access solution will be used.

The perimeter is the point at which all remote access flows into the network environment. All clients or partners access your network through the perimeter.

An extranet can be supported if you are using a secure remote access solution and those who wish to connect to you are using methods of connecting to your network that are compatible with your remote access solution.

There are two choices for authentication: Windows Authentication and Remote Authentication Dial-In User Service (RADIUS). To incorporate more than one RRAS server, Windows Server 2003 must be configured to use RADIUS for authentication.

It is important that we place devices where they can function efficiently and securely. Functionality and security are always a trade-off.

Scalability is an important issue when providing a remote access solution; scalability means keeping future needs in mind.