
Module 7: Designing for Network Connectivity

Contents

Overview                                             1
Lesson: Gathering Data for Network Connectivity      2
Lesson: Evaluating Connection Types                  6
Lesson: Designing a Connectivity Infrastructure     12
Lesson: Designing for Internet Connectivity         21
Lab A: Designing for Network Connectivity           32
Course Evaluation                                   36

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, BackOffice, Microsoft Press, MSDN, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Instructor Notes

Presentation: 160 minutes
Lab: 60 minutes

This module provides students with the knowledge and skills needed to create a design for network connectivity. The module describes how to gather connectivity and security requirements, evaluate WAN connection types, design a connectivity infrastructure within and between locations (including VPNs), and design for Internet connectivity, including firewall placement, forest options for a firewall environment, securing Active Directory replication through firewalls, and extranets.

After completing this module, students will be able to:

• Determine the information that you need to design for network connectivity.
• Evaluate connection types.
• Design a connectivity infrastructure.
• Create a design for Internet connectivity.

Required materials

To teach this module, you need Microsoft PowerPoint file 2282A_07.ppt.

Important: It is recommended that you use PowerPoint 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, features of the slides might not be displayed correctly.

Preparation tasks

To prepare for this module:

• Read all of the materials for this module.
• Complete the practices.
• Complete the lab, practice discussing the answers, and become familiar with the lab environment.
• Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials compact disc.

Consider reading appropriate sections in the additional resource referenced in this module, Microsoft Windows Security Resource Kit, by Ben Smith and Brian Komar, Microsoft Press.

Classroom setup

The information in this section provides setup instructions that are required to prepare the instructor computer or classroom configuration for a lab. The computers in the classroom should be set up in the configuration specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure. No additional classroom setup is required to perform the lab in this module.


How to Teach This Module


This section contains information that will help you to teach this module.

Lesson: Gathering Data for Network Connectivity

This section describes the instructional methods for teaching this lesson. In this lesson, students examine the specific types of information and business requirements that are relevant to designing for network connectivity.

Connectivity Requirements

Explain that when determining connectivity requirements, it is important not only to consider the organization's current needs, but to anticipate any known changes that will affect the organization within the next five years. If you do not anticipate any changes, your physical network design will become outdated almost as soon as it is implemented. Point out that it is also important to determine an organization's need for network availability, performance, security, fault tolerance, and contingency/disaster recovery.

Security Requirements

When determining how best to meet your company's security requirements as you design for network connectivity, consider the types of threats inherent in network transmission, from passive monitoring of traffic to denial-of-service attacks. Decide how, and to what extent, you will prevent or mitigate these threats by including various strategies or components (such as encryption and authentication on links that cross untrusted networks, firewalls, and redundant links) in your connectivity design.

Guidelines for Gathering Data for Network Connectivity

Use this section to summarize the topics covered in this lesson.

Lesson: Evaluating Connection Types

This section describes the instructional methods for teaching this lesson. In this lesson, students learn how to evaluate connection types so that they can choose the appropriate type(s) of connections to include in their organization's network connectivity design.

Types of Connections

Assess your students' knowledge level of connection types and tailor your discussion of this topic to meet their needs.

Considerations for International Connections

Point out that when considering using redundant links provided by two different carriers to achieve fault tolerance, you should obtain a map of the physical fiber path used by each carrier. If at any point the paths converge and the same physical link, conduit, or facility is used by both carriers, a single cut or outage there takes down both links, and you no longer have fault tolerance.

Business Requirements for Connection Types

Emphasize that business requirements will drive the connection type design. The needs of the business should always be the focus of design decisions.

Guidelines for Selecting Connection Types

As you present these guidelines, point out that because nearly every business location now has a connection to the Internet, the use of VPNs as a connection type solution has become extremely popular.

Practice

There is no practice for this lesson.
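The fiber-path check described above can be made mechanical. The following Python script is an added example and is not part of the course materials: it models each carrier circuit as an ordered list of physical segments (facility A, facility B, conduit or route identifier) and reports every span, conduit, and intermediate facility that two circuits have in common. The facility names, conduit identifiers, and sample paths are constructed for the demonstration and do not describe any real carrier.

```python
# Added example (not from Course 2282A): checking that two carrier circuits
# are physically diverse. A path is an ordered list of segments from the
# origin site to the destination site; each segment is
# (facility_a, facility_b, conduit_id). All names below are constructed.

from typing import Dict, List, Set, Tuple

Segment = Tuple[str, str, str]


def _span(seg: Segment) -> Tuple[str, str]:
    """Undirected span: (A, B) and (B, A) describe the same piece of fiber."""
    a, b, _ = seg
    return (a, b) if a <= b else (b, a)


def _interior_facilities(path: List[Segment]) -> Set[str]:
    """Every facility a circuit passes through, excluding the two sites it connects."""
    nodes = [path[0][0]] + [seg[1] for seg in path]
    return set(nodes[1:-1])


def shared_risks(path1: List[Segment], path2: List[Segment]) -> Dict[str, Set]:
    """Return the spans, conduits and intermediate facilities both circuits depend on.

    Any non-empty entry is a single point of failure: one fiber cut, one flooded
    duct, or one building outage takes down both circuits at once.
    """
    return {
        "spans": {_span(s) for s in path1} & {_span(s) for s in path2},
        "conduits": {s[2] for s in path1} & {s[2] for s in path2},
        "facilities": _interior_facilities(path1) & _interior_facilities(path2),
    }


def is_fault_tolerant(path1: List[Segment], path2: List[Segment]) -> bool:
    """True only when the two circuits share no span, conduit or intermediate facility."""
    return not any(shared_risks(path1, path2).values())


# Constructed sample paths from a hub office (HQ) to a branch office.
CARRIER_A = [
    ("HQ", "A-POP-North", "duct-101"),
    ("A-POP-North", "A-POP-East", "duct-102"),
    ("A-POP-East", "Branch", "hwy12-trench"),
]
# Carrier B's last mile runs in the same roadside trench as Carrier A's.
CARRIER_B_SHARED_TRENCH = [
    ("HQ", "B-POP-South", "duct-201"),
    ("B-POP-South", "Branch", "hwy12-trench"),
]
# Carrier C enters the branch through Carrier A's point of presence.
CARRIER_C_SHARED_POP = [
    ("HQ", "C-POP", "duct-301"),
    ("C-POP", "A-POP-East", "duct-302"),
    ("A-POP-East", "Branch", "duct-303"),
]
# Carrier D shares nothing with Carrier A.
CARRIER_D_DIVERSE = [
    ("HQ", "D-POP-West", "duct-401"),
    ("D-POP-West", "Branch", "rail-easement-7"),
]

if __name__ == "__main__":
    for name, backup in [("B", CARRIER_B_SHARED_TRENCH),
                         ("C", CARRIER_C_SHARED_POP),
                         ("D", CARRIER_D_DIVERSE)]:
        risks = {k: sorted(v) for k, v in shared_risks(CARRIER_A, backup).items() if v}
        print(f"A + {name}: fault tolerant = {is_fault_tolerant(CARRIER_A, backup)} {risks}")
```

The conduit identifiers have to come from the carriers' physical route records, not from a logical network map, and the check should be repeated whenever either carrier re-grooms its network, because a circuit that was diverse at contract time can quietly be moved into the other carrier's duct later.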


Lesson: Designing a Connectivity Infrastructure

This section describes the instructional methods for teaching this lesson. In this lesson, students learn how to design a connectivity infrastructure. The lesson describes strategies and considerations for intrasite and intersite connectivity and explores options for VPNs.

Strategies for Connectivity Within a Location

Introduce the three-tier model. Remind students that in order to achieve the best performance for the least amount of cost, they must make careful design decisions when determining which network devices to use in their connectivity infrastructure, and how best to place these devices.

Strategies for Connectivity Between Locations

Emphasize that business requirements, particularly security needs, will determine the design a company chooses for network connectivity between its various physical locations.

Options for VPNs

Discuss the advantages and disadvantages of using a VPN solution, as well as how you can secure a VPN by using authentication, encryption, and connection constraints.

Guidelines for Designing a Connectivity Infrastructure

Use this section to summarize the points presented in this lesson and to emphasize best practices for designing a connectivity infrastructure. Call attention to the fact that you must ensure that your network connectivity design meets your Active Directory requirements, particularly bandwidth requirements for replication and authentication.

Practice

In this practice, students design a connectivity infrastructure for Northwind Traders. Students' design solutions may vary. This is acceptable as long as students can justify their own solutions.

Lesson: Designing for Internet Connectivity

This section describes the instructional methods for teaching this lesson. In this lesson, students learn how to create an Internet connectivity design based on relevant business requirements. The lesson compares common choices for firewall design, discusses forest options for a firewall environment, and describes strategies for securing replication through firewalls and strategies for extranet designs.

Strategies for Firewall Design

Explain that one of the ways organizations protect their private networks from outside attack via the Internet is to use a perimeter network (also called a screened subnet) behind an external firewall, so that the hosts reachable from the Internet are kept separate from the internal network.

Forest Options for a Firewall Environment

Discuss the advantages and disadvantages of the various forest options that can be used to enhance the security of intranets and extranets. The forest option an organization selects will depend on its security needs, its administration model, the quality of its internal security practices, and the cost involved in administering the selected forest design. Note that all of the forest options, except for the option of multiple forests with no trusts between the forests, facilitate the use of Microsoft Internet Security and Acceleration (ISA) Server, which provides RADIUS authentication for remote access connections and is an ICSA certified enterprise firewall and secure application gateway.


Strategies for Securing Replication Through Firewalls

Explain that performing replication securely through a firewall is challenging, because Active Directory replication uses RPC over dynamically assigned ports, which a firewall cannot restrict to a small, fixed set. If very high security is desired, open the firewall only for IPSec, DNS, and Kerberos traffic, and use IPSec to carry all replication traffic, so that the firewall sees only encapsulated packets between the domain controllers rather than the RPC ports themselves.

Strategies for Extranet Design

Explain that before you can create an extranet design, you need to determine which external users need to access your organization's data, and the kind of data they need to access (public, private, sensitive, and so on). For security reasons, external users should not be able to access any more corporate data than they need.

Guidelines for Internet Connectivity Design

Use this section to summarize the key points of this lesson and to emphasize best practices for Internet connectivity design. Call attention to the fact that only data that needs to be accessed by external users should be placed on the perimeter network.
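To make the "open only IPSec, DNS, and Kerberos" policy for replication through a firewall concrete, the following Python script is an added example, not part of the course or of any Microsoft product. It encodes that policy as a default-deny rule list, evaluates constructed sample flows between two domain controllers against it, and contrasts it with the permissive policy that is often configured instead (opening the RPC endpoint mapper and the dynamic RPC port range so replication works without IPsec). The domain controller addresses are assumed; the port and protocol numbers are the IANA assignments.

```python
# Added example (not from Course 2282A or any Microsoft product): a
# default-deny evaluator for the "IPsec, DNS and Kerberos only" firewall
# policy for domain controller replication. DC addresses are assumed; the
# sample flows are constructed. Port and protocol numbers are IANA assignments.

from dataclasses import dataclass
from typing import List, Optional

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50          # IPsec ESP: the encrypted replication packets
PORT_DNS = 53
PORT_KERBEROS = 88
PORT_RPC_EPM = 135         # RPC endpoint mapper, first hop of unprotected replication
PORT_LDAP = 389
PORT_IKE = 500             # IKE/ISAKMP, negotiates the IPsec security associations
PORT_IKE_NAT_T = 4500      # IKE and ESP encapsulated in UDP when a NAT is in the path


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None for protocols without ports, such as ESP


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dport: Optional[int]          # None matches any port (or a portless protocol)
    hosts: frozenset              # both endpoints must be in this set

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and (self.dport is None or flow.dport == self.dport)
                and flow.src in self.hosts and flow.dst in self.hosts)


# Internal DC and perimeter-network DC (assumed addresses).
DCS = frozenset({"10.1.0.10", "172.16.0.10"})

# The high-security policy from the text. Replication itself never appears as
# a rule: both DCs require IPsec for each other, so RPC travels inside ESP.
# Kerberos stays open in the clear because IKE, when it authenticates the DCs
# with Kerberos, needs it before any security association exists; DNS is
# needed so each DC can locate its replication partner.
HIGH_SECURITY_POLICY: List[Rule] = [
    Rule("ike", IP_PROTO_UDP, PORT_IKE, DCS),
    Rule("ike-nat-t", IP_PROTO_UDP, PORT_IKE_NAT_T, DCS),
    Rule("esp", IP_PROTO_ESP, None, DCS),
    Rule("dns-udp", IP_PROTO_UDP, PORT_DNS, DCS),
    Rule("dns-tcp", IP_PROTO_TCP, PORT_DNS, DCS),
    Rule("kerberos-udp", IP_PROTO_UDP, PORT_KERBEROS, DCS),
    Rule("kerberos-tcp", IP_PROTO_TCP, PORT_KERBEROS, DCS),
]

# What is often configured instead, so replication works without IPsec: the
# endpoint mapper plus the dynamic RPC ports, which in practice means any TCP port.
PERMISSIVE_POLICY: List[Rule] = HIGH_SECURITY_POLICY + [
    Rule("rpc-epm", IP_PROTO_TCP, PORT_RPC_EPM, DCS),
    Rule("rpc-dynamic", IP_PROTO_TCP, None, DCS),
]


def evaluate(policy: List[Rule], flow: Flow) -> Optional[str]:
    """Name of the first rule permitting `flow`, or None for the implicit deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.name
    return None


def permitted_count(policy: List[Rule], flows: List[Flow]) -> int:
    """How many of `flows` the policy lets through."""
    return sum(1 for f in flows if evaluate(policy, f) is not None)


# Constructed sample traffic from the internal DC toward the perimeter DC.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.0.10", "172.16.0.10", IP_PROTO_UDP, PORT_IKE),        # SA negotiation
    Flow("10.1.0.10", "172.16.0.10", IP_PROTO_ESP),                  # replication inside ESP
    Flow("10.1.0.10", "172.16.0.10", IP_PROTO_TCP, PORT_RPC_EPM),    # cleartext RPC replication
    Flow("10.1.0.10", "172.16.0.10", IP_PROTO_TCP, 49152),           # dynamic RPC port, cleartext
    Flow("10.1.0.10", "172.16.0.10", IP_PROTO_TCP, PORT_LDAP),       # cleartext LDAP
    Flow("10.1.0.99", "172.16.0.10", IP_PROTO_ESP),                  # ESP from a non-DC host
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src}->{flow.dst} proto={flow.proto} dport={flow.dport}: "
              f"high-security={evaluate(HIGH_SECURITY_POLICY, flow)} "
              f"permissive={evaluate(PERMISSIVE_POLICY, flow)}")
```

Under the high-security policy only the IKE and ESP flows pass; every cleartext RPC and LDAP flow is dropped, and ESP from a host that is not a domain controller is dropped too. The permissive policy lets the same cleartext flows through, which is exactly the exposure the IPsec approach is meant to remove. Neither list is a complete domain controller policy: it covers replication between the two DCs, not client logon traffic or management access, which need their own rules.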

Practice

In this practice, students create an Internet connectivity design for Northwind Traders. Students' design solutions may vary. This is acceptable as long as students can justify their own solutions.

Lab A: Designing for Network Connectivity

In this lab, students evaluate connection types, create a connectivity design, and create an extranet design for Tailspin Toys. After completing this lab, students will be able to:

• Evaluate connection types.
• Create a connectivity design.
• Create an extranet design.

Note: To prevent confusion, at the start of the lab, remind students that in the practices they have been working with Northwind Traders, but in the labs they are working with Tailspin Toys.

To begin the lab, open Microsoft Internet Explorer and then, on the Web page that appears, click the link for this lab. Play the video interviews for students, and then instruct students to begin the lab with their lab teams. Note that:

• The e-mail message from Michael Alexander provides the specific tasks that must be accomplished in this lab.
• Students will need to view the new Connectivity Map document that has just been placed in the Network Files folder. This document, which is mentioned in the e-mail message from Michael Alexander, is the key company document for this lab.

Give students approximately 30 to 40 minutes to complete their designs. Then spend approximately 15 to 20 minutes discussing the students' designs as a class.


Student answers will vary because there are several possible connectivity and extranet designs and no single correct solution. After the teams develop their connectivity designs, ask one person from each team to draw their team's design on a whiteboard or flip chart. You can also have one member of each team present their team's extranet design to the class. Then, as a class, you can discuss all of the teams' designs.

Important: Each team will carry forward their connectivity designs from this lab as they go forward and complete the remaining labs in this course. Keep the teams' drawings on the whiteboard or flip chart throughout the remainder of the course.

General lab suggestions

For general lab suggestions, see the Instructor Notes for the Module 1 lab, Preparing to Design an Active Directory Infrastructure, in Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure. Those notes contain detailed suggestions for facilitating the lab environment in this course.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module is dependent on the classroom configuration specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure.

Important: Although no computer configuration changes occur on student computers during the labs, the information gathered and many of the solutions produced in a lab carry forward to subsequent labs in the course. Therefore, if this course is customized and not all of the modules are used, or they are presented in a different order, the instructor might need to provide students with a possible answer from the previous lab(s) to use as a starting point for the current lab.


Overview

Introduction

Network connectivity ensures access to public networks and supports network-based applications and authentication methods on your internal network. In this module, you will learn how to design a secure network connectivity solution for your organization.

Objectives

After completing this module, you will be able to:

• Determine the information that you need to design for network connectivity.
• Evaluate connection types.
• Design a connectivity infrastructure.
• Create a design for Internet connectivity.


Lesson: Gathering Data for Network Connectivity

Introduction

As you begin designing a network connectivity solution, you need to gather information about your organization's connectivity requirements and security requirements. This information greatly influences your design decisions for the physical network.

Lesson objectives

After completing this lesson, you will be able to:

• Explain how connectivity requirements influence connectivity design decisions.
• Explain how security requirements influence connectivity design decisions.
• List guidelines for gathering data for network connectivity.


Connectivity Requirements

Evaluate your current infrastructure

As you map the details of LAN and WAN links on a physical network diagram, consider your organization's current connections and usage statistics. Use this information to determine whether the existing connections meet your business needs for Microsoft Windows Server 2003 Active Directory directory service or other network applications and whether you can accommodate future growth. Also consider your organization's requirements for network availability, performance, security, fault tolerance, and disaster recovery.

Types of connectivity requirements

Taking into account your organization's business needs, consider the following types of connectivity requirements:

• Local connectivity
• Remote connectivity
  • WAN links to other locations within the organization
  • Routed, demand-dial links to other locations within the organization
  • Amount of bandwidth for authentication, replication of Active Directory, server-based applications, and other network traffic between locations
  • Dial-up connectivity for remote users
• Internet connectivity
  • Internet connectivity at each location
  • VPN connectivity between locations, or to business partners
  • VPN connectivity for employees who are traveling or working from home


Security Requirements

Introduction

Before Internet connectivity became common, an organization's network often maintained a single connection to a public network. Today, Internet access, remote access, and branch office connectivity have become vital to the operation of an organization. As requirements for connectivity increase, so does the difficulty of managing network connection security and the risk that information and computers might be exposed to threats and attacks. When designing for network connectivity, identify all internal and external threats to data transmission. You can then design your network connectivity to counter these threats and thereby meet your organization's security requirements.

Threats to data transmission

Threats to data transmission differ, depending on the mode of transmission and the goals of the attacker. Threats range from passive monitoring to malicious disruption of traffic. For example, an attacker who wants to learn the contents of data as it is transmitted can passively monitor the network from within an organization. This type of attack reveals data but does not interrupt data transmission, and it is the reason traffic that crosses links you do not control should be encrypted. By contrast, an attacker who wants to stop the transmission of traffic entirely can attempt a denial of service (DoS) attack over the Internet, which prevents legitimate traffic from flowing to and from a network. Encryption does nothing against this second threat; it is addressed by redundant links and by filtering at the perimeter.

Additional reading

For more information about identifying security requirements for your design, see Microsoft Windows Security Resource Kit, by Ben Smith and Brian Komar, Microsoft Press.


Guidelines for Gathering Data for Network Connectivity

Guidelines

When gathering data for network connectivity, use the following guidelines:

• Assess the existing network infrastructure. Assess the current network configuration and network traffic patterns. Determine the number and types of clients, the types of server-based applications used, and the type of connectivity required at each location, between locations, and for remote users.
• Determine specific network connectivity requirements. Because every organization is unique, you must determine your organization's specific network connectivity requirements. For example, you need to determine whether your organization requires WAN connectivity between a central office, regional offices, and branch offices, or requires VPN connectivity for employees who are traveling or working from home.
• Identify future requirements of the organization. Determine whether there are expectations for the organization's growth over the next three to five years, and whether there are anticipated changes in utilization due to implementing Active Directory or network applications.
• Identify potential security risks. Determine the potential threats to network connectivity in your organization. Determine the types of network traffic that you must secure and the level of security that each type of network traffic requires.


Lesson: Evaluating Connection Types

Introduction

The underlying connections that make up your company's WAN are critical to the success of your network and Active Directory designs. You must evaluate the various types of connections that are available, consider your business requirements, and then create a design that will meet your organization's needs for the next several years.

Lesson objectives

After completing this lesson, you will be able to:

• Compare choices for connection types.
• Explain the considerations for international connections.
• Explain the relevant business requirements for designing connection types.
• Select connection types based on the relevant business requirements.


Types of Connections

Introduction

The type of connection used to connect two sites will affect all facets of network communications between the sites. Connections can be grouped into circuit-switched, leased line, packet-switched, and virtual categories.

Circuit-switched connections

Circuit-switched connections are dial-up connections that establish a temporary switched circuit through the carrier's telecommunications system for the duration of the communication session. Types of circuit-switched connections include:

• Modems. Maximum connection speed is 56 kilobits per second (Kbps).
• Integrated Services Digital Network (ISDN). Connection speeds range from 64 Kbps to 2048 Kbps. Different speeds are available depending on the capabilities of the carrier and the country you are located in.

Leased lines

Leased lines are dedicated connections that provide a permanent circuit through the carrier's system. Leased lines are typically point-to-point connections. Examples of leased line types include:

• Broadband. A broadband connection is often a connection to the local cable TV provider's network that allows small businesses and home offices to have an Internet connection through the cable network. Data rates vary from 1.5 Mbps to 3 Mbps and even higher. Most broadband connections are asymmetric, with a much higher download speed than upload speed.
• Digital Subscriber Line (DSL). There are many different options available for DSL connections. DSL is not available in all areas because of line length limitations and because carriers have not implemented support for DSL in all areas. DSL is available in both asymmetric and symmetric options. Data rates range from 144 Kbps to 1.544 megabits per second (Mbps) and even higher in some areas. The most common types of DSL are:
  • IDSL. DSL over an ISDN line.
  • ADSL. Asymmetric DSL, where the download speed is higher than the upload speed.
  • SDSL. Symmetric DSL, where the download and upload speeds are the same. Usually more expensive than ADSL.

• T-carrier and E-carrier. T-carrier lines are available in North America. T-carrier lines are created by combining one or more 64 Kbps channels. For example, a T1 link consists of 24 channels. E-carrier lines are available in Europe. E-carrier lines are also created by combining 64 Kbps channels. An E1 link consists of 32 channels. The following table lists the T-carrier and E-carrier line types that are available.

T-carrier type   Speed
Fractional T1    Available in 64 Kbps increments; always less than T1 speed
T1               1.544 Mbps
T2               6.312 Mbps
T3               44.736 Mbps
T4               274.176 Mbps

E-carrier type   Speed
Fractional E1    Available in 64 Kbps increments; always less than E1 speed
E1               2.048 Mbps
E2               8.448 Mbps
E3               34.368 Mbps
E4               139.264 Mbps

Packet-switched connections

Packet-switched connections can be either dedicated or dial-up connections to a public packet-switching network such as X.25, a public frame relay network, or an Asynchronous Transfer Mode (ATM) network. Packet-switched connections send packets of data along the best route possible by using the logical address of the destination node. Packet-switching links can be either point-to-point or point-to-multipoint connections. Examples of packet-switched connection types include:

• X.25. This is the oldest packet-switched standard. It was designed for use over unreliable analog telephone connections, and has high overhead due to the extensive amount of error checking that is included in each packet. X.25 is still used in many areas. X.25 connections are available from 9600 bps to 2 Mbps; however, most connections are limited to 64 Kbps.
• Frame relay. Frame relay is the successor to X.25. It was designed for reliable digital connections and so has much less error correction overhead than X.25. Frame relay is available in speeds from 56 Kbps to 1.544 Mbps and higher.
• ATM. ATM connections are made over high-speed broadband media such as fiber optic cable. ATM is available in speeds from 25 Mbps to 622 Mbps. ATM provides a global telephony standard, and many telecommunications companies have implemented ATM for their backbone networks.

Virtual connections

A Virtual Private Network (VPN) requires that a routed connection already exist between the private networks being connected, typically through the Internet. VPN connections typically use encryption to protect data as it is carried over the public network, and authentication to ensure that only the intended endpoints can join the VPN. The effective throughput of a VPN is lower than the speed of the connections to the public network at each end, because every packet is wrapped in additional headers and must be encrypted and integrity-protected, and because the public path between the two endpoints is shared with other traffic. A VPN also inherits the availability of the public network: a disruption on the Internet disrupts the VPN.
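The channel arithmetic behind the T-carrier and E-carrier table and the VPN overhead described above can be worked through in a few lines. The following Python script is an added example and is not part of the course: it derives the usable bandwidth of full and fractional T1/E1 links, computes the per-packet cost of carrying traffic in an IPsec ESP tunnel, finds the largest payload that still fits a 1500-byte MTU once encapsulated, and estimates how long a given amount of replication traffic takes with and without the VPN. The ESP parameters (tunnel mode, AES-CBC with a 16-byte IV, HMAC-SHA1-96 integrity check value) are an assumption for the demonstration; the course text does not specify a VPN protocol.

```python
# Added example (not from Course 2282A): link sizing for a site-to-site
# connection. Carrier figures follow the T/E-carrier table; the IPsec ESP
# framing below (tunnel mode, AES-CBC 16-byte IV, HMAC-SHA1-96 ICV) is an
# assumption for the demonstration.

from typing import Optional

DS0 = 64_000  # one 64 Kbps channel, in bits per second

# Data channels per full line. A T1 carries 24 data channels; its 8 kbps framing
# bit is what lifts the line rate to 1.544 Mbps. A channelized E1 has 32
# timeslots but reserves slot 0 for framing and slot 16 for signaling, leaving 30.
DATA_CHANNELS = {"T1": 24, "E1": 30}


def carrier_payload_bps(kind: str, channels: Optional[int] = None) -> int:
    """Usable bits per second for a full or fractional T1/E1 built from 64 Kbps channels."""
    if kind not in DATA_CHANNELS:
        raise ValueError(f"unsupported carrier type {kind!r}")
    n = DATA_CHANNELS[kind] if channels is None else channels
    if not 1 <= n <= DATA_CHANNELS[kind]:
        raise ValueError(f"{kind} supports 1..{DATA_CHANNELS[kind]} data channels")
    return n * DS0


IPV4_HDR = 20
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def esp_tunnel_packet_size(payload: int, iv: int = 16, icv: int = 12, block: int = 16) -> int:
    """Bytes on the wire for an IPv4 packet of `payload` bytes after ESP tunnel encapsulation.

    Layout: [outer IPv4][ESP header][IV][inner IPv4 + payload][padding][ESP trailer][ICV]
    Padding brings (inner packet + trailer) up to a multiple of the cipher block size.
    """
    inner = IPV4_HDR + payload
    pad = (-(inner + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv + inner + pad + ESP_TRAILER + icv


def esp_goodput_ratio(payload: int) -> float:
    """Fraction of link capacity left for the original IP packet once it is tunneled."""
    return (IPV4_HDR + payload) / esp_tunnel_packet_size(payload)


def max_payload_without_fragmentation(mtu: int = 1500) -> int:
    """Largest payload whose ESP-encapsulated packet still fits the link MTU.

    Anything larger forces fragmentation of the outer packet, which costs more
    bandwidth and is dropped by many firewalls; clamp TCP MSS accordingly.
    """
    for payload in range(mtu, 0, -1):
        if esp_tunnel_packet_size(payload) <= mtu:
            return payload
    raise ValueError("MTU too small for any payload")


def transfer_seconds(nbytes: int, link_bps: int, packet_payload: int = 1400,
                     over_vpn: bool = True) -> float:
    """Time to move `nbytes` across a link, optionally paying ESP overhead on every packet."""
    ratio = esp_goodput_ratio(packet_payload) if over_vpn else 1.0
    return nbytes * 8 / (link_bps * ratio)


if __name__ == "__main__":
    link = carrier_payload_bps("T1", 4)              # fractional T1, 4 channels = 256 Kbps
    print(f"fractional T1 (4 ch): {link // 1000} Kbps usable")
    print(f"ESP goodput at 1400-byte payloads: {esp_goodput_ratio(1400):.1%}")
    print(f"ESP goodput at 40-byte payloads:   {esp_goodput_ratio(40):.1%}")
    print(f"largest payload without fragmentation at MTU 1500: {max_payload_without_fragmentation()}")
    volume = 100 * 1_000_000                         # assumed nightly replication volume, bytes
    print(f"100 MB replication: {transfer_seconds(volume, link, over_vpn=False) / 60:.0f} min raw, "
          f"{transfer_seconds(volume, link) / 60:.0f} min over the VPN")
```

The goodput numbers are the reason a VPN is slower than the underlying links: for bulk replication the tax is a few percent, but for the small packets of authentication and DNS traffic half of every link bit is header. The fragmentation figure is the practical caveat: an inner packet that fills the full 1500-byte MTU will not fit once encapsulated, so either the hosts must learn a smaller path MTU or the VPN endpoints must clamp the TCP MSS.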


Considerations for International Connections

Introduction

Very often, connection types available in one country are not available in another. Make sure that your connection design can be implemented in all of the geographic locations that are required by your organization. When designing international connections, consider the following:

• Interoperability. Differing international standards might affect interoperability. For example, crossing national borders might require the integration of multiple service providers. You must design your international connections to ensure interoperability between service providers and link types.
• Cost. Connections that cross oceans can be expensive.
• VPN options. Consider the possibility of using local Internet connections at each location, and connecting the locations by using a VPN.
• Fault tolerance. Consider your requirements for uptime and for continued communications in case of a link failure. You might need to include an additional link in your plan to provide fault tolerance. Options include multiple links, slower speed backup links, or a VPN over the Internet.
• Governmental issues. Depending on the countries that the WAN links traverse, there might be legal, language, regulatory, or value added tax (VAT) issues to consider. For example, local laws might restrict the use or import of specific types of encryption, which in turn limits the VPN options available at that location.


Business Requirements for Connection Types

Business considerations

Business factors greatly influence the connection types that you will use. The following technical decisions might have a direct bearing on business requirements:

• Connection speed. The speed at which your organization makes transactions might be an important business factor in determining a connection type. Evaluate the necessary speed between locations in your organization and between your organization and its partners.
• Number of connections between sites. Determine which sites will require multiple connections to other sites. For example, a hub site might have connections to multiple remote offices. In addition, consider additional connections between remote sites to provide fault tolerance.
• Cost. The connection choice used between different locations might be determined by the cost. For example, it might be more cost-effective to design a VPN connection over the Internet instead of a dedicated line.
• Reliability and fault tolerance. Consider the effect of connection loss on the business. For example, if a branch office is connected to the main office by a single connection and the connection fails, the branch office might not be able to contact a server-based application at the main office. Having a backup connection in place for critical network communications would help alleviate this risk.
• Contingency connections. Consider the effect of a natural or man-made disaster on your network connections and how your design will provide for this type of situation. For example, an earthquake could completely sever a WAN link and isolate any business units that use that link. To address this type of contingency, your design could include provisions to quickly establish a satellite-based connection until the WAN link can be restored.


Guidelines for Selecting Connection Types

Selecting connection types

When selecting connection types, use the following guidelines:

• Use leased lines for dedicated high-traffic WAN links. If you have high bandwidth requirements, and require a dedicated link, consider using a leased line connection.
• Use packet switching for intermittent traffic. If you only need to send data intermittently, it might be more cost-effective to use a packet-switched connection instead of a leased line.
• Use dial-up circuit-switched connections as backup links. Use dial-up circuit-switched connections as backup links for leased lines or when the amount of data to be sent over the connection does not justify the cost of a leased line or a packet-switched connection.
• Use a VPN connection. Consider using a VPN connection to connect sites that have dedicated high-speed connections to the Internet. For example, if you have a location in Singapore and a location in Seattle, and both locations have dedicated high-speed Internet connections, it is more cost-effective to connect the two locations by using a VPN over the Internet than by using an international WAN link. However, the downside of this option is that a disruption of traffic on the Internet might also result in a disruption of traffic between the two locations, and the VPN's throughput can never exceed the slower of the two Internet connections.


Lesson: Designing a Connectivity Infrastructure

Introduction

There are numerous elements to consider as you design a network connectivity infrastructure. In this lesson you examine strategies for connectivity within a location, strategies for connectivity between locations, options for VPNs, and guidelines for designing a connectivity infrastructure.

Lesson objectives

After completing this lesson, you will be able to:

• Explain the requirements for connectivity within a location.
• Explain the requirements for connectivity between locations.
• Compare choices for router placement.
• Determine when to use VPNs.


Strategies for Connectivity Within a Location

The three-tier model

A proven strategy for designing your intranet is to use the three-tier model. This model optimizes the availability of network resources. The modular nature of a hierarchical model such as the three-tier model can simplify deployment, capacity planning, and troubleshooting in a large internetwork. In this design model, the tiers represent the logical layers of functionality within the network. In some cases, a network device serves only one function; in other cases, the same device might function within two or more tiers. The three tiers of this hierarchical model are referred to as the core, distribution, and access tiers. The slide illustrates the relationship between network devices operating within each tier.

Designing the core tier

The core tier facilitates the efficient transfer of data between interconnected distribution tiers and typically functions as the high-speed backbone of the enterprise network. This tier can include one or more building-wide or campus-wide backbone LANs, metropolitan area network (MAN) backbones, and high-speed regional WAN backbones. The primary design goal for the core is reliable, high-speed network performance. As a general rule, locate any feature that might affect the reliability or performance of this tier, such as packet filtering or other policy enforcement, in an access or distribution tier. Select high-performance and highly reliable network equipment for the core tier. If the equipment used in the core tier does not have the capacity to handle the amount of data that is sent over the core tier, the speed and responsiveness of your entire network will be affected. Design a fault-tolerant core tier whenever possible. Many products meet these criteria, and most major network vendors offer complete solutions to meet the requirements of the core tier.

Designing the distribution tier

The distribution tier distributes network traffic between related access layers, and separates locally destined traffic from traffic destined for other tiers through the core. Network security and access control policies are often implemented within this tier. Network devices in this layer can incorporate technologies such as firewalls, NAT routers, VPN servers, remote access servers, and proxy servers. The distribution tier is often the layer in which you define subnets; because they join those subnets, distribution devices typically function as routers. The routing methods and routing protocols used affect the scalability and performance of the network in this tier. A server network in the distribution tier might house critical network services and centralized application servers. Computers running Windows Server 2003 can be used in the distribution tier to run Active Directory, DNS, DHCP, and other core infrastructure services.

Designing the access tier

The access tier is the layer in which users connect to the rest of the network, including individual workstations and workgroup servers. The access tier of an intranet usually includes a relatively large number of low- to medium-speed network ports, whereas the core tier usually contains fewer but higher-speed network ports. Design the access tier with efficiency and economy in mind, and balance the number and types of access ports to keep the volume of access requests within the capacity of the higher layers.

Strategies for Connectivity Between Locations

Introduction

To design your network connections between locations, determine the number and type of intersite connections you will need, the job functions that take place at each location, and any business requirements your organization has that will influence your design.

Considerations

How many and which types of inter-location connections does your organization need? Determining how your organization's resources are organized will help you figure out the number of connections that are needed. For example, if you have a location that contains the backup copies for all the servers in the organization, you might need to provide that location with connections to each of the other locations in the organization. Your current location map and the number and type of computers at each site will help you determine how much bandwidth you will need for each connection. For example, a remote site with ten computers that only rarely need to access data from headquarters might be able to use a dial-up ISDN link to connect to the headquarters location.

Will hardware- or software-based routers be used to connect locations? Once you have determined the number and type of connections to use between sites, you need to specify how those connections will be implemented. For example, if you specified that each site would be connected by a VPN, you would have to choose between using a hardware-based VPN solution or a software-based VPN solution, such as the Routing and Remote Access service in Windows Server 2003.

Which routing protocols will you use for your connections between remote locations? The decision on which routing protocols to use between sites is largely dependent on the routing protocols that are currently in use on your network. For example, if you are using Open Shortest Path First (OSPF) as your routing protocol within each site, you should choose OSPF as your routing protocol between sites as well. Small sites with a single subnet might choose to implement static routing instead of using a routing protocol.

Do your business security needs indicate that your design should require all data that is sent between sites to be encrypted or digitally signed? This choice is driven by two factors: the importance and sensitivity of the data being sent, and the type of link being used. For example, a VPN link over the Internet might require a higher level of security than a direct fiber optic link between two sites in the same metropolitan area.

Options for VPNs

Introduction

To avoid the cost of leasing your own private line to connect to a network, you can create a secure tunnel over a public network such as the Internet to form a VPN. VPNs are popular with enterprises that require users to travel or that need to provide customers, business partners, or vendors with access to corporate data. The VPN is authenticated and encrypted for security. However, a VPN solution can affect performance. For example, if you are dependent on a slow underlying network connection, such as a 56 Kbps dial-up modem, you will incur extra overhead associated with the tunnel protocol. Before you can determine if a VPN solution is suitable for your network infrastructure strategy, you need to consider the advantages and disadvantages of this type of network access as described in the following table.

Choosing a VPN solution

VPN advantages:
- Can use an existing network infrastructure, such as the Internet, to transport your tunneled data.
- Does not require the expense of a private connection between devices.
- Scales better than a dial-up solution.

VPN disadvantages:
- Data-tunneling process can result in extra overhead.
- Both devices need to support the same tunneling protocols (PPTP or L2TP).
- Increased risk of packets being viewed and analyzed by attackers. Even though packets can be encrypted, hashed, and authenticated, they are still being transmitted on a public network, such as the Internet.
- Requires additional support. You need to ensure that your network infrastructure allows the transmission of tunneled packets from the Internet to your private network.

Security options

Security is an important requirement for any remote connection. The following table describes how to secure a VPN solution.
VPN option: Authentication
Security options:
- Standard Point-to-Point Protocol (PPP) authentication methods such as Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), MS-CHAP, and Password Authentication Protocol (PAP)
- Extensible Authentication Protocol (EAP) authentication methods (including public key certificates)
- Internet Protocol Security (IPSec)

VPN option: Data encryption
Security options:
- Microsoft Point-to-Point Encryption (MPPE 40-bit, 56-bit, or 128-bit)
- IPSec

VPN option: Connection constraints
Security options:
- Time of day or duration of connection. These constraints give you the ability to restrict connections.

Guidelines for Designing a Connectivity Infrastructure

Guidelines

When designing for network connectivity, consider the types of connections needed, the network medium you will use, and the physical limitations of the connections.

- Consider the three-tier model as part of your network design for large locations. This model will simplify troubleshooting and optimize network traffic for large intranet designs.
- Use a VPN to connect sites if the cost of a dedicated WAN link is prohibitive. If you need to connect more than one network, determine if you will do so through dedicated lines or through a VPN. If the sites are distributed across a wide area and the cost of a dedicated link is prohibitive, consider using a VPN over the Internet to connect the sites.
- Ensure that the network connectivity design meets Active Directory requirements. For example, when designing WAN links, make sure that the WAN links have enough free bandwidth to accommodate Active Directory replication and authentication traffic.
- Use the appropriate network topology. For example, if the LAN is streaming media to all workstations, consider using 100 Mbps, gigabit, or higher-speed connections. If the cost of rewiring a building is prohibitive, consider using high-speed wireless connections instead.

Practice: Designing a Connectivity Infrastructure

Introduction

In this practice, you will design a connectivity infrastructure for Northwind Traders' new locations.

Scenario

Northwind Traders is in a period of unprecedented growth. The company is adding five new offices and needs to ensure that the new branch offices will be able to communicate with the rest of the organization efficiently. Northwind Traders' current connectivity infrastructure is illustrated in the diagram on the slide. The following table shows the location and user information about these new offices.

Location and number of offices and users:
- New Delhi, India: 1 office with 75 users
- Beijing, China: 2 offices, one with 1,250 users and the other with 88 users
- Minsk, Russia: 1 office with 260 users
- Sarajevo, Croatia: 1 office with 50 users

Practice

Based on the scenario, how will you connect these new offices to your existing network infrastructure?

Answers may vary. One possible answer is: Use an E1 line between Beijing and Sydney. Use high-speed local Internet connections for all locations. In all locations except Beijing, use VPN connections to connect to the headquarters in Paris.

Lesson: Designing for Internet Connectivity

Introduction

Securing network connectivity is the common thread that runs throughout this lesson. In this lesson, you will examine strategies for firewall design, forest options for a firewall environment, strategies for securing replication through firewalls, and strategies for extranet designs. Finally, you will explore guidelines for Internet connectivity design. After completing this lesson, you will be able to:
Lesson objectives

- Describe strategies for a firewall design.
- Discuss forest options for a firewall environment.
- Compare choices for securing replication through firewalls.
- Create an extranet design.
- Create a design for Internet connectivity.

Strategies for Firewall Design

Intranet

An intranet is a private network that is contained within an organization. It consists of one or more interconnected subnets. Security on a private network might not be as stringent as security on computers that are directly exposed to the Internet. However, it is important that you protect your intranet from the Internet by one or more firewalls that control access for all traffic entering and leaving the internal network. An example of an enterprise firewall is Microsoft Internet Security and Acceleration (ISA) Server. There are many possible firewall configurations. The three most commonly used firewall configurations are:
Common firewall configurations

- Bastion host. This firewall is used as the single point of contact between the internal network and the Internet. It is typically implemented on small networks to protect against attacks on resources on the internal network.
- Three-homed firewall. This is a single firewall that has three network adapters. One adapter is connected to the internal private network. The second adapter is connected to another internal network, called a perimeter network, which contains Web, e-mail, and other servers that will be accessed by users on the Internet. The third adapter is connected to the Internet. The three-homed firewall uses different filters for traffic depending on the network for which the traffic is destined. A three-homed firewall reserves the highest level of protection for traffic destined for the internal network.
- Back-to-back firewalls. This configuration uses two firewalls to create a perimeter network, which is protected from the Internet by one firewall but is also separated from the internal network by another firewall. This configuration is often used for larger networks.

Note: A perimeter network is also referred to as a screened subnet, or as a demilitarized zone (DMZ).

Forest Options for a Firewall Environment

Key points

Forest options for firewall environments include trusts and security issues. The following tables show the advantages and disadvantages of each forest option for use in a firewall environment design.

Single forest

Advantages:
- Easiest to manage
- Avoids multiple logons
- Less expensive than the other options because it requires fewer domain controllers and DNS servers
- Perimeter clients can access internal resources
- Facilitates the use of ISA Server

Disadvantages:
- Requires diligent security practices to ensure that only appropriate users have access to resources
- An attacker with valid credentials can access any resource

Multiple forests with no trusts between domains in each forest


Advantages:
- Not susceptible to enumeration of internal account information
- An attacker with valid credentials can damage only servers on the perimeter network
- Security practices are less critical

Disadvantages:
- More costly and difficult to manage than a single forest because it requires additional domain controllers and DNS servers
- Requires multiple logons by administrative staff
- Requires duplicate accounts
- Might make extranet scenarios from the perimeter difficult
- Does not facilitate use of ISA Server

Multiple forests with a one-way trust from the perimeter forest's domain to the internal forest's domain

Advantages:
- Does not require multiple logons
- Does not require duplicate accounts
- Somewhat easier to manage than multiple forests with no trusts because groups in the internal forest's domain can be placed into groups within the perimeter forest's domain
- An attacker with valid credentials can damage only servers on the perimeter network
- Facilitates the use of ISA Server

Disadvantages:
- More difficult to manage and more costly than a single forest because additional domain controllers and DNS servers are required
- Susceptible to enumeration of internal account information
- Might make extranet scenarios from the perimeter difficult
- An attacker with valid credentials on the perimeter forest's domain can enumerate the account information of internal users and groups

Multiple forests with two one-way trusts between the internal and perimeter forests' domains
Advantages:
- Does not require multiple logons
- Somewhat easier to manage than multiple forests with no trusts between domains because groups in the internal forest's domain can be placed into groups within the perimeter forest's domain
- Perimeter clients can access internal resources
- Facilitates use of ISA Server

Disadvantages:
- More difficult to manage and more costly than a single forest because it requires additional domain controllers and DNS servers
- An attacker with valid credentials on the perimeter forest's domain can enumerate the account information of internal users and groups and can also access resources on the internal network

Additional reading

For more information about designing intranets, see Directory Services, under Additional Reading on the Web page on the Student Materials compact disc.

Strategies for Securing Replication Through Firewalls

Introduction

Performing replication through a firewall is a difficult task. It is also difficult to secure the traffic during replication and to maintain a secure firewall configuration. There are two major types of replication challenges:
- Initial promotion of a server to a domain controller. This requires that the server be able to authenticate to the domain controller, join the domain, and then replicate Active Directory through the firewall.
- Replication between domain controllers through a firewall. This type of replication requires that the servers be able to authenticate each other and perform replication.

Configuration options

You can use any of the following configurations to perform replication through a firewall:
- Open all required firewall ports, including the ports required for remote procedure call (RPC) and for dynamic RPC. This configuration creates holes in your firewall configuration. It allows replication, but also allows undesirable traffic to pass through.
- Open all required firewall ports for RPC and a specified port for dynamic RPC. In this configuration you only need to open one port for dynamic RPC. To use this configuration, you must modify the registry on all domain controllers in the forest to specify which TCP port will be used for dynamic RPC traffic, and then open that specific TCP port on the firewall. This option opens fewer ports on your firewall, but still creates holes in your firewall.

- Open the firewall only for Internet Protocol security (IPSec), DNS, and Kerberos traffic, and use IPSec for all replication traffic. This configuration is the most secure option. To use this configuration, you must configure an IPSec policy that requires IPSec for replication on all domain controllers. If you want to be able to promote a server to a domain controller through a firewall, you must use certificates for IPSec mutual authentication because the server is not yet a member of the domain and, therefore, cannot use Kerberos for authentication.
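The three configurations differ mainly in how much of the firewall they leave open. The following added example (written for this page, not code from the course or from Microsoft) models each option as a rule set and counts the TCP ports each exposes; the port numbers (RPC endpoint mapper 135, LDAP 389, Kerberos 88, DNS 53, SMB 445, IKE UDP 500, ESP) are general Windows knowledge rather than values from this module, and the dynamic RPC range and the pinned port 50000 are constructed assumptions.

```python
"""Model the three firewall configurations for Active Directory replication.
Added example, not course code. Port numbers are general Windows knowledge;
DYNAMIC_RPC_RANGE and FIXED_REPLICATION_PORT are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows Server 2003 default dynamic RPC port range (assumption for this model).
DYNAMIC_RPC_RANGE = (1025, 5000)
# Placeholder for the one port an administrator pins replication to in the
# registry of every domain controller (hypothetical value, not from the module).
FIXED_REPLICATION_PORT = 50000


@dataclass(frozen=True)
class Rule:
    """One 'allow' entry. proto is 'tcp', 'udp' or 'esp'; ESP (IPSec payload,
    IP protocol 50) carries no port, so low/high are unused for it."""
    proto: str
    low: int
    high: int
    note: str


def _single(proto: str, port: int, note: str) -> Rule:
    return Rule(proto, port, port, note)


def base_cleartext_rules() -> List[Rule]:
    """Ports both non-IPSec options need besides dynamic RPC: endpoint mapper,
    LDAP, Kerberos, DNS and SMB (SYSVOL)."""
    return [
        _single("tcp", 135, "RPC endpoint mapper"),
        _single("tcp", 389, "LDAP"),
        _single("tcp", 88, "Kerberos"),
        _single("udp", 88, "Kerberos"),
        _single("tcp", 53, "DNS"),
        _single("udp", 53, "DNS"),
        _single("tcp", 445, "SMB (SYSVOL)"),
    ]


def rules_open_all_rpc() -> List[Rule]:
    """Option 1: open RPC plus the entire dynamic RPC range."""
    low, high = DYNAMIC_RPC_RANGE
    return base_cleartext_rules() + [Rule("tcp", low, high, "dynamic RPC range")]


def rules_fixed_rpc_port(port: int = FIXED_REPLICATION_PORT) -> List[Rule]:
    """Option 2: replication pinned to one port via the registry; open only it."""
    return base_cleartext_rules() + [_single("tcp", port, "pinned replication port")]


def rules_ipsec_only() -> List[Rule]:
    """Option 3: only IKE/ESP, DNS and Kerberos cross in the clear; RPC and LDAP
    travel inside IPSec. Promoting a new DC through this firewall needs
    certificate-based IPSec authentication, as the module notes."""
    return [
        _single("udp", 500, "IKE"),
        Rule("esp", 0, 0, "IPSec ESP"),
        _single("tcp", 88, "Kerberos"),
        _single("udp", 88, "Kerberos"),
        _single("tcp", 53, "DNS"),
        _single("udp", 53, "DNS"),
    ]


def allows(rules: List[Rule], proto: str, port: Optional[int] = None) -> bool:
    """True if a packet with this protocol/port would pass the rule set."""
    for r in rules:
        if r.proto != proto:
            continue
        if proto == "esp" or (port is not None and r.low <= port <= r.high):
            return True
    return False


def exposed_tcp_ports(rules: List[Rule]) -> int:
    """Distinct TCP ports reachable through the firewall: a crude measure of
    the 'holes' the module warns about."""
    ports = set()
    for r in rules:
        if r.proto == "tcp":
            ports.update(range(r.low, r.high + 1))
    return len(ports)


def compare_options() -> Dict[str, Dict[str, object]]:
    """Per option: exposed TCP port count, and whether an unrelated service on
    an arbitrary high port (4444 here) would be reachable from outside."""
    options = {
        "open all RPC": rules_open_all_rpc(),
        "fixed RPC port": rules_fixed_rpc_port(),
        "IPSec only": rules_ipsec_only(),
    }
    return {
        name: {"tcp_ports": exposed_tcp_ports(r),
               "port_4444_reachable": allows(r, "tcp", 4444)}
        for name, r in options.items()
    }


if __name__ == "__main__":
    for name, s in compare_options().items():
        print(f"{name:15s} exposes {s['tcp_ports']:5d} TCP ports; "
              f"stray service on port 4444 reachable: {s['port_4444_reachable']}")
```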

Additional reading

For more information about security strategies for network connectivity, see Active Directory in Networks Segmented by Firewalls under Additional Reading on the Web page on the Student Materials compact disc.

Strategies for Extranet Design

Introduction

The purpose of an extranet is to allow a supplier, vendor, business partner, or customer to access some or all of your private corporate data. Because most of these parties will not have a direct WAN connection to your corporate intranet, you must make arrangements for them to either dial up to your network or, more commonly, access your data over the Internet. For obvious reasons, it is not a good idea to directly connect your private network to the Internet without some sort of security. Here are some general security requirements for an extranet:
Extranet security requirements

- External access to corporate data should be limited to only those users who are authorized to view the data.
- External users should not be able to access corporate data that they do not have a need to see.
- Non-authorized users should not be able to access any private corporate data.

Extranet access options

There are several methods that can be used to enable external users to access corporate data.
- Place public data on a Web server that is available to all users on the Internet. This option should be used only for data that should be publicly available to everyone.
- Enable access to private corporate data via a secured Web site that requires authentication from external users before they can access the data. Protect the data as it is transmitted over the Internet by using Secure Sockets Layer (SSL) encryption. Place the Web server on a screened subnet outside your corporate network. This option should be used when a limited amount of data needs to be made available to external users. Every effort should be made to secure the data on this server and to keep the server software up to date, so that only authorized users are able to access the data.

- Enable external users to connect to a secured portion (or all) of your private network by using a VPN server that enables them to connect to your network over the Internet. This option allows external users to connect to a portion (or all) of your network as if they were logged on locally to a computer on the network. This option is recommended for external users who have a connection to the Internet. You can also connect another organization's network to your network by using a VPN tunnel.
- Enable external users to connect to a secured portion (or all) of your private network by using a dial-up server that enables them to connect to your network by using a modem. This option also allows external users to connect to a portion of your network as if they were logged on locally to a computer on the network. This option is recommended if external users do not have a connection to the Internet, or if you do not want to connect your private network to the Internet at all.

Guidelines for Internet Connectivity Design

Guidelines

When creating an extranet design, use the following guidelines:
- Use one or more firewalls to control all traffic to and from your corporate network.
- Use the forest model that best meets your organization's cost and administrative needs:
  - Use a single, global forest model when you want to lower the administrative costs of maintaining the directory service. Although this model lowers administrative costs, it places some constraints on the participants of the forest.
  - Use a multiple forest model when the majority of the business units in an organization deploy their own instance of Active Directory. The multiple forest model meets the requirements of business units that want or need to retain administrative autonomy, but can be costly to maintain.
- Use IPSec to secure Active Directory replication through firewalls.
- Only place data that needs to be accessed by external users on your perimeter network.
- Use a VPN server to enable external users to access data on a secured portion of your corporate network, such as on your perimeter network.
- Use a Web server on your perimeter network to allow external users to access limited amounts of corporate data. Secure the Web server by requiring all users to authenticate to the server, and use SSL encryption to protect the data during transmission over the Internet.

Practice: Creating an Internet Connectivity Design

Introduction

In this practice, you will create an Internet connectivity design for Northwind Traders' Glasgow office.

Scenario

Northwind Traders' Research and Development departments are located in Glasgow, Scotland. Currently, the Glasgow office does not have a connection to the Internet. Now, the plan is to have a direct Internet connection in this office. Recent original equipment manufacturer (OEM) agreements require that the Glasgow office allow premier partners to access some of the source code to the company's flagship product. This access must be as secure as possible. It is anticipated that the average amount of data that will be transmitted over the new Internet connection will be approximately 1.4 Mbps.

Practice

Based on the scenario, create an Internet connectivity design for the Glasgow office by answering the following questions. Be prepared to discuss your solutions with the class.

1. What type of connection will you use for the Internet connection in Glasgow?

Answers may vary. One possible answer is to use an E1 link to a local Internet service provider. An E1 link will have sufficient bandwidth to accommodate the anticipated amount of network traffic. Broadband and DSL options would probably not be appropriate here because they typically have a slower outbound speed than inbound speed, whereas most of the traffic described here is outbound.

2. How will you protect the Glasgow office's network data from unauthorized users on the Internet?

Answers may vary. One possible answer is to implement back-to-back firewalls between the corporate network and the Internet.

3. How will you enable external users to access data?

Answers may vary. One possible answer is:
- Place all data except source code on a Web server on the perimeter network and require authentication for all accesses to this server.
- Place all source code on a server on an internal network, protected by a firewall.
- Require clients who can access the source code to make a VPN connection by using a smart card to authenticate, and then require them to check out source code individually so that the company can track all accesses to the source code.

Lab A: Designing for Network Connectivity

Objectives

After completing this lab, you will be able to:
- Evaluate connection types.
- Create a connectivity design.
- Create an extranet design.

Scenario

You are a consultant who has been hired to create a network connectivity design for Tailspin Toys. The lab uses an interactive application to convey scenario-based information. To begin this lab, open Internet Explorer, and then, on the Web page that appears, click the link for this lab. View the videos, read the e-mail messages and other company documents, and then, using the exercises below as a guide, complete the tasks that are assigned in the e-mail messages.

Estimated time to complete this lab: 60 minutes

Your instructor will break the class into groups to do the lab. Each group should be prepared to present their design to the class at the end of the lab.

Exercise 1 Creating a Connectivity Design

In this exercise, you will evaluate connection types and create a connectivity design for Tailspin Toys, based on the information you have gathered in previous labs and the new information presented in the scenario. As you draw your connectivity design on the map provided below, answer the following questions:

1. How will you improve connectivity and replication?

Answers may vary. To improve connectivity and replication, one possible answer is to make the following changes:
- Because the existing WAN link from Istanbul to the Internet is at 80 percent average utilization, upgrade to a fractional E3 link.
- Because the existing WAN link from Monterrey to the Internet is at 75 percent average utilization, upgrade to a T1 link.
- Because the existing WAN link from Singapore to Fayetteville is at 90 percent average utilization, discontinue the WAN link. Instead, connect the Singapore office to the Internet with an E-3 link. Then, add a VPN connection from Singapore to New York and create a site link between Singapore and New York. Delete the site link between Singapore and Fayetteville because the WAN link will be discontinued.

2. How will you reduce operating expenses and keep the cost of your design as low as possible?

Answers may vary. To keep costs as low as possible, one possible answer is to replace the existing WAN link between Singapore and Fayetteville with an E-3 link from Singapore to the Internet. This will significantly increase the amount of bandwidth available to the Singapore office without incurring a large increase in costs. Although this solution doesn't actually reduce costs, it does limit cost increases.

Exercise 2 Creating an Extranet Design

In this exercise, you will answer questions relating to an extranet design for Tailspin Toys. Use the information you have gathered in previous labs, your connectivity design in the previous exercise, and the new information presented in the scenario to answer the following questions.

1. How will you use firewalls to protect each physical location from Internet-based attacks?

Answers may vary. One possible answer is to protect each location, except Wicklow, from the Internet by using two firewalls in a back-to-back configuration. This will provide the highest level of protection for these locations, and will allow each location to implement a perimeter network for servers that must be exposed to the Internet. Because Wicklow has only 300 users, the cost of a back-to-back firewall implementation is not justified. You can protect Wicklow by using a three-homed firewall so as to implement a perimeter network for its Web and e-mail servers.

2. How will you provide access for Tailspin Toys testers to the research and development Web site so that they can log in and provide user feedback but also prevent competitors from accessing the Web site?

Answers may vary. One possible answer is to place a Web server on the perimeter network in Kobe, Japan, to provide the testers with the appropriate access. The Web server will be configured to use SSL for all communications. The server will also be configured to require authentication for all testers before they are allowed to access any confidential information or to provide feedback. Complex passwords will be required for all testers' user accounts.

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. At a convenient time before the end of the course, please complete a course evaluation, which is available at http://www.CourseSurvey.com. Microsoft will keep your evaluation strictly confidential and will use your responses to improve your future learning experience.
