Download Windows Server 2008 R2 Overview Part 2 Technical

Document related concepts

Asynchronous Transfer Mode wikipedia , lookup

Wireless security wikipedia , lookup

AppleTalk wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Dynamic Host Configuration Protocol wikipedia , lookup

Net bias wikipedia , lookup

TCP congestion control wikipedia , lookup

Server Message Block wikipedia , lookup

Deep packet inspection wikipedia , lookup

IEEE 1355 wikipedia , lookup

Computer network wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Network tap wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Internet protocol suite wikipedia , lookup

Airborne Networking wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Distributed firewall wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Lag wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Transcript
Windows Server 2008 R2
Overview Part 2 Technical
Doug Spindler’s Background
24 years in IT as a Technology Consultant
MCT, MCITP, MCTS
President of Pacific IT Professionals
A professional association for IT Professionals
Join today at www.pacitpros.org
Technology Instructor
Author
Speaker
Lecturer
IT Pro Hero
2
Why IT Pros will want to deploy
Win 7 and Server 2008R2 NOW!
No I do not work for Microsoft.
This is NOT a marketing presentation.
3
Customer top security concerns
Security
Network Performance
Reliability
Ease of use for users
4
IT Pro “got to” haves
Bitlocker – whole drive encryption
User Access Control (UAC)
Secure Socket Tunneling Protocol
Terminal Services RemoteApp
Application virtualization - SoftGrid
Granular password policy
Re-startable AD without a reboot
5
Enhancements to Network Security
Network Level
Network Access Protection
Server Isolation
Domain Isolation
GPO managed
Quality of Server - QoS
Host based firewall
Firewall and IPSEC integration
6


Labs
Unmanaged
guests
NAP
Protects network & gets clients up to date
7


Labs
Unmanaged
guests
Server Isolation
8
Isolates high-valued servers and data
from the rest of the network.


Labs
Unmanaged
guests
Domain Isolation
9
Isolates high-valued servers and
clients from the rest of the network.
‘Policy-based’ QoS Enables
Management of Hosts’ Bandwidth
BEFORE
Queue
`
`
BE
`
`
AFTER
Queues
`
High
`
`
`
10
BE
Low
Enhancements to Network Security
Operating system
New network stack – New code
Impervious to existing attacks
New attack code is require
Windows Firewall with Advanced Security –
Protects hosts
11
Conclusion
New code in the network stack
=
Your Network is more secure
12
Windows history
Network stack used in XP and Server 2003 (and
prior) was written for Windows 95
Pentium I – 100MHz
10 Mb/sec network
Modems
Only minor enhancements and fixes since
Stack is inefficient – Lots of latency
Code (by today’s standards) is inefficient
13
Network Performance
Enhancements
TCP Chimney
TCP-A (I/OAT)
Receive Window Auto-Tuning
SMB2 Protocol
Receive side scaling (RSS)
Compound TCP – cTCP Congestion Control
Policy-based Quality of Service (QoS)
Black-Hole Router detection (BHRD)
Dead Gateway Detection
14
Network Performance
Enhancements
TCP Chimney
TCP-A (I/OAT) Intel
Ideal for iSCSI implementations
15
Network Performance Enhancements
Receive Window Auto-Tuning
Dynamic allocated packet receive buffer
More in flight data – up to 16MB
If too much data, use QoS.
Max 16MB window @ 100ms ~ 1.34Gbps
16
Win 7 Performance – Auto Tuning
Testing between Windows 2K3 server to Win 7
client
Average latency is 180 ms round trip
Applications tested - TTCP, FTP, Xcopy
TTCP - 3259 KB/sec (26.07 Mbps*) 869% increase
FTP - 633 KB/sec (5.06 Mbps) 85% increase
Xcopy - 604 KB/sec (4.83 Mbps) 109% increase
17
Network Performance Enhancements
Receive Window Auto-Tuning
Data
The application layer passes a block of data
down to the Transport Layer (TCP). The
transport layer then sends the data to the
client.
Server
Client
Transport layer breaks the data up into
blocks equal to the maximum segment size
(MSS) for the link.
For Ethernet this is 1460 bytes.
18
Network Performance Enhancements
Receive Window Auto-Tuning
Let’s assume the advertised Window Size of the Client is 8760
bytes and the MSS is 1460 bytes.
Outstanding Packets = Window Size / MSS
Outstanding Packets = 8760 / 1460
Outstanding Packets = 6
The sender (Server in this case) can only have 6 outstanding
packets on the network at one time. It must stop sending until
it receives an acknowledgement for some or all of the packets
before sending more.
19
Network Performance Enhancements
Receive Window Auto-Tuning
Once the transport layer has sent the 6th packet, it
must stop until it receives an acknowledgement for
one or more of the transmitted packets.
Data
6
Server
20
5
4
3
2
1
Client
Network Performance Enhancements
Receive Window Auto-Tuning
Data
6
5
4
3
Client
Server
Acknowledge 1 and 2
The client receives packets 1 and 2. Once it
receives packet number 2 it sends an
Acknowledgement back to the server indicated
that it successfully received the packets.
21
Cost of the delays in XP and
Server 2003?
Only way to get Gig out of Gig is to maintain a
sending a gig sending rate. Which is a 1.21
microsecond gap between packets.
Any delays in sending decreases throughput or
“dead air”
22
The cost of a delay
195 microseconds 195/1.21 = 160 packets.
180 microseconds 180/1.21 = 150 packets.
160,000packets = 242,880,000 Bytes or 240 MB
23
What is the right Window Size?
Receive Window Auto-Tuning
TCP Window Size =
Bandwidth * Roundtrip Delay
In previous version of Windows the buffer size was fixed
24
Network Performance Enhancements
Receive Window Auto-Tuning
Win 7 and Server 2008R2 Advantage –
More data, less “dead air”
Data
12
Server
25
11
10
9
8
7
6
5
4
3
Client
Network Performance Enhancements
Receive Window Auto-Tuning
Win 7-Server 2008R2
advantage,
more initial in-flight data
XP
26
Green Win 7
Orange XP
Network Performance Enhancements
Receive Window Auto-Tuning
Win 7 & Server 2008R2
advantage,
More efficient use of the
network.
XP & Server 2003
Less in-flight data,
resulting in less
throughput.
27
Green Win 7
Orange XP
Network Performance Enhancements
SMB2 Protocol
Combined control messages
More efficient use of the network
SMB 2 only available
Server 2008R2 – Server 2008R2
Server 2008R2 – Win 7
Win 7 – Win 7
No error correction in SMB
28
Network Performance Enhancements
Receive side scaling (RSS)
Allows packet receive-processing to scale with
the number of available computer processors.
29
Network Performance Enhancements
Compound TCP – cTCP Congestion Control
5000000
4500000
4000000
Faster recovery
3500000
Less time to
transfer data
In this example 80 minutes
CTCP
3000000
New Reno
2500000
2000000
1500000
1000000
500000
0
1
30
8
15 22 29
Congestion
36 43 50 57 64
71 78 85 92 99 106 113 120 127 134 141 148 155 162 169 176 183 190
What do all of these things give you?
TCP Chimney
TCP-A (I/OAT)
Receive side scaling (RSS)
Receive Window Auto-Tuning
Compound TCP – cTCP Congestion Control
Policy-based Quality of Service (QoS)
Black-Hole Router detection (BHRD)
Dead Gateway Detection
31
32
Blast some data through
33
34
Myth
A Microsoft 2000, XP, Server 2000,
2003 host on a gigabit network
will transfer data at gigabit speed.
35
Conclusion
New network stack
=
Dramatic improvements in network
performance
36
37
History of Internet Protocols
Network Control Protocol (NCP)
First protocol used on the Internet
IPv4
Second generation protocol
NCP and IPv4 were run concurrently
Flag day January, 1, 1983
IPv6
Interplanetary Protocol
38
IPv6 Myths
IPv6 is experimental
No one is using IPv6 in production
My network won’t run IPv6
Microsoft is making a big mistake with IPv6
IPv6 is less secure than IPv4
IPv6 causes Win 7 to run slower
39
FACTS
We are running out of IPv4 addresses
IPv6 is the preferred protocol in Win 7 and
Server2008R2 and can not be removed
You been assigned an IPv6 address (Publicly assigned)
It can be used today
Linux and Apple already support IPv6
Microsoft’s implementation of IPv6 is feature rich
(compared to Apple and Linux)
40
Available IPv4 address by year
Grey – available IP address
Orange – Allocated IPv4
41
IPv6 is 2 128 addresses
340,282,366,920,938,000,000,000,000,000,000
,000,000 addresses
42
IPv6 is 2 128 addresses
340,282,366,920,938,000,000,000,000,000,000
,000,000 addresses
43
How big is 2 128 or
340,282,366,920,938,000,000,000,
000,000,000,000,000?
If the IPv4 address space is size of one atomic
nucleus big, the IPv6 address space would
require a month of light-speed travel to reach.
Thanks to Sean Siler at Microsoft for this clever way of
to explain just how large the address space is.
44
Think Global…
Microsoft was brilliant for implementing IPv6
Thanks to Microsoft for doing this
IPv6 in Win 7 and Server 2008R2
Ipv6 addressing and routing is easier
No need for NAT
Most Application just work
Microsoft has made a commitment to IPv6
New MS software will support IPv6
45
New network stack design in Server
2008R2 and Win 7
Winsock
User Mode
Kernel Mode
TDI Clients
WSK Clients
AFD
TDI
WSK
TDX
Win 7 and Server 2008R2 tcpip.sys
RAW
UDP
IPv6
IPv4
802.3
WLAN
Loopback
1394
NDIS
46
Inspection
API
TCP
IPv4
Tunnel
IPv6
Tunnel
IPv6 can not be removed from
tcpip.sys
Win 7 and Server 2008R2 tcpip.sys
TCP
RAW
UDP
IPv6
IPv4
802.3
47
WLAN
1394
Loop-back
IPv4 Tunnel
IPv6 Tunnel
Win 7 and Server 2008R2R2
48
Market forces pushing IPv6 adoption
Mobile Internet Services - Internet Multimedia
Services (IMS)
Next gen cell phones
IPTV Cable companies
End to end security requirements
Auto configuration for home and mobile
devices
Foreign countries
2008 Olympics
49
IPv4 had no security,
IPSec and L2TP were
“bolt-ons”
App
Presentation
Session
Presentation
Transport
Session
Network
Transport
L2TP VPN
Transport
IPSec VPN
Network
50
App
Network
Data Link
Data Link
Physical
Physical
In IPv6 IPSEC is “built” in
App
Presentation
Session
Transport
Network
Data Link
Physical
51
Why IPv6?
Security
IPv4 security was an add-in
IPv6 has IPSEC integrated
Any IPv6 communication can automatically
do authentication, message integrity and
encryption or any combination of those
52
Saves time No network
IPv6 the following settings are optional
Subnet masks
No need for a subnet calculator
Default Gateways
DNS Servers
DHCP Servers
Private IP address
Routing table
53
Unicast IPv6 Addresses
Hosts will have multiple addresses
Global addresses
Link-local addresses
Unique local addresses
Special addresses
Compatibility addresses
54
(Public IPv4)
(192.168.1.1)
(10.10.1.1)
Win 7 and Server 2008R2
New Protocols
Native IPv6 – Preferred
6to4
ISATAP Intrasite automatic tunneling address
protocol
Teredo
55
Win 7 - ipconfig /all
Native IPv6
Teredo
ISATAP
56
Windows Win 7 and Server 2008R2
Native IPv6 Global address
Native IPv6:
Native IPv6 addresses start with the prefix 2000::/3 (Subject
to change)
A native IPv6 address looks like:
2001:0470:1F00:FFFF:0000:0000:0000:0FF3 /127
|
prefix
|
host
| subnet |
57
Windows Win 7 and Server 2008R2
6to4
It is a standard: IETF RFC 3056
6to4 is a tunneling technology
Allows communication across the IPv4 Internet
by tunneling IPv6 inside IPv4 packets to get to
the IPv6 Internet through gateways
58
Windows Win 7 and Server 2008R2
6to4
IPv4 address: 207.213.246.1 is represented as
cfd5:f601 (convert decimal to hex)
Its 6to4 address is:
2002:cfd5:f601:0000:0000:0000:cfd5:f601
|pref|IPv4|
::
| IPv4|
59
Windows Win 7 and Server 2008R2
ISATAP
It is a standard: IETF RFC 4214
Intrasite Automatic Tunnel Addressing Protocol
ISATAP is a tunneling technology
Allows communication across an IPv4 intranet by
tunneling IPv6 inside IPv4 packets
60
Windows Win 7 and Server 2008R2
ISATAP and 6to4 packet encapsulation
IPv6 Packet Min MTU 1280
IPv6 Header
Extension
Headers
Upper Layer Protocol Data
Unit
IPv6 Header
Extension
Headers
Upper Layer Protocol Data
Unit
Encapsulation
For ISATAP and
6to4 packets
IPv4 Header
IPv4 Packet Max Ethernet MTU 1500
IPv4 header Protocol field is set to 41 for isatap and 6to4 tunnels
61
Windows Win 7 and Server 2008R2
Teredo
Teredo provides IPv4 NAT traversal capabilities
by tunneling IPv6 inside of IPv4 using UDP
Teredo provides IPv6 connectivity when behind
an Internet IPv4 NAT device
Is designed to be a universal method for NAT
traversal for most types of NAT use
62
Something to think about….
With Teredo can boarder firewalls offer
protection needed for today’s networks?
Or do they offer a false sense of security?
What about IPv6 bot Nets?
63
Windows Win 7 and Server 2008R2
Preferred order of communication
Native IPv6 – Preferred
6to4
ISATAP Intrasite automatic tunneling address protocol
Teredo
IPv4 …. last resort
64
Does all this work?
Yes! I've been running it for 4 years
Native IPv6, 6to4, ISATAP, Teredo, IPv4
Global IPv6 address
65
Watching for IPv6 traffic on your network
Use a packet Analyzers – NetMon or Wireshark
66
Router Venders Support for IPv6
Native IPv6:
IPv6 native routing protocols
Cisco, Juniper
Most are providing software upgrades to
support native IPv6 deployments on existing
hardware
Cisco IOS 12.3+ mainline code has IPv6 support
67
If I can do it, so can Microsoft
IPv6 Infrastructure In Redmond
ISATAP available in all buildings
world-wide
Native v6 connectivity in all development
buildings world-wide
68
Impact on IT Professionals
IPv6 only hardware/software is on the way
Smart cell phones
PDAs
Web cameras
Law enforcement
Cars
MP3 players
Next generation operating systems
69
Impact on Customer Networks
Test firewalls, are they IPv6 aware?
Many allow IPv6 traffic to pass un-checked
Is this the end of boarder firewalls?
Teredo was designed to pass through NAT
70
71
© 2008R2 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Win 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
72