Windows 2000 Remote Access

Remote Access Overview

With Windows 2000 remote access, remote access clients connect to remote access servers and are either transparently connected to the remote access server itself (known as point-to-point remote access connectivity) or transparently connected to the network to which the remote access server is attached (known as point-to-LAN remote access connectivity). This transparent connection allows remote access clients to dial in from remote locations and access resources as if they were physically attached to the network.

Remote Access Overview

Windows 2000 remote access provides two different types of remote access connectivity:
• Dial-up remote access: a remote access client uses the telecommunications infrastructure to create a temporary physical circuit or a virtual circuit to a port on a remote access server.
• Virtual private network (VPN) remote access: a VPN client uses an IP internetwork to create a virtual point-to-point connection with a remote access server acting as the VPN server.

VPN Introduction

• A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this by allowing the user to tunnel through the Internet or another public network in a manner that provides the same security and features formerly available only in private networks.

Elements of a VPN Connection

• VPN server
• VPN client
• Tunnel
• VPN connection
• Tunneling protocols
• Tunneled data
• Transit internetwork

VPN Connections

Creating the VPN is very similar to establishing a point-to-point connection using dial-up networking and demand-dial routing procedures. There are two types of VPN connections:
• Remote Access VPN Connection
• Router-to-Router VPN Connection

Common Uses of VPNs

• Remote User Access Over the Internet
• Connecting Networks Over the Internet
  - Using dedicated lines to connect a branch office to a corporate LAN
  - Using a dial-up line to connect a branch office to a corporate LAN
• Remote Access over an Intranet
• Connecting Networks over an Intranet

Basic VPN Requirements

• User Authentication
• Address Management
• Data Encryption
• Key Management
• Multiprotocol Support

Tunneling Basics

Tunneling is a method of using an internetwork infrastructure to transfer data for one network over another network.

Tunneling technologies have been in existence for some time. Some examples of mature technologies include:
• SNA tunneling over IP internetworks
• IPX tunneling for Novell NetWare over IP internetworks
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• IP Security (IPSec) Tunnel Mode

Tunneling Protocols

Tunneling protocols and the basic tunneling requirements:
• User authentication
• Token card support
• Dynamic address assignment
• Data compression
• Data encryption
• Key management
• Multiprotocol support

Tunneling Protocols: Point-to-Point Protocol (PPP)

• Phase 1: PPP Link Establishment
• Phase 2: User Authentication
  - Password Authentication Protocol (PAP)
  - Challenge-Handshake Authentication Protocol (CHAP)
  - Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
• Phase 3: PPP Callback Control
• Phase 4: Invoking Network Layer Protocol(s)
• Data-Transfer Phase
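The difference between the Phase 2 authentication protocols is what crosses the link. This added example (not part of the slides) simulates a PAP Authenticate-Request beside a CHAP round as defined in RFC 1994 (Response = MD5(Identifier || secret || Challenge)); the username and secret are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the slides).
USERNAME = b"alice"
SECRET = b"correct-horse-battery"

def pap_authenticate_request(username: bytes, password: bytes) -> bytes:
    """PAP (RFC 1334): the Authenticate-Request carries the password itself."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, challenge: bytes, response: bytes,
                secret: bytes) -> bool:
    """Authenticator side: recompute the digest from its own copy of the
    secret and compare in constant time; the secret never crosses the link."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge),
                               response)

def chap_exchange(secret: bytes, identifier: int = 1, challenge: bytes = b""):
    """One CHAP round. Returns (accepted, all bytes that crossed the link)."""
    challenge = challenge or os.urandom(16)       # fresh, unpredictable per round
    on_link = bytes([identifier]) + challenge     # Challenge packet
    response = chap_response(identifier, secret, challenge)
    on_link += bytes([identifier]) + response     # Response packet
    return chap_verify(identifier, challenge, response, secret), on_link

def secret_exposed_on_link(link_bytes: bytes, secret: bytes) -> bool:
    """Does the secret appear verbatim in the captured link traffic?"""
    return secret in link_bytes

def replayed_response_accepted(secret: bytes) -> bool:
    """A Response captured in an earlier round is presented against a new
    Challenge; the digest no longer matches, so the authenticator rejects it."""
    captured = chap_response(1, secret, os.urandom(16))
    return chap_verify(2, os.urandom(16), captured, secret)

if __name__ == "__main__":
    pap = pap_authenticate_request(USERNAME, SECRET)
    accepted, wire = chap_exchange(SECRET)
    print("PAP exposes secret on link:", secret_exposed_on_link(pap, SECRET))
    print("CHAP accepted:", accepted,
          "| secret on link:", secret_exposed_on_link(wire, SECRET))
    print("Replayed CHAP response accepted:", replayed_response_accepted(SECRET))
```

The trade-off is that the CHAP authenticator must hold the secret in a form it can recompute from, which is why MS-CHAP derives its response from the stored NT password hash rather than the cleartext password.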

Tunneling Protocols

• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Forwarding (L2F)
• Layer 2 Tunneling Protocol (L2TP)

Active Directory

A core feature of distributed systems in Microsoft Windows 2000.

Logical Structure in Active Directory

• Active Directory is the directory service used to store information about network objects; it implements services that make that information available within its domain and usable by users, computers and applications.
• It is based on the Lightweight Directory Access Protocol (LDAP). LDAP is implemented for several UNIX operating systems and is derived from the X.500 Directory Access Protocol (DAP).
• The Domain Name System (DNS) hierarchical naming system and Windows 2000 trust relationships provide a consistent, logical structure:
  1. Active Directory stores information about objects in one or more domains.
  2. Trust relationship: a logical relationship established between domains that allows pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain.

Domain Hierarchy in Active Directory

• In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network.
• Two-way hierarchy, not a flat structure as in Windows NT:
  1. Trusts are implicitly transitive.
  2. Multiple domains can be searched in one query, because each domain knows the domain immediately below and above it.
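To make the "implicitly transitive" point concrete, this added example (not from the slides) walks a constructed Windows 2000 domain tree in which each domain only knows its parent and children, and contrasts it with the explicit, non-transitive trusts of Windows NT 4.0. The domain names are constructed sample values.

```python
from collections import deque

# Constructed Windows 2000 domain tree (parent -> child domains), not from the
# slides. Each parent/child pair holds an implicit two-way transitive trust.
DOMAIN_TREE = {
    "corp.example": ["sales.corp.example", "eng.corp.example"],
    "sales.corp.example": ["emea.sales.corp.example"],
    "eng.corp.example": [],
    "emea.sales.corp.example": [],
}

def neighbours(tree: dict) -> dict:
    """Each domain knows only the domain immediately above and below it."""
    adj = {d: set(children) for d, children in tree.items()}
    for parent, children in tree.items():
        for child in children:
            adj.setdefault(child, set()).add(parent)
    return adj

def trust_path(tree: dict, trusting: str, trusted: str):
    """Breadth-first walk along the implicit two-way trusts. Returns the chain
    of domains a pass-through authentication crosses, or None if unreachable."""
    adj = neighbours(tree)
    if trusting not in adj or trusted not in adj:
        return None
    previous = {trusting: None}
    queue = deque([trusting])
    while queue:
        domain = queue.popleft()
        if domain == trusted:
            path = []
            while domain is not None:
                path.append(domain)
                domain = previous[domain]
            return path[::-1]
        for nxt in sorted(adj[domain]):
            if nxt not in previous:
                previous[nxt] = domain
                queue.append(nxt)
    return None

def nt4_trusts(explicit: set, trusting: str, trusted: str) -> bool:
    """Windows NT 4.0 trusts were explicit, one-way and non-transitive: only a
    directly configured pair counts, however many trusts chain in between."""
    return (trusting, trusted) in explicit

if __name__ == "__main__":
    print(trust_path(DOMAIN_TREE, "eng.corp.example", "emea.sales.corp.example"))
    chain = {("eng.corp.example", "corp.example"),
             ("corp.example", "sales.corp.example"),
             ("sales.corp.example", "emea.sales.corp.example")}
    print(nt4_trusts(chain, "eng.corp.example", "emea.sales.corp.example"))
```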

Active Directory and DNS

• DNS is a naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and vice versa.
• Similarities: Windows 2000 uses DNS naming standards for hierarchical naming of Active Directory domains and computers. For this reason, domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy. Both share an identical domain structure.
• Difference: although these domain hierarchies have identical names, they represent separate namespaces. In each namespace, specific rules determine how names can be created and used. DNS stores zones and resource records, and Active Directory stores domains and domain objects. Active Directory stores information about objects in one or more domains.

Domain Controller in Active Directory

• A domain controller is a computer that is running Windows 2000 Server and hosts Active Directory. Each domain controller must have a DNS server installed.
• A domain controller stores directory partitions. Directory partitions (also known as "naming contexts") correspond to the logically distributed segments of Active Directory.
• Earlier versions of Windows NT used multiple domain controllers, only one of which was allowed to update the directory database. This single-master scheme required all changes to be replicated from the primary domain controller to the backup domain controllers.
• In Windows 2000, every domain controller can receive changes, and the changes are replicated to all other domain controllers.

DNS Hostnames and Windows 2000 Computer Names

• In Windows NT 4.0 and earlier, DNS names were not required. A computer was identified primarily by a NetBIOS name, a name that is recognized by WINS (Windows Internet Name Service). WINS maps the name to a static IP address or to an address configured dynamically by the Dynamic Host Configuration Protocol (DHCP).
• In UNIX, the NIS service provides a similar name-resolution service.
• For backward compatibility, a Windows 2000 computer's DNS name has two parts:
  1. DNS hostname: the computer's account name that is stored in Active Directory, which is the NetBIOS computer name.
  2. DNS suffix: the DNS domain name.

Active Directory and Windows 2000 Architecture

• Two processor access modes: kernel and user.
• The security subsystem in user mode is the module in which Active Directory runs. The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the security rules of the security subsystem.
• The tight integration of the directory service and security subsystem services is key to the implementation of the Windows 2000 distributed system. For example, access to any directory object first requires proof of identity (authentication), which is performed by components of the security subsystem, and then validation of access permissions (authorization), which is performed by the security subsystem in conjunction with the security reference monitor. The security reference monitor enforces the access control applied to Active Directory objects.

[Diagram slide: Active Directory within the Windows 2000 OS]

Directory Service Architecture

• Active Directory functionality can be described as a layered architecture in which the layers represent the server processes that provide directory services to client applications.
• Active Directory consists of three service layers and several interfaces and protocols.
• The three service layers accommodate the different types of information that are required to locate records in the directory database. Above the service layers in this architecture are the protocols and APIs (APIs are on the clients only) that enable communication between clients and directory services.

Active Directory Data Model

• The Active Directory data model is derived from the X.500 model of objects and attributes.
• An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application.
• A container is a structural class of object.
• The universe of objects that can be stored in Active Directory is defined in the schema.
• The schema defines the objects and specifies the relationships between classes of objects.

Location of the Schema in Active Directory

• The objects stored in Active Directory are arranged in a logical hierarchy called the Directory Information Tree (DIT).
• Active Directory includes a preconfigured database (commonly referred to as the base DIT) that contains the information that is required to install and run Windows 2000 and Active Directory.
• The Directory Information Tree is divided into directory partitions. A directory partition is a tree of directory objects that forms a unit of replication in Active Directory.
• All changes made to Active Directory are validated first against the schema.

Active Directory Replication

• Replication is the process by which the changes that are made on one domain controller are synchronized with all other domain controllers in the domain or forest that store copies of the same information.
• Data integrity is maintained by tracking changes on each domain controller and updating other domain controllers in a systematic way.
• Replication topology is the set of connections by which domain controllers in a forest synchronize the directory partition replicas that they have in common.
• The Knowledge Consistency Checker (KCC) is a built-in process that runs on all domain controllers and creates the replication topology for the forest. By default, the KCC runs at 15-minute intervals and designates the replication routes between domain controllers on the basis of the most favorable connections that are available at the time.
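This added example (not Microsoft's code) is a deliberately simplified model of the multi-master replication the slides describe: every domain controller accepts writes, numbers its own changes with an update sequence number (USN), and each partner pulls only the changes above the last USN it already applied. Conflicts are resolved by attribute version, with the originating DC name as a tie-break, which is an assumption standing in for the timestamp and originating-DSA GUID that real Active Directory uses; the DC names and attribute values are constructed.

```python
class DomainController:
    """Simplified Windows 2000 DC: multi-master writes, USN-tracked changes."""

    def __init__(self, name: str):
        self.name = name
        self.usn = 0               # update sequence number of the last local change
        self.attrs = {}            # attribute -> (value, version, originating DC)
        self.log = []              # (local_usn, attribute, value, version, origin)
        self.high_watermark = {}   # partner name -> highest partner USN applied

    def _store(self, attribute, value, version, origin):
        self.usn += 1
        self.attrs[attribute] = (value, version, origin)
        self.log.append((self.usn, attribute, value, version, origin))

    def write(self, attribute: str, value: str):
        """Originating write: any DC accepts it and bumps the attribute's version."""
        version = self.attrs.get(attribute, (None, 0, None))[1] + 1
        self._store(attribute, value, version, self.name)

    def changes_since(self, usn: int):
        return [change for change in self.log if change[0] > usn]

    def pull_from(self, partner: "DomainController") -> int:
        """Inbound replication: request only changes above our watermark for this
        partner. A higher version wins; an equal version is tie-broken on the
        origin name (assumption; real AD uses timestamp and DSA GUID)."""
        applied = 0
        for usn, attribute, value, version, origin in partner.changes_since(
                self.high_watermark.get(partner.name, 0)):
            _, cur_version, cur_origin = self.attrs.get(attribute, (None, 0, ""))
            if (version, origin) > (cur_version, cur_origin):
                self._store(attribute, value, version, origin)   # re-logged so it forwards
                applied += 1
            self.high_watermark[partner.name] = usn
        return applied

def converge(dcs, rounds: int = 3) -> bool:
    """Each DC pulls from its ring neighbour, as a KCC-built ring topology would.
    Returns True when every replica holds identical attribute data."""
    for _ in range(rounds):
        for i, dc in enumerate(dcs):
            dc.pull_from(dcs[i - 1])
    return all(dc.attrs == dcs[0].attrs for dc in dcs)

if __name__ == "__main__":
    dc1, dc2, dc3 = (DomainController(n) for n in ("dc1", "dc2", "dc3"))
    dc2.write("alice.phone", "111")            # originates on dc2, not a PDC
    print("converged:", converge([dc1, dc2, dc3]), dc3.attrs["alice.phone"])
    dc1.write("alice.phone", "222"); dc3.write("alice.phone", "333")  # conflict
    print("converged:", converge([dc1, dc2, dc3]), dc1.attrs["alice.phone"])
```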