Sunday, April 4, 2010

Lesson 5

Configuring Routing and Remote Access (RRAS) and Wireless Networking
Routing is the process of transferring data across an internetwork from one LAN to another using TCP/IP, including across the internet between multiple organizations. The Routing and Remote Access service (RRAS) in Windows Server 2008 is a software-based router that can be configured as both a router and a remote access server. A significant advantage of using Windows Server 2008 in this manner is that it is integrated with Windows features such as Group Policy and Active Directory. The Routing and Remote Access console is the principal tool used for configuring and managing this service.

The following are some common routing protocols:

• RIP (Routing Information Protocol) and RIP v2: RIP broadcasts information about available routes on a regular basis, as well as when the network topology changes. RIP v2 increases the security of the exchange and the information provided. Without a dynamic routing protocol such as RIP v2, network administrators must add static routes to reach non-neighboring subnets when those subnets do not lie in the same direction as the default route.

• OSPF (Open Shortest Path First) was designed to address the scalability limitations of RIP. Rather than using broadcasts to advertise routing information, each router maintains a database of routes to all destinations it knows of; when it receives network traffic destined for one of these destinations, it routes the traffic using the shortest path.

Routers read the destination addresses of received packets and route those packets using their routing tables. In Windows Server 2008 the routing table can be viewed using the Routing and Remote Access console or with the route print command.

The following are the five columns displayed in the routing table:
• Network destination, as the name suggests, indicates the destination network.
• Netmask is the subnet mask of the destination network.
• Gateway is the next-hop address to which packets matching the entry are forwarded.
• Interface identifies which local network interface card is used to forward the packet to that gateway.
• Metric is the cost of using this route to transfer the data.
Four types of routes found in a routing table are:
• Directly attached Network routes
• Remote Network routes
• Host routes
• Default route

Demand-dial routing (also known as dial-on-demand routing) is also included within Routing and Remote Access; it is a low-cost solution for low-traffic situations.

Remote Access
Remote access clients connect using either DUN (Dial-Up Networking) or a VPN (Virtual Private Network). DUN uses a POTS line to dial directly into the remote access server; because it is a dedicated physical connection, the traffic is often unencrypted. A VPN creates a secure point-to-point connection across either a private network or a public network (the internet), using TCP/IP tunneling protocols to create a secured VPN connection.

The following are several other options available when configuring Remote Access:
• Remote Access (Dial-Up or VPN)
• Network Address Translation (NAT)
• Virtual Private Network (VPN) Access and NAT
• Secure Connection between two Private Networks
• Custom Configuration
A VPN connection consists of the following components:
• VPN server
• VPN client
• VPN connection (the data is encrypted)
• VPN tunnel (the data is encapsulated)
The two tunneling protocols that provide this service are PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer Two Tunneling Protocol). PPTP supports only 128-bit RC4 encryption, while L2TP supports Advanced Encryption Standard (AES) 256-bit, AES 192-bit, AES 128-bit, and 3DES encryption by default on Windows Server 2008.

Network Address Translation (NAT) enables private networks to connect to the internet. NAT translates internal, private IP addresses to external, public IP addresses and vice versa.
Here’s how it works. The TCP/IP stack on the client computer creates an IP packet with specific values in the IP and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) headers. The client computer then forwards the IP packet to the computer running NAT. The computer running NAT changes the outgoing packet header to indicate that the packet originated from the NAT computer’s external address. However, the computer running NAT does not change the destination. It then sends the remapped packet over the Internet to the Web server. The external Web server receives the packet and sends a reply to the computer running NAT. The computer running NAT receives the packet and checks its mapping information to determine the destination client computer. The computer running NAT changes the packet header to indicate the private address of the destination client and then sends the packet to the client.
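The sequence above, as an added Python simulation that is not part of the original lesson: a small port-based NAT keeps the mapping table, rewrites the source of outgoing packets, restores the private destination on replies, and drops inbound packets that no client requested. The addresses and ports are constructed.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Just the header fields NAT looks at; the payload is irrelevant to the rewrite."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class NatRouter:
    """Port-based NAT (NAPT) of the kind an RRAS computer runs; a constructed model."""

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # mapping table: (proto, private ip, private port) -> public port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # reverse table: (proto, public port) -> (private ip, private port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Client -> internet: rewrite the source to the NAT's external address."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self._ports)  # allocate a public port for this new flow
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        # The destination is left untouched; only the source changes.
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> client: look up the mapping and restore the private address."""
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self.inbound.get((pkt.proto, pkt.dst_port))
        if mapping is None:
            return None  # no client asked for this: unsolicited traffic is dropped
        private_ip, private_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


def web_round_trip(nat: NatRouter, client: Packet) -> Optional[Packet]:
    """Walk the lesson's sequence: client -> NAT -> web server -> NAT -> client."""
    outgoing = nat.translate_outbound(client)
    # The web server simply swaps source and destination when it replies.
    reply = Packet(outgoing.dst_ip, outgoing.dst_port, outgoing.src_ip, outgoing.src_port, outgoing.proto)
    return nat.translate_inbound(reply)


if __name__ == "__main__":
    nat = NatRouter("198.51.100.1")  # constructed public address
    request = Packet("192.168.1.10", 5000, "203.0.113.5", 80)
    print("to internet :", nat.translate_outbound(request))
    print("back to LAN :", web_round_trip(nat, request))
    print("unsolicited :", nat.translate_inbound(Packet("203.0.113.9", 80, "198.51.100.1", 60000)))
```

The mapping table is what makes NAT double as a crude inbound filter: a packet from the internet that matches no outstanding mapping has nowhere to go and is discarded, which is why hosts behind NAT are not reachable until a static mapping is added.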

NPS (Network Policy Server)
The remote access connection must be authorized by a Windows Server 2008 server running the NPS or RRAS role service or by a RADIUS (Remote Authentication Dial-In User Service) server. Use a RADIUS server to centralize remote access authentication, authorization, and logging. When you implement RADIUS, the Windows Server 2008 computers running the Routing and Remote Access service forward access requests to the RADIUS server. The RADIUS server then queries the domain controller for authentication and applies remote access policies to the connection requests.

Keep in mind the AAA:
• Authentication proves the user is who they claim to be.
• Authorization controls what resources an authenticated user can or cannot access.
• Accounting keeps track of what resources a user has accessed or attempted to access.

An NPS network policy, which is a rule for evaluating remote connections, consists of three components: conditions, constraints, and settings. Here’s how it works: A user attempts to initiate a remote access connection. The Remote Access server checks the conditions in the first configured NPS Network Policy. If the conditions of this NPS Network Policy do not match, the Remote Access server checks the remaining configured NPS Network Policies, in order, until it finds a match. Once the Remote Access server finds an NPS Network Policy with conditions that match the incoming connection attempt, it checks any constraints that have been configured for the policy. If the connection attempt does not match the configured constraints (time of day, minimum encryption level, and so on), the remote access server denies the connection. If the connection attempt matches both the conditions and the constraints of a particular NPS Network Policy, the remote access server allows or denies the connection based on the Access Permission configured for that policy.
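The policy-processing flow just described, as an added example rather than anything from the lesson or from NPS itself: policies are evaluated in order, the first one whose conditions all match is chosen, a failed constraint denies the attempt, and otherwise the policy's access permission decides. The attribute names echo NPS condition types (Windows-Groups, Tunnel-Type, Day-And-Time-Restrictions) but the policies and requests are constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

Request = Dict[str, Any]          # attributes of one connection attempt
Check = Callable[[Request], bool]


@dataclass
class NetworkPolicy:
    name: str
    conditions: Dict[str, Check]   # must all match for the policy to apply
    constraints: Dict[str, Check]  # must all hold, otherwise the attempt is denied
    grant_access: bool             # the policy's Access Permission
    settings: Dict[str, Any] = field(default_factory=dict)  # applied when allowed


def evaluate(policies: List[NetworkPolicy], request: Request) -> Tuple[str, Optional[str], str]:
    """Return (decision, policy name, reason) following the NPS processing flow."""
    for policy in policies:  # tried in processing order; the first match wins
        if not all(check(request) for check in policy.conditions.values()):
            continue  # conditions do not match, try the next policy
        failed = [name for name, check in policy.constraints.items() if not check(request)]
        if failed:
            return "deny", policy.name, "constraint failed: " + ", ".join(failed)
        decision = "allow" if policy.grant_access else "deny"
        return decision, policy.name, "access permission"
    return "deny", None, "no matching policy"


# Constructed sample policies (not an export from any NPS server).
SAMPLE_POLICIES = [
    NetworkPolicy(
        name="Remote Users VPN",
        conditions={
            "Windows-Groups contains Remote Users": lambda r: "Remote Users" in r["Windows-Groups"],
            "Tunnel-Type is PPTP or L2TP": lambda r: r["Tunnel-Type"] in {"PPTP", "L2TP"},
        },
        constraints={
            "Day-And-Time 08:00-18:00": lambda r: 8 <= r["hour"] < 18,
            "Encryption at least 128-bit": lambda r: r["encryption_bits"] >= 128,
        },
        grant_access=True,
        settings={"Session-Timeout": 3600},
    ),
    NetworkPolicy(
        name="Deny Contractors",
        conditions={"Windows-Groups contains Contractors": lambda r: "Contractors" in r["Windows-Groups"]},
        constraints={},
        grant_access=False,
    ),
]


def sample_request(groups, tunnel="L2TP", hour=10, encryption_bits=256) -> Request:
    """Build a constructed connection attempt with the attributes the policies inspect."""
    return {"Windows-Groups": set(groups), "Tunnel-Type": tunnel,
            "hour": hour, "encryption_bits": encryption_bits}


if __name__ == "__main__":
    for req in (sample_request({"Remote Users"}),
                sample_request({"Remote Users"}, hour=22),
                sample_request({"Contractors"}, tunnel="PPTP", encryption_bits=128),
                sample_request({"Guests"})):
        print(evaluate(SAMPLE_POLICIES, req))
```

Because the first policy whose conditions match is final, a user who is in both Contractors and Remote Users is allowed by "Remote Users VPN" and never reaches "Deny Contractors"; a deny policy that must win has to be placed earlier in the processing order.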

Authentication protocols, listed in order from most secure to least secure:
• EAP-TLS
• MS-CHAP v2
• MS-CHAP v1
• Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Shiva Password Authentication Protocol (SPAP)
• Password Authentication Protocol (PAP)
• Unauthenticated access

Wireless Access

The IEEE 802.1X standard allows for port-level network access control of both wired and wireless connections. A Windows Server 2008 server running the NPS role can also secure 802.1X connectivity for 802.1X-capable network switches and wireless access points. The 802.1X standard provides port-based security using the following components:
• Supplicant: the device that is seeking access to the network.
• Authenticator: the component that requests authentication credentials from the supplicant (commonly the port on the switch or the wireless access point).
• Authentication Server (AS): the server that verifies the supplicant’s authentication credentials and informs the authenticator whether to allow or disallow access to the 802.1X-secured network port.
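An added simulation of the three 802.1X roles (not from the lesson, and simplified: a keyed-hash challenge/response stands in for the real EAP methods carried inside EAPOL and RADIUS). It shows the authenticator relaying the exchange to the authentication server, the same centralized model the NPS section describes for RADIUS, and opening the port or keeping it closed depending on the verdict. The user, secret and port names are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict


class AuthenticationServer:
    """Verifies credentials and returns the verdict (the NPS/RADIUS role)."""

    def __init__(self, users: Dict[str, bytes]):
        self._users = users  # constructed credential store standing in for Active Directory

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        secret = self._users.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Supplicant:
    """The client device asking for network access."""

    def __init__(self, user: str, secret: bytes):
        self.user = user
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Proves knowledge of the secret without putting the secret on the wire.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """The switch port or access point: relays the exchange and gates traffic per port."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_state: Dict[str, str] = {}  # port -> "authorized" / "unauthorized"

    def forward(self, port: str, frame: Dict[str, str]) -> bool:
        """An unauthorized port passes only EAPOL (authentication) frames."""
        if frame["type"] == "EAPOL":
            return True
        return self.port_state.get(port) == "authorized"

    def authenticate(self, port: str, supplicant: Supplicant) -> bool:
        # The authenticator never checks the credential itself; it only relays
        # the challenge and response and acts on the server's answer.
        challenge = self.server.new_challenge()
        response = supplicant.respond(challenge)
        ok = self.server.verify(supplicant.user, challenge, response)
        self.port_state[port] = "authorized" if ok else "unauthorized"
        return ok


if __name__ == "__main__":
    server = AuthenticationServer({"alice": b"constructed-secret"})
    switch = Authenticator(server)
    data = {"type": "DATA"}
    print("before auth, data passes:", switch.forward("Gi0/1", data))
    print("alice authenticated:", switch.authenticate("Gi0/1", Supplicant("alice", b"constructed-secret")))
    print("after auth, data passes:", switch.forward("Gi0/1", data))
    print("wrong secret on Gi0/2:", switch.authenticate("Gi0/2", Supplicant("alice", b"wrong")))
```

The point to take from the port state table is that the decision lives on the authenticator while the credential check lives on the server: the switch or access point holds no passwords, so changing a user's credential or disabling the account on the server side takes effect for every port at once.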
