Module 8: Routing As a Solution for Private Network Connectivity.

description

To share data and resources, geographically distributed private networks require connectivity between multiple locations. These locations can be connected by using dedicated, private connections, or over shared, public networks such as the Internet. Routing, as provided by the Routing and Remote Access feature of Microsoft® Windows® 2000, supports secured communication over private and public networks.

Transcript of Module 8: Routing As a Solution for Private Network Connectivity.

Page 1: Module 8: Routing As a Solution for Private Network Connectivity.

Module 8: Routing As a Solution for Private Network Connectivity

Page 2: Module 8: Routing As a Solution for Private Network Connectivity.

Overview

Introducing Routing

Designing a Functional Routing Solution

Discussion: Designing Routing Solutions

Securing Private Network Connections

Enhancing a Routing Design for Availability and Performance

Discussion: Enhancing Routing Solutions

Page 3: Module 8: Routing As a Solution for Private Network Connectivity.

To share data and resources, geographically distributed private networks require connectivity between multiple locations. These locations can be connected by using dedicated, private connections, or over shared, public networks such as the Internet.

Routing, as provided by the Routing and Remote Access feature of Microsoft® Windows® 2000, supports secured communication over private and public networks.

Page 4: Module 8: Routing As a Solution for Private Network Connectivity.

At the end of this module, you will be able to:

Recognize routing as a solution for connectivity between private networks.

Evaluate and create a functional routing design.

Select appropriate strategies to secure a private network connection.

Select appropriate strategies to enhance the availability and performance of a routing solution.

Page 5: Module 8: Routing As a Solution for Private Network Connectivity.

Introducing Routing

Design Decisions for a Routing Solution

Routing and Remote Access Features

Integration Benefits

Page 6: Module 8: Routing As a Solution for Private Network Connectivity.

Routing is provided by the Routing and Remote Access feature of Windows 2000. Routing and Remote Access supports multiple protocols and connects private networks while protecting the private network resources. Routing and Remote Access addresses the essential requirements of any solution for connectivity between private networks.

Page 7: Module 8: Routing As a Solution for Private Network Connectivity.

To design a routing solution based on Routing and Remote Access, you must:

Identify the design decisions that influence a routing solution.

Identify how the features provided by Routing and Remote Access support the design requirements for connectivity between private locations.

Identify the benefits of integrating Routing and Remote Access with other networking services.

Page 8: Module 8: Routing As a Solution for Private Network Connectivity.

Design Decisions for a Routing Solution

Number of Locations?

Number of Hosts at Each Location?

Routing Protocols Supported?

Secured Connectivity Between Private Networks?

Figure labels: Internet; Web Server; Demand-Dial; Screened Subnet; Screened Subnet; Central Office; Branch Office; Branch Office; Router; Router; Router.

Page 9: Module 8: Routing As a Solution for Private Network Connectivity.

Routing designs that connect private networks are based on a number of design decisions like the number of locations to be connected, the number of hosts at each location, the routing protocols supported, and the security requirements. Routing is an appropriate solution if the private network:

Is spread across multiple geographic locations.

Includes any number of users.

Supports industry standard routing protocols, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), or Internet Group Management Protocol (IGMP).

Connects networks requiring router authentication and data encryption.

Page 10: Module 8: Routing As a Solution for Private Network Connectivity.

Routing and Remote Access Features

Isolating and Securing the Private Network

Integrating with Existing Network Designs

Restricting Internet and Private Network Traffic

Supporting Multiple Protocols

Page 11: Module 8: Routing As a Solution for Private Network Connectivity.

When designing a routing solution, you need to identify the features of Routing and Remote Access that fulfill the design requirements. Typically, these features enhance the security, availability, or performance of your routing solution.

Page 12: Module 8: Routing As a Solution for Private Network Connectivity.

Isolating and Securing the Private Network

Routing and Remote Access enhances the security of a network design by:

Isolating the private network from the Internet.

Acting as an intermediary in the exchange of traffic between the Internet and the private network.

Providing data encryption if the data transferred between locations is confidential.

Supporting mutual authentication of routers to prevent an unauthorized router from receiving confidential data.

Page 13: Module 8: Routing As a Solution for Private Network Connectivity.

Integrating with Existing Network Designs

After integrating with the existing network designs, Routing and Remote Access supports:

Internet Protocol (IP) and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) routing protocols, thereby allowing the Routing and Remote Access-based routers to exchange routing table information with the existing routers.

IP and IPX/SPX transport protocols on private networks, thereby allowing IP and IPX/SPX-based clients to access the private network through the remote access server.

Various interface types, such as dial-up modems, Integrated Services Digital Network (ISDN), asymmetric digital subscriber line (ADSL), T1, T3, or Synchronous Optical Network (SONET).

Page 14: Module 8: Routing As a Solution for Private Network Connectivity.

Restricting Internet and Private Network Traffic

Routing and Remote Access allows you to restrict the traffic between private network segments, the Internet, and other private network locations. Restricting the traffic enables you to limit user access between private network segments, and limit Internet user access to private network segments.

Page 15: Module 8: Routing As a Solution for Private Network Connectivity.

Routing and Remote Access supports various transport and routing protocols. The following table lists the transport protocols supported by Routing and Remote Access, and the reason to include the protocols in your network design.

Select | For connectivity to private networks that support

Transmission Control Protocol/Internet Protocol (TCP/IP) | A variety of operating systems (such as UNIX and Macintosh) and the Internet.

IPX/SPX | NetWare-based clients and servers.

AppleTalk | Macintosh-based clients and servers.

Page 16: Module 8: Routing As a Solution for Private Network Connectivity.

The following table lists the routing protocols supported by Routing and Remote Access, and the reason to include the protocols in your network design.

Select | To automatically update routing table information by using the

RIP for IP | RIP routing protocol on IP routed networks.

OSPF | OSPF routing protocol on IP routed networks.

IGMP | IGMP routing on IP routed networks.

RIP for IPX | RIP routing protocol on IPX routed networks.

SAP | Service Advertising Protocol (SAP) on IPX-routed networks.

Page 17: Module 8: Routing As a Solution for Private Network Connectivity.

Integration Benefits

Figure labels: Authentication and IPSec Tunnels; Machine Certificates and User Account Authentication; Demand-Dial Connections, IP Filters, and VPN Tunnels; Routing and Remote Access–based Router; Active Directory; IPSec; Routing and Remote Access.

Page 18: Module 8: Routing As a Solution for Private Network Connectivity.

The router integrates with other networking services to take advantage of their features. These features require you to include additional specifications in the design, such as virtual private network (VPN) tunnels that are used for authentication and data encryption.

Page 19: Module 8: Routing As a Solution for Private Network Connectivity.

The following table describes the benefits of integrating the router with other networking services.

The router integrates with | To

Internet Protocol Security (IPSec) | Provide router authentication and encryption of data transmitted between routers when specified.

Routing and Remote Access | Provide support for nonpersistent connections by using specified demand-dial connections. Reduce undesired traffic by using specified IP Filters. Provide router authentication and encryption of data transmitted between routers.

Active Directory™ directory service | Provide Kerberos version 5 protocol and user account support so that router authentication occurs when specified.

Page 20: Module 8: Routing As a Solution for Private Network Connectivity.

Designing a Functional Routing Solution

Placing Routers Within a Network

Integrating the Router into the Existing Network

Including Static Routing

Including the RIP-for-IP Routing Protocol

Including the OSPF Routing Protocol

Including the IGMP Routing Protocol

Including the DHCP Relay Agent

Page 21: Module 8: Routing As a Solution for Private Network Connectivity.

There are a few essential decisions that you need to make for a routing solution to derive the specifications for the routing design. After you establish these essential decisions, you can optimize the routing solution by adding security, availability, and performance enhancements to your design.

Page 22: Module 8: Routing As a Solution for Private Network Connectivity.

The essential decisions for your routing design include:

Where to place the router within a network so that network traffic is localized without compromising on security.

What IP address, persistence, data rate, and security router interface characteristics affect the integration of the router into the existing network.

When to include static routing, and the static routing options that would affect the routing design.

When to include the RIP-for-IP routing protocol, and the RIP-for-IP routing protocol options that affect the routing design.

When to include the OSPF routing protocol, and the OSPF routing protocol options that affect the routing design.

When to include the IGMP routing protocol, and the IGMP routing protocol options that affect the routing design.

When to include the forwarding of Dynamic Host Configuration Protocol (DHCP) packets through the router, and the DHCP Relay Agent options that affect the routing design.

Page 23: Module 8: Routing As a Solution for Private Network Connectivity.

Placing Routers Within a Network

Placing Routers Within the Private Network

Placing Routers at the Edge of the Private Network

Figure labels: Internet; Web Server; Demand-Dial; Screened Subnet; Screened Subnet; Central Office; Branch Office; Branch Office; Router; Router; Router.

Page 24: Module 8: Routing As a Solution for Private Network Connectivity.

You need to place routers between the network segments so that network traffic is localized and security maintained. The routing provided by Windows 2000 is appropriate for providing routing between private network segments or between the private network and public networks.

Page 25: Module 8: Routing As a Solution for Private Network Connectivity.

Placing Routers Within the Private Network

You need to place routers within the private network so that:

The network traffic is isolated to the source, destination, and intermediary network segments.

Screened subnets are created within the private network, thereby protecting confidential data.

Network packets can be exchanged between dissimilar network segments, such as between an Ethernet network segment and an asynchronous transfer mode (ATM) network segment.

Page 26: Module 8: Routing As a Solution for Private Network Connectivity.

Placing Routers at the Edge of the Private Network

You need to place routers at the edge of the private network so that:

Remote locations within an organization can exchange network packets by using a public network.

The private network is isolated from the public network, thereby protecting confidential data.

Network packets can be exchanged between the private network segments and public network segments, such as between an Ethernet private network segment and an ISDN public network segment.

Page 27: Module 8: Routing As a Solution for Private Network Connectivity.

Integrating the Router into the Existing Network

Interface Address and Subnet Mask

Interface Data Rate and the Persistence

Interface Security

Figure labels: Internet; Web Server; Demand-Dial; Screened Subnet; Screened Subnet; Central Office; Branch Office; Branch Office; Router; Router; Router.

Page 28: Module 8: Routing As a Solution for Private Network Connectivity.

Depending on the size of the network, your network design can include a number of routers. Each router in the network design must have at least one interface, although most routers have more than one. For each router interface, you must describe the interface characteristics so that the router can be integrated into the existing network.

Page 29: Module 8: Routing As a Solution for Private Network Connectivity.

Selecting the Interface Address and Subnet Mask

When selecting the router interface address and subnet mask, remember that:

Each router interface requires an IP address and subnet mask.

The IP address assigned to the router interface must be within the range of addresses that are assigned to the network segment that is directly connected to the interface.

The subnet mask assigned to the router interface must match the subnet mask that is assigned to the network segment that is directly connected to the interface.
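The two addressing rules above are easy to get wrong by hand when a design has many interfaces. The following added example (not part of the original module) applies them to a constructed set of router interfaces using Python's standard ipaddress module; the interface names, addresses and segments are sample values, except the 172.168.3.x range, which is taken from the module's routing-table figure.

```python
"""Check Routing and Remote Access router interface addressing.

Added example, not part of the original module. It applies the two rules
from the slide to constructed sample interfaces: the interface address must
lie inside the directly connected segment, and the interface subnet mask
must equal that segment's mask.
"""
import ipaddress


def check_interface(address, mask, segment):
    """Return a list of problem codes for one router interface.

    address  - interface IP, e.g. "192.168.0.1"
    mask     - interface subnet mask in dotted form, e.g. "255.255.255.0"
    segment  - the directly connected segment in CIDR form, e.g. "192.168.0.0/24"
    An empty list means the interface is consistent with its segment.
    """
    problems = []
    seg = ipaddress.ip_network(segment)
    iface = ipaddress.ip_interface(f"{address}/{mask}")

    # Rule 1: the address must be a usable host address on the connected
    # segment (strictly between the network and broadcast addresses).
    if not (seg.network_address < iface.ip < seg.broadcast_address):
        problems.append("address-out-of-range")

    # Rule 2: the interface mask must match the segment's mask, otherwise
    # the router and the hosts disagree about which addresses are local.
    if iface.network.netmask != seg.netmask:
        problems.append("mask-mismatch")

    return problems


# Constructed sample design: one router with three interfaces.
SAMPLE_INTERFACES = {
    "CentralOffice-LAN": ("192.168.0.1", "255.255.255.0", "192.168.0.0/24"),
    "BranchOffice-Link": ("10.1.0.1", "255.255.0.0", "10.0.0.0/16"),   # wrong range
    "ScreenedSubnet": ("172.168.3.1", "255.255.255.128", "172.168.3.0/24"),  # wrong mask
}


def audit(interfaces=SAMPLE_INTERFACES):
    """Run check_interface over every interface; return {name: problems}."""
    return {name: check_interface(*spec) for name, spec in interfaces.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

Running the audit reports the branch-office link as out of range (10.1.0.1 is not inside 10.0.0.0/16) and the screened-subnet interface as a mask mismatch (/25 against a /24 segment), while the central-office LAN interface passes both rules.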

Page 30: Module 8: Routing As a Solution for Private Network Connectivity.

Selecting the Interface Data Rate and the Persistence

Each router interface connects to a private or public network segment. These network segments can be persistent or non-persistent. In addition, the data rates for these network segments can vary considerably. You need to specify the data rate and persistence for router interfaces so that the router can connect to private and public network segments.

Page 31: Module 8: Routing As a Solution for Private Network Connectivity.

Interfaces that connect to private network segments

Private network segments are based on local area network (LAN) technologies that are persistent interface connections. The data rate of the private network segment is determined by the LAN technology, such as 100 megabits per second (Mbps) data transfer rate for 100 Mbps Ethernet.

Page 32: Module 8: Routing As a Solution for Private Network Connectivity.

Interfaces that connect to public network segments

Public network segments are based on LAN and demand-dial technologies that can be persistent or nonpersistent. Public network segments that appear to the router as LAN interfaces are persistent, and the data rate is determined by the LAN technology.

Public network segments that appear as demand-dial interfaces are nonpersistent, and the data rate is determined by the underlying technology. An example of this would be a 56 Kbps dial-up modem connection that supports a maximum data rate of 56 Kbps.

Page 33: Module 8: Routing As a Solution for Private Network Connectivity.

Interfaces that connect to public network segments ...

There are situations in which you will include demand-dial interfaces in your routing solutions when the public network segments are based on LAN technologies. For example, you can include a demand-dial VPN connection over a DSL connection. Include a demand-dial interface in your design if:

An exchange of credentials is required to perform authentication, such as VPN tunnel authentication.

Charges, such as ISDN connection charges, are accumulated if the public network segment is active.

Page 34: Module 8: Routing As a Solution for Private Network Connectivity.

Interfaces that connect to public network segments ...

For example, to connect to another location across the Internet, one solution is to specify a VPN tunnel over a DSL network segment. In this example, you need to include the following interfaces in your design:

A LAN interface that supports the persistent DSL network segment.

A demand-dial interface to perform the authentication required by the VPN tunnel.

Page 35: Module 8: Routing As a Solution for Private Network Connectivity.

Selecting the Interface Security

Within a private network or over public network segments, you can protect confidential data by authenticating routers and encrypting the confidential data transferred between routers.

Page 36: Module 8: Routing As a Solution for Private Network Connectivity.

Selecting the Interface Security …

When selecting the router interface security, remember that:

Each router interface can support a different level of security.

The level of authentication and encryption assigned to the router interface should adhere to the authentication and encryption assigned to the network segment that is directly connected to the interface.

Some private network segments may require encryption within the private network to further protect confidential data.

Government regulations may restrict the data encryption standards that you may include in your design.

Note: As a best practice, you should authenticate all routers that communicate over public networks, and encrypt all data transmitted between these routers.

Page 37: Module 8: Routing As a Solution for Private Network Connectivity.

Including Static Routing

Default Route Entry

Auto-Static Route Entries

Routing Table (as shown in the figure):

0.0.0.0 1 0.0.0.0

10.0.0.0 1 172.168.3.1

192.168.0.0 1 172.168.3.1

Figure labels: Internet; Web Server; Demand-Dial; Screened Subnet; Screened Subnet; Central Office; Branch Office; Branch Office; Router; Router; Router.

Page 38: Module 8: Routing As a Solution for Private Network Connectivity.

You need to include static routing in the Routing and Remote Access design so that routers can forward packets to their respective destinations. Static route entries are manually added to the routing table. You can include static and dynamic routing in the same design so that you can control the amount of routing information transmitted between routers.

Page 39: Module 8: Routing As a Solution for Private Network Connectivity.

Include static routing in your design:

To reduce the network traffic generated by dynamic routing protocols.

To secure the network by preventing the transmission of routing table information.

If the time spent in manually updating the routing tables is acceptable.

If there is little or no change to the routing table information.

To add a default route to the demand-dial interface if your network design includes a demand-dial interface.

After you decide to include static routing, you need to specify default route entry, auto-static route entry, or both as the entries in your design.

Page 40: Module 8: Routing As a Solution for Private Network Connectivity.

Default Route Entry

You can specify a default route entry for remote locations that connect to the private network by using demand-dial connections. A default route entry specifies that all IP packets with destinations outside the private network be forwarded through the demand-dial connection.

The advantage of a default route entry is that a single static route entry needs to be added only once, thereby reducing the manual modification to the routing table. The disadvantage of a default route entry is that any traffic, including traffic for unreachable destinations (not on the remote network) is forwarded through the demand-dial connection.

Page 41: Module 8: Routing As a Solution for Private Network Connectivity.

Auto-Static Route Entries

Auto-static route entries are a hybrid of static route entries and RIP-for-IP dynamic routing table entries. Auto-static routes are static routes that are automatically added, at scheduled intervals, to the routing table by using the RIP-for-IP routing protocol across a demand-dial connection. You can specify auto-static route entries for remote locations that connect to the private network by using demand-dial connections.

Page 42: Module 8: Routing As a Solution for Private Network Connectivity.

For a better understanding of auto-static route entries, consider a design that specifies that auto-static route entries be updated once every day at 12:00 midnight. The following sequence illustrates the use of auto-static route entries:

1. The router initiates the demand-dial connection to other locations at 12:00 midnight.

2. The router deletes any existing auto-static route entries that match the updates received by using RIP-for-IP.

3. The router adds auto-static route entries for the updates received by using RIP-for-IP.

4. The router initiates the demand-dial connection throughout the day for any IP traffic destined for other locations. The routing table information is not updated throughout the day.

5. The cycle continues again at 12:00 midnight the following day.

Page 43: Module 8: Routing As a Solution for Private Network Connectivity.

The advantage of auto-static routes is that unreachable destinations do not cause the router to initiate the demand-dial connection. The disadvantage of auto-static routes is that the auto-static route entries must be periodically updated to reflect the subnets that are at other private network locations.

For example, if a new subnet is added to another location and the local private network has not performed an auto-static update, all destinations on the new subnet are unreachable.

Note: Auto-static route entries are supported for RIP-for-IP, RIP-for-IPX, and SAP-for-IPX, but not OSPF.
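The trade-off between a default route entry and auto-static route entries, as an added example that is not part of the original module: a small routing table with longest-prefix matching, a model of the scheduled auto-static update, and a check of which destinations would bring up the demand-dial link. The subnets, addresses and interface names are constructed sample values, and the update routine is a simplified model of the five-step sequence above, not Routing and Remote Access code.

```python
"""Default route vs. auto-static routes over a demand-dial connection.

Added example, not part of the original module. A small routing table with
longest-prefix matching shows why a default route entry dials for any
destination (including unreachable ones) while auto-static entries only
dial for subnets learned in the last scheduled RIP-for-IP update.
"""
import ipaddress

DEMAND_DIAL = "Demand-Dial"   # interface names used by the constructed design
LAN = "LAN"


class RoutingTable:
    def __init__(self):
        self.routes = []          # list of (network, interface, origin)

    def add(self, network, interface, origin):
        self.routes.append((ipaddress.ip_network(network), interface, origin))

    def lookup(self, address):
        """Longest-prefix match; returns the outgoing interface or None."""
        ip = ipaddress.ip_address(address)
        matches = [r for r in self.routes if ip in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def auto_static_update(self, interface, learned_networks):
        """Model of the scheduled update (steps 1-3 in the module).

        Simplification: every auto-static entry previously learned over
        this interface is removed, then the freshly received RIP-for-IP
        updates are written back as auto-static entries.
        """
        self.routes = [r for r in self.routes
                       if not (r[1] == interface and r[2] == "auto-static")]
        for network in learned_networks:
            self.add(network, interface, "auto-static")

    def would_dial(self, address):
        """True if forwarding to this address initiates the demand-dial link."""
        return self.lookup(address) == DEMAND_DIAL


def default_route_design():
    """Branch office router with a single default route entry."""
    table = RoutingTable()
    table.add("192.168.0.0/24", LAN, "connected")
    table.add("0.0.0.0/0", DEMAND_DIAL, "default")
    return table


def auto_static_design(remote_subnets=("10.0.0.0/24", "10.0.1.0/24")):
    """Same router, but routes to the other location are learned at midnight."""
    table = RoutingTable()
    table.add("192.168.0.0/24", LAN, "connected")
    table.auto_static_update(DEMAND_DIAL, remote_subnets)   # the 12:00 update
    return table


if __name__ == "__main__":
    d = default_route_design()
    a = auto_static_design()
    for dest in ("10.0.0.5", "10.9.9.9", "192.168.0.7"):
        print(dest, "default-route dials:", d.would_dial(dest),
              "auto-static dials:", a.would_dial(dest))
```

With the default route, 10.9.9.9 (a destination no location owns) still brings the link up; with auto-static entries it is dropped without dialing. The cost is visible too: a subnet added at the other location, say 10.0.2.0/24, stays unreachable until the next scheduled update writes it into the table.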

Page 44: Module 8: Routing As a Solution for Private Network Connectivity.

Including the RIP-for-IP Routing Protocol

RIP Version Support

RIP Version 2 Options

Figure labels: Password: xYZzY-02, Multicast: Enabled (shown on two routers); Web Server; Demand-Dial; Screened Subnet; Screened Subnet; Central Office; Branch Office; Branch Office; = Multicast Traffic; Internet; Router; Router; Router.

Page 45: Module 8: Routing As a Solution for Private Network Connectivity.

You can include RIP-for-IP in the design so that routers can automatically update the routing table information. Routing and Remote Access supports RIP versions 1 and 2.

Page 46: Module 8: Routing As a Solution for Private Network Connectivity.

Include RIP in your routing design:

To automatically update routing table information.

If the time spent in manually updating the routing tables is unacceptable.

If there is constant change to the routing table information.

If existing routers use RIP.

If the design includes a demand-dial interface so that you can use RIP to create auto-static route entries.

If the maximum number of routers that any IP packet must cross is less than 14.

Note: Routing and Remote Access considers all non-RIP learned routes, such as static route entries, to be at a fixed hop count of two instead of one. As a result, the normal maximum number of hops that any IP packet can cross is reduced from 15 to 14.

Page 47: Module 8: Routing As a Solution for Private Network Connectivity.

Selecting the RIP Version Support

You can specify the RIP versions to include in the design based on the RIP version that the existing network supports. You can specify RIP version 2 support in your design by default, because RIP version 2 is a superset of RIP version 1. RIP version 2 is required if your design includes:

Classless Inter-Domain Routing (CIDR).

Variable length subnet masks.

Routing table updates by using multicast traffic.

Simple password authentication between routers.

Page 48: Module 8: Routing As a Solution for Private Network Connectivity.

Selecting the RIP Version 2 Options

If you want to include routing table updates by using multicast traffic or simple password authentication between routers, you must specify the RIP version 2 options that need to be included in the design.

Page 49: Module 8: Routing As a Solution for Private Network Connectivity.

The following table lists the RIP version 2 options and why you would include either specific option in your design.

Select this option | If you want to

Routing table updates by using multicast | Reduce network traffic received by all computers on the network.

Password authentication | Prevent unauthorized routers from receiving routing table updates.

Note: The RIP version 2 password authentication is used in addition to any authentication credentials exchanged during the initiation of a demand-dial connection.
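How the RIP version 2 password option keeps an unauthorized router's updates out of the routing table, and how the hop-count note above plays out, as an added example that is not part of the original module. It builds a RIP v2 response in the RFC 2453 wire format, with the authentication entry (address family 0xFFFF, authentication type 2) carrying the 16-byte password in the first route slot, and a receiving side that discards any update whose password does not match. The password "xYZzY-02" is the value shown in the module's figure; the routes, next hop and metrics are constructed sample data.

```python
"""RIP version 2 updates with simple password authentication.

Added example, not part of the original module. Packet layout follows
RFC 2453: a 4-byte header followed by 20-byte entries; when authentication
is used, the first entry holds the password instead of a route.
"""
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION_2 = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2
RIP_INFINITY = 16            # metric 16 means unreachable


def build_response(routes, password=None):
    """routes: iterable of (network_cidr, next_hop, metric). Returns bytes."""
    packet = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION_2, 0)
    if password is not None:
        pw = password.encode("ascii")
        if len(pw) > 16:
            raise ValueError("RIP v2 simple password is at most 16 bytes")
        # The authentication entry occupies the first 20-byte route slot;
        # struct pads the password with zero bytes to 16.
        packet += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, pw)
    for network, next_hop, metric in routes:
        net = ipaddress.ip_network(network)
        packet += struct.pack("!HH4s4s4sI", AFI_IP, 0,
                              net.network_address.packed, net.netmask.packed,
                              ipaddress.ip_address(next_hop).packed, metric)
    return packet


def parse_response(packet, expected_password=None):
    """Return [(network, next_hop, metric)] or None if the update is rejected.

    When expected_password is set, an update without a matching first-entry
    password is discarded, so an unauthorized router cannot feed routes into
    the table. The password travels in clear text on the wire, so this is an
    authorization check for route updates, not confidentiality.
    """
    if len(packet) < 4 or (len(packet) - 4) % 20:
        return None
    command, version, _ = struct.unpack("!BBH", packet[:4])
    if command != RIP_RESPONSE or version != RIP_VERSION_2:
        return None
    entries = [packet[i:i + 20] for i in range(4, len(packet), 20)]
    authenticated = False
    routes = []
    for index, entry in enumerate(entries):
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == AFI_AUTH:
            auth_type, pw = struct.unpack("!H16s", entry[2:])
            if (index == 0 and auth_type == AUTH_SIMPLE_PASSWORD
                    and expected_password is not None
                    and pw.rstrip(b"\x00") == expected_password.encode("ascii")):
                authenticated = True
            continue
        if afi != AFI_IP:
            return None
        _, addr, mask, next_hop, metric = struct.unpack("!H4s4s4sI", entry[2:])
        if not 1 <= metric <= RIP_INFINITY:
            return None
        network = ipaddress.ip_network(
            f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}", strict=False)
        routes.append((str(network), str(ipaddress.ip_address(next_hop)), metric))
    if expected_password is not None and not authenticated:
        return None
    return routes


def reachable_after(rip_routers_crossed, origin_is_rip):
    """Apply the module's note: a route RRAS did not learn through RIP (a
    static entry, for example) starts at hop count 2 rather than 1, and each
    RIP router that re-advertises it adds one. The route stays usable only
    while the metric is below RIP_INFINITY, so one fewer router can be crossed."""
    start = 1 if origin_is_rip else 2
    return start + rip_routers_crossed < RIP_INFINITY


if __name__ == "__main__":
    update = build_response([("10.0.0.0/24", "172.168.3.1", 1),
                             ("192.168.0.0/24", "172.168.3.1", 2)], password="xYZzY-02")
    print(parse_response(update, expected_password="xYZzY-02"))
    print(parse_response(update, expected_password="wrong-pw"))
```

A receiver configured with the password accepts the authenticated update and rejects both an update carrying a different password and one carrying none at all; a receiver with no password configured accepts either, which is why the option has to be set consistently on every router on the segment.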

Page 50: Module 8: Routing As a Solution for Private Network Connectivity.

Including the OSPF Routing Protocol

Figure labels: Autonomous System; Area A, Network 1; Area C, Network 4; Area B, Networks 2 and 3; Internet.

OSPF Autonomous System Design

OSPF Area Design

OSPF Network Design

Page 51: Module 8: Routing As a Solution for Private Network Connectivity.

You include the OSPF routing protocol in a network design so that routers can automatically update routing information for unicast packets. Unlike RIP-for-IP routers, OSPF routers maintain a map of the network in the link state database. Updates to the network are reflected in the link state database and are synchronized between routers.

Page 52: Module 8: Routing As a Solution for Private Network Connectivity.

Include OSPF in your routing design if:

There is constant change to the routing information.

Existing routers use OSPF.

The design includes redundant paths between two subnets.

The number of subnets in the design is over 50.

Page 53: Module 8: Routing As a Solution for Private Network Connectivity.

You can simplify the creation of an OSPF design by subdividing the design into the following hierarchical levels:

OSPF Autonomous System. All of the OSPF routers in an organization define OSPF Autonomous Systems (AS). By default, only OSPF routes that correspond to directly connected network segments are considered part of the AS.

OSPF Area. A collection of OSPF routers that connect to contiguous network segments. All areas are connected through a common area, called a backbone area, by using area border routers (ABR).

OSPF Network. The individual network segments that are connected with one or more OSPF routers.

Page 54: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying the OSPF Autonomous System Design

When designing the OSPF Autonomous Systems level, you can:

Subdivide the OSPF autonomous system into areas that can be summarized.

Subdivide your IP address space into an internetwork/area/subnet/host hierarchy, if possible.

Make the backbone area a single, high-bandwidth network segment.

Create stub areas whenever possible.

A stub area is an area that does not maintain routes to external autonomous systems. Instead, stub areas use a default route, network ID 0.0.0.0, with the subnet mask of 0.0.0.0, to communicate with external networks.

Note: All stub areas have a single entry and exit point to the backbone. External routes cannot be sent into the stub area because the stub's routing information is not forwarded to the external AS.

Avoid virtual links whenever possible.

Virtual links are established if two routers belong to the same area, but are not physically connected to the same backbone. A disconnected area can be logically connected to the area backbone by establishing a virtual link between the disconnected area and the area backbone.

Page 55: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying the OSPF Area Design

When designing the OSPF area level, you can:

Ensure that all areas are assigned TCP/IP network IDs that result in a small number of routes within the area.

Make the area ID the single route that is being advertised, if the area can be summarized with a single route.

Ensure that multiple ABRs for the same area are summarizing the same routes.

Ensure that all inter-area traffic crosses the backbone area.

Keep the number of network segments in an area under 100.
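The address-plan checks behind the autonomous-system and area guidelines above, as an added example that is not part of the original module: given the subnets assigned to each area, it tests whether an area can be advertised into the backbone as a single summary route, finds the smallest supernet that would cover an area otherwise, and checks that no two areas' summaries overlap (a prerequisite for every ABR of an area advertising the same routes). The area names and 10.x.0.0 subnets are constructed and stand in for the Area A / Area B / Area C layout of the module's figure.

```python
"""OSPF area summarization checks.

Added example, not part of the original module. Uses only the standard
ipaddress module; the address plan below is a constructed sample.
"""
import ipaddress
from itertools import combinations


def summary_routes(subnets):
    """Minimal set of routes that exactly covers the area's subnets."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def can_summarize_single(subnets):
    """True if the area can be advertised as one route (the area-design guideline)."""
    return len(summary_routes(subnets)) == 1


def smallest_supernet(subnets):
    """Smallest single prefix containing all subnets.

    Unlike summary_routes this may also cover address space the area does
    not use, which is only acceptable if that space is assigned to nobody
    else; overlapping_areas() catches the case where it is."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def overlapping_areas(areas):
    """areas: {area_name: [subnet, ...]}. Returns sorted pairs of areas whose
    summaries overlap; such a design cannot summarize cleanly at the ABRs."""
    summaries = {name: [ipaddress.ip_network(r) for r in summary_routes(subs)]
                 for name, subs in areas.items()}
    clashes = []
    for a, b in combinations(sorted(summaries), 2):
        if any(x.overlaps(y) for x in summaries[a] for y in summaries[b]):
            clashes.append((a, b))
    return clashes


# Constructed address plan following the internetwork/area/subnet hierarchy.
AREAS = {
    "Area A": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "Area B": ["10.2.0.0/24", "10.2.1.0/24"],
    "Area C": ["10.3.0.0/24", "10.3.4.0/24"],    # gap between the two subnets
}

if __name__ == "__main__":
    for name, subs in AREAS.items():
        print(name, summary_routes(subs), "single:", can_summarize_single(subs),
              "supernet:", smallest_supernet(subs))
    print("overlaps:", overlapping_areas(AREAS))
```

Area A and Area B collapse to 10.1.0.0/22 and 10.2.0.0/23 respectively, so each can be advertised as a single route. Area C cannot: its two subnets are not adjacent, so the ABR either advertises two routes or the /21 supernet, and the supernet is only safe while 10.3.1.0 through 10.3.7.255 belong to no other area.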

Page 56: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying the OSPF Network Design

When designing the OSPF network level, you can:

Assign router priorities so that the least busy routers are the designated router and backup designated router.

Designate link costs to reflect bit rate, delay, or reliability characteristics of the network segment.

Assign a password to all of the routers in the same area.

Page 57: Module 8: Routing As a Solution for Private Network Connectivity.

Including the IGMP Routing Protocol

IGMP Router Mode Interface

IGMP Proxy Mode Interface

Figure labels: Private Network; IGMP Router Mode Interface; IGMP Proxy Mode Interface; IGMP Registrations; Multicast Traffic; Internet; Multicast Mbone Server; Routing and Remote Access-based Router.

Page 58: Module 8: Routing As a Solution for Private Network Connectivity.

Many organizations are including applications and protocols that are based on multicast transmissions. Microsoft NetMeeting® or Windows Media™ viewer are examples of applications that can take advantage of multicast transmissions. RIP-for-IP version 2 is an example of a protocol that can take advantage of multicast transmissions to update routing information.

The IGMP protocol allows multicast clients to register with servers so that the clients can receive multicast traffic from the server. You can add the IGMP protocol to a routing design so that the router can pass IGMP Membership Report packets from a single-router private network to a multicast-capable portion of the Internet. The multicast-capable portion of the Internet is known as the Internet multicast backbone (Mbone).

Page 59: Module 8: Routing As a Solution for Private Network Connectivity.

Multicast clients on the private network use IGMP to register with IP multicast-capable routers so that the computers can receive IP multicast traffic. All Windows 2000-based computers are IP multicast-capable.

Page 60: Module 8: Routing As a Solution for Private Network Connectivity.

Include IGMP in your router design:

To enable multicast forwarding to IGMP clients directly connected to the same subnet as the router.

If existing routers are true multicast-capable routers.

To receive multicast traffic from multicast sources on the Internet and send multicast registrations to the sources on the Internet.

Page 61: Module 8: Routing As a Solution for Private Network Connectivity.

Routing and Remote Access IGMP support is separated into the following modes:

IGMP Router Mode. In this mode, the router appears to be a multicast-capable router to the IGMP client computers on the routed subnet.

IGMP Proxy Mode. In this mode, the router appears to be an IGMP client computer to a true multicast-capable router.

Note: For more information on IGMP and multicast routing, see the Windows 2000 Help files.

Page 62: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying the IGMP Router Mode Interface

In Routing and Remote Access, the IGMP router mode interface listens for IGMP Membership Report packets from multicast clients, and tracks group membership. Specify IGMP router mode on the interfaces connected to the same subnet as the IGMP clients.

Page 63: Module 8: Routing As a Solution for Private Network Connectivity.

IP multicast-capable routers must be able to:

Listen for all multicast traffic on all attached networks.

Listen for IGMP Membership Report packets and update the TCP/IP multicast forwarding table.

Use a multicast routing protocol to propagate multicast group listening information to other multicast-capable routers.

Note: The IGMP routing protocol provided with Routing and Remote Access does not propagate multicast group listening information to other multicast-capable routers, and it is not a full multicast-protocol router.

Page 64: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying the IGMP Proxy Mode Interface

In Routing and Remote Access, the IGMP Proxy mode interface forwards IGMP Membership Report packets to upstream multicast-capable routers. Specify IGMP Proxy mode on the interfaces connected to subnets that are serviced by upstream multicast-capable routers or multicast servers.

Page 65: Module 8: Routing As a Solution for Private Network Connectivity.

When the router receives an IGMP Membership Report packet, the following steps occur:

1. The IGMP Proxy mode interface forwards the packet to upstream multicast-capable routers or to multicast servers.

2. The upstream multicast-capable routers add the registrations to their multicast routing tables.

3. The upstream multicast-capable routers use a multicast routing protocol to propagate multicast group membership to other multicast-capable routers.

Page 66: Module 8: Routing As a Solution for Private Network Connectivity.

Including the DHCP Relay Agent

DHCP Servers and Clients Are on Isolated Subnets

Existing Routers Support DHCP or BOOTP Forwarding

Diagram labels: Internet, DHCP Server, Demand-Dial, Screened Subnet, Central Office, Branch Office, Branch Office, DHCP Clients, Router, Router, Router.

Page 67: Module 8: Routing As a Solution for Private Network Connectivity.

When the private network is divided into multiple routed network segments that are configured by using DHCP, the routers isolate the DHCP servers from DHCP clients. You must include the DHCP Relay Agent in the design so that routers can forward DHCP traffic from DHCP clients to DHCP servers.

Page 68: Module 8: Routing As a Solution for Private Network Connectivity.

Include the DHCP Relay Agent in your router design if:

The network includes DHCP clients and servers that are placed on isolated network segments.

The existing routers support DHCP or Bootstrap Protocol (BOOTP) forwarding.

Note: As a best practice, include the DHCP Relay Agent on routers that connect to only private network segments.

Page 69: Module 8: Routing As a Solution for Private Network Connectivity.

Discussion: Designing Routing Solutions

Map labels: Seattle, Los Angeles, Dallas, Winnipeg, Toronto, Montreal, New York, Washington DC, Atlanta, Kansas City.

Page 70: Module 8: Routing As a Solution for Private Network Connectivity.

As you create routing designs, you need to translate information relating to the solution into design requirements. This discussion involves designing basic routing solutions. During the discussion, note any ideas presented by other students in the class that are relevant to the routing solution.

The following scenario describes the current network configuration of a telemarketing company.

Page 71: Module 8: Routing As a Solution for Private Network Connectivity.

Scenario

A telemarketing research company conducts studies to collect demographics on potential consumers for other organizations' products and services. At each location, a group of market research analysts conducts telephone interviews to determine the purchasing decisions of the target consumer profile.

The market research analysts use a Web-based application for call tracking and recording the consumer responses. The organizations that are funding the study can examine the results over the Internet by using a Web-based application, or by accessing the data directly from a Microsoft SQL Server™ located in the Kansas City location.

Page 72: Module 8: Routing As a Solution for Private Network Connectivity.

Securing Private Network Connections

Restricting Traffic with IP Packet Filters

Protecting Confidential Data with IPSec Tunnels

Protecting Confidential Data with VPN Tunnels

Authenticating Routers

Integrating Routers into Screened Subnets

Page 73: Module 8: Routing As a Solution for Private Network Connectivity.

The security of an IP routing design is measured by the ability of the design to prevent unauthorized access to data transmissions. Routing and Remote Access enhances IP routing security by encrypting data and by the mutual authentication of remote routers.

Page 74: Module 8: Routing As a Solution for Private Network Connectivity.

To secure communication between the Internet and the private network, or between private network locations, you can use Routing and Remote Access. To secure a routing solution, consider:

Restricting unwanted traffic with IP packet filters.

Protecting confidential data with IPSec tunnels.

Protecting confidential data with VPN tunnels.

Authenticating routers to enhance security.

Integrating routers into screened subnets.

Page 75: Module 8: Routing As a Solution for Private Network Connectivity.

Restricting Traffic with IP Packet Filters

Restrict Using Routing and Remote Access Filters

Filter All Traffic Based on IP Address and Protocol

Diagram labels: Private Network, Outbound Filters, Central Office, Internet, Inbound Filters, Web Server, Branch Office, Router, Router, Router.

Page 76: Module 8: Routing As a Solution for Private Network Connectivity.

To ensure a secure network, you must prevent traffic between the private networks and the Internet, or between locations within the private network. You can prevent traffic by specifying unique Routing and Remote Access filters for each router interface.

Page 77: Module 8: Routing As a Solution for Private Network Connectivity.

Restricting Using Routing and Remote Access Filters

Routing and Remote Access filters are layer two filters that affect the IP traffic received by an interface. These filters specify which IP packets are forwarded or rejected by the interface. Routing and Remote Access filters restrict:

Internet access to private network resources, such as servers.

Private network user access to Internet-based resources, such as partner networks or central offices.

Page 78: Module 8: Routing As a Solution for Private Network Connectivity.

Filtering Traffic Based on IP Address and Protocol

You can create filters by specifying the source or destination IP address range and the protocol number of the packets to be filtered. To address any security requirement, you can create a combination of filters by specifying multiple filters for each interface. Your filter design can be based on a single criterion or on any combination of the following:

Source IP address range

Destination IP address range

IP protocol number

Page 79: Module 8: Routing As a Solution for Private Network Connectivity.

Specify whether the interface accepts or rejects packets that match any of the filters assigned to it.

Note: When more than one router forwards an IP packet, the effect of filtering is the cumulative effect of all the filters that the packet passes through.
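As an added example that is not part of the course material, the following Python model shows how a set of Routing and Remote Access style filters on one interface evaluates packets against address ranges and protocol numbers with an accept-matching or reject-matching action, and how the effect accumulates when a packet crosses two filtered interfaces on its path. All addresses, protocol numbers and policies are constructed samples.

```python
"""
Added example, not part of the original course material: a small model of
Routing and Remote Access style IP packet filters. A filter set on one
interface either drops all packets except those matching a filter, or
receives all packets except those matching a filter; on a path through
several filtered interfaces the effect is cumulative. All addresses,
protocol numbers and policies below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: int  # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)


@dataclass(frozen=True)
class Filter:
    """One filter. A criterion left as None is a wildcard; the others must all match."""
    src_net: Optional[str] = None  # source address range, CIDR notation
    dst_net: Optional[str] = None  # destination address range, CIDR notation
    proto: Optional[int] = None    # IP protocol number

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


@dataclass(frozen=True)
class InterfaceFilterSet:
    """Filters assigned to one interface direction (inbound or outbound).

    The action applies to packets that match ANY filter in the set:
      accept_matching=True  -> drop all packets except those that match
      accept_matching=False -> receive all packets except those that match
    """
    name: str
    filters: Tuple[Filter, ...]
    accept_matching: bool

    def permits(self, pkt: Packet) -> bool:
        matched = any(f.matches(pkt) for f in self.filters)
        # Caveat: an accept-matching set with no filters drops everything,
        # and a reject-matching set with no filters passes everything.
        return matched if self.accept_matching else not matched


def first_dropping_hop(pkt: Packet, path: List[InterfaceFilterSet]) -> Optional[str]:
    """Cumulative filtering: return the name of the first filter set on the
    path that drops the packet, or None if every filtered interface forwards it."""
    for hop in path:
        if not hop.permits(pkt):
            return hop.name
    return None


# Constructed sample policy for a branch-office to central-office WAN link.
BRANCH_OUTBOUND = InterfaceFilterSet(
    name="branch-router outbound",
    filters=(Filter(proto=17),),   # constructed policy: no UDP across the WAN link
    accept_matching=False,         # receive all except matching
)
CENTRAL_INBOUND = InterfaceFilterSet(
    name="central-router inbound",
    filters=(Filter(src_net="10.2.0.0/16", dst_net="10.1.0.0/16"),),
    accept_matching=True,          # drop all except matching
)
WAN_PATH = [BRANCH_OUTBOUND, CENTRAL_INBOUND]


if __name__ == "__main__":
    samples = [
        Packet("10.2.0.5", "10.1.0.9", 6),      # TCP branch -> central: forwarded
        Packet("10.2.0.5", "10.1.0.9", 17),     # UDP: dropped at the branch router
        Packet("10.2.0.5", "10.3.0.1", 6),      # TCP to another branch: dropped at central
        Packet("192.168.5.5", "10.1.0.9", 6),   # unexpected source range: dropped at central
    ]
    for p in samples:
        print(p, "->", first_dropping_hop(p, WAN_PATH) or "forwarded")
```

The third sample is the cumulative case the note describes: the branch router forwards the packet, but the central router's inbound filter still rejects it.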

Page 80: Module 8: Routing As a Solution for Private Network Connectivity.

Protecting Confidential Data with IPSec Tunnels

Diagram labels: Central Office, Branch Office, Web Server, Branch Office, Internet, Router, Router, Router.

Page 81: Module 8: Routing As a Solution for Private Network Connectivity.

You can prevent the unauthorized viewing of confidential data transmitted across public networks by encrypting the data with IPSec tunnels. IPSec offers a variety of authentication and data encryption algorithms. The method chosen for authentication and packet encryption varies according to the confidentiality of the information and the limitations imposed by any government standards.

Page 82: Module 8: Routing As a Solution for Private Network Connectivity.

You can specify IPSec in the network design if:

All routers that you want to secure support IPSec.

Machine-based certificates accomplish the authentication of routers.

An Active Directory or a public key infrastructure exists to issue the machine-based certificates.

Page 83: Module 8: Routing As a Solution for Private Network Connectivity.

If your design includes all Routing and Remote Access-based routers, then you can select IPSec to authenticate the routers and encrypt data transmissions.

IPSec supports tunnel mode and transport mode for securing data. Tunnel mode specifies the endpoints of the tunnel. You specify the tunnel endpoints by using the IP addresses of the routers. Transport mode does not specify endpoints, as it communicates with more than one computer at a time. IPSec in tunnel mode is specified for router-to-router authentication and encryption.

Page 84: Module 8: Routing As a Solution for Private Network Connectivity.

Protecting Confidential Data with VPN Tunnels

Selecting VPN Tunnels to Authenticate and Encrypt

Specifying PPTP Tunnels Using MPPE for Encryption

Specifying L2TP Tunnels Using IPSec for Encryption

Diagram labels: Central Office, Branch Office, Web Server, Branch Office, Internet, Router, Router, Router.

Page 85: Module 8: Routing As a Solution for Private Network Connectivity.

In addition to IPSec tunnels, you can also use VPN tunnels to encrypt data and prevent the unauthorized viewing of confidential data that is transmitted across public networks. You can specify the strength of encryption from the list of encryption algorithms supported by VPN tunnels.

Page 86: Module 8: Routing As a Solution for Private Network Connectivity.

Selecting VPN Tunnels to Authenticate and Encrypt

You can specify VPN tunnels in the design if:

All routers that you want to secure support VPN tunnels.

Authentication of routers is accomplished with user accounts, machine-based certificates, or both.

Page 87: Module 8: Routing As a Solution for Private Network Connectivity.

For example, if your design includes all Routing and Remote Access-based routers, then you can select either IPSec or VPN tunnels to authenticate the routers and encrypt data transmissions.

Page 88: Module 8: Routing As a Solution for Private Network Connectivity.

VPN supports Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) for securing traffic. The following table describes when you select the VPN-supported tunneling protocols in your design.

Select PPTP if your design includes: Microsoft Windows NT® version 4.0, Windows 2000, or third-party routers that support PPTP.

Select L2TP if your design includes: Windows 2000 or third-party routers that support L2TP.

Page 89: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying PPTP Tunnels Using MPPE for Encryption

PPTP tunnels use Microsoft Point-to-Point Encryption (MPPE) to encrypt data. The version of Windows 2000 available in the United States and Canada supports either 40-bit or 128-bit encryption. The versions of Windows 2000 available in other countries support only 40-bit encryption.

Page 90: Module 8: Routing As a Solution for Private Network Connectivity.

Specify PPTP by using MPPE as the VPN data encryption method if:

Using the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2 (v2), or Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication protocols.

User-based authentication is sufficient, and the added security of machine-based authentication is not required.

A machine-based certificate infrastructure, such as Kerberos V5 or Public Key Infrastructure (PKI), does not exist.

Page 91: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying L2TP Tunnels Using IPSec for Encryption

L2TP tunnels use IPSec to encrypt data within a connection. The version of Windows 2000 available in the United States and Canada supports 40-bit DES, 56-bit DES, or Triple DES (3DES) encryption. The versions of Windows 2000 available in other countries support 40-bit DES and 56-bit DES encryption. IPSec uses machine-based certificates for authentication, thereby reducing the ability of an unauthorized router to impersonate an authorized router.

Page 92: Module 8: Routing As a Solution for Private Network Connectivity.

Specify L2TP by using IPSec as the VPN data encryption method if:

The added security of machine-based authentication is desired, and user-based authentication is insufficient.

A machine-based certificate infrastructure, such as Kerberos V5, exists.

Page 93: Module 8: Routing As a Solution for Private Network Connectivity.

Authenticating Routers

Specifying RIP-for-IP or OSPF Passwords

Specifying Demand-Dial Authentication

Specifying IPSec Machine Certificates

Diagram labels: Central Office, Web Server, Branch Office, Branch Office, Demand-Dial Interface, Router, Router, Router, Internet; legend: marked links = IPSec AH Protocol.

Page 94: Module 8: Routing As a Solution for Private Network Connectivity.

By authenticating routers, you can prevent unauthorized routers from receiving confidential data. You can authenticate routers with RIP-for-IP passwords, OSPF passwords, IPSec machine certificates, and demand-dial authentication.

Page 95: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying RIP-for-IP or OSPF Passwords

Specify RIP-for-IP or OSPF passwords to authenticate routers in your network design if:

All routers use the same routing protocols.

Clear text password exchange is sufficient for authenticating routers.

Note: Since RIP-for-IP and OSPF passwords are exchanged by using clear text, these passwords can be captured and displayed by protocol analyzers, such as Network Monitor. Because the passwords can be displayed, RIP-for-IP and OSPF passwords provide minimal security.

Page 96: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying Demand-Dial Authentication

You can specify demand-dial authentication for routers that include demand-dial interfaces. Demand-dial authentication can use any authentication protocol supported by Routing and Remote Access, and can be performed by using one-way or two-way authentication.

Page 97: Module 8: Routing As a Solution for Private Network Connectivity.

One-Way Authentication

In one-way authentication, the demand-dial router initiates the connection and authenticates by using a predefined account and password. The disadvantage of one-way authentication is that the demand-dial router cannot verify whether it is dialing another router within the organization or a router impersonating a router within the organization.

Page 98: Module 8: Routing As a Solution for Private Network Connectivity.

Two-Way or Mutual Authentication

In two-way, or mutual, authentication, the demand-dial router initiates the connection and authenticates by using a predefined account and password. The responding router provides its own predefined account and password so that the demand-dial router can verify that it is dialing another router within the organization.

Note: Two-way or mutual authentication requires that the MS-CHAP v2 authentication protocol be enabled on both of the routers.

Page 99: Module 8: Routing As a Solution for Private Network Connectivity.

Specifying IPSec Machine Certificates

IPSec machine certificates provide packet integrity, anti-replay, and authentication by using the Authentication Header (AH) protocol. Specify IPSec AH protocol if your security design requires integrity for both the IP header and data, but not the encryption of data.

Page 100: Module 8: Routing As a Solution for Private Network Connectivity.

Include IPSec machine certificates to authenticate routers in your design if:

All routers in the solution support IPSec.

An Active Directory or a public key infrastructure exists to issue the machine-based certificates.

Page 101: Module 8: Routing As a Solution for Private Network Connectivity.

Integrating Routers into Screened Subnets

Placing Routers to Establish Screened Subnets

Placing Routers to Route Between Screened Subnets

Diagram labels: Internet, Screened Subnet A, Screened Subnet C, Screened Subnet B, Internet, Screened Subnet, Router, Router, Proxy Server.

Page 102: Module 8: Routing As a Solution for Private Network Connectivity.

You can place routers within the private network to create screened subnets or to integrate into existing screened subnets. Screened subnets isolate the private network from the Internet while allowing private network traffic to be routed between locations. You can establish screened subnets by filtering traffic with Routing and Remote Access IP filters.

Page 103: Module 8: Routing As a Solution for Private Network Connectivity.

Placing Routers to Establish Screened Subnets

Place routers in your network design to establish screened subnets:

If filters meet the security requirements for the screened subnets.

If the router is connected to the Internet and isolates the private network from the Internet.

Page 104: Module 8: Routing As a Solution for Private Network Connectivity.

Placing Routers to Route Between Screened Subnets

In many networks, the screened subnets are created by other methods, such as Microsoft Proxy Server or third-party firewall products. In the situations in which the subnet is created by other methods, you can increase the security within the screened subnet by using IP filters to further restrict access to resources.

Page 105: Module 8: Routing As a Solution for Private Network Connectivity.

In your network design, place routers to route between screened subnets:

If the security requirements require more security than the security that is already provided by IP filters.

To further divide screened subnets so that you can place additional restrictions on computers in the routed screened subnets.

Page 106: Module 8: Routing As a Solution for Private Network Connectivity.

Enhancing a Routing Design for Availability and Performance

Dedicating a Computer

Selecting Persistent Connections

Providing Multiple Connections and Routers

Diagram labels: Private Network, Internet, LAN Interface, Demand-Dial Interface, Private Network, Internet, LAN Interfaces, Router, Router, Router.

Page 107: Module 8: Routing As a Solution for Private Network Connectivity.

You can enhance the availability and performance of routing solutions by dedicating a computer to routing, selecting persistent wide area network (WAN) connections, and providing multiple routers or multiple WAN connections.

Page 108: Module 8: Routing As a Solution for Private Network Connectivity.

The following table describes the strategies used to enhance the availability and performance of a routing solution.

Strategy: Dedicating a computer to routing
Enhances availability by: Preventing unstable applications from restarting the computer.
Optimizes performance by: Preventing other applications running on the same computer from consuming system resources and impacting routing performance.

Strategy: Persistent WAN connections
Enhances availability by: Preventing problems in establishing the connection.
Optimizes performance by: Eliminating the time required to establish a nonpersistent connection.

Strategy: Multiple WAN connections
Enhances availability by: Providing redundant connections to the WAN if one of the connections fails.
Optimizes performance by: Distributing the traffic across the multiple connections.

Strategy: Multiple routers
Enhances availability by: Providing redundant routers in the event of one of the routers failing.
Optimizes performance by: Distributing the traffic across the multiple routers.

Page 109: Module 8: Routing As a Solution for Private Network Connectivity.

Discussion: Enhancing Routing Solutions

Map labels: Seattle, Los Angeles, Dallas, Winnipeg, Toronto, Montreal, New York, Washington DC, Atlanta, Kansas City.

Page 110: Module 8: Routing As a Solution for Private Network Connectivity.

After you have provided a basic routing design, you need to examine the security, availability, and performance requirements for the solution. During the discussion, note any ideas presented by other students in the class that are relevant to the routing solution.

The following scenario describes the requirements for enhancing the routing design of a telemarketing company.

Page 111: Module 8: Routing As a Solution for Private Network Connectivity.

Scenario

A few months after you created the solution for the telemarketing research company, the company decides to connect all of the regional research locations over the Internet to reduce leased line costs. Each location will receive a connection data rate to the Internet that is the same data rate as the original leased line, T1 or T3, respectively. The performance of the network can be improved by using multiple routers at each location to provide load balancing across the routers.

Page 112: Module 8: Routing As a Solution for Private Network Connectivity.

Lab A: Designing a Routing Solution

Page 113: Module 8: Routing As a Solution for Private Network Connectivity.

Objectives

After completing this lab, you will be able to:

Evaluate an existing scenario to determine the requirements that affect a routing design.

Design a routing solution for the given scenario.

Page 114: Module 8: Routing As a Solution for Private Network Connectivity.

Prerequisites

Before working on this lab, you must have:

Knowledge of the design decisions required to create a router design.

Knowledge of routing strategies to enhance security, availability, and performance.

Page 115: Module 8: Routing As a Solution for Private Network Connectivity.

Exercise 1: Designing a Router Solution

In this exercise, you are presented with the task of designing a routing solution for an engineering firm. This engineering firm has a headquarters, four field offices, and customer offices where the field engineers work. You will design the headquarters or Central Office. You will design a routing solution that supports the organization's requirements.

Review the scenario, the design requirements, and the diagram for the Central Office. Follow the instructions to complete the exercise.

You will not be providing a solution for the customer offices because the engineering firm has no control over the customers' routing solution.

Page 116: Module 8: Routing As a Solution for Private Network Connectivity.

Scenario

An engineering firm that designs cooling towers for nuclear power plants is preparing to connect their offices over the Internet. The engineering firm is headquartered in Paris, where the administration and billing for all projects within the firm occurs. The engineering firm has field offices in Brussels, Sydney, Hong Kong, and New Delhi. Within the field offices, project management and human resources management occurs for the field engineers that work from the respective field offices. When assigned to a project, the field engineers work on-site at the project location. While there, the field engineers are assigned temporary offices within the customer's facilities.

Page 117: Module 8: Routing As a Solution for Private Network Connectivity.

Design Limitations and Requirements

By examining existing documentation, and conducting interviews with the engineering firm personnel, you have established the design requirements that must be achieved. Make sure your solution meets or exceeds these requirements.

Page 118: Module 8: Routing As a Solution for Private Network Connectivity.

Applications

The engineering firm uses a number of applications to conduct the day-to-day operations. To create a solution for the engineering firm, your design must provide:

Support for a mission-critical Web-based application that provides project management and project time billing for field engineers.

Private network access to all shared folders and Web-based applications at the central office and regional offices.

Internet access from the field offices.

Active Directory as the directory services for the engineering firm.

Router response times such that the application response time is not reduced. Pilot tests on approved computers indicate that each router can support no more than 350 hosts while providing performance within the given application response times.

Support for all mission-critical applications to be available 24-hours-a-day, 7-days-a-week.

Page 119: Module 8: Routing As a Solution for Private Network Connectivity.

Connectivity

The applications used by the engineering firm require connectivity between the central office, field offices, and the onsite engineers. When creating the router design for the engineering firm, remember that your design must provide:

Support for the field offices to connect to the central office by using dedicated connections over the Internet.

Support for the onsite field engineers to connect to the respective field office by using dedicated or dial-up connections over the Internet supplied by the customer.

Support for customers' existing routing design. The customers cannot upgrade or change their existing routers.

The customers' routers support:

• OSPF routing protocol.

• RIP-for-IP routing protocol.

• Static routing.

• VPN tunneling by using PPTP.

Isolation of the central office and the field offices from the Internet.

Page 120: Module 8: Routing As a Solution for Private Network Connectivity.

Review

Introducing Routing

Designing a Functional Routing Solution

Discussion: Designing Routing Solutions

Securing Private Network Connections

Enhancing a Routing Design for Availability and Performance

Discussion: Enhancing Routing Solutions