Index
Note to the reader: Italics are used to indicate references to illustrations.
A
A (host address) resource record 161
ABRs (Area Border Routers) 48
accounting information 298–299, 299
acknowledgments (ACKs) 29
ACS (Admission Control Service) 17
Active Directory 249–250
addressing and naming services of 249
authorizing DHCP servers and 240, 240
IPSec policy administration and 102
rogue DHCP server detection and 250
support for legacy servers in 249–250
using Group Policy with 16
address database file (.adr) 85
addressing
Active Directory and 249
address classes and 34–35, 35
NAT addressing component and 304
Address Resolution Protocol (ARP) 138
Add Static Mapping dialog box 215
administration tools 91–98
SNMP and 95–98
Terminal Services and 91–95
Admission Control Service (ACS) 17
Advanced Settings dialog box, NWLink 76
AH, routers and 122
all zone transfers (AXFR) 195
analysis phase, network implementation 11
AppleTalk 19
Application Layer, TCP/IP 26–27
network application APIs and 27
utilities and services of 27
application proxies, IPSec 123
Application Server mode, Terminal Services 91–92
architecture
IPSec 104–107
NWLink 56–60
TCP/IP 26, 26–29
Area Border Routers (ABRs) 48
ARP (Address Resolution Protocol) 138
Asynchronous NetBEUI (AsyBEUI) 6
Asynchronous Transfer Mode (ATM) 17
auditing. See also monitoring
Event Viewer and 365–366
selecting audit policy 366
authentication
IPSec and 111–112
network security and 352
remote access profiles and 276
setting method of 127
Automatic Private IP Address Assignment 41
Auto Static update 290
AXFR (all zone transfers) 195
B
Bandwidth Allocation Control Protocol (BACP) 277–278
Bandwidth Allocation Protocol (BAP) 277–278, 278
binary notation 33–34
boot file, definition of 162–163
C
CACHE.DNS file
definition of 162
editing 178
caching
definition of cache file 162
definition of caching-only server 157
DNS and 160
implementing a caching-only server 192–193
Caller ID 274
canonical name (CNAME) record 161
Capture Filter dialog box 85
capture triggers 86
certificate authorities (CAs). See also certificates
authentication methods and 111
creating certificates with 329–330
deploying 333–334
issuing digital certificates with 7–8
protecting 334
trusted CA roots and 341
certificate enrollment
automated enrollment 336
client enrollment 336
Web-based enrollment 335, 335
certificates 328, 328–347, 329
deploying CAs 333–334
enrollment of 334–336
installing stand-alone subordinate certificates 337–339
issuing 343
overview of 328–330
protecting CAs 334
recovery and 339–341, 344–346
renewal of 339
revoking 343–344
types of 330–332
use of 330
Certificate Services 7–8
Certification Authority Manager 337, 344
Challenge Handshake Authentication Protocol (CHAP) 360
overview of 358
VPNs and 359–360
CIDR (Classless Inter-Domain Routing) 306
Class A addresses 34–35
Class B addresses 34–35
Class C addresses 34–35
Classless Inter-Domain Routing (CIDR) 306
Client (Respond Only) policy, IPSec policy 110
Client Service for NetWare 67–69
compared with Gateway Service for NetWare 67–68
installing 68–69, 70–71
NetWare connectivity and 67
NWLink and 18
CNAME (canonical name) record 161
Command Prompt Properties dialog box, NSLOOKUP 175
communication protocols 25
configuring
Bandwidth Allocation Control Protocol (BACP) 277–278
Bandwidth Allocation Protocol (BAP) 277–278
demand-dial routing 283–285
Gateway Service for NetWare (GSNW) 63–64
Internet Connection Sharing (ICS) 316–317
Network Address Translator (NAT) 321–322
Remote Access Policies (RAP) 272
Routing and Remote Access 275–276
Transmission Control Protocol/Internet Protocol (TCP/IP) 38–41
Connection Properties dialog box 277
Connection Sharing. See Internet Connection Sharing (ICS)
connectivity
IPSec and 110–111
NetWare and 68–69
routed and translated Internet connections and 305
verifying connection types 128
cryptographic key storage, PKI 338–339
D
data
capturing with Network Monitor 82
reviewing capture data 87–88
viewing with Network Monitor 83–86
database files. See zones
databases, WINS
backing up 224–225
configuring replication 221–222
performing replication 222–224
Data Link Control (DLC) 19
data transfer utilities, TCP/IP 26
decimal notation 33–34
demand-dial routing 282–285
configuring 283–285
fields of 282–283
filters for 284
deployment phase, network implementation 11
design phase, network implementation 11
DHCP (Dynamic Host Configuration Protocol) 3, 227–259
adding relay agent to 236
configuring TCP/IP with 229
customizing IPSec and 124–125
definition of 3, 228
DHCP allocator component 312–313
DNS and 248
ICS and 314
Ipconfig and 234–236
IP lease discover/offer and 230–232
IP lease request/acknowledgement and 232–233
overview of 3–4
sending DHCPOFFER message 231
using with Routing and Remote Access 294–295
DHCP (Dynamic Host Configuration Protocol), Active Directory and 249–250
address assignment and naming services 249
rogue DHCP server detection 250
support for legacy servers 249–250
DHCP (Dynamic Host Configuration Protocol), clients
configuring 229–230
DNS dynamic update and 247
obtaining IP address 238
troubleshooting 252–254
use of DHCP servers by 237
DHCP (Dynamic Host Configuration Protocol), configuring 237–244
authorizing DHCP server 239–240
configuring DHCP scopes 242–243
creating DHCP scope 241
implementing multiple DHCP servers 243–244
protecting against unauthorized DHCP servers 240–241
using DHCP on a network 237–238
DHCP (Dynamic Host Configuration Protocol), integrating naming services 245–248
avoiding failed DNS lookups 246
dynamic DNS updates and 245–248
dynamic updates without Dynamic DNS support 247
options for interoperation of DNS and WINS 246
DHCP (Dynamic Host Configuration Protocol), servers
authorizing 239–240
implementing multiple servers 243–244
installing 233–234
installing and configuring 238
monitoring 257
moving databases and 257–258
protecting against unauthorized servers 240–241
providing optional data 238
rogue DHCP server detection 250
troubleshooting 255–257
DHCP (Dynamic Host Configuration Protocol), troubleshooting 251–258
DHCP clients and 252–254
DHCP servers and 255–257
preventing problems 251–252
relay agent and 255
diagnostic utilities 26
Dial-in constraints 274, 275
Dial-Out Hours dialog box 285
dial-up networking 262
dial-up remote access 5
digital certificates 7–8. See also certificates
Directory Service Migration Tool 55, 55
display filters
types of 87
using with Network Monitor 86–87
distributed network security. See network security
DLC (Data Link Control) 19
DNS (Domain Name System) 151–164
adding new zone with DNS console 179
boot file and 162–163
caching and 160, 162
configuration files of 160–161
configuring TCP/IP and 40
customizing IPSec and 124–125
definition of 2–3
DHCP interaction and 248
dynamic updates and 247
functioning of 153
ICS and 314
inverse queries and 159
iterative queries and 158–159
lookups and 246
name resolution with 141, 143–144
name server roles and 156–157
NAT DNS proxy component and 313
origins of 152
recursive queries and 158
reverse lookup file and 161–162
structure of 154–155
TCP/IP Application layer and 27
Time to Live and 160
troubleshooting with NSLOOKUP 174–176
using HOSTS file with 147–148
Windows 2000 and 152
working with servers 192–197
working with zones 186–191
DNS (Domain Name System)
DHCP and avoiding failed DNS lookups 246
Dynamic DNS updates and 245–248
dynamic updates without Dynamic DNS 247
options for interoperation of DNS and WINS 246
DNS (Domain Name System), implementing 164–183
adding DNS domains and zones 179–180
adding resource records 181–182
configuring DNS Server properties 177–178
configuring reverse lookups 182
designing DNS for large networks 169–171
designing DNS for medium-sized networks 166–169
designing DNS for small networks 165–166
installing DNS Server 173, 180–181
registering with the Parent domain 164–165
verifying DNS client settings 172–173
DNS (Domain Name System), servers
implementing a caching-only server 192–193
monitoring performance of 194
overview of 192
performance counters for 195
remote management of 195
testing queries on 194
DNS Server Properties dialog box 193, 194
domain controllers, IPSec and 124–125
domain names
host name resolution and 140
separating name space into levels 154
Domain Name System (DNS). See DNS (Domain Name System)
domains
across multiple zones 155
adding DNS domains and zones 179–180
definition of 187–188
root domains 154
second-level domains 155
top-level domains 154
dotted decimal notation 33
drivers, Network Monitor and 81–82
dynamic address mapping, NAT 307
dynamic configuration, TCP/IP 39, 39
Dynamic DNS updates 245–248
Dynamic Host Configuration Protocol (DHCP). See DHCP (Dynamic Host Configuration Protocol)
dynamic routing 48
dynamic updates
configuring zones for 189–190
enabling 190–191
without Dynamic DNS support 247
E
EAP (Extensible Authentication Protocol) 359
Edit Authentication Method Properties dialog box 112
Edit Dial-In Profile dialog box 275
Edit Rule Properties dialog box 111
EFS Recovery policy 344–345, 346
encapsulation. See tunneling
encryption
NTFS and 353
protocols for 361–362
remote access profiles and 276
setting ESP encryption 133
setting level of 362
enterprise CAs 330–331
enterprise root CAs 331
enterprise subordinate CAs 331–332
overview of 330–331
Error Logon counter 369
ESP
routers and 121–122
setting ESP encryption 133
Event Viewer 365
Expression dialog box 88
Extensible Authentication Protocol (EAP) 359
external network number
changing 74
definition of 73
F
File and Print Services for NetWare 55
file resources, NetWare 65
File Transfer Protocol (FTP)
Network Monitor and 80
TCP/IP Application layer and 27
Filter Properties dialog box 114
filters
actions of 115–116, 127
adding filters 126–127
creating policy filters 276
demand-dial filters 282–283
specifications of 120–121
firewalls 355
IPSec and 122
network security and 355
Forwarder, NWLink 59–60
Forward Lookup Zones 181
FQDN. See fully qualified domain names (FQDNs)
frames
capturing with Network Monitor 89
changing 74
definition of 72–73
examining with Network Monitor 83
FTP (File Transfer Protocol)
Network Monitor and 80
TCP/IP Application layer and 27
fully qualified domain names (FQDNs)
HOSTS file and 147
name resolution and 141
G
gateways
activating 65
configuring TCP/IP and 41
enabling 64
file gateway configuration and 61
security resources for 66
Gateway Service for NetWare (GSNW) 61–66
accessing NetWare resources with 66
compared with Client Service for NetWare 67–68
configuring 63–64
dialog box for 63
gateways and 61–62, 64–66
installing 62–63
NetWare and 54–55
NWLink and 18
overview of 61
Generic Quality of Service (GQoS) 17
Generic Routing Encapsulation (GRE) 324
Group Policy
EFS Recovery policy and 346
IPSec configuration with 16
using Active Directory with 16
Group Policy Editor 129
GSNW. See Gateway Service for NetWare (GSNW)
H
hardware, network implementation 12
headers
GRE header and 324
IP header and 324
translation of header fields 308
host address resource record (A) 161
host ID 32, 32
host names 140–145
backup methods for 145
definition of 140
Microsoft name resolution methods and 142
purpose of 140–141
resolving host name with DNS server 144
resolving host’s IP address to hardware address 143
standard name resolution methods and 141
host routes 281
hosts, adding 181
HOSTS file
advantages of 147
definition of 146
name resolution with 141, 142–143
overview of 146–147
using text editors with 148
using with DNS 147–148
HTTP (HyperText Transfer Protocol)
Network Monitor and 80
TCP/IP Application layer and 27
I
IAS (Internet Authentication Service)
definition of 264
remote access policies and 360
ICMP (Internet Control Message Protocol)
key fields in 283
router discovery and 263
ICS. See Internet Connection Sharing (ICS)
inbound connections
allowing 270
inbound traffic and 311–312
NAT and 323–324
incremental zone transfer (IXFR) 195
Infrared Data Association (IrDA) 19
installing
Client Service for NetWare 68–69
Gateway Service for NetWare (GSNW) 62–63
Internet Connection Sharing (ICS) 315
IP routing 279–280
remote access service 266–267
stand-alone subordinate certificates 337–339
TCP/IP 37–38
Integrated Services over Slow Links (ISSLOW) 17
internal network number
changing 72
definition of 71
Internet
connecting intranets to 309
connecting networks over 289
inbound traffic and 311–312
integrating VPN with 288–289, 289
outbound traffic and 310–311
remote access over 288–289, 289
routed and translated connections on 305
security-related connection issues and 354
Internet Authentication Service (IAS)
definition of 264
remote access policies and 360
Internet Connection Sharing (ICS) 314–319
components of 314
configuring 316–317
enabling 315
installing 315
Internet options for 316–317
NAT and 317–318
troubleshooting 318–319
Internet Control Message Protocol. See ICMP (Internet Control Message Protocol)
Internet Layer, TCP/IP 27
Internet Network Information Center (InterNIC)
DNS implementation and 164
public addresses and 306
Internet Protocol Security. See IPSec (Internet Protocol Security)
Internet service providers (ISPs) 6–7
InterNIC. See Internet Network Information Center (InterNIC)
intranet, NAT 309
inverse queries, DNS 159
IP (Internet Protocol) 29–30, 31–36
address classes and 34–35
converting IP addresses from binary to decimal 33–34
dotted decimal notation and 33
guidelines for 35–36
host ID and 32
IP address format and 31
network ID and 31–32
IP addresses
composition of 33
configuring TCP/IP and 41
NAT and 6–7, 320–321, 322
ranges of private IP addresses 306–307
remote access profiles and 275
resolving host’s IP address to hardware address 143
troubleshooting 253–254
Ipconfig 234–236
report displayed by 235
switches of 235–236
testing TCP/IP configuration 41–42, 42
IP filters, IPSec 120–121
IP header 282
IP-in-IP tunneling 288
IP leases
acknowledgments 233
discovery 230, 230–231
offering 231–232
requests 232
IP Packet Filter Properties dialog box 113
IP packet filters
configuring TCP/IP and 43–44, 44
firewalls and 355
IPSec and 112–115
IP routing 45, 45–49
administering routers 49–50
dynamic routing and 48
implementing demand-dial routing 282–285
installing 279–280
overview of 45–46
static routing and 47
updating routing tables 47, 280–282
IPSec (Internet Protocol Security) 99–136, 104
applications to use with 108
architecture of 104–107
benefits of 101–103
encryption with 362
in-depth defense with 101
network security and 108, 353
overview of 100–101
process of 104
TCP/IP and 15–16, 25
tunnel mode of 288
IPSec (Internet Protocol Security), configuring 109–118
additional tasks and 116–117
authentication method and 111–112
connection types and 110–111
filter actions and 115–116
how to implement 109
IP packet filtering and 112–115
IPSec policies and 109–110
prerequisites for 109
testing 117–118
IPSec (Internet Protocol Security), customizing 119–128
building a custom IPSec policy 125–128
DHCP, DNS, WINS, or domain controllers and 124–125
firewalls and 122
IP filters and 120–121
NAT and proxies and 122–123
negotiation policies and 121–122
policy-based security and 119–120
security methods and 121
SNMP and 123–124
TCP/IP properties and 125
IPSec (Internet Protocol Security), monitoring 129–134
IPSec Monitor and 133–134
IPSec statistics 129–130
ISAKMP/Oakley statistics 130–131
management tools and 129
Network Monitor and 131–133
troubleshooting tools and 129
IPSec Driver (IPSEC.SYS) 106
IPSECMON.EXE. See IP Security Monitor (IPSECMON.EXE)
IPSec Monitor. See IP Security Monitor (IPSECMON.EXE)
IPSec policies 125–128
activating 128
adding filters 126–127
adding rules 126
completing rule creation 128
definition of 119
setting authentication method 127
specifying filter action 127
testing 128
verifying connection types 128
verifying tunnel settings 128
IPSec Policy Agent Service 105
policy flow 107
tasks performed by 105
IPSEC.SYS 106
IP Security. See IPSec (Internet Protocol Security)
IP Security Management snap-in 129
IP Security Monitor (IPSECMON.EXE) 129, 130
interface for 370
monitoring ISAKMP/Oakley statistics with 130–131
monitoring security events with 369–370
monitoring statistics with 129–130
using 133–134
IP Security Policy Wizard 112
IPX 57
IPX/SPX/NetBIOS compatible transport protocol. See NWLink
IrDA (Infrared Data Association) 19
ISAKMP/Oakley 105–106, 130–131
ISPs (Internet service providers) 6–7
ISSLOW (Integrated Services over Slow Links) 17
iterative queries 158, 158–159, 159
IXFR (incremental zone transfer) 195
K
Kerberos
authentication methods and 111
network security and 353
keys
automatic management of 103
cryptographic key storage and 338–339
generating key pairs and 329
preshared key support 103
public key certificates and 103
recovery and 339–341
L
LANs (local area networks)
NetBEUI and 2
network application interfaces and 28
Layer Two Tunneling Protocol (L2TP)
router discovery and 264
TCP/IP and 25
tunneling protocols and 288
Layer 3 protection, IPSec 102–103, 103
LMHOSTS file 202, 202–203
definition of 202
predefined keywords and 203
local area networks (LANs)
NetBEUI and 2
network application interfaces and 28
logging
accounting information and 298–299
log file records and 298
overview of 296–297
recording failed logon attempts 365–366
remote access logging and 296
viewing security log 367–368
lookups, DNS 246
M
Main Policy properties 117
MANs (metropolitan area networks) 28
master name servers 157
metropolitan area networks (MANs) 28
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) 358
Microsoft Management Console (MMC)
activating auditing and 365–366
creating and configuring IPSec policies 109
DNS settings in 177
Windows 2000 member server and 110, 120
WINS integration with 219
Microsoft Proxy Server 355–356, 364
mirroring 115
MMC. See Microsoft Management Console (MMC)
monitoring
DHCP servers 257
DNS servers 194
Event Viewer and 365
IPSec Monitor and 369–370
network security and 364
recording failed logon attempts 365–366
security overhead and 370–371
System Monitor and 368–369
viewing security log 367–368
WINS and 219
MPPE, encryption protocol 361–362
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) 358
multilink 292–293
Multilink PPP and 290–293
PPP and 292
remote access profiles and 276
Multilink PPP 290–293