Designing TCP/IP Networks

TCP/IP, as you learned earlier in this book, is a suite of network protocols used in Unix systems, on the Internet, and as the primary protocol suite for Windows NT and Windows 2000 networks. TCP/IP is named for two of its key protocols, Transport Control Protocol and Internet Protocol.

As the transport protocol, TCP/IP forms the fundamental backbone of a network infrastructure, and thus your network design should begin with a plan for the configuration of these protocols. All of the network services discussed in the remainder of this chapter are built upon the foundation of TCP/IP.

The basic considerations when designing a TCP/IP implementation include the assignment of IP addresses and the method (manual or automatic) of assigning them; IP security, filtering, and encryption; and ways of ensuring optimum availability and performance. These are discussed in the following sections.

IP Addressing

As discussed earlier in this book, each node in a TCP/IP network has a unique logical address called an IP address. Each IP address is a 32-bit number divided into 4 bytes, or octets. These are usually expressed in dotted-decimal format, such as 209.68.11.152.

An IP address is divided into a network address and a host address; the division between the two depends on the IP address class. Table 28-1 presents an overview of the three main IP address classes and their distinctions.

Table 28-1. Classes of IP Addresses

Class   Network/Host Bytes   Number of Networks   Number of Hosts per Network
A       1/3                  126                  16,777,214
B       2/2                  16,382               65,534
C       3/1                  2,097,150            254

In addition to these basic divisions between network and host addresses, subnetting can be used to create finer divisions; for example, using 28 bits for the network address and 4 bits for the host address.

The key factor in planning IP addressing for a network is its connectivity to the Internet. Any machines that will be accessible across the Internet must have public IP addresses; machines that are inaccessible can use private addressing. These address schemes are described in the following sections.

Public addresses

Public IP addresses are assigned by the Internet Assigned Numbers Authority (IANA). Because the standard IP addressing scheme has a finite number of addresses, few remain available; Class C addresses are generally the only ones available to most companies.

Fortunately, for all but the largest companies, it is rarely necessary to assign public addresses to more than a few machines on a network. In fact, each machine with a public address increases the security risk. Public addresses are typically needed for the following situations:

  • Machines running NAT or a proxy server to provide Internet access to other machines

  • Web servers and machines running other publicly accessible services, such as FTP

Your network design should include a list of the machines that will initially require public addresses, because these will need to be registered before configuring Internet connectivity.

Private addresses

Private addresses are used on machines that cannot be accessed from the Internet and that either have no need for Internet access or will access the Internet through a proxy server or NAT device. Private addresses are assigned by the network administrator and do not require registration of any kind.

When you assign private addresses, using ranges specifically intended for use as private addresses ensures that traffic from these machines will never be routed to the Internet and, also, prevents conflicts with Internet addresses.

Private addresses are set aside by the IETF in RFC 1918 and are guaranteed to never be registered as valid public addresses. Table 28-2 lists the IP address ranges that can be used for private IP addressing.

Table 28-2. Private IP Addresses

Address Class   Starting Address   Ending Address
A               10.0.0.0           10.255.255.255
B               169.254.0.1        169.254.255.254
C               172.16.0.0         172.31.255.255
C               192.168.0.0        192.168.255.255
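The following Python script is an added illustration of the addressing rules above (the class boundaries of Table 28-1, the 28-bit subnet example, and the public/private distinction); it is not code from the book. It uses the standard ipaddress module. The first-octet boundaries for Classes A, B and C are the usual classful ones; the three RFC 1918 blocks are reported as "private", and the 169.254.0.0/16 range is reported separately as "apipa" because hosts assign those addresses to themselves rather than an administrator assigning them. The sample addresses are constructed.

```python
import ipaddress

# Classful layout from Table 28-1: (network bytes, host bytes) per class.
# First-octet ranges: Class A 1-126, Class B 128-191, Class C 192-223.
# 0 and 127 are reserved, and 224-255 (Classes D and E) fall outside the
# three classes the chapter covers, so address_class() returns None for them.
CLASS_LAYOUT = {"A": (1, 3), "B": (2, 2), "C": (3, 1)}

# RFC 1918 private blocks, kept separate from the 169.254.0.0/16 APIPA range
# (Table 28-2 / "Automatic Private IP Addressing"), which hosts assign themselves.
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_BLOCK = ipaddress.ip_network("169.254.0.0/16")


def address_class(addr):
    """Return the classful class letter ('A', 'B', 'C') or None for a dotted-decimal address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if 1 <= first_octet <= 126:
        return "A"
    if 128 <= first_octet <= 191:
        return "B"
    if 192 <= first_octet <= 223:
        return "C"
    return None


def hosts_per_network(cls):
    """Usable hosts per classful network: 2^(host bits) minus the all-zeros
    (network) and all-ones (broadcast) host addresses. Reproduces Table 28-1."""
    _, host_bytes = CLASS_LAYOUT[cls]
    return 2 ** (8 * host_bytes) - 2


def address_scope(addr):
    """'private' (RFC 1918), 'apipa' (169.254.x.x self-assigned) or 'public'."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in block for block in RFC1918_BLOCKS):
        return "private"
    if ip in APIPA_BLOCK:
        return "apipa"
    return "public"


def subnet_summary(cidr):
    """For a host address with a prefix length (e.g. 209.68.11.152/28), return
    (network address, broadcast address, usable host count) of its subnet."""
    network = ipaddress.ip_interface(cidr).network
    host_bits = 32 - network.prefixlen
    usable = 2 ** host_bits - 2 if host_bits > 1 else 0
    return (str(network.network_address), str(network.broadcast_address), usable)


if __name__ == "__main__":
    # Constructed samples: the chapter's 209.68.11.152 plus one address from each private block.
    for sample in ("209.68.11.152", "10.1.2.3", "172.20.0.9", "192.168.1.10", "169.254.7.8"):
        cls = address_class(sample)
        print(f"{sample:15} class {cls}  scope {address_scope(sample):8} "
              f"hosts/net {hosts_per_network(cls):,}")
    # The 28-bit network / 4-bit host split mentioned above: 14 usable hosts.
    print(subnet_summary("209.68.11.152/28"))
```

Running the script shows why the 28/4 split gives 14 hosts rather than 16: the all-zeros and all-ones host addresses are reserved, the same subtraction that produces the 254, 65,534 and 16,777,214 figures in Table 28-1.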

How addresses are assigned

Another facet of your IP addressing design should address the method of assigning IP addresses, whether public or private addresses are used. The following are the basic methods of assigning IP addresses in Windows 2000 networks:

Manual assignment

Certain machines can be manually assigned a public or private IP address. This should be restricted to machines that require a consistent address, such as DHCP, DNS, and WINS servers, and machines that cannot use DHCP.

DHCP scopes

DHCP (Dynamic Host Configuration Protocol) can be used to assign addresses from a scope (a pool of available addresses) automatically to clients. This is typically the main method of address allocation in large networks.

DHCP reserved addresses

DHCP also allows IP addresses to be reserved for certain machines. Reservations can be used for application servers or other machines that require a consistent address.

Automatic Private IP Addressing

Automatic Private IP Addressing (APIPA) is a Microsoft standard for assigning IP addresses in small networks that do not support DHCP. Addresses are assigned from the pool of private Class B addresses in the 169.254.x.x range.
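As an added example of how the four assignment methods fit together (it is not code from the book or from Microsoft's DHCP service), the following Python model hands out addresses from a scope while honoring exclusions for manually addressed servers and reservations keyed by MAC address, and falls back to a 169.254.x.x address when no DHCP server answers. The scope, the excluded addresses, the reservation and the MAC addresses are constructed; the APIPA function derives its address from the MAC only so the example is repeatable, whereas real APIPA picks one at random and probes for conflicts.

```python
import ipaddress


class DhcpScope:
    """Toy model of a DHCP scope: a pool of addresses minus exclusions for
    manually configured machines, plus reservations keyed by client MAC.
    Constructed illustration, not the Windows 2000 DHCP service."""

    def __init__(self, network, exclude=(), reservations=None):
        self.network = ipaddress.ip_network(network)
        self.excluded = {ipaddress.ip_address(a) for a in exclude}
        self.reservations = {mac.lower(): ipaddress.ip_address(ip)
                             for mac, ip in (reservations or {}).items()}
        self.leases = {}  # mac -> address handed out

    def allocate(self, mac):
        """Return the address for this client, or None if the scope is exhausted."""
        mac = mac.lower()
        if mac in self.leases:                 # renewing client keeps its address
            return str(self.leases[mac])
        if mac in self.reservations:           # reserved: consistent address, still via DHCP
            self.leases[mac] = self.reservations[mac]
            return str(self.leases[mac])
        in_use = self.excluded | set(self.reservations.values()) | set(self.leases.values())
        for candidate in self.network.hosts():  # lowest free address in the pool
            if candidate not in in_use:
                self.leases[mac] = candidate
                return str(candidate)
        return None


APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def apipa_address(mac):
    """Deterministic stand-in for an APIPA self-assigned address in
    169.254.0.1-169.254.255.254. Real APIPA chooses randomly and checks for
    conflicts; deriving it from the MAC is an assumption made for repeatability."""
    offset = int(mac.replace(":", "").replace("-", ""), 16) % 65534 + 1
    return str(APIPA_NET.network_address + offset)


def configure_client(mac, scope=None):
    """Assignment order the chapter describes: a reachable DHCP server (scope or
    reservation) wins; with no server, the host falls back to APIPA."""
    if scope is not None:
        addr = scope.allocate(mac)
        if addr is not None:
            return addr, "dhcp"
    return apipa_address(mac), "apipa"


if __name__ == "__main__":
    # Constructed scope: .1 and .2 are manually addressed DNS/DHCP servers, .50 is reserved.
    scope = DhcpScope("192.168.10.0/24", exclude=["192.168.10.1", "192.168.10.2"],
                      reservations={"00:50:56:aa:bb:cc": "192.168.10.50"})
    for mac in ("00:0c:29:11:22:33", "00:50:56:AA:BB:CC", "00:0c:29:11:22:33"):
        print(mac, configure_client(mac, scope))
    print("no DHCP server:", configure_client("00:0c:29:44:55:66"))
```

The exclusion list is the practical link between manual assignment and DHCP scopes: the statically addressed servers must be excluded from the pool, or the scope will eventually hand one of their addresses to a client.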

TCP/IP Network Security

Another important aspect of a TCP/IP network design is security. TCP/IP networks have significant security flaws when implemented with default settings, and you should plan to use such features as filtering and encryption to improve security. These are discussed in the following sections.

Packet filtering

Packet filtering refers to a node analyzing TCP/IP packets based on certain criteria -- for example, the packet type, the source or destination addresses, or the ports used -- and discarding packets that do not match these criteria. Packets can be filtered in several locations within the network:

  • Firewalls and proxy servers include filtering and are an ideal place to implement this feature.

  • Windows 2000 includes per-node packet filtering as part of the TCP/IP stack. This feature allows complete control over incoming IP packets, but can be complex to implement on every machine.

  • TCP/IP routers may also include packet filtering features.

Windows 2000’s per-host IP filtering is most useful for hosts with special functions, such as dedicated web, FTP, or application servers. The filters for such a server can be set to disallow all inappropriate incoming traffic -- for example, on a machine used strictly as a web server, HTTP requests on port 80 should be the only incoming packets allowed.
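The web-server case above, as an added Python illustration that is not code from the book or from Windows: a permit-only inbound filter with separate allow lists for TCP ports, UDP ports and IP protocols (the three lists the Windows 2000 TCP/IP Filtering dialog offers), run over a handful of constructed inbound packets. Everything not explicitly listed is dropped, which is the behavior the text recommends for a machine used strictly as a web server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed inbound packet: protocol, source, destination, destination port."""
    proto: str        # "tcp", "udp", or an IP protocol name such as "icmp"
    src: str
    dst: str
    dport: int = 0    # 0 for protocols without ports


class HostFilter:
    """Permit-only inbound filter shaped like Windows 2000 TCP/IP Filtering:
    allow lists for TCP ports, UDP ports and IP protocols; anything not listed
    is dropped. Constructed model, not the filtering driver itself."""

    def __init__(self, tcp_ports=(), udp_ports=(), ip_protocols=()):
        self.tcp_ports = set(tcp_ports)
        self.udp_ports = set(udp_ports)
        self.ip_protocols = set(ip_protocols)

    def decide(self, pkt):
        if pkt.proto == "tcp" and pkt.dport in self.tcp_ports:
            return "allow"
        if pkt.proto == "udp" and pkt.dport in self.udp_ports:
            return "allow"
        if pkt.proto in self.ip_protocols:
            return "allow"
        return "drop"

    def apply(self, packets):
        """Return [(packet, verdict)] so callers can log or count what was dropped."""
        return [(p, self.decide(p)) for p in packets]


def dropped_count(results):
    return sum(1 for _, verdict in results if verdict == "drop")


# A host used strictly as a web server: only TCP port 80 is permitted inbound.
WEB_SERVER_FILTER = HostFilter(tcp_ports=[80])

# Constructed sample traffic arriving at the web server.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", "209.68.11.152", 80),    # HTTP request
    Packet("tcp", "203.0.113.5", "209.68.11.152", 445),   # SMB file sharing
    Packet("tcp", "203.0.113.9", "209.68.11.152", 3389),  # Terminal Services
    Packet("udp", "203.0.113.5", "209.68.11.152", 137),   # NetBIOS name service
    Packet("icmp", "203.0.113.5", "209.68.11.152"),       # ping
]

if __name__ == "__main__":
    results = WEB_SERVER_FILTER.apply(SAMPLE_PACKETS)
    for pkt, verdict in results:
        print(f"{verdict:5} {pkt.proto}/{pkt.dport} from {pkt.src}")
    print("dropped:", dropped_count(results))
    # A dedicated FTP server would list TCP 21 (and its data ports) instead of 80.
```

Note that a permit-only filter of this kind also drops ICMP, so if you rely on ping for monitoring the host you must add ICMP to the IP protocol list deliberately rather than discover the omission later.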

The main alternative to packet filtering is a proxy server or firewall. This is a dedicated machine that acts as an intermediary between the Internet and your network. A proxy has certain advantages over simple filtering:

  • Proxies can perform more specific filtering -- for example, content-based filtering of web access.

  • Proxies support additional features, such as caching.

On the other hand, IP filtering has some advantages over a proxy server:

  • Proxies need to explicitly support each protocol used. IP filtering can support any protocol and can support new protocols without software changes.

  • Proxy servers introduce a slight delay; IP filtering does not.

IPSec encryption

IPSec (IP Security) is an IETF standard for the encryption of TCP/IP traffic. Windows 2000’s implementation of IP security allows an encrypted connection to be established between any two Windows 2000 computers. IPSec is supported in Windows 2000 by the following components:

IPSec Policy Agent

This is a service that runs under Windows 2000 and manages IPSec policies. The policies are stored in the Active Directory or in the local computer’s registry.

ISAKMP/Oakley Key Management Service

This combines two protocols: ISAKMP, a key management protocol, and the Oakley protocol, which generates keys for data encryption. The IPSec Policy Agent automatically starts and manages this service.

IP Security Driver

This driver (IPSEC.SYS) acts as a filter for all IP communication and determines whether security is required for each packet. Secured packets are encrypted using the key provided by the Key Management Service.

IPSec supports two key features: encryption (encoding network traffic to prevent snooping) and authentication (verifying that the data comes from a specific known source). Depending on your network’s needs, a network infrastructure design can include either or both of these features.

Under Windows 2000, each computer can be configured with an IP Security policy. The policy determines when encrypted connections are used. Policies may be customized, or use one of the following default policies:

Client (Respond Only)

Allows the computer to act as a client when a server requests or requires a secure connection.

Secure Server (Require Security)

When the computer is accessed as a server, clients are required to use a secure connection.

Server (Request Security)

When the computer is accessed as a server, clients are requested to use a secure connection. If the client does not support this, a standard plain-text connection is used.
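To see how the three default policies combine, here is an added Python model (not code from the book or from Windows) of the connection outcome between two hosts. It treats a host with no policy assigned as unable to negotiate IPSec, a host with Client (Respond Only) as able to answer but never to initiate, and a host with either of the two server policies as initiating a security negotiation; the only difference between Server (Request Security) and Secure Server (Require Security) is what happens when the peer cannot respond. Authentication methods, filter lists and security associations are deliberately left out of the model.

```python
# The three default Windows 2000 IP Security policies; None stands for a host
# with no IPSec policy assigned. Constructed model of negotiation outcomes only.
CLIENT_RESPOND_ONLY = "Client (Respond Only)"
SERVER_REQUEST_SECURITY = "Server (Request Security)"
SECURE_SERVER_REQUIRE_SECURITY = "Secure Server (Require Security)"
DEFAULT_POLICIES = (None, CLIENT_RESPOND_ONLY,
                    SERVER_REQUEST_SECURITY, SECURE_SERVER_REQUIRE_SECURITY)

# Policies that start a negotiation for their own traffic rather than only answering.
INITIATING_POLICIES = {SERVER_REQUEST_SECURITY, SECURE_SERVER_REQUIRE_SECURITY}


def negotiate(server_policy, client_policy):
    """Outcome of a client connecting to a server under the given policies:
    'secured'   - IPSec was negotiated,
    'plaintext' - no IPSec, the connection proceeds unprotected,
    'refused'   - a side that requires security met a peer that cannot provide it."""
    both_capable = server_policy is not None and client_policy is not None
    someone_initiates = (server_policy in INITIATING_POLICIES
                         or client_policy in INITIATING_POLICIES)
    someone_requires = SECURE_SERVER_REQUIRE_SECURITY in (server_policy, client_policy)

    if someone_initiates and both_capable:
        return "secured"
    if someone_requires:
        return "refused"          # Require Security never falls back to plain text
    return "plaintext"            # Request Security falls back; Respond Only never asks


def outcome_matrix():
    """Outcome for every (server policy, client policy) pairing of the defaults."""
    return {(s, c): negotiate(s, c) for s in DEFAULT_POLICIES for c in DEFAULT_POLICIES}


if __name__ == "__main__":
    for (server, client), outcome in outcome_matrix().items():
        print(f"server={server or 'none':33} client={client or 'none':33} -> {outcome}")
```

The matrix makes one design consequence visible: two hosts that both run Client (Respond Only) never encrypt anything, because neither side ever asks. If you want traffic between ordinary workstations protected, at least one side of each conversation needs a policy that initiates.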

Optimizing TCP/IP Networks

As the final step in creating a design for a TCP/IP network, you should consider how the design will affect network availability and performance. These factors are discussed in the following sections.

Improving availability

In any network, especially one with WAN connections, availability is a concern. Services needed by users may become unavailable due to factors ranging from cable failure to software bugs. For a TCP/IP network design, the availability of the network transport and its protocols is the main concern.

The chief way to improve availability is to provide redundant links. Routers can be used to automatically route traffic to the most available link and temporarily bypass problems, provided there are redundant connections.

Routing protocols, such as RIP, can use link cost metrics to route traffic; for example, you can set a dial-on-demand connection using a modem to have a high cost, both because it may incur telephone company charges and because the modem will be unavailable for other tasks. If the dial-up connection has the highest cost, it will only be used when other connections fail.
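The cost-metric behavior described above, as an added Python example that is not code from the book or from any routing product: a small constructed WAN with a leased line, a two-hop path through a regional office, a frame relay circuit and a deliberately expensive dial-on-demand link. The script picks the lowest-cost path across the links that are currently up (Dijkstra over link costs, which is how a link-cost metric is resolved in general, not RIP's specific algorithm), then fails links one at a time to show the modem link being used only when everything else is down. Site names, link names and costs are assumptions.

```python
import heapq

# Constructed WAN: (site A, site B, administrative cost, link name).
# The dial-on-demand modem link is given a very high cost so that it is
# chosen only when no other path to the branch remains.
LINKS = [
    ("HQ", "Branch", 1, "t1"),
    ("HQ", "Regional", 2, "hq-regional"),
    ("Regional", "Branch", 2, "regional-branch"),
    ("HQ", "Branch", 5, "frame-relay"),
    ("HQ", "Branch", 100, "dialup"),
]


def cheapest_path(links, src, dst, down=frozenset()):
    """Lowest total-cost path (Dijkstra) over the links not listed in `down`.
    Returns (total cost, [link names]) or (None, None) if src and dst are disconnected."""
    graph = {}
    for a, b, cost, name in links:
        if name in down:
            continue
        graph.setdefault(a, []).append((b, cost, name))
        graph.setdefault(b, []).append((a, cost, name))

    best = {src: 0}     # cheapest known cost to each site
    via = {}            # site -> (previous site, link used)
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == dst:
            break
        if cost > best[node]:
            continue    # stale heap entry
        for nxt, link_cost, name in graph.get(node, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                via[nxt] = (node, name)
                heapq.heappush(heap, (new_cost, nxt))

    if dst not in best:
        return None, None
    path, node = [], dst
    while node != src:
        node, name = via[node]
        path.append(name)
    return best[dst], path[::-1]


def failover_sequence(links, src, dst):
    """Fail the first link of the path in use, re-route, and repeat until no
    path is left; returns the list of (cost, path) the routers would settle on."""
    down, history = set(), []
    while True:
        cost, path = cheapest_path(links, src, dst, down)
        history.append((cost, path))
        if path is None:
            return history
        down.add(path[0])


if __name__ == "__main__":
    for cost, path in failover_sequence(LINKS, "HQ", "Branch"):
        print("cost", cost, "via", path)
```

The sequence printed is the leased line, then the two-hop regional path (cost 4, still cheaper than frame relay at 5), then frame relay, and only then the modem; the same ordering is what the cost setting on the dial-up interface buys you in a real router.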

Improving performance

Finally, your TCP/IP network infrastructure design should be structured to provide optimum performance. To improve the performance of a design, consider the following factors:

IP address space

Public IP addresses are scarce and should be conserved. You may need to use variable-length subnetting to better divide the addresses in a range or use supernetting to combine a block of addresses (for example, those issued by an ISP) into a contiguous address space.

Traffic considerations

Consider which types of traffic you will have on the network: latency-sensitive traffic, which causes user delays (for example, HTTP requests); and bandwidth-sensitive traffic, which requires a continuous flow of data.

Optimizing TCP/IP

On some networks, TCP/IP performance can be improved by changing TCP/IP parameters in the registry, such as Receive Window Size and Bandwidth/Delay Product.

QoS (Quality of Service)

QoS, a new feature of Windows 2000, can be used to allocate bandwidth to specific needs, so that bandwidth-critical applications are not restricted by regular network traffic.
