Designing Routing and Remote Access

Routers are used to connect subnets in a network, and are an essential element for all but the smallest networks. Routers can either be hardware devices or computers; Windows 2000 and Windows NT computers can act as routers.

Remote access is another important feature for most of today’s networks, allowing access to employees or customers across modem connections. Routing and remote access can also be combined, for example, to allow dial-up access to a remote portion of the network.

The following sections describe what you should consider when planning to use the routing and remote access features of Windows 2000 in your network design.

Basic Routing Design

Routers are an important part of most networks. They not only connect subnets, but also provide security and provide communication between dissimilar networks. The following sections describe the basics of planning a network routing design.

Router placement

Routers are generally placed between subnets; a router typically has at least two network interfaces, one for each subnet. Routers can support both persistent network connections (such as Ethernet or DSL) and non-persistent connections, such as dial-up PPP.

Routers are chiefly used in two positions: first, as a connection between subnets in a LAN or WAN, and second, as an interface to a public network, such as the Internet.

Static and dynamic routing

Routers use a routing table to keep track of potential network destinations and their paths. There are two basic types of IP routers:

Static routers

Use a fixed routing table specifying available destinations, configured by the administrator.

Dynamic routers

Maintain a routing table dynamically by communicating with other routers.

Static routing is typically used in smaller networks; when several routers are used in a network, dynamic routing provides greater efficiency, greater availability, and easier administration.

Routing protocols

Dynamic routers use one or more routing protocols to communicate between routers. The following routing protocols are supported by Windows 2000:

RIP (Routing Information Protocol)

RIP is the simplest routing protocol. Each router periodically sends its whole routing table to its neighbors, and every destination is scored by hop count (the number of routers on the path); a route learned with a lower hop count replaces one with a higher count, 15 hops is the maximum, and a metric of 16 means unreachable. Because a router only ever knows the distances its neighbors advertise, not the topology itself, RIP is known as a distance vector routing protocol.
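The routing table and the distance-vector rule described above, as an added example that is not part of the original text: a small IPv4 routing table with longest-prefix-match lookup, plus the update rule a RIP router applies when a neighbor advertises its table (cost via the neighbor is its metric plus one hop, 16 is unreachable). The networks, next hops and interface names are made up; timers, split horizon and garbage collection are left out.

```python
"""Added example (not from the original text): a minimal IPv4 routing table
with longest-prefix-match lookup, plus the distance-vector update rule a
RIP router applies to a neighbour's advertisement. Hop counts and the RIP
'infinity' of 16 follow RFC 2453; the addresses below are made up."""
import ipaddress

RIP_INFINITY = 16  # RIP metric meaning "unreachable"


class RoutingTable:
    def __init__(self):
        # destination network -> (next hop, interface, metric in hops)
        self.routes = {}

    def add_static(self, network, next_hop, iface, metric=1):
        self.routes[ipaddress.ip_network(network)] = (next_hop, iface, metric)

    def lookup(self, dest):
        """Longest-prefix match: the most specific reachable route wins."""
        addr = ipaddress.ip_address(dest)
        best = None
        for net, (nh, iface, metric) in self.routes.items():
            if addr in net and metric < RIP_INFINITY:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, nh, iface, metric)
        return best  # None means "no route"

    def merge_rip_update(self, neighbour, iface, advertised):
        """Distance-vector rule: cost via the neighbour is its metric + 1.
        Install a route if it is new or strictly better, or if it comes from
        the neighbour we already use (so a worsening or withdrawal propagates).
        Returns the (network, metric) pairs that changed."""
        changed = []
        for network, metric in advertised:
            net = ipaddress.ip_network(network)
            new_metric = min(metric + 1, RIP_INFINITY)
            current = self.routes.get(net)
            if (current is None
                    or new_metric < current[2]
                    or current[0] == neighbour):
                if current != (neighbour, iface, new_metric):
                    self.routes[net] = (neighbour, iface, new_metric)
                    changed.append((str(net), new_metric))
        return changed


def demo():
    rt = RoutingTable()
    rt.add_static("10.1.0.0/16", "0.0.0.0", "eth0", metric=1)  # directly connected
    rt.add_static("0.0.0.0/0", "10.1.0.1", "eth0", metric=1)    # default route
    # Neighbour 10.1.0.2 advertises two networks; 10.2.5.0/24 is the more specific
    rt.merge_rip_update("10.1.0.2", "eth0", [("10.2.0.0/16", 2), ("10.2.5.0/24", 5)])
    before = rt.lookup("10.2.5.9")           # matches 10.2.5.0/24 at 6 hops
    # The same neighbour now reports 10.2.5.0/24 as unreachable (metric 16)
    rt.merge_rip_update("10.1.0.2", "eth0", [("10.2.5.0/24", 16)])
    after = rt.lookup("10.2.5.9")            # falls back to 10.2.0.0/16 at 3 hops
    return before, after


if __name__ == "__main__":
    for route in demo():
        print(route)
```

The withdrawal case is the one worth noticing: a route from the neighbor we already use is accepted even when it gets worse, otherwise a dead network would stay in the table until its timer expired, and a more specific route that becomes unreachable must not shadow the shorter prefix that is still valid.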

RIP v2

RIP Version 2 is an improved version of RIP supported by Windows 2000. Its chief advantages are that each route entry carries a subnet mask (so variable-length subnets and CIDR blocks are routed correctly), that updates are sent to the multicast address 224.0.0.9 instead of being broadcast to every host on the segment, and that an update can carry an authentication entry. Windows 2000 implements simple password authentication: the password travels in clear text in every update, so it keeps a stray or misconfigured router out of the routing domain but does not stop an attacker who can sniff the segment and reuse the password.

OSPF (Open Shortest Path First)

OSPF is a link state routing protocol: instead of exchanging distances, each router floods a description of its own links to every other router in the area, so all of them hold the same map of the network and compute shortest paths from it. Only changes are flooded, and the metric is a configurable link cost rather than a hop count, so OSPF converges faster, scales to larger networks, and uses less bandwidth than RIP. Windows 2000's OSPF also supports a simple password on its packets, with the same clear-text caveat as RIP v2.

IGMP

IGMP is not a routing protocol but the protocol hosts use to tell the nearest router which multicast groups (such as a streaming media feed) they want to receive. Windows 2000 can run in IGMP router mode on the interface facing the listeners and in IGMP proxy mode on the upstream interface, forwarding multicast traffic between the two. It does not implement a multicast routing protocol, so this is suited to a single router at the edge of a multicast-capable network rather than to a multicast backbone.

Planning Routing Security

Because routers form the backbone of a complex network, they are an important place to consider the security of the network. The following sections describe ways you can build security into your network routing design.

Authentication

Routers can authenticate to one another so that an unauthorized router cannot inject routes into the network. The simplest form is the password carried in RIP v2 and OSPF packets: every router in the routing domain is configured with the same password, and updates carrying a different password (or none) are discarded. Keep in mind what this does and does not protect against. It stops a mistakenly connected or misconfigured router, but the password is sent in clear text, so anyone who can capture routing traffic on the segment can learn it and then advertise routes of their own, for example a false default route that pulls traffic through a host they control.
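The RIP v2 authentication entry discussed here and under "RIP v2" above, as an added example that is not from the original text: it builds a RIP v2 Response carrying a simple-password authentication entry in the RFC 2453 layout, parses it back, accepts the routes only when the password matches, and then shows that the same password is readable in the raw packet. The password, addresses and routes are made up.

```python
"""Added example (not from the original text): build and parse a RIP version 2
Response with a simple-password authentication entry (RFC 2453 section 4.1
and 5.2). The password, router addresses and routes are made up."""
import struct
import ipaddress

RIP_RESPONSE = 2
RIP_V2 = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2
# One 20-byte route entry: AFI, route tag, address, subnet mask, next hop, metric
ENTRY = struct.Struct("!HH4s4s4sI")


def build_rip2_response(password, routes):
    """Serialise a RIPv2 Response: 4-byte header, optional auth entry, routes."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    if password is not None:
        pw = password.encode()
        if len(pw) > 16:
            raise ValueError("simple password is at most 16 bytes")
        # Auth entry occupies the first entry slot: AFI 0xFFFF, type 2,
        # then the password NUL-padded to 16 bytes (clear text on the wire).
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, pw)
    for network, next_hop, metric in routes:
        net = ipaddress.ip_network(network)
        pkt += ENTRY.pack(AFI_IP, 0, net.network_address.packed, net.netmask.packed,
                          ipaddress.ip_address(next_hop).packed, metric)
    return pkt


def parse_rip2_response(pkt, expected_password=None):
    """Return (authenticated, routes). If a password is expected and the
    packet does not carry it, the routes are discarded. That is all the
    shared password buys: it stops a misconfigured router, not an eavesdropper
    who reads the password out of the packet and sends updates of their own."""
    command, version, _ = struct.unpack_from("!BBH", pkt, 0)
    if command != RIP_RESPONSE or version != RIP_V2:
        raise ValueError("not a RIPv2 response")
    body = pkt[4:]
    if len(body) % ENTRY.size or len(body) // ENTRY.size > 25:
        raise ValueError("malformed entry list")
    entries = [body[i:i + ENTRY.size] for i in range(0, len(body), ENTRY.size)]
    authenticated = False
    if entries and struct.unpack_from("!H", entries[0])[0] == AFI_AUTH:
        _, auth_type, auth_data = struct.unpack("!HH16s", entries[0])
        if auth_type == AUTH_SIMPLE_PASSWORD and expected_password is not None:
            authenticated = auth_data.rstrip(b"\x00") == expected_password.encode()
        entries = entries[1:]
    if expected_password is not None and not authenticated:
        return False, []
    routes = []
    for e in entries:
        afi, _tag, addr, mask, nh, metric = ENTRY.unpack(e)
        if afi != AFI_IP or not 1 <= metric <= 16:
            continue  # RFC 2453: ignore entries with a bad AFI or metric
        prefix = ipaddress.ip_network(
            f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}", strict=False)
        routes.append((str(prefix), str(ipaddress.ip_address(nh)), metric))
    return authenticated, routes


def demo():
    routes = [("10.2.0.0/16", "0.0.0.0", 2), ("10.3.0.0/16", "0.0.0.0", 4)]
    pkt = build_rip2_response("s3cret", routes)
    ok, accepted = parse_rip2_response(pkt, "s3cret")   # right password: routes installed
    bad, rejected = parse_rip2_response(pkt, "other")   # wrong password: nothing installed
    visible = b"s3cret" in pkt   # the "secret" is sitting in the packet for anyone on the segment
    return ok, accepted, bad, rejected, visible


if __name__ == "__main__":
    print(demo())
```

The last line of `demo` is the point a practitioner should take away: the filter works, but a capture of a single update hands over the password. Treat RIP v2 password authentication as a guard against accidents and put IPSec or physical segmentation between routers you actually want to protect.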

You can improve upon basic router authentication in the following ways:

  • For demand-dial routing, the calling router authenticates with PPP exactly as a dial-up user does, so require MS-CHAP v2 or EAP-TLS on the demand-dial interface rather than PAP or CHAP, and consider caller ID verification or callback on the router's dial-in account for dial-up links.

  • IPSec can be used to authenticate routers to each other (with certificates, or with Kerberos when both are members of a Windows 2000 domain) and to encrypt the traffic between them, including the routing updates themselves.

IP filtering

The IP packet filtering feature of Windows 2000's Routing and Remote Access service adds a further layer of control on the router itself. Filters are attached to each interface, separately for inbound and outbound traffic, and match on source and destination address, IP protocol, and TCP or UDP port (or ICMP type and code). A filter list works in one of two modes: receive all packets except those that match, or drop all packets except those that match. The second, default-deny mode is the one to use on an Internet-facing interface, for instance to admit nothing but VPN traffic to a VPN server. Note that the TCP/IP filtering option in a network adapter's TCP/IP properties is a different, host-level feature: it applies only to traffic addressed to the computer itself, not to packets the computer forwards.
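The two filter modes described above, as an added example that is not from the original text: a small model of per-interface packet filters with the same "receive all except" and "drop all except" semantics, applied to the inbound side of an Internet-facing interface on a PPTP server (PPTP needs TCP port 1723 for its control channel and IP protocol 47, GRE, for the tunnel). The addresses, the `Packet` and `Filter` classes and the rule sets are all assumptions made for the example.

```python
"""Added example (not from the original text): a model of per-interface packet
filter lists with two modes, receive-all-except and drop-all-except, like the
lists RRAS lets you attach to an interface. Addresses and rules are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # destination port for TCP/UDP, else None


@dataclass(frozen=True)
class Filter:
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[int] = None   # None = any IP protocol
    dport: Optional[int] = None   # None = any port

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


class FilterList:
    """'drop_except' = default deny, the list is the allow list;
    'receive_except' = default allow, the list is the deny list."""
    def __init__(self, mode, filters):
        if mode not in ("drop_except", "receive_except"):
            raise ValueError(mode)
        self.mode, self.filters = mode, list(filters)

    def permits(self, p):
        hit = any(f.matches(p) for f in self.filters)
        return hit if self.mode == "drop_except" else not hit


def classify(filter_list, packets):
    return [filter_list.permits(p) for p in packets]


# Inbound filters for the Internet interface of a PPTP server at 203.0.113.10
# (documentation address): admit only the PPTP control channel and the GRE
# tunnel, and only when addressed to the server itself. The filter sees the
# outer headers only; the PPP frames inside GRE are not inspected here.
VPN_SERVER = "203.0.113.10"
PPTP_INBOUND = FilterList("drop_except", [
    Filter(dst_net=VPN_SERVER + "/32", proto=PROTO_TCP, dport=1723),
    Filter(dst_net=VPN_SERVER + "/32", proto=PROTO_GRE),
])

# The other mode on an internal interface: pass everything except NetBIOS
# session traffic, which has no business crossing this router.
LAN_INBOUND = FilterList("receive_except", [Filter(proto=PROTO_TCP, dport=139)])


def demo():
    outside = "198.51.100.7"
    arriving = [
        Packet(outside, VPN_SERVER, PROTO_TCP, 1723),      # PPTP control: allowed
        Packet(outside, VPN_SERVER, PROTO_GRE),            # PPTP data: allowed
        Packet(outside, VPN_SERVER, PROTO_TCP, 139),       # NetBIOS session: dropped
        Packet(outside, VPN_SERVER, PROTO_UDP, 53),        # DNS: dropped
        Packet(outside, "203.0.113.11", PROTO_TCP, 1723),  # PPTP to another host: dropped
    ]
    return classify(PPTP_INBOUND, arriving)


if __name__ == "__main__":
    print(demo())
```

A default-deny list on the outside interface is what prevents the VPN server from also being a reachable file server; the "receive all except" mode is only appropriate where you can enumerate everything you want to block, which on an Internet-facing interface you cannot.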

VPNs and IPSec

To further secure traffic between routers, you can use encrypted tunnels for the transmission of data. Use one of the following features of Windows 2000:

  • For routers that communicate via the Internet, use VPN tunneling between them. With L2TP, IPSec ESP protects the tunnel; with PPTP, protection comes from MPPE instead, and its strength rests on the MS-CHAP authentication from which the keys are derived.

  • For Windows 2000 routers on the same private network, assign an IPSec policy that requires authentication and ESP encryption for traffic between the routers' addresses (transport mode for the routers' own traffic, such as routing updates; tunnel mode when the packets being forwarded between two sites must be protected).

Optimizing the Routing Design

Routers that operate inefficiently can bog down an entire network. Although Windows 2000’s routing features are reasonably efficient, you can optimize routing to improve availability and performance. Follow these guidelines to optimize routing:

  • If Windows 2000 computers are used as routers, consider using a faster machine or a cluster to provide increased performance and reliability. If the machine is also performing other services, consider dedicating the machine to routing.

  • Use multiple routers to ensure availability.

  • Use redundant routes to ensure connectivity when a portion of the network is unavailable.

  • Consider using persistent connections (such as DSL) for Internet access instead of dial-up connections.

Planning Remote Access

Windows 2000’s Remote Access features allow dial-up modems to be used for network connectivity. Although this feature is often used for remote access by users, it also works with Windows 2000 routing to allow dial-up routing to portions of the network.

As discussed earlier in this chapter, Remote Access works with DHCP to assign IP addresses to modem users. It is also integrated with Windows 2000’s DNS, WINS, and Active Directory services.

Important considerations when designing a remote access solution include server placement, security, and authentication for remote users. The following sections describe items you should consider when planning remote access for a network.

Placement of remote access servers

A remote access server can be placed in a subnet to provide dial-up access to public networks for users of the subnet and to provide dial-in access to the subnet for remote users. The server should be configured with a fast network connection, because remote users already experience delays caused by modem use.

Remote access security

Remote access is particularly vulnerable to security breaches, because access by modem is available to anyone who has the phone number. Thus, Windows 2000 remote access includes a number of security options. Security begins with the authentication of clients. Windows 2000 supports the following authentication types:

CHAP (Challenge Handshake Authentication Protocol)

An Internet-standard protocol (RFC 1994) in which the server sends a random challenge and the client returns an MD5 hash of its password combined with that challenge, so the password itself never crosses the link. The server must be able to recover the clear-text password to check the hash, which in Windows 2000 means storing the user's password with reversible encryption.

MS-CHAP

Microsoft's proprietary variant of CHAP, supported by Windows 9x and Windows NT clients; it lets the server verify the response from the stored NT password hash rather than a reversibly encrypted password. The version 1 exchange has known weaknesses and provides no way for the client to verify the server, so prefer MS-CHAP v2 wherever the clients allow it.

MS-CHAP v2

A revised version of MS-CHAP that adds mutual authentication (the client verifies the server as well) and derives separate encryption keys for each direction; for dial-up connections it is available only to Windows 2000 clients and servers.

Extensible Authentication Protocol (EAP)

An extensible framework rather than a single method: Windows 2000 ships EAP-TLS, which authenticates with certificates or smart cards, and MD5-Challenge, and third parties can add other methods. EAP-TLS is the strongest option listed here because it does not depend on a password at all.

Unencrypted Authentication

Allows use of PAP (Password Authentication Protocol), which sends the password in clear text, and SPAP (Shiva PAP), which uses Shiva's reversible scheme and is only marginally better. Enable these only for clients that support nothing else, and never on an Internet-facing server.
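The CHAP exchange from the list above, as an added example that is not part of the original text: the server issues a random challenge, the client answers with MD5(identifier, secret, challenge) as in RFC 1994, and the server recomputes and compares. The example also shows the two caveats a practitioner should keep in mind: a fresh challenge makes a captured response useless for replay, but the same capture lets an eavesdropper guess the password offline, so CHAP is only as strong as the passwords behind it. The user name, password and wordlist are made up.

```python
"""Added example (not from the original text): the CHAP exchange of RFC 1994.
Server: random challenge. Client: MD5(identifier || secret || challenge).
Server: recompute and compare, which requires the secret in reversible form.
The user, the secret and the wordlist are made up."""
import hashlib
import os
from hmac import compare_digest


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapServer:
    def __init__(self, users):
        self.users = users      # username -> clear-text (reversibly stored) secret
        self.pending = {}       # identifier -> outstanding challenge

    def challenge(self, ident):
        c = os.urandom(16)      # fresh per attempt, so a captured response cannot be replayed
        self.pending[ident] = c
        return c

    def verify(self, ident, username, response):
        c = self.pending.pop(ident, None)   # single use
        secret = self.users.get(username)
        if c is None or secret is None:
            return False
        return compare_digest(chap_response(ident, secret, c), response)


def offline_guess(ident, challenge, response, wordlist):
    """What an eavesdropper does with a captured exchange: the response is an
    unsalted hash of a guessable secret, so try candidates until one matches."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def demo():
    srv = ChapServer({"alice": "Tr0ub4dor"})
    ident = 7
    c = srv.challenge(ident)                           # server -> client
    r = chap_response(ident, "Tr0ub4dor", c)           # client -> server
    ok = srv.verify(ident, "alice", r)                 # accepted
    replay = srv.verify(ident, "alice", r)             # same response again: rejected
    cracked = offline_guess(ident, c, r, ["password", "letmein", "Tr0ub4dor"])
    return ok, replay, cracked


if __name__ == "__main__":
    print(demo())
```

MS-CHAP and MS-CHAP v2 change what is hashed (so the server can work from the stored NT hash) and, in v2, add a server response the client checks, but the offline-guessing exposure is the same family of problem; EAP-TLS avoids it by not using a password at all.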

In addition to authentication, Windows 2000 remote access supports encryption of communications. The following types of encryption are supported:

  • MPPE (Microsoft Point-to-Point Encryption) encrypts PPP frames with the RC4 stream cipher from RSA Data Security, using 40-, 56-, or 128-bit keys. The keys are derived from the MS-CHAP, MS-CHAP v2, or EAP-TLS authentication exchange, so MPPE is available only with those methods and is no stronger than the authentication beneath it; use 128-bit keys with MS-CHAP v2 or EAP-TLS where the clients allow.

  • IPSec is used for L2TP tunneling, described in the following section.

Tunneling protocols

Another important use of remote access is to support virtual private networks, or VPNs. This refers to the use of a public network, such as the Internet, to provide a transport for two or more otherwise unconnected portions of a private network.

Because VPN data travels over public networks, security is of great concern. Windows 2000's VPN protocols use tunneling, which encapsulates the private network's packets inside standard protocols that the public network can carry, and combine it with encryption so that the encapsulated traffic cannot be read in transit. Windows 2000 supports two tunneling protocols:

PPTP (Point-To-Point Tunneling Protocol)

The original Microsoft VPN protocol, created as an extension to the dial-up protocol PPP (Point-to-Point Protocol): a TCP control connection on port 1723 sets up the tunnel, and the PPP frames travel inside GRE (IP protocol 47). PPTP connections are encrypted with MPPE, so their security depends on the strength of the MS-CHAP credentials used.

L2TP (Layer 2 Tunneling Protocol)

A standards-track protocol that combines features of Cisco's L2F (Layer 2 Forwarding) and PPTP, carrying PPP frames over UDP port 1701. L2TP itself provides no confidentiality; Windows 2000 runs it over IPSec ESP, negotiated with IKE on UDP port 500, which authenticates and encrypts every packet and, unlike MPPE, gives per-packet integrity protection.

Your choice of protocol depends mainly on the operating systems in use on the network. PPTP is supported by older Windows systems (Windows 95 with the Dial-Up Networking upgrade, Windows 98, and Windows NT 4.0) and by other platforms; L2TP with IPSec is more secure, but requires Windows 2000 at both ends and, in Windows 2000, computer certificates on client and server for the IKE negotiation.

Optimizing remote access

Remote access can provide an essential link in the network infrastructure, and your design should ensure the optimum availability and performance of remote access. The following are guidelines for improving availability and performance:

  • Use redundant dial-in servers and modems.

  • Add additional servers at remote locations to provide local availability.

  • Consider using Windows 2000 clustering or DNS load balancing to divide remote access tasks among multiple servers.

  • Use the highest-speed modems available.

  • Consider dedicating a server to remote access or using a faster machine or faster disk storage to support large numbers of remote users.

Remote access using RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a standard protocol for centralizing the authentication, authorization, and accounting of remote access. Windows 2000 implements a RADIUS server as the Internet Authentication Service (IAS), and a Routing and Remote Access server can act as a RADIUS client that forwards its users' logons and accounting records to IAS. This can be used as a more sophisticated management tool for remote access, with one set of policies and one accounting log for many access servers.

RADIUS uses existing mechanisms for user authentication rather than providing its own authentication and is a standard defined in RFCs 2138 and 2139. RADIUS allows remote users to authenticate with a Windows NT domain or with the Windows 2000 Active Directory.

For security, RADIUS supports the same encryption and authentication methods as standard remote access, since the PPP authentication exchange is simply relayed to the RADIUS server. The RADIUS client and server share a secret that never travels over the network: it is used to hide the User-Password attribute in requests and to compute the authenticator that proves a reply came from the genuine server. The scheme is built on MD5 and is only as strong as the secret, so use a long random secret, a different one for each RADIUS client, and keep RADIUS traffic on a protected management network where possible.
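How the shared secret is actually used on the wire, as an added example that is not from the original text: an Access-Request with the User-Password attribute hidden by the MD5 chain of RFC 2138/2865, the server unhiding it and answering, and the client checking the Response Authenticator on the reply. The secret, user name, password and packet contents are made up; only User-Name and User-Password attributes are modelled.

```python
"""Added example (not from the original text): the RADIUS shared secret at
work (RFC 2138, later RFC 2865). The secret never travels; it hides the
User-Password attribute in an Access-Request and keys the Response
Authenticator the client checks. Secret, user and password are made up."""
import hashlib
import os
import struct
from hmac import compare_digest

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(t, value):
    """Attribute: Type (1 byte), Length incl. header (1 byte), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret ||
    previous ciphertext block), seeded with the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return out


def unhide_password(secret, request_auth, hidden):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def packet(code, ident, authenticator, attrs):
    """Header: Code, Identifier, Length, 16-byte Authenticator, then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt)
    auth, attrs, i = pkt[4:20], {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, auth, attrs, pkt[20:length]


def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def access_request(secret, ident, username, password):
    ra = os.urandom(16)   # Request Authenticator: random and unique per request
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password)))
    return packet(ACCESS_REQUEST, ident, ra, attrs)


def server_handle(secret, users, request):
    """RADIUS server: recover the password with the secret, decide, sign the reply."""
    _, ident, ra, attrs, _ = parse(request)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = unhide_password(secret, ra, attrs.get(ATTR_USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    return packet(code, ident, response_authenticator(secret, code, ident, ra, b""), b"")


def client_check(secret, request, reply):
    """RADIUS client (the access server): accept the reply only if its
    Identifier matches and its authenticator was computed with the secret over
    this request's Authenticator. Returns (genuine, reply code)."""
    _, req_id, ra, _, _ = parse(request)
    code, ident, resp_auth, _, raw_attrs = parse(reply)
    expected = response_authenticator(secret, code, ident, ra, raw_attrs)
    return ident == req_id and compare_digest(resp_auth, expected), code


def demo():
    secret, users = b"radius-shared-secret", {"bob": "correct horse"}
    req = access_request(secret, 42, "bob", "correct horse")
    reply = server_handle(secret, users, req)
    ok, code = client_check(secret, req, reply)                # genuine Access-Accept
    forged = packet(ACCESS_ACCEPT, 42, os.urandom(16), b"")    # spoofed reply, no secret
    forged_ok, _ = client_check(secret, req, forged)
    reject_code = parse(server_handle(b"other", users, req))[0]  # wrong secret: garbage, reject
    leaked = b"correct horse" in req                           # password not in clear text
    return ok, code, forged_ok, reject_code, leaked


if __name__ == "__main__":
    print(demo())
```

Two things to notice: the hiding of User-Password is a keystream derived from MD5 of the secret, so a captured request gives an attacker an offline guessing target for a weak secret, and nothing in the Access-Request authenticates the client to the server at all (that only arrives with the Message-Authenticator attribute of later RFCs). Both are reasons to keep the RADIUS exchange on a protected network and to choose long random secrets.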
