Lesson 1
Securing TCP/IP Solution and enhancing Design for Availability
The security of a network design is measured by the ability of the design to prevent unauthorized access to data transmission and intranet-based resources.
TCP/IP incorporates security features that provide protection of the TCP/IP data as it is sent on the network, along with configuration of the types of local host traffic that are processed.
The Windows® implementation of TCP/IP includes additional security features that you can employ to secure data as it moves "through the wire."
Probably the most significant feature included with Windows is Internet Protocol Security, or IPSec, which is able to encrypt and decrypt data transparently as it is transferred across the network.
This module demonstrates how to create a successful network design strategy using IPSec.
By the end of this module, you should be able to:
- Reduce unauthorized access to network resources using filters
- Define the data protection features provided by IPSec
- Define the data protection levels provided by IPSec
- Define how to negotiate security keys
- Define the strategies used to enhance the availability of TCP/IP routing structures
The next lesson examines how to protect IP traffic with filters.
Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) automates the process of configuring new and existing devices on TCP/IP networks.
DHCP performs many of the same functions a network administrator carries out when connecting a computer to a network. DHCP enables a program to automatically manage policy decisions and bookkeeping tasks. Replacing manual configuration with a program adds flexibility, mobility, and control to networked computer configurations. This chapter provides an overview of how network administrators allocate, manage, and configure IP addresses, and it shows how administrators can use DHCP to accomplish these same tasks.
It also introduces some of the basic terminology required to understand the capabilities that the protocol provides and examines some reasons for, and caveats about, using DHCP.
Configuring Devices on a Network
Any network administrator using TCP/IP can testify that manually configuring computers attached to a network is a time-consuming and error-prone process.
Indeed, at almost any site, regardless of whether DHCP is in use, the address assignment and configuration process is automated in some way.
I worked as a network administrator at the Digital Equipment Corporation (DEC) campus in Palo Alto, California, before DHCP was available to simplify the tasks of address management and configuration.
The DEC campus used a central IP address administration system, which was based on a single list, or host table, of computers, IP addresses, and Domain Name System (DNS) names for the entire network.
To help introduce you to the tasks that a DHCP server performs, this section describes what network administrators did before DHCP became widely available.
As part of the network administration task, we network administrators updated the host table with new computers as they were added to the network and changed the entries for computers as their names and addresses changed.Periodically, I ran a shell script on the host table to update the DNS server database and configured individual computers manually, from the entries in the host table, by physically walking up to each computer and entering the configuration information. Users had a variety of questions about connecting their computers to the campus network. Usually, they wanted to know what IP address they could use for their computers.
To respond to such questions, we asked the following:
- Who are you?
- Is this a new device, or was it connected to the network before?
- What is the old IP address of the device?
- Where do you need to install this device?
- In what department do you work?