Understanding IP Addressing, Subnetting, and Network Security

  • CIDR (Classless Inter-Domain Routing) is a subnetting method that allows administrators to divide network and host bits anywhere in the address, not just between octets. It introduces a new notation: a standard dotted-decimal address followed by a forward slash and a numeral indicating the network prefix size. The IANA (Internet Assigned Numbers Authority), managed by ICANN (Internet Corporation for Assigned Names and Numbers), is the source of all registered addresses. They allocate address blocks to RIRs (Regional Internet Registries), which then allocate smaller blocks to ISPs (Internet Service Providers).
  • Private Addresses:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16
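As an added example (not part of the original notes), the PowerShell below does the CIDR arithmetic the bullet above describes and checks an address against the three private blocks. It uses only [System.Net.IPAddress]; the sample addresses are constructed for the demo.

```powershell
# Added example: CIDR arithmetic and RFC 1918 membership in Windows PowerShell 5.1 / PowerShell 7.
# Only [System.Net.IPAddress] is used; all sample addresses below are constructed for the demo.

function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()   # network byte order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 {
    param([Parameter(Mandatory)][uint32]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return [System.Net.IPAddress]::new($bytes).ToString()
}

function Get-SubnetInfo {
    # Splits 'a.b.c.d/n' into network, broadcast, mask and host counts.
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $prefixText = $Cidr -split '/', 2
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Prefix length must be 0-32: $Cidr" }
    $ip    = ConvertTo-UInt32 $addr
    # Build the mask by shifting; -band 0xFFFFFFFF discards the bits shifted above 32.
    $mask  = (0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF
    $net   = $ip -band $mask
    $bcast = $net -bor ($mask -bxor 0xFFFFFFFF)
    $total = [math]::Pow(2, 32 - $prefix)
    [pscustomobject]@{
        Cidr        = $Cidr
        Network     = ConvertFrom-UInt32 ([uint32]$net)
        Broadcast   = ConvertFrom-UInt32 ([uint32]$bcast)
        Mask        = ConvertFrom-UInt32 ([uint32]$mask)
        TotalHosts  = [uint64]$total
        # /31 point-to-point links and /32 host routes have no separate network/broadcast address.
        UsableHosts = $(if ($prefix -ge 31) { [uint64]$total } else { [uint64]($total - 2) })
    }
}

function Test-PrivateAddress {
    # True if the address lies inside 10/8, 172.16/12 or 192.168/16 (RFC 1918).
    param([Parameter(Mandatory)][string]$Address)
    $ip = ConvertTo-UInt32 $Address
    foreach ($block in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $info = Get-SubnetInfo $block
        $lo = ConvertTo-UInt32 $info.Network
        $hi = ConvertTo-UInt32 $info.Broadcast
        if ($ip -ge $lo -and $ip -le $hi) { return $true }
    }
    return $false
}

# Demo: a /26 that splits inside the last octet, and the 172.16/12 edge that is often misjudged.
Get-SubnetInfo '192.168.10.77/26' | Format-List
'172.31.255.254', '172.32.0.1', '10.200.3.4', '203.0.113.9' |
    ForEach-Object { '{0,-16} private: {1}' -f $_, (Test-PrivateAddress $_) }
```

For 192.168.10.77/26 the network is 192.168.10.64, the broadcast 192.168.10.127 and the mask 255.255.255.192 (62 usable hosts); 172.31.255.254 is private but 172.32.0.1 is not, because 172.16.0.0/12 ends at 172.31.255.255.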
  • Network Address Translation (NAT) is a network-layer technology (port-based NAT also rewrites transport-layer port numbers) enabling multiple workstations to share a single registered address. A NAT router has two interfaces: one connected to a private network and the other to the Internet. Because it works below the application layer, clients need no configuration and any application protocol passes through it; the exception is protocols that embed IP addresses in their payload (FTP, SIP), which need an application-level gateway on the router.
  • Proxy Servers operate at the application layer, forwarding specific traffic to internet destinations. They primarily provide web access through browsers. Unlike NAT routers, applications must be configured to use a proxy server. Functions include:
    • Filtering
    • Logging
    • Caching
    • Scanning
  • IPv6 has no broadcast transmissions or addresses.
  • IPv6 Address Types:
    • Unicast: One-to-one transmission to individual interfaces.
    • Multicast: One-to-many transmission to groups of interfaces identified by a single address.
    • Anycast: One-to-one-of-many transmission to groups of interfaces, with only the nearest receiving the transmission.
  • A global unicast address is the IPv6 equivalent of a registered, globally routable, and unique IPv4 address.
  • Link-local unicast addresses are automatically created on every IPv6 interface and are similar to APIPA (169.254.0.0/16) addresses in IPv4; they are never routed beyond the local link. Example: fe80:0000:0000:0000:0000:0000:0000:0000/64 = fe80::/64 (the reserved range is fe80::/10, but hosts use a /64).
  • Unique local unicast addresses are the IPv6 equivalent of private network addresses in IPv4.
  • The loopback address returns messages to the sender. In IPv6, it’s 0:0:0:0:0:0:0:1, commonly written as ::1.
  • Site-Local Unicast Addresses: fec0::/10 (deprecated).
  • Tunneling encapsulates IPv6 datagrams within IPv4 packets for transmission over IPv4 networks.
  • Teredo (2001::/32) is an automatic tunneling protocol used by Windows behind NAT routers.
  • Windows Server 2003 and Windows XP support IPv6 but don’t install it by default.
  • The IP standard reserved Class D for multicast and Class E as experimental.
  • Unique local unicast addresses come from fc00::/7; the locally assigned half, fd00::/8, is the part actually used, so in practice they begin with fd.
  • Link-local addresses begin with fe80 (fe80::/10).
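An added example (not from the original notes) that classifies an IPv6 address by the prefixes listed above, in PowerShell using only [System.Net.IPAddress]. The sample addresses are constructed.

```powershell
# Added example: classify an IPv6 address by the prefixes listed in these notes.
# Uses only [System.Net.IPAddress]; the sample addresses are constructed.

function Get-IPv6AddressType {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    $b = $ip.GetAddressBytes()    # 16 bytes, most significant first
    # Exact matches first, then prefixes from most to least specific:
    # Teredo (2001::/32) must be tested before the global unicast range (2000::/3) that contains it.
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { return 'Loopback (::1)' }
    if ($ip.Equals([System.Net.IPAddress]::IPv6Any))      { return 'Unspecified (::)' }
    if ($b[0] -eq 0xff)                                   { return 'Multicast (ff00::/8)' }
    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80)  { return 'Link-local unicast (fe80::/10)' }
    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0xc0)  { return 'Site-local unicast (fec0::/10, deprecated)' }
    if (($b[0] -band 0xfe) -eq 0xfc)                      { return 'Unique local unicast (fc00::/7; fd00::/8 in practice)' }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) {
        return 'Teredo tunnel client (2001::/32)'
    }
    if (($b[0] -band 0xe0) -eq 0x20)                      { return 'Global unicast (2000::/3)' }
    return 'Other / reserved'
}

# Anycast cannot be told from the address itself: it is an ordinary unicast address assigned to several interfaces.
'::1', 'fe80::1c3a:9eff:fe12:3456', 'fd12:3456:789a::1', 'fec0::1',
'2001:0:53aa:64c:1c3a:9eff:fe12:3456', '2001:db8::1', 'ff02::1' |
    ForEach-Object { '{0,-40} {1}' -f $_, (Get-IPv6AddressType $_) }
```

The order of the tests matters: the Teredo prefix 2001::/32 and the documentation prefix 2001:db8::/32 both sit inside 2000::/3, so the narrower prefix has to be checked first.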
  • Reducing DNS Traffic (over the Internet link):
    • Configure the perimeter DNS server to use the ISP’s DNS server as a forwarder.
    • Configure workstations to use the ISP’s DNS server as their primary DNS server. This applies only to stand-alone hosts; domain-joined clients must keep an internal, AD DS-aware DNS server as primary, because they locate domain controllers through the SRV records it hosts.
  • DMZ (Demilitarized Zone) is a subnetwork, separated from the internal network by a firewall, that hosts external-facing services so that a compromise of those services does not give direct access to the internal network.
  • DNS Name Resolution Requests:
    • Recursive Query: The DNS server takes full responsibility for resolving the name.
    • Iterative Query: The DNS server responds with the best information it has at the time.
  • Forwarding: a DNS server that cannot answer a query from its own zones or cache sends a recursive query to a designated upstream server (the forwarder) instead of iterating from the root servers itself.
  • Push vs. Pull Partnerships in Replication (WINS replication partners):
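An added example (not from the original notes) that configures forwarding on the perimeter DNS server with the DnsServer module and then shows the recursive vs. iterative difference with Resolve-DnsName. The resolver address 203.0.113.53 is a placeholder; 198.41.0.4 is a.root-servers.net.

```powershell
# Added example: forwarding on the perimeter DNS server, and recursive vs. iterative queries seen from the client side.
# Run the first part on a Windows DNS server (DnsServer module); the ISP resolver address is a placeholder.
Import-Module DnsServer

# Perimeter DNS: send everything it cannot answer to the ISP resolver instead of walking the root servers itself.
Add-DnsServerForwarder -IPAddress 203.0.113.53 -PassThru
# Do not fall back to root hints when the forwarder does not answer (keeps all outbound DNS on one path).
Set-DnsServerForwarder -UseRootHint $false

# Recursive query: RD bit set; the server we ask does all the work and returns a final answer.
Resolve-DnsName -Name www.example.com -Type A -DnsOnly

# Iterative query sent straight to a root server with the RD bit cleared: the root server does not resolve
# the name, it returns only a referral (NS records for "com" in the Authority section), i.e. the best
# information it has at the time.
Resolve-DnsName -Name www.example.com -Type A -Server 198.41.0.4 -NoRecursion -DnsOnly
```

A forwarder that is itself open to recursion from the Internet is a classic amplification vector, so on the perimeter server keep recursion available only to the internal interface.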
    • Push Partners: Trigger replication based on the number of database changes.
    • Pull Partners: Initiate replication on a schedule.
  • Reasons for Multiple Domains in a Forest:
    • Security: Separate security policies.
    • Administration: Administrative autonomy.
    • Namespace: Different namespaces for branding or mergers.
    • Replication: Reduced replication traffic.
  • Disadvantages of Multiple Domains:
    • Group Policy: Separate GPOs needed for each domain.
    • Moving Objects: Easier to move objects between OUs than between domains.
    • Domain Controllers: More servers required.
    • Administration Policies: Still need enterprise-wide policies.
    • Access Control: Requires inter-domain trusts.
    • Global Catalog: Careful planning of global catalog servers needed.
  • Benefits of a Dedicated Root Domain:
    • Forest-Level Group Security: Minimizes users in critical groups.
    • Simplified Replication: Reduced replication traffic.
    • Easy Backup: Smaller domain database.
  • Administrative Delegation Models:
    • Centralized: Single staff manages all tasks from a central location.
    • Distributed: Tasks delegated among IT staff based on geography or business unit.
    • Mixed: Combination of centralized and distributed delegation.
  • Standard Windows Three-Step Policy for Creating Groups:
    1. Create domain local groups and grant them access to resources.
    2. Create global groups and add users (or other global groups) to them.
    3. Add the global groups as members of the domain local groups.
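The three steps above as an added PowerShell example (not from the original notes), using the ActiveDirectory module from RSAT. All names are hypothetical: domain CORP (corp.example.com), OU Groups, share D:\Shares\Finance, users alice and bob.

```powershell
# Added example of the three-step (AGDLP) pattern with the ActiveDirectory module (RSAT).
# Hypothetical names: domain CORP (corp.example.com), OU 'Groups', share D:\Shares\Finance, users alice/bob.
Import-Module ActiveDirectory

$groupOu = 'OU=Groups,DC=corp,DC=example,DC=com'
$share   = 'D:\Shares\Finance'

# Step 1: one domain local group per resource and permission level; it is the only principal granted on the ACL.
New-ADGroup -Name 'DL_Finance_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu `
            -Description "Modify on $share"
# (Run the ACL part on the file server once the new group has replicated there.)
$acl  = Get-Acl -Path $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            'CORP\DL_Finance_Modify', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Step 2: one global group per role; users (or other global groups) go here, never directly on the ACL.
New-ADGroup -Name 'G_FinanceStaff' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'G_FinanceStaff' -Members 'alice', 'bob'

# Step 3: nest the role group into the resource group.
Add-ADGroupMember -Identity 'DL_Finance_Modify' -Members 'G_FinanceStaff'

# Checks: effective membership resolves through the nesting, and the ACL names only the DL group.
Get-ADGroupMember -Identity 'DL_Finance_Modify' -Recursive | Select-Object SamAccountName, objectClass
(Get-Acl -Path $share).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Keeping users out of the domain local group and off the ACL is what makes the pattern auditable: access reviews read the ACL (which groups hold which rights) and the global groups (who is in each role) separately.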
  • Reasons for Creating Multiple ADDS Sites:
    • Replication: Conserves bandwidth with intersite replication.
    • Authentication: Clients authenticate with domain controllers in the same site.
    • Applications: AD-aware applications minimize intersite traffic.
  • Intrasite vs. Intersite Replication:
    Feature             Intrasite           Intersite
    Initiation          Automatic           Scheduled
    Compression         No                  Yes
    Configuration       Simple              Complex
    ADDS Objects        Not required        Required (site links, etc.)
    Participating DCs   Multiple partners   Bridgehead servers
  • Replication Topology Models:
    • Hub-and-Spoke: One central hub site communicates with all branch offices.
    • Full Mesh: Each site connects to every other site.
    • Hybrid: Mixes hub-and-spoke and full mesh.
  • How Many Domain Controllers?
    • Minimum two per domain for fault tolerance.
    • Preferably two per site per domain with resources at that site.
  • Read-Only Domain Controller (RODC):
    • Introduced in Windows Server 2008 for enhanced security in branch offices.
    • Holds a read-only replica: it receives inbound replication but never originates changes, so a compromised RODC cannot push changes back into the domain, and its password replication policy limits which account secrets are cached on it.
  • Universal Group Membership Caching:
    • Introduced in Windows Server 2003.
    • Allows domain controllers to cache user group memberships, reducing reliance on global catalog servers.
  • Location Schema: A hierarchical system for designating physical locations of devices.
  • Creating GPOs Strategically:
    • Create GPOs for specific purposes.
    • Use descriptive names.
    • Avoid deploying the same GPO to multiple sites.
    • Disable unused elements.
    • Use blocking and enforcement sparingly.
  • Security Filtering: Restricts GPO application based on security group membership.
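An added example (not from the original notes) of security filtering with the GroupPolicy module. The GPO name and the group G_FinanceWorkstations are hypothetical.

```powershell
# Added example of GPO security filtering with the GroupPolicy module. GPO and group names are hypothetical.
Import-Module GroupPolicy
$gpoName = 'Finance Workstation Lockdown'

# Default filtering is 'Authenticated Users: Apply'. Reduce it to Read only: since MS16-072 (KB3163622)
# the computer account must still be able to READ the GPO, or the policy is not processed at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace

# Apply only to the members of the filtering group.
Set-GPPermission -Name $gpoName -TargetName 'G_FinanceWorkstations' -TargetType Group `
                 -PermissionLevel GpoApply

# Verify: exactly one trustee should hold GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

In GPMC the "Security Filtering" list is just the set of trustees with the Apply permission; removing Authenticated Users from it without leaving Read behind is the common way to break a GPO silently.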
  • Multifactor Authentication: Combines two or more authentication methods for increased security.
  • Branch Office Considerations:
    • Large Branch Office: At least two domain controllers, DNS servers, and a Global Catalog server.
    • Medium-Sized Branch Office: At least one domain controller, DNS server, and a Global Catalog server.
    • Small Branch Office: Generally, no domain controller due to lack of qualified personnel and physical security.
  • Administrative Role Separation: Allows designation of local administrators for RODCs without domain permissions.
  • Dsmgmt.exe: Command-line tool for managing AD DS partitions and creating local administrators.
  • BranchCache: Feature in Windows Server 2008 R2 and Windows 7 that caches frequently accessed files locally to conserve bandwidth. Two modes:
    • Distributed Cache Mode: Each workstation caches data and shares it with others.
    • Hosted Cache Mode: A dedicated server caches data for the branch office.
  • Steps of BranchCache File Negotiation (Hosted Cache Mode):
    1. Client requests file from content server.
    2. Content server responds with metadata.
    3. Client checks local cache using metadata.
    4. Caching server confirms file availability.
    5. Client requests file from caching server.
    6. Caching server sends the file to the client.
  • Two-Stage RODC Deployment: Allows a domain admin to create the RODC account and a local admin to complete the deployment without domain privileges.
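The two-stage deployment and the administrative role separation described above, as an added PowerShell example (not from the original notes) using the ADDSDeployment and ActiveDirectory modules. The names BR01-RODC, site Branch01, domain corp.example.com and the accounts branch01-admin and branch01-ops are hypothetical.

```powershell
# Added example of two-stage RODC deployment. Names (BR01-RODC, Branch01, CORP\branch01-admin) are hypothetical.

# Stage 1: a Domain Admin pre-creates the RODC computer account from any machine with RSAT.
# The delegated administrator becomes local admin of that RODC without any domain-level privileges.
Import-Module ADDSDeployment
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'BR01-RODC' `
    -DomainName 'corp.example.com' `
    -SiteName 'Branch01' `
    -DelegatedAdministratorAccountName 'CORP\branch01-admin' `
    -Credential (Get-Credential 'CORP\Administrator')

# Stage 2: the delegated admin runs this on the branch server, which is named BR01-RODC and is still in a workgroup.
# -UseExistingAccount attaches the server to the pre-created account; read-only role and site come from that account.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -UseExistingAccount `
    -Credential (Get-Credential 'CORP\branch01-admin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# After promotion: limit which secrets the RODC may cache. Members of the built-in
# 'Denied RODC Password Replication Group' (Domain Admins and other privileged groups) are never cached.
Import-Module ActiveDirectory
Set-ADDomainControllerPasswordReplicationPolicy -Identity 'BR01-RODC' -AllowedList 'Branch01 Users'

# Administrative role separation: additional local admins are added on the RODC itself with dsmgmt,
# again without granting any domain permissions (interactive session shown as comments):
#   dsmgmt
#   dsmgmt: local roles
#   local roles: add CORP\branch01-ops administrators
#   local roles: show role administrators
```

The point of the split is that the account with Domain Admins rights never logs on at the branch, so its credentials are never exposed on hardware with weak physical security.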
  • Public Key Infrastructure (PKI): A system for managing digital certificates.
  • Digital Certificate: An electronic document that verifies identity and contains a public key.
  • Encryption: Ensures confidentiality in PKI.
  • Digital Signature: Ensures integrity, authenticity, and non-repudiation.
  • Hash Function: Maps data of arbitrary size to a fixed-size hash value.
  • Certificate Chain: A list of certificates used to authenticate an entity.
  • Secure Sockets Layer (SSL), now superseded by TLS: uses the server’s certificate (public key) and private key to authenticate the server and establish session keys for encrypted communication.
  • Certificate Templates: Define the format and content of certificates.
  • Certificate Enrollment Procedures:
    1. Generate keys.
    2. Collect required information.
    3. Request the certificate.
    4. Verify the information.
    5. Create the certificate.
    6. Send or post the certificate.
  • Autoenrollment: Requires granting Read, Enroll, and Autoenroll permissions on the certificate template to the intended users or computers (normally via a group), plus the Certificate Services Client - Auto-Enrollment Group Policy setting enabled for them.
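The enrollment procedure and the certificate chain described above, as an added PowerShell example (not from the original notes) using the PKI module and .NET's X509Chain. The template name WebServer and the subject name are hypothetical; the template must allow the subject to be supplied in the request, and the caller must hold Read and Enroll on it.

```powershell
# Added example: enroll against a template, then walk the certificate chain with .NET's X509Chain.
# Template 'WebServer' and the subject name are hypothetical; the template must allow "supply in the request".
Import-Module PKI

$result = Get-Certificate -Template 'WebServer' -SubjectName 'CN=web01.corp.example.com' `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }

function Test-CertificateChain {
    # Builds the chain leaf -> intermediates -> root and reports each link plus any policy/revocation errors.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Check CRL/OCSP as well; a chain that builds but is revoked must not count as valid.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $valid = $chain.Build($Certificate)
    $links = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject  = $el.Certificate.Subject
            Issuer   = $el.Certificate.Issuer
            NotAfter = $el.Certificate.NotAfter
            Status   = ($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
    [pscustomobject]@{
        Valid  = $valid
        Links  = $links
        Errors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

$report = Test-CertificateChain -Certificate $result.Certificate
$report.Links | Format-Table -AutoSize
"Chain valid: $($report.Valid)  $($report.Errors)"
```

Build returns $true only if every link validates against a trusted root and passes the revocation check; the Links list is the certificate chain itself, leaf first, issuer last.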
  • RAID (Redundant Array of Independent Disks):
    • RAID 1 (Disk Mirroring): Data is mirrored on two drives for fault tolerance.
    • RAID 5 (Striping with Parity): Data is striped across multiple drives with parity for fault tolerance.
    • RAID 10 (Stripe of Mirrors): Combines mirroring and striping for performance and fault tolerance.
    • RAID 01 (Mirror of Stripes): Mirrors striped sets of disks.
  • Network-Attached Storage (NAS): A file-level storage device connected to a network.
  • Storage Area Network (SAN): A high-performance network for connecting servers to storage devices.