Client-6.5-7.1.docx
Uploaded by ExtraordinaryMars, Anoka-Ramsey Community College
**Audit Policies**

In Windows, auditing records system events and other system changes. Auditing is enabled by configuring audit policies on a local system or through Group Policy. An audit policy is either enabled or disabled. When enabled, you choose to:

- Audit Success to identify who has gained access or who was able to exercise a right or privilege.
- Audit Failure to identify patterns of attempted access.

Account Logon auditing tracks when a user account is used to authenticate to a computer. Account logon auditing generates an event on the system where the user account exists.

- When a local user account is used, the local computer records the logon event.
- When a domain user account is used, the domain controller records the logon event. In a multiple domain controller environment, you do not know which domain controller will authenticate a user. Event log subscriptions allow you to centralize the event log by collecting copies of specified events from multiple computers.

Account Management auditing tracks changes to user accounts, including:

- Create
- Rename
- Disable/enable
- Delete
- Change the password

DS Access auditing tracks changes to Active Directory objects. Beginning with Windows Server 2008, DS Access auditing capabilities are integrated with Group Policy. The Audit Directory Service Access policy is divided into four subcategories:

- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication

When you enable DS Access auditing, auditing for all four subcategories is enabled. To enable auditing for an individual subcategory, use the `auditpol /set /subcategory:"<subcategory name>"` command. When configuring DS auditing, enable auditing on the domain or OU, then identify the users and objects to audit. Enabling auditing using a GPO alone is insufficient.

To record the old and new values of changed objects, use Audit Directory Service Changes.
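The Audit Failure, Audit Success and Account Management policies above produce records that only pay off if somebody looks for patterns in them. The following is an added example, not part of the course text, that runs that kind of review over a handful of constructed Security-log-style records: it flags a burst of failed logons from one user/source pair, reports bursts that were followed by a successful logon from the same source, and lists account-management changes. The records are made up; the event IDs used are the standard Windows Security IDs (4625 failed logon, 4624 successful logon, 4720/4722/4724/4725/4726 for account created/enabled/password reset/disabled/deleted). The `computer` field stands for the host whose Security log holds the record, which is why the account-management records sit on the domain controller and the logon records on the workstation.

```python
"""Added example, not from the course text: review constructed Security log
records for the patterns the Audit Failure, Audit Success and Account
Management policies exist to surface. Event IDs are the standard Windows
Security IDs; every record below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
ACCOUNT_MGMT = {4720: "created", 4722: "enabled", 4724: "password reset",
                4725: "disabled", 4726: "deleted"}


def make_sample_events():
    """Constructed records. 'computer' is the host whose Security log holds the
    record: logon events land on the workstation, account management on the DC."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    events = []
    # six failures for one account from one source inside three minutes, then a success
    for i in range(6):
        events.append({"time": base + timedelta(seconds=30 * i), "id": FAILED_LOGON,
                       "computer": "WS01", "user": "jdoe", "src": "10.1.1.5"})
    events.append({"time": base + timedelta(minutes=4), "id": SUCCESS_LOGON,
                   "computer": "WS01", "user": "jdoe", "src": "10.1.1.5"})
    # two mistyped passwords from another user: ordinary noise, not a pattern
    for i in range(2):
        events.append({"time": base + timedelta(minutes=20 + i), "id": FAILED_LOGON,
                       "computer": "WS02", "user": "asmith", "src": "10.1.1.9"})
    # account management recorded on the domain controller
    events.append({"time": base + timedelta(hours=1), "id": 4720,
                   "computer": "DC01", "user": "admin", "target": "svc-backup"})
    events.append({"time": base + timedelta(hours=1, minutes=1), "id": 4724,
                   "computer": "DC01", "user": "admin", "target": "svc-backup"})
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """{(user, src): count} for every user/source pair with at least
    `threshold` failed logons inside one sliding `window`."""
    times_by_pair = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            times_by_pair[(e["user"], e["src"])].append(e["time"])
    bursts = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[pair] = max(bursts.get(pair, 0), count)
    return bursts


def bursts_followed_by_success(events, bursts):
    """Burst pairs that later logged on successfully from the same source:
    the entries an analyst reviews first."""
    hits = []
    for (user, src), count in bursts.items():
        same = [e for e in events if e["user"] == user and e.get("src") == src]
        last_fail = max(e["time"] for e in same if e["id"] == FAILED_LOGON)
        if any(e["id"] == SUCCESS_LOGON and e["time"] > last_fail for e in same):
            hits.append((user, src, count))
    return hits


def account_changes(events):
    """Account Management records as (computer, action, target, actor)."""
    return [(e["computer"], ACCOUNT_MGMT[e["id"]], e["target"], e["user"])
            for e in events if e["id"] in ACCOUNT_MGMT]


if __name__ == "__main__":
    evs = make_sample_events()
    found = failed_logon_bursts(evs)
    print("failure bursts:", found)
    print("bursts then success:", bursts_followed_by_success(evs, found))
    print("account changes:", account_changes(evs))
```

The sliding window matters: two mistyped passwords twenty minutes apart never reach the threshold, while six failures in three minutes do, and the follow-on success from the same source is what separates a locked-out colleague from something worth an incident ticket.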
By contrast, auditing the Directory Service Access subcategory creates a log entry when a change is made, but it does not log the actual values that were changed.

Logon auditing tracks logon or logoff on the local system, or a network connection being made to a system. For logon auditing, an audit event is recorded in the audit log of the local system regardless of the type of user account used. For example, when a user logs on to a computer using a domain account, a logon event is recorded on the local workstation, while an account logon event is recorded on the domain controller.

Object Access auditing tracks access to files, folders, or printers. You can also audit actions taken by a certificate authority, access to specific registry settings, or access to specific IIS metabase settings. For file auditing to occur, the files must be on NTFS partitions. In addition to enabling auditing in the audit policy, you must configure auditing on the specific objects you want to track.

Policy Change auditing tracks changes to user rights, trust relationships, IPsec and Kerberos policies, or audit policies.

Privilege Use auditing tracks when:

- A user exercises a user right.
- An administrator takes ownership of an object.

Process Tracking auditing records actions taken by applications. You use Process Tracking auditing mainly for program debugging and tracking.

System Events auditing tracks system shutdown, restart, or the starting of system services. It also tracks events that affect security or the security log.

Be aware of the following when configuring auditing:

- Auditing requires system resources.
- You view audit entries in the Event Viewer Security log.
- In Windows Server 2012, you can set up conditional auditing.
- Both DS Access and Object Access auditing require two steps for configuration:
  1. Enable auditing in the local security policy or Group Policy.
  2. Configure auditing on the specific objects. View the System Access Control List (SACL) of the Active Directory object or the NTFS file or folder to identify the users, groups, or actions to track.
- In addition to tracking the necessary events, make sure the logs are properly configured to save all the necessary information:
  1. Use the Event Log policies in Group Policy to configure the Security log size and retention method.
  2. Configure logs not to overwrite events you want to preserve. When logs are not configured to clear automatically, you must periodically save and clear the logs to make room for additional events.
  3. Enable the Audit: Shut down system immediately if unable to log security audits security option to prevent the system from being used if the log is full. This setting is also referred to as CrashOnAuditFail.

Beginning with Windows Server 2008 R2, advanced auditing capabilities were integrated with Group Policy. Advanced auditing offers 53 settings that allow you to eliminate unwanted data and specifically target the data important for system management and security. Advanced auditing settings can be used in place of the nine basic auditing settings.

- If you use advanced audit policy configuration settings, enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy under Local Policies\Security Options.
- This prevents conflicts between similar settings by forcing the basic security auditing settings to be ignored.

This lesson covers the following topics:

- User Account Control (UAC)
- UAC concepts
- UAC levels

**User Account Control**

User Account Control is a tool that generates an alert when a task or operation needs administrative privileges. To understand how UAC works, be aware of the following:

- A standard user account has the minimum amount of user rights and privileges required to perform most basic tasks.
- An administrator account can perform any action on the computer.
For example, administrators can turn off firewalls, configure security policies, and install software for the entire computer.

Remember the following about administrator accounts:

- Administrators are members of the local Administrators group.
- Each computer has a built-in Administrator account that is disabled by default.
- During a new installation, the first user account created is automatically a member of the Administrators group. Subsequent user accounts are created as standard users.
- The built-in Administrator account is enabled during an upgrade if it is the only user account with administrative privileges. Otherwise, it is disabled.
- If the system has at least one administrator account, the built-in Administrator account cannot be used to log on in Safe Mode. Safe Mode logon using the built-in Administrator account is never allowed for computers that are members of a domain.

**UAC Concepts**

Administrators should log on using a standard user account for security reasons. For applications and processes that require administrator-level access to complete tasks, UAC can elevate privileges. Privilege elevation raises the privilege level of a standard user to that of an administrator. Admin Approval Mode requires explicit approval of the elevation by responding to the UAC prompt.

- If the user is a standard user, UAC prompts for credentials. The user must provide the username and password of an administrative user account.
- When logged on as an administrator, the user must confirm approval for the action that requires privilege elevation.

When a user logs on to the system, an access token is generated. The access token controls the type of actions the user can perform on the system.

- The access token identifies the user account as either a standard user or an administrator.
- A standard user access token is generated when a standard user logs on.
- Two access tokens are generated when an administrator logs on. One is a standard user token; the other is an administrator token.
- The standard user token is used to attempt all tasks, for both standard users and administrators.
- If the standard user access token is insufficient to perform the task, the system requests privilege elevation:
  - A standard user is prompted to provide administrator credentials (username and password).
  - An administrative user must confirm that the administrative token should be used to perform the task.

**UAC Levels**

Use the UAC settings in Control Panel to configure the sensitivity of UAC. You can adjust the UAC notification level to reduce constant or unnecessary UAC prompts. Notification-level settings include the following:

| Notification level | Behavior |
|---|---|
| Always notify | A UAC prompt and the secure desktop display for 150 seconds. The user must respond to the prompt to perform any actions. After 150 seconds without a response, UAC automatically denies the request. Always notify is the recommended configuration because it is the most secure. |
| Notify me only when apps try to make changes to my computer | The user is prompted only when programs try to change the computer or Windows settings. A UAC prompt and the secure desktop display for 150 seconds. The user must respond to the prompt to perform any actions. After 150 seconds without a response, UAC automatically denies the request. |
| Notify me only when apps try to make changes to my computer (do not dim the desktop) | The user is prompted only when a program tries to change the computer, or a program not included with Windows attempts to modify Windows settings. The secure desktop is not displayed. |
| Never notify | All actions are executed without UAC prompts or the secure desktop if logged on as an administrator. All actions requiring privilege elevation are automatically denied if logged on as a standard user. You turn UAC off when you select Never notify. Turning UAC off requires a system reboot. |
The following lists give the equivalent Group Policy settings for each notification level.

Always notify:

- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent on the secure desktop
- User Account Control: Switch to the secure desktop when prompting for elevation = Enabled

Notify me only when programs try to make changes to my computer:

- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
- User Account Control: Switch to the secure desktop when prompting for elevation = Enabled

Notify me only when programs try to make changes to my computer (do not dim the desktop):

- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Prompt for consent for non-Windows binaries
- User Account Control: Switch to the secure desktop when prompting for elevation = Disabled
- User Account Control: Behavior of the elevation prompt for standard users = Prompt for credentials

Never notify:

- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
- User Account Control: Switch to the secure desktop when prompting for elevation = Disabled
- User Account Control: Run all administrators in Admin Approval Mode = Disabled

With these settings, UAC is disabled. If you use Group Policy to turn off UAC, reboot the system for the changes to take effect.
On a local device, User Account Control (UAC) is commonly managed using the interface provided in Control Panel. This tool is appropriate for standalone systems or when managing only a few computers. If an organization's network contains many Windows systems and they are all members of a domain, the process of managing UAC settings can be optimized using Group Policy settings.

This lesson covers the following topics:

- Managing UAC with Group Policies
- UAC Group Policy settings

**Managing UAC with Group Policies**

Using Group Policy to manage UAC settings eliminates the need to manually manage configuration settings on each individual system. Instead, the system administrator configures the appropriate settings in a domain Group Policy object (GPO). These policy settings are then automatically pushed down to each Windows workstation. To access the UAC settings on Windows Server 2019:

1. Open Server Manager and select Tools > Group Policy Management.
2. Expand Forest: YourForest > Domains > YourDomain > Group Policy Objects.
3. Right-click the desired Group Policy object and select Edit.
4. Expand and select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

The Application Information Service must be running for UAC to work correctly. If you disable this service, you will receive Access Denied errors because applications cannot request admin-level approval.

**UAC Group Policy Settings**

**User Account Control: Admin Approval Mode for the built-in Administrator account**

This policy setting configures how Admin Approval Mode functions for the built-in Administrator account. You can configure the following options:

- Enabled: the built-in Administrator account uses Admin Approval Mode. In this mode, the user is prompted to approve any operation that requires privilege elevation.
- Disabled: the built-in Administrator account runs applications with full administrative privileges.

**User Account Control: Allow User Interface Accessibility (UIA) applications to prompt for elevation without using the secure desktop**

This policy setting controls whether UIA applications (e.g., Remote Assistance) can automatically disable the secure desktop. You can configure the following options:

- Enabled: UIA applications are allowed to automatically disable the secure desktop when prompting for privilege elevation.
- Disabled: the secure desktop can be disabled only by the end user.

Even if this policy is enabled, a UIA program must be digitally signed before it is allowed to respond to the UAC elevation prompt. By default, UIA programs can be run only from the following protected folders:

- C:\Program Files (including all subfolders)
- C:\Program Files (x86) (including all subfolders)
- C:\Windows\System32

You can use the User Account Control: Only elevate UIAccess applications that are installed in secure locations policy setting to allow UIA applications to run from any folder, not just from the protected folders.

**User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode**

This policy setting controls the behavior of the elevation prompt for administrators. You can configure the following options:

- Elevate without prompting: privileged accounts perform an operation that requires elevation without consent or credentials being requested.
- Prompt for credentials on the secure desktop: the user is prompted to enter an administrative user name and password on the secure desktop when an operation requires privilege elevation.
- Prompt for consent on the secure desktop: the user is prompted on the secure desktop to select either Permit or Deny when an operation requires privilege elevation.
- Prompt for credentials: the user is prompted to enter an administrative user name and password when an operation requires privilege elevation.
- Prompt for consent: the user is prompted to select either Permit or Deny when an operation requires privilege elevation.
- Prompt for consent for non-Windows binaries: the user is prompted to select either Permit or Deny on the secure desktop when an operation for a non-Microsoft application requires privilege elevation.

**User Account Control: Behavior of the elevation prompt for standard users**

This policy setting controls the behavior of the elevation prompt for standard users. You can configure the following options:

- Automatically deny elevation requests: an Access Denied error message is displayed when an operation requests privilege elevation.
- Prompt for credentials on the secure desktop: the user is prompted to enter an administrative user name and password on the secure desktop when an operation requires privilege elevation.
- Prompt for credentials: the user is prompted to enter an administrative user name and password when an operation requires privilege elevation.

**User Account Control: Detect application installations and prompt for elevation**

This policy setting configures the system to detect new application installations. You can configure the following options:

- Enabled: the user is prompted to enter an administrative user name and password when an application installation that requires privilege elevation is detected.
- Disabled: application installations are not detected, and no elevation prompt is shown for them.

**User Account Control: Only elevate executables that are signed and validated**

This policy setting enforces PKI signature checks for applications that request elevation of privilege. You can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. You can configure the following options:

- Enabled: PKI validation must succeed for a given executable file before it is permitted to run.
- Disabled: PKI validation is not required for a given executable file before it is permitted to run.

**User Account Control: Only elevate UIAccess applications that are installed in secure locations**

This policy setting controls whether applications that request to run with a UIAccess integrity level must reside in a secure location in the file system. Secure locations are limited to the following:

- ...\Program Files\, including subfolders
- ...\Windows\system32\
- ...\Program Files (x86)\, including subfolders, on 64-bit versions of Windows

You can configure the following options:

- Enabled (default): an application runs with UIAccess integrity only if it resides in a secure location in the file system.
- Disabled: an application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

**User Account Control: Run all administrators in Admin Approval Mode**

This policy setting controls the behavior of all UAC policy settings. You can configure the following options:

- Enabled: Admin Approval Mode is enabled. In this configuration, all related UAC policy settings must also be configured to allow the built-in Administrator account and all other administrative users (members of the Administrators group) to run in Admin Approval Mode.
- Disabled: Admin Approval Mode is disabled, along with all other UAC policy settings.

If you change this policy setting, you must restart the computer.

**User Account Control: Switch to the secure desktop when prompting for elevation**

This policy setting controls whether the elevation request prompt is displayed on the user's standard desktop or on the secure desktop. You can configure the following options:

- Enabled: all elevation requests are displayed on the secure desktop, regardless of the other prompt-behavior policy settings configured for administrative and standard users.
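The notification levels, their Group Policy equivalents, and the precedence rules among these policies (Run all administrators in Admin Approval Mode = Disabled switches UAC off outright; Switch to the secure desktop = Enabled moves every prompt to the secure desktop) are easy to get wrong when reviewing a GPO by hand. The following is an added example, not part of the course text or any Microsoft tool, that takes the policy values as a plain dictionary keyed by the policy names used above (an assumed export format) and derives the effective notification level plus the findings a defender would raise. It recognises only the value strings quoted in this lesson; any other combination is reported as Custom.

```python
"""Added example, not from the course text: derive the effective UAC
notification level from the Group Policy settings paired with each level,
and list the weakenings a reviewer would flag. Policy names and value strings
are the ones the lesson quotes; the input dict format is an assumption."""

PROMPT_ADMIN = ("User Account Control: Behavior of the elevation prompt for "
                "administrators in Admin Approval Mode")
SECURE_DESKTOP = ("User Account Control: Switch to the secure desktop when "
                  "prompting for elevation")
RUN_ALL_AAM = "User Account Control: Run all administrators in Admin Approval Mode"

CONSENT_SECURE = "Prompt for consent on the secure desktop"
CONSENT = "Prompt for consent"
CONSENT_NON_WINDOWS = "Prompt for consent for non-Windows binaries"
NO_PROMPT = "Elevate without prompting"


def recommended_settings():
    """Group Policy equivalent of Always notify, the level the lesson recommends."""
    return {PROMPT_ADMIN: CONSENT_SECURE, SECURE_DESKTOP: "Enabled", RUN_ALL_AAM: "Enabled"}


def effective_level(settings):
    """Map the policies to the Control Panel notification level they produce."""
    # Run all administrators in Admin Approval Mode = Disabled turns UAC off,
    # and every other UAC policy is ignored from then on.
    if settings.get(RUN_ALL_AAM, "Enabled") == "Disabled":
        return "Never notify (UAC disabled)"
    prompt = settings.get(PROMPT_ADMIN)
    secure = settings.get(SECURE_DESKTOP, "Enabled")
    # Switch to the secure desktop = Enabled moves every prompt onto the secure
    # desktop, so a plain consent prompt behaves like consent on the secure desktop.
    if secure == "Enabled" and prompt in (CONSENT, CONSENT_SECURE):
        return "Always notify"
    if prompt == CONSENT_NON_WINDOWS:
        level = "Notify me only when programs try to make changes to my computer"
        return level if secure == "Enabled" else level + " (do not dim the desktop)"
    return "Custom"


def findings(settings):
    """Deviations from Always notify that weaken the elevation boundary."""
    out = []
    if settings.get(RUN_ALL_AAM, "Enabled") == "Disabled":
        out.append("UAC is disabled: Admin Approval Mode is off and all other UAC policies are ignored")
    if settings.get(PROMPT_ADMIN) == NO_PROMPT:
        out.append("administrators elevate without consent or credentials")
    if settings.get(SECURE_DESKTOP, "Enabled") == "Disabled":
        out.append("elevation prompts are shown on the user's desktop, not the secure desktop")
    return out


def review(settings):
    """Level plus findings, alongside the recommended values, for a report."""
    return {"level": effective_level(settings),
            "findings": findings(settings),
            "recommended": recommended_settings()}


if __name__ == "__main__":
    # Constructed GPO export equivalent to Never notify.
    weak = {PROMPT_ADMIN: NO_PROMPT, SECURE_DESKTOP: "Disabled", RUN_ALL_AAM: "Disabled"}
    for name, values in (("weak", weak), ("recommended", recommended_settings())):
        result = review(values)
        print(f"{name}: {result['level']}; findings: {result['findings'] or 'none'}")
```

Keep the checks in this order: once Run all administrators in Admin Approval Mode is Disabled, reporting on the prompt-behavior values would be misleading, because the system no longer consults them.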
- Disabled: all elevation requests are displayed on the user's standard desktop. In this configuration, the prompt-behavior policy settings configured for both administrative and standard users are used.

When this policy setting is enabled, it overrides the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting.

**User Account Control: Virtualize file and registry write failures to per-user locations**

This policy setting controls whether application write failures are redirected to defined registry and file system locations. It mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. You can configure the following options:

- Enabled (default): application write failures are redirected at run time to defined per-user locations for both the file system and the registry.
- Disabled: applications that write data to protected locations fail.

| Term | Definition |
|---|---|
| Octet | An 8-bit binary number. An IPv4 address consists of four octets separated by a dot. |
| Subnet mask | A 32-bit number that defines the network address portion of an IPv4 address. It also identifies the portion of the address that defines the host address. |
| Public IP | An IP address that is used to access the internet. |
| Private IP | An IP address that is used only on an internal network. These IP addresses do not go out on the internet. |
| Automatic Private IP Addressing (APIPA) | A feature that allows a device to automatically assign itself an IP address on the 169.254.0.0 network when a DHCP server or manual configuration is unavailable. |
| Loopback address | This address is reserved by each network interface card (NIC) and is used for testing purposes. It is also known as the home or localhost address. |
| Broadcast address | The IP address used to send messages to all devices on the network. This is the last valid IP address on a network. |
| Network address | The identifier (within the IP address) of a physical or logical location for a node on a network. This address is used for routing purposes to identify the network. |
| Subnetting | The process of dividing a large network into smaller networks. |
| Fixed-Length Subnet Mask (FLSM) | A subnetting method in which each created subnet has an equal number of addresses. |
| Variable-Length Subnet Mask (VLSM) | A subnetting method in which each subnet can be a different size. |
| Classless Inter-Domain Routing (CIDR) | A method for allocating IP addresses and for IP routing. CIDR notation is a simplified method of writing a network address with a slash followed by the number of bits in the network ID. |
| ANDing | The process used to determine the network address or ID. |
| Supernetting | The process of combining two or more networks. |

A numbering system is how we define or represent numbers. Networking uses three numbering systems, and network technicians must be familiar with all three.
This lesson covers the following topics:

- Decimal numbering system
- Binary numbering system
- Hexadecimal numbering system
- Binary to decimal conversion
- Decimal to binary conversion
- Binary to hexadecimal conversion
- Hexadecimal to binary conversion

**Decimal Numbering System**

The decimal numbering system is the most used number system across the world. Decimal comes from the Latin root word decim, which means ten. The decimal numbering system consists of ten digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9. This is known as a base-10 numbering system, which means that every place in a number is a power of ten. For example:

- In the number 6,789, each place is a power of 10.
- This is the equivalent of (6 x 10^3) + (7 x 10^2) + (8 x 10^1) + (9 x 10^0) = 6,000 + 700 + 80 + 9 = 6,789.

All decimal numbers can be built this way, using higher powers of ten to generate larger numbers.

**Binary Numbering System**

Binary is the number system that computers and most electronic systems use. Because these systems work using electricity, there are only two states, on and off, represented using the numbers 1 and 0. Binary is considered a base-2 number system because only two digits are used. Each 1 or 0 is referred to as a bit.

Because binary is a base-2 number system, binary numbers are expressed in terms of powers of two. A power of 2 is calculated by multiplying 2 by itself as many times as the power:

- 2^0 = 1 (anything to the power of 0 always equals 1)
- 2^1 = 2 (2 x 1 = 2)
- 2^2 = 4 (2 x 2 = 4)
- 2^3 = 8 (2 x 2 x 2 = 8)
- 2^4 = 16 (2 x 2 x 2 x 2 = 16)
- 2^5 = 32 (2 x 2 x 2 x 2 x 2 = 32)
- 2^6 = 64 (2 x 2 x 2 x 2 x 2 x 2 = 64)
- 2^7 = 128 (2 x 2 x 2 x 2 x 2 x 2 x 2 = 128)

These decimal values represent the number of possible combinations of 1s and 0s. For example, 2^2 has 4 possible combinations of 1 and 0:

- 00
- 01
- 10
- 11

Networking often uses 8-bit binary numbers. It is a good idea to memorize the first 8 powers of 2, as shown in the following table.

| 2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0 |
|---|---|---|---|---|---|---|---|
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |

You will find memorizing these powers of 2 helpful in converting between binary and decimal.

**Hexadecimal Numbering System**

The word hexadecimal is a combination of the Latin prefix hex for 6 and decim for 10. There are 16 values in this numbering system, making it a base-16 numbering system. The hexadecimal numbering system consists of the decimal digits 0-9 and letters to represent the values 10-15:

- A = 10
- B = 11
- C = 12
- D = 13
- E = 14
- F = 15

A hexadecimal value combines letters and numbers to simplify or shorten longer binary numbers. Each hexadecimal digit is equal to four bits. This is known as a *nibble*.

**Binary to Decimal Conversion**

To convert binary to decimal, follow these steps:

- Line up the binary value with the powers of 2.
- Bring down the matching decimal value for each 1 in the binary value.
- Ignore any 0.
- Add the decimal values together.

In the following example, the binary string is on top, and the first 8 powers of 2 are below.

| 1 | 1 | 0 | 0 | 0 | 1 | 1 | 0 |
|---|---|---|---|---|---|---|---|
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |

The decimal values of the 1s in the binary string are brought down and then added together:

- 128 + 64 + 4 + 2 = 198

**Decimal to Binary Conversion**

Converting a decimal value into binary involves subtracting the highest power of 2 from the decimal value until 0 is reached. For every power of 2 that can be subtracted, a 1 is put in that place; otherwise a 0 is put there. For example, to convert 241 into binary:

- Can 128 be subtracted from 241? YES (241 - 128 = 113). A 1 is put in the first position, starting on the left.
- Can 64 be subtracted from 113? YES (113 - 64 = 49). A 1 is put in the next position.
- Can 32 be subtracted from 49? YES (49 - 32 = 17). A 1 is put in the next position.
- Can 16 be subtracted from 17? YES (17 - 16 = 1). A 1 is put in the next position.
- Can 8 be subtracted from 1? NO. A 0 is put in the next position.
- Can 4 be subtracted from 1? NO. A 0 is put in the next position.
- Can 2 be subtracted from 1? NO. A 0 is put in the next position.
- Can 1 be subtracted from 1? YES (1 - 1 = 0). A 1 is put in the last position.

Based on the subtraction of each value, the binary equivalent of 241 is 11110001.

**Binary to Hexadecimal Conversion**

When converting binary to hexadecimal, the first step is to break the binary string into 4-bit sections (nibbles). Then convert each nibble. For example, to convert the binary string 11000111:

- Split the string into two nibbles:
  - 1100
  - 0111
- Solve for each nibble using the first four values (8, 4, 2, 1), starting from the right, of the binary-to-decimal conversion chart:
  - 1100 = 12
  - 0111 = 7
- If either value falls between 10 and 15, replace it with the corresponding letter:
  - 12 -> C
- Combine the two values in the proper order to get the hexadecimal value:
  - 11000111 = C7

**Hexadecimal to Binary Conversion**

Converting hexadecimal to binary is the same process as converting decimal to binary. The only difference is that any letter must first be converted to its decimal equivalent. Each decimal value is then converted to a 4-bit binary value. For example, to convert DF into binary:

- Convert each letter to its decimal value:
  - D = 13
  - F = 15
- Convert each decimal value to binary:
  - 13 = 1101
  - 15 = 1111
- Combine the binary strings in the proper order to get the binary conversion:
  - DF = 11011111

Most networks today use the Internet Protocol (IP) for communication. Each device on an IP network must have a unique identifier called an IP address. This is a Layer 3 logical address that identifies and locates each device. There are two formats of IP addresses, IP version 4 (IPv4) and IP version 6 (IPv6). This lesson focuses on IPv4.
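The four conversion procedures in the numbering-system lesson above (binary to decimal, decimal to binary, binary to hexadecimal, hexadecimal to binary) each follow a fixed recipe. The following is an added example, not part of the course text, that implements each recipe exactly as the lesson describes it but for any bit width rather than only the 8-bit cases shown, and rejects input that is not a binary or hexadecimal string. All function names are this example's own.

```python
"""Added example, not from the course text: the lesson's four conversion
procedures as general functions. Names are this example's own."""

HEX_DIGITS = "0123456789ABCDEF"


def binary_to_decimal(bits):
    """Line the bits up with powers of 2 (rightmost bit is 2^0) and add the
    value of every position that holds a 1; 0s are ignored."""
    bits = bits.strip()
    if not bits or any(b not in "01" for b in bits):
        raise ValueError(f"not a binary string: {bits!r}")
    total = 0
    for position, bit in enumerate(reversed(bits)):
        if bit == "1":
            total += 2 ** position
    return total


def decimal_to_binary(value, width=8):
    """Walk the powers of 2 from the highest down: subtract each one that fits
    and write a 1, otherwise write a 0. `width` fixes the number of bits."""
    if value < 0 or value >= 2 ** width:
        raise ValueError(f"{value} does not fit in {width} bits")
    remaining = value
    out = []
    for power in (2 ** i for i in range(width - 1, -1, -1)):
        if remaining >= power:
            out.append("1")
            remaining -= power
        else:
            out.append("0")
    return "".join(out)


def binary_to_hex(bits):
    """Split into nibbles (left-padding to a multiple of 4 bits), value each
    nibble 0-15, and write 10-15 as A-F."""
    bits = bits.strip()
    padded = bits.zfill(-(-len(bits) // 4) * 4)
    return "".join(HEX_DIGITS[binary_to_decimal(padded[i:i + 4])]
                   for i in range(0, len(padded), 4))


def hex_to_binary(hex_string):
    """Convert each hex digit to its decimal value, then to a 4-bit nibble."""
    hex_string = hex_string.strip().upper()
    if not hex_string or any(ch not in HEX_DIGITS for ch in hex_string):
        raise ValueError(f"not a hexadecimal string: {hex_string!r}")
    return "".join(decimal_to_binary(HEX_DIGITS.index(ch), width=4)
                   for ch in hex_string)


if __name__ == "__main__":
    # The lesson's own worked examples.
    print("11000110 ->", binary_to_decimal("11000110"))
    print("241      ->", decimal_to_binary(241))
    print("11000111 ->", binary_to_hex("11000111"))
    print("DF       ->", hex_to_binary("DF"))
```

`decimal_to_binary` takes a width because the lesson's recipe always starts from a fixed highest power (128 for an octet); giving it 4 turns it into the nibble step that `hex_to_binary` needs.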
This lesson covers the following topics:

- IPv4 address format
- Subnet masks
- IPv4 address classes
- Special IPv4 addresses

**IPv4 Address Format**

An IPv4 address consists of four decimal numbers separated by a dot. Each place in the address is known as an *octet* because it consists of an 8-bit value (a grouping of eight 1s or 0s). IPv4 addresses can be represented in two ways:

- Decimal (e.g., 131.107.2.200). In decimal notation, each octet must be between 0 and 255. This is the most common method of writing IPv4 addresses.
- Binary (e.g., 10000011.01101011.00000010.11001000). In binary notation, each octet is an 8-character number.

**Subnet Masks**

In an IP address, a *subnet mask* is a 32-bit number that separates the network portion from the host portion of the IPv4 address. In binary form, the subnet mask is always a series of 1s followed by a series of 0s (1s and 0s are never mixed in sequence in the mask). A simple mask might be 255.255.255.0 (11111111.11111111.11111111.00000000). In the subnet mask:

- The 1s identify the network ID.
- The 0s identify the host ID.

The network ID stays the same for all IP addresses in the network, and the host ID changes for each IP address. For example, in the IP address 192.168.5.42 with a subnet mask of 255.255.255.0:

- The network ID is 192.168.5.0
- The host ID is .42

**IPv4 Address Classes**

IP addresses have a default class. The address class identifies the range of IP addresses and the default subnet mask used for the range. The following table shows the default address class for each IP address range:

| Class | Address Range | First Octet Range (Binary) | Subnet Mask | Number of Addresses | Private Reserved IP Range |
|---|---|---|---|---|---|
| A | 1.0.0.0 to 126.255.255.255 | 1-126 (00000001-01111110) | 255.0.0.0 | 16,777,216 (2^24) | 10.0.0.1 - 10.255.255.255 |
| B | 128.0.0.0 to 191.255.255.255 | 128-191 (10000000-10111111) | 255.255.0.0 | 65,536 (2^16) | 172.16.0.0 - 172.32.255.255 |
| C | 192.0.0.0 to 223.255.255.255 | 192-223 (11000000-11011111) | 255.255.255.0 | 256 (2^8) | 192.168.0.0 - 192.168.255.255 |
| D | 224.0.0.0 to 239.255.255.255 | 224-239 (11100000-11101111) | N/A | N/A | Used for multicast |
| E | 240.0.0.0 to 255.255.255.255 | 240-255 (11110000-11111111) | N/A | N/A | Experimental/Research |

Because IP addresses assigned to hosts must be unique, the use of IP addresses on the internet is controlled by organizations that ensure each organization is given its own range of IP addresses to assign to hosts.

- The Internet Assigned Numbers Authority (IANA) manages the assignment of IP addresses on the internet. IANA is operated by the Internet Corporation for Assigned Names and Numbers (ICANN).
- IANA allocates blocks of IP addresses to Regional Internet Registries (RIRs). An RIR has authority over IP addresses in a specific region of the world.
- An RIR assigns blocks of addresses to internet service providers (ISPs).
- An ISP assigns one or more IP addresses to individual computers or organizations connecting to the internet.
Each IP class has a reserved range for private IP addresses. This is due to the following two factors:

- Each IP address on any network, including the internet, must be unique.
- There is a finite number of IP addresses using IPv4.

Public and private addresses work as follows:

- Public IP addresses are those that are used on the internet. These are typically assigned by the ISP.
- Private IP addresses are used only on internal networks and are not used on the internet.
- When a device on the internal network accesses the internet, that data traffic is sent using the public IP address of the network.
- Because private IP addresses are never used on the internet, users in one private network of a company can have the same IP addresses as users in the private network of another company.

**Special IPv4 Addresses**

The following table describes special IP addresses network technicians must be aware of.

| IP Address / Example | Description |
|---|---|
| **Automatic Private IP Addressing (APIPA)** 169.254.0.0 | APIPA is a feature that allows a device to automatically assign itself an IP address on the 169.254.0.0 network when a DHCP server or manual configuration is unavailable. |
| **Loopback** 127.0.0.1 | This special address is also known as home or localhost. This address is reserved by each network interface card (NIC) and is used for testing purposes. Ping requests can be sent to this address and, if returned, indicate that the NIC can send and receive data packets. |
| **Network** \*.\*.\*.0 | The first valid IP address on the network is the network address. This address is used for routing purposes to identify the network. This example is the network ID for a Class C subnet. |
| **Broadcast** \*.\*.\*.255 | The last valid IP address on a network is reserved for broadcast functions. Any packet sent to this address is sent to all devices on the network. This example is the broadcast address for a Class C subnet. |

Because the network and broadcast addresses reserve the first and last valid IP addresses, no host ID can end in a 0 or 255. For a Class C subnet, the first usable or assignable IP address is .1, and the last usable or assignable is .254.

*Subnetting* is the process of dividing a large network into smaller networks called subnets. When you subnet a network, each network segment has a different network address (subnet address). In practice, the terms network and subnet are used interchangeably to describe a physical network segment with a unique network address.

This lesson covers the following topics:

- Subnetting
- Classless Inter-Domain Routing (CIDR)
- Variable-length subnet mask (VLSM)
- Network address ANDing process
- Supernetting

**Subnetting**

Breaking a network into smaller networks (subnetting) provides some benefits, including:

- Increased security
- Easier network management
- Improved network performance
- Separation of departments

You can subnet a network using IP addressing. To do this, you borrow bits from the host ID and add them to the network ID.
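The address format, class table and special-address table above, as an added Python example (not the lesson's own code). Class boundaries, default masks and the loopback and APIPA ranges are taken from the tables above; the private blocks follow RFC 1918, so the Class B private range ends at 172.31.255.255 (172.16.0.0/12) and the Class A private range starts at 10.0.0.0. Addresses beginning with 0 or 127 are not in the class table, so they get no class. The sample addresses at the bottom are constructed.

```python
"""Classify an IPv4 address: class, default mask, public/private/special.

Added example (not the lesson's code). Class boundaries and default masks
follow the class table above; the loopback and APIPA ranges follow the
special-address table. The private blocks follow RFC 1918, so Class B
private space ends at 172.31.255.255 and Class A private space starts
at 10.0.0.0. Standard library only.
"""
from __future__ import annotations

def to_int(dotted: str) -> int:
    """Dotted decimal -> 32-bit integer, enforcing four octets of 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range in {dotted!r}: {part!r}")
        value = (value << 8) | int(part)
    return value

def to_dotted(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted: str) -> str:
    """Binary notation: one 8-character group per octet, dot separated."""
    value = to_int(dotted)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

# (class, lowest first octet, highest first octet, default subnet mask)
CLASSES = [
    ("A", 1, 126, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
    ("D", 224, 239, None),   # multicast
    ("E", 240, 255, None),   # experimental / research
]

# Inclusive (first, last) ranges.
PRIVATE = {
    "A": ("10.0.0.0", "10.255.255.255"),
    "B": ("172.16.0.0", "172.31.255.255"),   # RFC 1918: 172.16.0.0/12
    "C": ("192.168.0.0", "192.168.255.255"),
}
APIPA = ("169.254.0.0", "169.254.255.255")
LOOPBACK = ("127.0.0.0", "127.255.255.255")

def in_range(addr: str, bounds: tuple[str, str]) -> bool:
    low, high = (to_int(b) for b in bounds)
    return low <= to_int(addr) <= high

def address_class(addr: str) -> str | None:
    """Class letter from the first octet; None for 0.x and 127.x (no class)."""
    first = to_int(addr) >> 24
    for name, low, high, _mask in CLASSES:
        if low <= first <= high:
            return name
    return None

def classify(addr: str) -> dict:
    cls = address_class(addr)
    mask = next((m for name, _, _, m in CLASSES if name == cls), None)
    if in_range(addr, LOOPBACK):
        kind = "loopback"
    elif in_range(addr, APIPA):          # before "private": 169.254 sits in Class B space
        kind = "apipa"
    elif cls in PRIVATE and in_range(addr, PRIVATE[cls]):
        kind = "private"
    elif cls in ("A", "B", "C"):
        kind = "public"
    elif cls == "D":
        kind = "multicast"
    elif cls == "E":
        kind = "experimental"
    else:
        kind = "unclassified"
    return {"class": cls, "default_mask": mask, "kind": kind, "binary": to_binary(addr)}

if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ("131.107.2.200", "192.168.5.42", "169.254.10.20", "127.0.0.1", "224.0.0.5"):
        print(sample, classify(sample))
```

The `to_int` validation is the point of the first function: a parser that accepts "256.1.1.1" or a three-octet string silently produces a wrong 32-bit value, and every later check (private, APIPA, class) is then made against the wrong address.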
For example, the following network needs to be subnetted into seven smaller networks:

| | Decimal | Binary |
|---|---|---|
| **Network ID** | 192.168.5.0 | 11000000.10101000.00000101.00000000 |
| **Subnet mask** | 255.255.255.0 | 11111111.11111111.11111111.00000000 |

The first step is to determine how many bits to borrow from the host portion by using the following formula:

2^x^, where x = number of bits borrowed

When you move bits from the host ID to the network ID, the number of subnets is determined by the possible combinations of 1s and 0s of the borrowed bits. To create seven subnets in the above network, three bits must be borrowed in order to create enough subnets to solve the problem. In this case, 2^3^ gives you eight total subnets, enough to meet your needs.

- 11111111.11111111.11111111. 000 00000 (network ID 192.168.5.0)
- 11111111.11111111.11111111. 001 00000 (network ID 192.168.5.32)
- 11111111.11111111.11111111. 010 00000 (network ID 192.168.5.64)
- 11111111.11111111.11111111. 011 00000 (network ID 192.168.5.96)
- 11111111.11111111.11111111. 100 00000 (network ID 192.168.5.128)
- 11111111.11111111.11111111. 101 00000 (network ID 192.168.5.160)
- 11111111.11111111.11111111. 110 00000 (network ID 192.168.5.192)
- 11111111.11111111.11111111. 111 00000 (network ID 192.168.5.224)

In this example, the fourth octet is known as the interesting octet. The *interesting octet* is the first octet whose subnet mask value is not 255. It is the octet that bits are borrowed from and where the host ID starts.

Subnetting reduces the number of hosts per subnet. To calculate the number of hosts per subnet, use the following formula:

2^y^ - 2, where y = number of bits in the host ID

Two addresses are subtracted: the first IP in each subnet is the reserved network address, and the last IP is reserved for the broadcast address. In the above network, with the five remaining host bits (00000), each subnet has 2^5^ - 2 hosts, which equals 30.
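The borrowing procedure above (choose x so that 2^x^ covers the subnets needed, enumerate the borrowed-bit combinations, compute 2^y^ - 2 hosts), as an added Python example that is not part of the lesson. It generalizes the worked 192.168.5.0/24 case to any network and any subnet count, and also reports the interesting octet and the first and last usable address of each subnet; it assumes only the Python standard library.

```python
"""Subnet a network by borrowing host bits (fixed-length subnet mask).

Added example, not code from the lesson. It generalizes the worked
192.168.5.0/24 example to any network and any number of subnets and
assumes a Python 3 interpreter with the standard library only.
"""
from __future__ import annotations
import ipaddress

def bits_to_borrow(subnets_needed: int) -> int:
    """Smallest x such that 2**x >= subnets_needed (the 2^x formula)."""
    x = 0
    while 2 ** x < subnets_needed:
        x += 1
    return x

def hosts_per_subnet(host_bits: int) -> int:
    """2^y - 2: the network and broadcast addresses are never assignable."""
    return 2 ** host_bits - 2

def interesting_octet(mask: str) -> int:
    """1-based position of the first mask octet that is not 255."""
    for pos, octet in enumerate(mask.split("."), start=1):
        if octet != "255":
            return pos
    return 4   # a /32 has no host bits; treat the last octet as interesting

def subnet(network: str, subnets_needed: int) -> dict:
    """Split `network` (CIDR text) into enough equal-size subnets."""
    parent = ipaddress.IPv4Network(network)       # strict: host bits must be zero
    x = bits_to_borrow(subnets_needed)
    new_prefix = parent.prefixlen + x
    if new_prefix > 30:                            # fewer than 2 usable hosts left
        raise ValueError(f"cannot borrow {x} bits from a /{parent.prefixlen}")
    y = 32 - new_prefix
    size = 2 ** y                                  # addresses per subnet
    base = int(parent.network_address)
    new_mask = str(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask)
    rows = []
    for i in range(2 ** x):                        # every combination of borrowed bits
        net_id = base + i * size
        rows.append({
            "borrowed_bits": format(i, f"0{x}b"),
            "network_id": str(ipaddress.IPv4Address(net_id)),
            "first_usable": str(ipaddress.IPv4Address(net_id + 1)),
            "last_usable": str(ipaddress.IPv4Address(net_id + size - 2)),
            "broadcast": str(ipaddress.IPv4Address(net_id + size - 1)),
        })
    return {
        "bits_borrowed": x,
        "subnet_count": 2 ** x,
        "new_mask": new_mask,
        "cidr_prefix": new_prefix,
        "interesting_octet": interesting_octet(new_mask),
        "hosts_per_subnet": hosts_per_subnet(y),
        "subnets": rows,
    }

if __name__ == "__main__":
    plan = subnet("192.168.5.0/24", 7)
    print(f"borrow {plan['bits_borrowed']} bits -> {plan['subnet_count']} subnets, "
          f"mask {plan['new_mask']}, {plan['hosts_per_subnet']} hosts each")
    for row in plan["subnets"]:
        print(row["borrowed_bits"], row["network_id"], "-", row["broadcast"])
```

`IPv4Network` is constructed in strict mode on purpose: passing something like `192.168.5.42/24` raises instead of quietly subnetting from a host address.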
The standard subnetting process like this is known as a fixed-length subnet mask (FLSM). Using this method, each subnet has the same number of hosts. FLSM is typically used in private networks as it requires less configuration and administration.

**Classless Inter-Domain Routing**

When subnets are created, the standard IP classes are no longer used. This is called Classless Inter-Domain Routing (CIDR). To simplify writing the network address, you can use CIDR notation, which is the network ID followed by a slash and the number of bits in the network ID. The above network's CIDR notation is 192.168.5.0/27. This means 27 bits are used to identify the network, and 5 bits identify the hosts, for a total of 32 bits.

**Variable-Length Subnet Mask (VLSM)**

Using the VLSM method, you can create subnets of different sizes to reduce IP address waste. The first step is to create a table showing the subnets and possible host addresses. For example:

| CIDR Notation | Hosts Per Subnet |
|---|---|
| **/24** | 254 |
| **/25** | 126 |
| **/26** | 62 |
| **/27** | 30 |
| **/28** | 14 |
| **/29** | 6 |
| **/30** | 2 |

The second step is to list the subnets ranked from the most addresses needed down to the least. Each subnet is then assigned the network address that will provide the needed addresses with minimal waste.

Keep in mind that for VLSM to work, the network must be using advanced routing protocols such as OSPF, BGP, and others. VLSM is typically used by ISPs and larger public networks as it requires complex configuration.

**Network Address ANDing Process**

When given a network IP address, you might have to determine the network (or subnet) it belongs to. You do this using a process called ANDing. ANDing multiplies each bit of the binary IP address by the corresponding bit of the binary subnet mask and records the results.
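The CIDR notation and VLSM sections above, as an added Python example (not the lesson's code). It derives the prefix length from a dotted mask (rejecting masks that mix 1s and 0s, which the Subnet Masks section says never occurs), rebuilds the hosts-per-prefix table with the 2^y^ - 2 formula, and carries out the two VLSM steps: rank the requirements from largest to smallest, then assign each the smallest block that fits. The department names and host counts are constructed.

```python
"""CIDR notation and variable-length subnet masks (VLSM).

Added example, not the lesson's own code. The hosts-per-prefix table and
the "rank by need, assign with minimal waste" procedure are the ones
described above; the department names and host counts are constructed.
"""
from __future__ import annotations
import ipaddress

def prefix_length(mask: str) -> int:
    """Count the 1s in a dotted mask, rejecting masks whose 1s and 0s are mixed."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones

def to_cidr(network_id: str, mask: str) -> str:
    """192.168.5.0 + 255.255.255.224 -> 192.168.5.0/27"""
    return f"{network_id}/{prefix_length(mask)}"

def hosts_per_prefix(prefix: int) -> int:
    """Usable hosts for a prefix: 2^y - 2 with y = 32 - prefix host bits."""
    return 2 ** (32 - prefix) - 2

def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest block) whose usable hosts still cover the need."""
    for prefix in range(30, -1, -1):
        if hosts_per_prefix(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in any IPv4 block")

def vlsm_allocate(block: str, demands: dict[str, int]) -> list[dict]:
    """Carve `block` into right-sized subnets, largest requirement first."""
    parent = ipaddress.IPv4Network(block)
    cursor = int(parent.network_address)
    limit = int(parent.broadcast_address) + 1
    plan = []
    # Step two: rank from the most addresses needed down to the least.
    for name, need in sorted(demands.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = smallest_prefix_for(need)
        size = 2 ** (32 - prefix)
        # A subnet must start on a multiple of its size. Allocating in
        # descending size order keeps the cursor aligned, so no gaps appear.
        start = (cursor + size - 1) // size * size
        if start + size > limit:
            raise ValueError(f"{block} has no room left for {name} ({need} hosts)")
        net = ipaddress.IPv4Network((start, prefix))
        plan.append({"name": name, "needed": need, "cidr": str(net),
                     "usable": hosts_per_prefix(prefix),
                     "waste": hosts_per_prefix(prefix) - need})
        cursor = start + size
    return plan

if __name__ == "__main__":
    # Constructed requirements for one /24.
    demo = {"Sales": 100, "Engineering": 50, "Management": 20, "WAN link": 2}
    for row in vlsm_allocate("192.168.5.0/24", demo):
        print(f"{row['name']:<12} {row['cidr']:<18} usable={row['usable']:<4} waste={row['waste']}")
```

With FLSM the same four requirements would force four /26 subnets of 62 hosts each, which cannot hold the 100-host department; the VLSM plan fits all four in one /24 with 48 addresses wasted in total, and the alignment step is what keeps every assigned block a valid network address rather than an address in the middle of a range.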
Each bit can have the following results:

- 0 and 0 = 0
- 1 and 0 = 0
- 0 and 1 = 0
- 1 and 1 = 1

The result of the ANDing process is the network ID that the IP address belongs to. The following table shows the ANDing process for the IP address 172.16.77.54/21:

| Component | Value |
|---|---|
| **IP address** | **10101100.00010000.01001101.00110110** |
| **Subnet mask** | **11111111.11111111.11111000.00000000** |
| **ANDing** | **10101100.00010000.01001000.00000000** |

After converting the ANDing result back to decimal, the network ID to which the IP address belongs is 172.16.72.0.

**Supernetting**

When routers talk to each other, they share their routing tables. As networks become more complex, these routing tables can get quite large and complicated. Supernetting is the process of combining several subnets into one. This reduces the number of entries in a routing table. Supernetting has many advantages, including:

- Reducing the size of routing tables.
- Simplifying the network overview.
- Decreasing CPU and RAM use on the routers.
- Improving network performance.

The main thing to keep in mind when supernetting is that the networks must be in sequence. If they are not in sequence, you cannot combine the networks.

When a device connects to a network, it must have a unique IP address and be configured with IP information such as a DNS server, default gateway, subnet mask, etc. Depending on the network configuration, there are several methods you can use to assign this IP information.

This lesson covers the following topics:

- Static assignment
- Dynamic Host Configuration Protocol (DHCP) assignment

**Static Assignment**

With static addressing, you manually configure IP information on each host. Static addressing is best used in the following situations:

- Networks with a small number of hosts.
- Networks that do not change devices often.
- Devices that must always have the same address (e.g., servers, printers, and routers).
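Returning to the ANDing and supernetting sections above: the following added Python example (not the lesson's code) performs the bitwise AND for the 172.16.77.54/21 case and prints the three binary rows of the ANDing table, then aggregates a set of networks into one supernet and refuses when they are not in sequence, not the same size, not a power-of-two count, or not aligned to the summary boundary. The four /24 networks used for the supernet demonstration are constructed.

```python
"""Network address ANDing and supernet aggregation.

Added example, not part of the lesson. 172.16.77.54/21 is the address
worked in the ANDing table above; the networks fed to supernet() in the
demo are constructed. Standard library only.
"""
from __future__ import annotations
import ipaddress

def binary(value: int) -> str:
    """32-bit value as four 8-bit groups, matching the tables above."""
    bits = format(value, "032b")
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def mask_from_prefix(prefix: int) -> int:
    """Prefix length -> 32-bit mask: `prefix` 1s followed by 0s."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def and_network(cidr: str) -> dict:
    """Bitwise AND of address and mask, plus the three rows of the ANDing table."""
    addr_txt, prefix_txt = cidr.split("/")
    addr = int(ipaddress.IPv4Address(addr_txt))
    prefix = int(prefix_txt)
    mask = mask_from_prefix(prefix)
    network = addr & mask                       # 1 and 1 = 1, anything else = 0
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all set to 1
    return {
        "ip_binary": binary(addr),
        "mask_binary": binary(mask),
        "and_binary": binary(network),
        "network_id": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "cidr": f"{ipaddress.IPv4Address(network)}/{prefix}",
    }

def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses AND to the same network ID under `prefix`."""
    mask = mask_from_prefix(prefix)
    return int(ipaddress.IPv4Address(ip_a)) & mask == int(ipaddress.IPv4Address(ip_b)) & mask

def supernet(networks: list[str]) -> str:
    """Combine equal-size networks that are in sequence into one summary prefix.

    Raises ValueError rather than guessing, so a router is never handed a
    summary route that also covers address space it does not own.
    """
    nets = sorted(ipaddress.IPv4Network(n) for n in networks)
    if len({n.prefixlen for n in nets}) != 1:
        raise ValueError("all networks must have the same prefix length")
    size = nets[0].num_addresses
    for prev, cur in zip(nets, nets[1:]):
        if int(cur.network_address) != int(prev.network_address) + size:
            raise ValueError(f"gap between {prev} and {cur}: networks are not in sequence")
    count = len(nets)
    if count & (count - 1):
        raise ValueError(f"{count} networks cannot be summarized into a single prefix")
    borrowed = count.bit_length() - 1           # e.g. 4 networks -> give back 2 bits
    start = int(nets[0].network_address)
    if start % (size * count):
        raise ValueError(f"{nets[0]} is not aligned to a /{nets[0].prefixlen - borrowed} boundary")
    return str(ipaddress.IPv4Network((start, nets[0].prefixlen - borrowed)))

if __name__ == "__main__":
    result = and_network("172.16.77.54/21")
    for label in ("ip_binary", "mask_binary", "and_binary"):
        print(f"{label:<12} {result[label]}")
    print("network ID  ", result["network_id"])
    # Constructed networks for the supernet demonstration.
    print(supernet(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```

The alignment check is the one people most often skip: 192.168.1.0/24 and 192.168.2.0/24 are in sequence and equal in size, yet no single /23 describes exactly those two networks, so `supernet` rejects them instead of advertising 192.168.0.0/23 or 192.168.2.0/23.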
You assign permanent IP addresses to these devices. Static assignment works great in small networks but poses challenges such as:

- Inefficiency: manually assigning an address means that it is reserved, even if the device is not being used at that time.
- Difficult to change: if a server, printer, router, or other device needs a new address, you must manually update that address on every device connected.

**DHCP Assignment**

An administrator configures a DHCP server with the IP addressing information such as the IP addresses, DNS server, default gateway, subnet mask, etc. The DHCP server assigns the IP information to clients based on that configuration. This ensures that each device is assigned a unique IP address.

- When a DHCP client system boots, it contacts the DHCP server for IP configuration information.
- *Scopes* are the range of IP addresses the DHCP server can assign to hosts. You can configure the DHCP server to:
  - Prevent specific addresses in the range from being assigned to clients. This is called an exclusion.
  - Deliver the same address to a specific host each time it requests an address. This is called a reservation.
- You can configure the DHCP server to assign other IP configuration information, such as the default gateway and DNS server addresses.
- The DHCP server assigns the IP address and other information to the client. The assignment is called a lease. A lease includes a lease time that identifies how long the client can use the IP address.
- Periodically, the client contacts the DHCP server to renew the lease on the IP address. The client will attempt to renew the lease on the same IP address if it reboots.
- The DHCP lease process uses broadcast frames at Layer 2. By default, DHCP requests do not pass through routers to other subnets. To enable DHCP broadcasts between subnets, enable IP helper or DHCP relay on the appropriate routers.
- When the lease expires, the DHCP server releases the reserved IP address. This is known as an expired IP address.
- Any client configured to use DHCP can get an IP address from any server configured for DHCP, regardless of its operating system.
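The scope, exclusion, reservation, lease, renewal and expiry behaviour listed above, as a small in-memory model added for this page. It is not the lesson's code and not a DHCP server: it exchanges no DISCOVER/OFFER/REQUEST/ACK messages and does no Layer 2 broadcasting, it only models which address a client is handed and when that address becomes available again. The scope range, lease time, option values and MAC addresses are constructed.

```python
"""Tiny model of a DHCP scope: exclusions, reservations, leases, renewal, expiry.

Added example, not part of the lesson and not a real DHCP implementation.
Time is an integer the caller passes in (seconds, ticks, anything), so the
expiry rules can be exercised deterministically. Standard library only.
"""
from __future__ import annotations
import ipaddress

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

class DhcpScope:
    def __init__(self, start: str, end: str, lease_time: int, options: dict | None = None):
        self.start, self.end = _to_int(start), _to_int(end)
        if self.end < self.start:
            raise ValueError("scope end precedes scope start")
        self.lease_time = lease_time
        self.options = dict(options or {})            # e.g. router, dns
        self.exclusions: set[int] = set()             # never handed out
        self.reservations: dict[str, int] = {}        # mac -> address
        self.leases: dict[str, tuple[int, int]] = {}  # mac -> (address, expiry)

    def exclude(self, first: str, last: str | None = None) -> None:
        """Exclusion: keep a range inside the scope from ever being assigned."""
        self.exclusions.update(range(_to_int(first), _to_int(last or first) + 1))

    def reserve(self, mac: str, addr: str) -> None:
        """Reservation: this client always receives this address."""
        value = _to_int(addr)
        if value in self.reservations.values() or value in {a for a, _ in self.leases.values()}:
            raise ValueError(f"{addr} is already reserved or leased")
        self.reservations[mac] = value

    def _expire(self, now: int) -> None:
        """Expired leases are released: the address returns to the pool."""
        for mac in [m for m, (_, expiry) in self.leases.items() if expiry <= now]:
            del self.leases[mac]

    def _unavailable(self) -> set[int]:
        leased = {addr for addr, _ in self.leases.values()}
        return leased | set(self.reservations.values()) | self.exclusions

    def request(self, mac: str, now: int) -> dict | None:
        """Hand out or renew a lease; None when the pool is exhausted."""
        self._expire(now)
        if mac in self.leases:                # renewal keeps the same address
            addr = self.leases[mac][0]
        elif mac in self.reservations:        # reserved client gets its address
            addr = self.reservations[mac]
        else:                                 # lowest free address in the scope
            taken = self._unavailable()
            addr = next((a for a in range(self.start, self.end + 1) if a not in taken), None)
            if addr is None:
                return None
        self.leases[mac] = (addr, now + self.lease_time)
        return {"address": _to_str(addr), "expires": now + self.lease_time, **self.options}

    def release(self, mac: str) -> None:
        """Client gives the address back before the lease time runs out."""
        self.leases.pop(mac, None)

    def active(self, now: int) -> dict[str, str]:
        """Current leases after dropping any that have expired at `now`."""
        self._expire(now)
        return {mac: _to_str(addr) for mac, (addr, _) in self.leases.items()}

if __name__ == "__main__":
    # Constructed scope and clients.
    scope = DhcpScope("192.168.5.10", "192.168.5.20", lease_time=100,
                      options={"router": "192.168.5.1", "dns": "192.168.5.2"})
    scope.exclude("192.168.5.10", "192.168.5.12")
    scope.reserve("aa:bb:cc:00:00:01", "192.168.5.15")
    print(scope.request("aa:bb:cc:00:00:0a", now=0))
    print(scope.request("aa:bb:cc:00:00:01", now=2))
    print(scope.active(now=120))
```

Two points the model makes visible: a reserved address stays unavailable to other clients even while its owner holds no lease, and an expired lease silently frees the address for the next requester, which is why a host that sleeps past its lease time can wake up to find its old address in use by someone else.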