Windows Networking & TCP/IP

Posted on Tuesday, October 13, 2009
This article was posted in Microsoft, Networking Basics


1)   Basic networking definitions


  • Network infrastructure – set of physical and logical components that allow for, among other features, security, management and connectivity
  • Physical infrastructure – is also known as the network’s topology: the physical layout of hardware components, the type of hardware, and the technology used with that hardware for data transmission.
  • Logical infrastructure – is the software that allows for communication over the physical infrastructure; it includes services that run on the network, like DNS
  • Network connection – is a logical interface between software and hardware layers
  • Network protocol – is the language used for communication between networked computers
  • Network service – is a program that provides features to hosts or protocols on the network
  • Network client – is a program that allows a computer to connect to a network operating system
  • Addressing – is the practice of maintaining a coherent system of addresses within an organization’s network that allows all computers to communicate
  • Name resolution – is the process of translating a computer name into an address and the other way around
  • Workgroup – is a simple grouping of resources which by default uses the NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of the Server Message Block (SMB) protocol, to provide file sharing. There is no centralized security in a workgroup environment. The default workgroup name is WORKGROUP. In the absence of a WINS server, NetBIOS names are resolved using broadcasts to the local network segment.
  • Domain – is a collection of computers that share a common directory, security policies and relationships with other domains. The name ‘domain’ is used both by grouping of computers in AD and as names in DNS, they are different things.
  • Active directory – is a distributed database that provides directory service
  • Remote access – is a connection that is configured for users that want to access resources from non-local site. There are two types, VPN and dial-up.
  • Network Address Translation (NAT) – is the system which allows computers with private addresses to communicate with computers on the internet
  • NWLink – Microsoft implementation of Novell IPX/SPX protocol used by NetWare networks
  • Certificate – is used for public key cryptography
  • NetBT – NetBIOS over TCP/IP, provides for higher level communications such as SMB (Server Message Blocks) and CIFS
  • CIFS – an extension of the SMB protocol that is used with basic file sharing. One of the advantages of CIFS over SMB is the ability to operate directly over DNS without the use of NetBIOS.
  • TCP/IP – the most popular protocol suite; scalable, routable and based on open standards.
  • Redirector – client component that decides whether a request is to be serviced locally or remotely. In Windows the redirector is called Client for Microsoft Networks. It uses SMB/CIFS for communication.
2)   Network connection
  • Components that make up a connection: network clients, services and protocols
  • Connections by themselves don’t provide communication, it occurs through components bound to the connection
  • Client for Microsoft Networks is by default bound to all local area connections, it allows client computers to perform CIFS related tasks
  • TCP/IP protocol is bound to all connections by default
  • File and printer sharing for Microsoft Windows is installed and bound to all connections by default
  • Advanced connection settings allow administrator to change the priority of each connection
  • Provider order tab in advanced settings dialog box allows administrator to change the network providers order. This setting is for all connections. By default, Microsoft Terminal Services is given priority over the Microsoft Network because Terminal Services are meant to be used in place of all other connections.
  • In the provider tab one also finds print provider order, by default LanMan Print Services is given priority over HTTP Print Services
3)   Default TCP/IP Settings, APIPA
  • APIPA stands for automatic private IP addressing
  • By default the IP address and DNS servers are to be obtained automatically from the DHCP server
  • If the computer cannot get address automatically it uses APIPA to assign itself one
  • APIPA assigns the PC an address from the range 169.254.0.1 to 169.254.255.254, in use since Windows 98
  • Administrators can combine APIPA with an alternate configuration; when an IP address can be obtained from DHCP, APIPA turns itself off – APIPA never overrides a DHCP-obtained address
  • To disable APIPA the administrator can either configure an alternate IP address or set the registry entry IPAutoconfigurationEnabled to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface and reboot
  • An all zero address might indicate that the IP has been released and never renewed
  • When a computer fails to obtain APIPA address in the absence of DHCP server and static address, the administrator should look for a hardware problem
4)   Management and monitoring tools
  • Connection Manager – allows creation of customized remote access connections
  • Connection Point Services – Phone Book Service that needs IIS
  • Network Monitor – packet analyzer
  • SNMP – Simple network management protocol, agents that monitor activity in network devices and report to network management console. For use with both Windows and UNIX, works with almost any network device.
  • WMI SNMP Provider – lets client applications access static and dynamic SNMP information through WMI
5)   TCP/IP model
  • The TCP/IP model is the newer networking model; the OSI (Open System Interconnection) model is an older model
  • Network interface – is the layer in the communications process that describes standards for physical media, for example Ethernet. In the OSI model it is both the Physical layer and the Data link layer.
  • Internet – is the layer in the communications process during which information is packaged, addressed and routed to other network destinations. ARP is used for address resolution, IP for addressing and routing data, and ICMP for reporting errors and exchanging limited control/status information. In the OSI model this layer is called the Network layer.
  • Transport – is the layer in the communications process during which the standards of data transport are determined: TCP, with its guarantee of delivery, and the connectionless, unguaranteed but fast UDP. This layer has the same name in the OSI model.
  • Application – is the layer in the communications process during which end user data is changed, packaged and sent to and from the transport layer, for example telnet. In OSI we have three layers here: Session, Presentation and Application.
6)   OSI model
  • OSI stands for Open System Interconnection model, it is an older networking model
  • 7 Application layer
  • 6 Presentation layer
  • 5 Session layer
  • 4 Transport layer
  • 3 Network layer
  • 2 Data link layer
  • 1 Physical layer
  • Layers 7, 6, and 5 correspond to the Application layer in the TCP/IP model
  • Layer 4 corresponds to the Transport layer in the TCP/IP model
  • Layer 3 corresponds to the Internet layer in the TCP/IP model
  • Layers 2 and 1 correspond to the Network Interface layer in the TCP/IP model
  • Protocols that were not originally part of the TCP/IP specifications are referred to not by their position in the TCP/IP model but by their OSI layer. For example NetBT is a session (or layer 5) protocol.
7)   Protocols, their port numbers and layers in TCP/IP model they are in
  • Protocol number – is used to define a stream of data associated with a specific service
  • The transport is provided by TCP and UDP protocols
  • Internet layer protocols are ARP, IP and ICMP
  • HTTP – hypertext transfer protocol TCP port 80 (application layer)
  • SSL – Secure socket layers TCP port 443
  • SMTP – TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
  • SNMP – simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
  • FTP – only basic authentication allowed, TCP port 20 (data) TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot (application layer)
  • POP – TCP port 110
  • DNS – UDP port 53 (query) TCP port 53 (zone transfer)
  • NNTP – TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
  • PPTP – Point to point tunneling protocol TCP port 1723; protocol number 47
  • L2TP/IPSec – UDP ports 500, 1701 and 4500; protocol number 50
  • ARP, ICMP and IP (internet layer)
8)   IP addressing
  • Internet Assigned Numbers Authority (IANA) divides up non reserved portions of IP address space
  • IANA gives address blocks to local authorities such as ARIN which in turn give it to large ISP
  • Private addresses are in ranges 10.0.0.0 – 10.255.255.254, 172.16.0.0 – 172.31.255.254, 192.168.0.0 – 192.168.255.254
  • IP addresses are just a representation of a 32 bit number broken into 8 bit parts for ease of visualization by the administrator
  • IP address is made up of two parts, network address and host address. Network prefix is the number of bits in network id.
  • IP class assignments
    • Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
    • Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
    • Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
    • Class D 224-239.x.x.x, reserved for multicast addressing
    • Class E 240-254.x.x.x, reserved for experimental use
  • Subnet mask is used to determine whether a packet is destined for the current network or not. It does that by masking the network part of the IP address. The PC proceeds by finding its own network address using its IP and subnet mask in a bitwise AND operation. Then the PC does a bitwise AND operation on the destination IP and its subnet mask to determine the foreign network address. If the addresses match then the packet travels on the local network; if they don’t then the packet is destined for a foreign network.
  • CIDR – this is a shorthand notation for a subnet mask (classless interdomain routing notation). It counts the number of 1s in the subnet mask’s binary representation and is displayed after the IP address; for example 192.168.2.12/24 means that the subnet mask is 255.255.255.0, since we have 24 1s in the subnet mask. It is not compatible with RIP v.1. It is the name administrators commonly use when talking about supernetting, since CIDR is used to shorten routing tables.
  • Default gateway is the IP address of a routing device that accepts packets destined for other networks. Other networks are subnets that are not within the broadcast range of the PC that contacts the default gateway (the gateway itself is within broadcast range).
  • Follow these simple steps to spot an IP address that is invalid:
    • Host without a subnet mask
    • No unique network ID (per WAN) or no unique host name per LAN
    • Neither network ID nor host ID can be all 1 (since that is the broadcast address)
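The local-versus-foreign test and the CIDR prefix count described above, worked through on the raw 32-bit values so the bitwise AND is visible. This is an added example, not code from the original post; the function names (`is_local`, `mask_to_prefix`, `host_address_problem`) and the sample addresses are constructed for illustration.

```python
# Added example (not from the original post): the subnet-mask test from the
# section above, on 32-bit integers so the bitwise AND is explicit.
import socket
import struct

def ip_to_int(dotted):
    """Dotted-quad string -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def int_to_ip(value):
    """32-bit integer -> dotted-quad string."""
    return socket.inet_ntoa(struct.pack("!I", value))

def prefix_to_mask(prefix):
    """CIDR prefix length (count of leading 1 bits) -> subnet mask integer."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask_dotted):
    """Count the 1 bits in a dotted-quad mask, e.g. 255.255.255.0 -> 24.
    Rejects masks whose 1 bits are not contiguous (not a valid CIDR mask)."""
    mask = ip_to_int(mask_dotted)
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError("non-contiguous subnet mask: " + mask_dotted)
    return prefix

def is_local(src_ip, mask_dotted, dst_ip):
    """True when src and dst share a network address (deliver directly on the
    local segment); False when the packet must go to the default gateway."""
    mask = ip_to_int(mask_dotted)
    return (ip_to_int(src_ip) & mask) == (ip_to_int(dst_ip) & mask)

def host_address_problem(ip, mask_dotted):
    """Return a reason string if the host part of ip is unusable, else None.
    Host bits all 0 is the network ID; host bits all 1 is the broadcast."""
    mask = ip_to_int(mask_dotted)
    host_mask = ~mask & 0xFFFFFFFF
    host_bits = ip_to_int(ip) & host_mask
    if host_bits == 0:
        return "host ID all zeros (network ID)"
    if host_bits == host_mask:
        return "host ID all ones (broadcast address)"
    return None

if __name__ == "__main__":
    # Sample addresses are constructed; 192.168.2.12/24 is the post's example.
    print(mask_to_prefix("255.255.255.0"))
    print(int_to_ip(ip_to_int("192.168.2.12") & prefix_to_mask(24)))
    print(is_local("192.168.2.12", "255.255.255.0", "192.168.2.200"))
    print(is_local("192.168.2.12", "255.255.255.0", "192.168.3.1"))
    print(host_address_problem("192.168.2.255", "255.255.255.0"))
```

`is_local` is exactly the two AND operations the bullet describes; `host_address_problem` encodes the last invalid-address rule (host ID all 0 or all 1) so a static assignment can be checked before it is typed into a server.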
9)   Subnetting and supernetting IP networks
  • Subnetting – occurs when one needs to divide a default A, B or C class address space into smaller spaces. The logical division is accomplished by extending the string of 1s in the subnet mask.
  • Subnetting is used for: accommodating security needs, physical topology, limitation of broadcasting
  • Number of hosts on a subnet = 2^(32 − number of 1s in the subnet mask) − 2. We subtract 2 since one address is needed for the network ID and one for the network broadcast
  • Host ID with all 0s is the network ID and host ID with all 1s is the broadcast address
  • Supernetting – occurs when one wants to combine default A, B or C class address spaces into one large space. This method allows for more efficient allocation of network address space.
  • Supernetting’s major difference from subnetting is the removal of 1s from the network mask. Thus one might have /23, /22, /21 or /20 supernet masks.
  • Conversion from binary to decimal and back is based on the base each system uses: 2 for binary, 10 for decimal, and so on. The position of a digit in a number, counting from zero at the right, determines the power to which the base is raised. The digit’s value is multiplied by the base raised to that power, and the products for all digits are summed to get the number in decimal. For example the number 123 in base 8 is 1*8^2+2*8^1+3*8^0 = 83 in decimal. To minimize errors it is best to use a calculator.
  • Variable length subnet masks (VLSMs) – allow for subnets to be subnetted themselves making the use in large organizations of network address space more efficient. They allow administrators to create subnets of varying sizes.
  • Classless Inter-Domain Routing (CIDR – defined in RFC 1519) using variable length subnet masks (VLSM) was created to allow for greater flexibility with routed IP networks, to allow for the accelerating expansion of the Internet.
  • VLSMs use Subnet IDs to create subnets of different sizes, they are not compatible with old routing protocols like RIP 1
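The subnet arithmetic from this section (hosts per subnet, network ID and broadcast, variable-length subnetting and supernet aggregation, plus the positional base conversion) worked as one small calculator. This is an added example and not code from the original post; the function names and the sample blocks such as 192.168.0.0/24 are constructed for illustration.

```python
# Added example (not from the original post): subnet/supernet arithmetic on
# 32-bit integers so the prefix <-> mask relationship is explicit.
import socket
import struct

def ip_to_int(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]

def int_to_ip(value):
    return socket.inet_ntoa(struct.pack("!I", value))

def mask_for(prefix):
    """Prefix length -> mask integer with `prefix` leading 1 bits."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def usable_hosts(prefix):
    """2^(32 - prefix) - 2: minus the network ID and the broadcast address."""
    return 2 ** (32 - prefix) - 2

def describe(address, prefix):
    """Network ID (host bits all 0), broadcast (host bits all 1), host range."""
    if not 0 <= prefix <= 30:
        raise ValueError("prefix must leave at least two host bits")
    net = ip_to_int(address) & mask_for(prefix)
    bcast = net | (~mask_for(prefix) & 0xFFFFFFFF)
    return {
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "first_host": int_to_ip(net + 1),
        "last_host": int_to_ip(bcast - 1),
        "hosts": usable_hosts(prefix),
    }

def vlsm_allocate(block, prefix, host_counts):
    """Carve one block into subnets of different sizes (VLSM).
    Largest requirement first, so each subnet lands on its own boundary.
    Returns [(cidr, hosts_requested)]; raises if the block is exhausted."""
    base = ip_to_int(block) & mask_for(prefix)
    end = base + 2 ** (32 - prefix)
    cursor, result = base, []
    for need in sorted(host_counts, reverse=True):
        host_bits = 2                      # smallest subnet: /30, 2 hosts
        while 2 ** host_bits - 2 < need:
            host_bits += 1
        size = 2 ** host_bits
        if cursor + size > end:
            raise ValueError("block exhausted while placing %d hosts" % need)
        result.append((int_to_ip(cursor) + "/" + str(32 - host_bits), need))
        cursor += size
    return result

def supernet(net_a, net_b, prefix):
    """Aggregate two adjacent, aligned /prefix networks into one /(prefix-1)
    by removing one 1 bit from the mask; returns the CIDR string."""
    a = ip_to_int(net_a) & mask_for(prefix)
    b = ip_to_int(net_b) & mask_for(prefix)
    wider = mask_for(prefix - 1)
    if a == b or (a & wider) != (b & wider):
        raise ValueError("networks are not an aligned adjacent pair")
    return int_to_ip(a & wider) + "/" + str(prefix - 1)

def from_base(digits, base):
    """Positional conversion: sum of digit * base^position, e.g. ('123', 8) -> 83."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        total += int(ch, base) * base ** position
    return total

if __name__ == "__main__":
    print(describe("192.168.2.12", 24))
    print(vlsm_allocate("192.168.0.0", 24, [100, 50, 20, 2]))
    print(supernet("192.168.2.0", "192.168.3.0", 24))
    print(from_base("123", 8), from_base("11000000", 2))
```

`vlsm_allocate` sorts requests largest first because each subnet of size 2^n must start on a multiple of 2^n; after placing the larger subnets the cursor is always aligned for the smaller ones. `supernet` checks that the two networks really collapse into one prefix when a mask bit is dropped, which is the case 192.168.2.0/24 + 192.168.3.0/24 = 192.168.2.0/23 but not 192.168.3.0/24 + 192.168.4.0/24.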
10)   Other points
  • Administrator can install on a computer file and print services for Macintosh but only print services for Unix
  • TCP/IP is installed by default by Windows setup
  • The following are installed as part of simple TCP/IP services: Character Generator, Daytime, Discard, Echo, Quote of the day
  • The MAC address cache on a computer can be cleared manually (it refreshes itself every 2 minutes) by issuing arp -d command
  • Most computers on the network use DHCP for addressing as it produces less human error than static addressing. Static addressing is used by servers.