Directions on Microsoft Update, September 2006
Windows Networking Reworked for Enterprises


The following is the full text of an article published by Directions on Microsoft, an independent research firm focused exclusively on Microsoft strategy and technology. More samples of our content, as well as a list of upcoming articles and reports, are also available.

Windows Vista and "Longhorn" Server both include substantial changes to their networking components, including complete redesigns of the TCP/IP and Server Message Block (SMB) protocol stacks, which should improve the performance, security, and management of Windows networking. Although most of the networking changes occur deep within the OS, Windows Vista includes significant changes to the user interface in an attempt to make it easier for users to find and manage networked resources. Microsoft will also make a small subset of the changes, such as hardware acceleration, available for Windows Server 2003, but these features may require new high-end networking hardware.

Performance

Changes intended to improve network performance include improving how the TCP/IP protocol stack sends and receives network packets and adding support for offloading some network processing to specialized hardware.

Compound TCP. The new TCP protocol stack uses a new approach developed by Microsoft Research called compound TCP (CTCP) to monitor bandwidth delay, delay variations, and packet loss, in order to increase the amount of data it sends at one time.

TCP receive-window auto-tuning. The new TCP protocol stack on the receiving computer continually monitors the network delay (called latency) and the application retrieve rate to automatically optimize the receive window (a memory buffer for incoming data). This vastly improves the performance of TCP over WAN connections and the Internet, especially in conjunction with updates to the SMB protocol.
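To make the receive-window point concrete, here is an added example (not code from the article or from Microsoft) that computes the throughput ceiling a fixed receive window imposes on a WAN path and runs a deliberately simplified auto-tuning loop driven by the two inputs the article names, latency and application read rate. The tuning rule, the 64 KB floor, the 16 MB ceiling and the link figures are assumptions for illustration; they are not Vista's actual algorithm or defaults.

```python
"""Receive-window sizing: added illustration, not the article's or Microsoft's code.
The tuning rule below is a toy model of "track latency and application read
rate"; it is not the algorithm Windows Vista implements."""

FLOOR_WINDOW = 64 * 1024            # assumed fixed-size window of older stacks
MAX_WINDOW = 16 * 1024 * 1024       # assumed auto-tuning ceiling (16 MB)


def max_throughput_bps(rwnd_bytes: int, rtt_s: float) -> float:
    """Ceiling for one TCP connection: at most one receive window of data can
    be in flight per round trip, so throughput <= window / RTT."""
    return rwnd_bytes * 8 / rtt_s


def bandwidth_delay_product(bandwidth_bps: float, rtt_s: float) -> int:
    """Bytes that must be in flight to keep a path busy; the receive window
    has to be at least this large to reach the link rate."""
    return int(round(bandwidth_bps / 8 * rtt_s))


def tune_receive_window(current: int, rtt_s: float, link_bps: float,
                        app_read_bps: float) -> int:
    """One auto-tuning step (toy model). Grow toward the window the path needs,
    but never advertise more than the application drains in one RTT: a
    window the reader cannot consume only ties up kernel buffer memory."""
    path_needs = bandwidth_delay_product(link_bps, rtt_s)
    app_can_drain = bandwidth_delay_product(app_read_bps, rtt_s)
    target = max(FLOOR_WINDOW, min(path_needs, app_can_drain, MAX_WINDOW))
    if target > current:
        return min(current * 2, target)   # ramp up geometrically
    return target                         # shrink at once when demand falls


def converge(rtt_s: float, link_bps: float, app_read_bps: float,
             start: int = FLOOR_WINDOW, max_steps: int = 32) -> list:
    """Run the tuning loop with constant measurements until the window stops
    changing; returns the sequence of window sizes it advertised."""
    history = [start]
    for _ in range(max_steps):
        nxt = tune_receive_window(history[-1], rtt_s, link_bps, app_read_bps)
        if nxt == history[-1]:
            break
        history.append(nxt)
    return history


if __name__ == "__main__":
    # Constructed scenario: 100 Mbit/s WAN link with 100 ms RTT.
    print("64 KB window caps at %.1f Mbit/s" % (max_throughput_bps(FLOOR_WINDOW, 0.1) / 1e6))
    print("window needed to fill the link:", bandwidth_delay_product(100e6, 0.1), "bytes")
    print("tuning path:", converge(0.1, 100e6, app_read_bps=1e9))
```

With a 64 KB window and 100 ms of latency the connection cannot exceed about 5 Mbit/s however fast the link is, which is the ceiling the article's "vastly improves performance over WAN connections" refers to; the tuned window grows to the 1.25 MB the path actually needs, and shrinks again when a slow application cannot drain the buffer.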

TCP hardware offload. Both Vista and Longhorn Server (the code name for the next version of Windows Server, due in late 2007) support TCP Chimney Offload. This technology offloads the processing of TCP packets, including packet segmentation and reassembly, to a specialized network adapter with a TCP offload engine (TOE). For long-lived connections that move large amounts of data, like those associated with Web, file, and storage servers, the technology not only speeds up the processing of network packets but also frees up the main processor in the server or workstation for other applications. This hardware offload support became available for Windows Server 2003 via the Scalable Networking Pack in May 2006.

Receive-side scaling. The Receive-side Scaling feature dynamically balances processing of inbound traffic across all available processors or processor cores, significantly improving the performance of Web and file servers or workstations that receive a significant amount of inbound traffic. In previous versions of Windows, all inbound traffic was bound to a single processor or core, even if other processors or cores were available. With multicore CPUs becoming common even on workstations and desktops, the ability to balance all workloads across all available processing resources becomes even more important. Receive-side scaling support is also available for Windows Server 2003 in the Scalable Networking Pack.

Server Message Block (SMB) 2.0. The existing SMB 1.0 protocol, which was designed for sharing files and printers, is based on networking assumptions that are out of date. Since the original design, there have only been minor changes and tweaks to the protocol to support some new functionality. With Windows Vista and Longhorn Server, Microsoft will introduce a new version of the protocol that supports compounding operations in order to reduce round trips and overhead per operation, and that enables larger buffer sizes. The new SMB also improves scalability by lifting limits on several resources, including the number of concurrent open file handles and shares on a server.
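The compounding the article describes is easiest to see on the wire. The following is an added example (not code from the article or from Microsoft) that packs a CREATE, READ and CLOSE into one SMB 2 message and walks the chain back apart. The 64-byte header layout, command numbers and the RELATED_OPERATIONS flag follow the published MS-SMB2 specification; the request bodies are stand-in bytes rather than real CREATE/READ/CLOSE structures, and the message is left unsigned.

```python
"""SMB 2 compounding: added illustration, not the article's or Microsoft's code.
Header layout, command numbers and the RELATED_OPERATIONS flag follow the
published MS-SMB2 specification; the request bodies are stand-in bytes."""
import struct

SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"      # 64 bytes, little-endian
SMB2_HEADER_SIZE = struct.calcsize(SMB2_HEADER_FMT)
SMB2_FLAGS_RELATED_OPERATIONS = 0x00000004
SMB2_CREATE, SMB2_CLOSE, SMB2_READ = 0x0005, 0x0006, 0x0008


def build_header(command, message_id, next_command, flags=0, session_id=0, tree_id=0):
    """Serialize one SMB2 request header. NextCommand is the byte offset from
    this header to the next one in the compound, 0 for the last request."""
    return struct.pack(SMB2_HEADER_FMT, b"\xfeSMB", SMB2_HEADER_SIZE, 1, 0,
                       command, 1, flags, next_command, message_id, 0,
                       tree_id, session_id, b"\x00" * 16)


def compound(requests, first_message_id=1, session_id=0, tree_id=0):
    """Pack (command, body) pairs into one compound request. Each PDU except
    the last is padded to an 8-byte boundary; each except the first carries
    RELATED_OPERATIONS, telling the server to feed the CREATE's file handle
    into the READ and CLOSE that follow it."""
    out = bytearray()
    for i, (command, body) in enumerate(requests):
        last = i == len(requests) - 1
        pdu_len = SMB2_HEADER_SIZE + len(body)
        pad = 0 if last else (-pdu_len) % 8
        flags = 0 if i == 0 else SMB2_FLAGS_RELATED_OPERATIONS
        out += build_header(command, first_message_id + i,
                            0 if last else pdu_len + pad, flags, session_id, tree_id)
        out += body + b"\x00" * pad
    return bytes(out)


def split_compound(message):
    """Walk a compound message by NextCommand. Returns a list of
    (command, message_id, related, body) tuples and raises ValueError on a
    truncated message or a NextCommand that does not move forward within it,
    the check a receiver needs before trusting the chain."""
    pdus, off = [], 0
    while True:
        hdr = message[off:off + SMB2_HEADER_SIZE]
        if len(hdr) < SMB2_HEADER_SIZE or hdr[:4] != b"\xfeSMB":
            raise ValueError(f"no valid SMB2 header at offset {off}")
        fields = struct.unpack(SMB2_HEADER_FMT, hdr)
        command, flags, next_cmd, msg_id = fields[4], fields[6], fields[7], fields[8]
        related = bool(flags & SMB2_FLAGS_RELATED_OPERATIONS)
        body_start = off + SMB2_HEADER_SIZE
        if next_cmd == 0:
            pdus.append((command, msg_id, related, bytes(message[body_start:])))
            return pdus
        if next_cmd < SMB2_HEADER_SIZE or off + next_cmd > len(message):
            raise ValueError(f"NextCommand {next_cmd} at offset {off} leaves the message")
        pdus.append((command, msg_id, related, bytes(message[body_start:off + next_cmd])))
        off += next_cmd


if __name__ == "__main__":
    # Constructed chain: open, read and close a file in a single round trip.
    msg = compound([(SMB2_CREATE, b"A" * 7), (SMB2_READ, b"B" * 12), (SMB2_CLOSE, b"C" * 4)])
    for command, msg_id, related, body in split_compound(msg):
        print(f"command=0x{command:04x} id={msg_id} related={related} body={len(body)}B")
```

Three operations that would cost three round trips under SMB 1 travel as one message here; the parser's bounds check on NextCommand is the part a server implementer cannot skip, since the offsets come from the peer.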

Security

Improvements to networking components that increase the security of Windows Vista and Longhorn Server include support for multiple routing compartments, improved wireless security, and support for network access protection in the future.

Multiple routing compartments. Routing compartments are used to prevent the unwanted forwarding of traffic between network adapters and interfaces for virtual private network (VPN) and terminal server connections. Windows XP, for example, can be configured so that when a user initiates a VPN connection to a private intranet across the Internet, the user's computer forwards traffic between the Internet and the VPN connection, possibly compromising corporate security. Windows Vista and Longhorn Server, in contrast, provide separate sets of IP routing tables for each set of network adapters and user sessions, eliminating the risk that a user can manually create a routing table entry that allows unwanted forwarding.
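The difference between one shared routing table and per-compartment tables is small in code but decisive for the VPN case above. Here is an added example (not code from the article or from Microsoft) with a longest-prefix-match router that can answer either way; interface names, compartment names and prefixes are constructed sample values.

```python
"""Routing compartments: added illustration, not the article's or Microsoft's code.
Interface names, compartment names and prefixes are constructed sample values;
the lookup is ordinary longest-prefix match restricted to one table."""
import ipaddress


class CompartmentRouter:
    def __init__(self):
        self.tables = {}            # compartment -> [(network, egress interface)]
        self.compartment_of = {}    # interface -> compartment it belongs to

    def add_interface(self, iface, compartment):
        self.compartment_of[iface] = compartment
        self.tables.setdefault(compartment, [])

    def add_route(self, compartment, prefix, iface):
        # A table may only point at interfaces inside its own compartment.
        if self.compartment_of.get(iface) != compartment:
            raise ValueError(f"{iface} is not in compartment {compartment}")
        self.tables[compartment].append((ipaddress.ip_network(prefix), iface))

    @staticmethod
    def _best(routes, dst):
        """Longest-prefix match over one list of routes."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, ingress_iface, dst):
        """Compartmented forwarding: a packet is routed only with the table of
        the compartment its ingress interface belongs to, so it can never be
        sent out an interface in another compartment."""
        comp = self.compartment_of[ingress_iface]
        return self._best(self.tables[comp], dst)

    def forward_flat(self, ingress_iface, dst):
        """Single-table forwarding (the older model): every route is visible to
        every packet, so the ingress interface makes no difference."""
        merged = [r for routes in self.tables.values() for r in routes]
        return self._best(merged, dst)


def build_sample():
    """Constructed host: an Internet-facing adapter and a user's VPN tunnel."""
    r = CompartmentRouter()
    r.add_interface("eth0", "default")   # Internet-facing adapter
    r.add_interface("ppp0", "vpn")       # VPN tunnel created by the user's session
    r.add_route("default", "192.168.1.0/24", "eth0")
    r.add_route("default", "0.0.0.0/0", "eth0")
    r.add_route("vpn", "10.0.0.0/8", "ppp0")       # the private intranet
    r.add_route("vpn", "0.0.0.0/0", "ppp0")
    return r


if __name__ == "__main__":
    r = build_sample()
    # A packet arriving from the Internet, addressed to an intranet host.
    print("flat table   ->", r.forward_flat("eth0", "10.1.2.3"))   # ppp0: bridged into the VPN
    print("compartments ->", r.forward("eth0", "10.1.2.3"))        # eth0: never enters the VPN
```

With the single merged table, an Internet-originated packet for 10.1.2.3 matches the intranet route and is forwarded into the tunnel; with compartments, the Internet adapter's table simply has no route there, so no routing entry a user adds can produce that path.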

Improved wireless security. The native Wi-Fi stack in Windows Vista and Longhorn Server supports the latest wireless security protocols, including:

  • Protected Extensible Authentication Protocol—Transport Layer Security (PEAP-TLS)
  • Protected Extensible Authentication Protocol—MS CHAP v2 (PEAP-MSCHAPv2)
  • Wi-Fi Protected Access (WPA2)

By supporting these protocols, Windows will work with almost any wireless infrastructure, and Vista will choose the most secure protocol by default.

Network Access Protection (NAP). Windows Vista and Longhorn Server will provide policy enforcement components to ensure that computers connecting to a network comply with administrator-defined requirements for system health. Those that do not comply can be quarantined or kept off the network, or routed to another location to get the necessary software or updates to comply with the policy. For example, the requirements for system health might necessitate that all computers connecting to the network have the latest OS updates and antivirus signature files installed. NAP can enforce such policies when a computer requests a new IP address or renews the lease on an existing IP address from a DHCP server, when a computer attempts to connect to the network by a VPN connection, or when a computer attempts to authenticate with an 802.1X-based Ethernet switch or wireless access point. NAP will also provide IP Security (IPSec)-based support for wireless and wired network access control. Although the client code for NAP is included with Windows Vista, customers will have to use the existing quarantine features of Windows Server 2003 until Longhorn Server ships in 2007, when they will be able to deploy NAP completely.

Network Policy Server. Network Policy Server (NPS) replaces the Internet Authentication Service (IAS) in Windows Server 2003 to provide Remote Authentication Dial-In User Service (RADIUS) and authentication services for VPN and 802.1X-based wireless and wired connections to Longhorn Server. NPS, a part of Longhorn Server, also evaluates the security health of NAP clients (already in Vista) and determines when to grant them full access versus when to grant them only limited access or quarantine them until the policy is met.
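The decision the two NAP paragraphs above describe, a policy server comparing a client's statement of health with the administrator's requirements and handing the result to an enforcement point, is sketched in this added example (not code from the article or from Microsoft). The policy fields, client statements and remediation URLs are constructed placeholders, and the enforcement actions for DHCP, VPN and 802.1X are assumed examples; real NAP uses System Health Validators and enforcement clients that this sketch only models.

```python
"""NAP health evaluation: added illustration, not the article's or Microsoft's code.
Policy fields, client statements and remediation URLs are constructed sample
values (URLs are placeholders); real NAP uses System Health Validators and
enforcement clients that this sketch only models."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class HealthPolicy:
    minimum_os_build: int          # lowest OS build accepted as "patched"
    max_signature_age_days: int    # antivirus signatures older than this fail
    firewall_required: bool = True


@dataclass
class StatementOfHealth:
    client: str
    os_build: int
    av_signature_date: date
    firewall_on: bool


@dataclass
class AccessDecision:
    client: str
    access: str                                   # "full" or "restricted"
    failures: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


def evaluate(soh, policy, today):
    """Compare a client's statement of health with policy. Any failure yields
    restricted access plus the remediation steps the client needs."""
    failures, fixes = [], []
    if soh.os_build < policy.minimum_os_build:
        failures.append(f"os-build {soh.os_build} < {policy.minimum_os_build}")
        fixes.append("install updates from https://updates.example.invalid (placeholder)")
    age = (today - soh.av_signature_date).days
    if age > policy.max_signature_age_days:
        failures.append(f"av-signatures {age} days old")
        fixes.append("refresh signatures from https://av.example.invalid (placeholder)")
    if policy.firewall_required and not soh.firewall_on:
        failures.append("host-firewall off")
        fixes.append("enable Windows Firewall (Group Policy refresh)")
    access = "full" if not failures else "restricted"
    return AccessDecision(soh.client, access, failures, fixes)


def enforce(decision, method):
    """What the enforcement point does with a decision. The three methods are
    the ones the article names; the concrete actions are assumed examples."""
    if decision.access == "full":
        return "grant"
    return {
        "dhcp": "lease with restricted scope and routes only to remediation servers",
        "vpn": "apply packet filters limiting the tunnel to remediation servers",
        "802.1X": "assign the restricted VLAN at the switch or access point",
    }[method]


if __name__ == "__main__":
    # Constructed policy and two constructed clients, evaluated on 15 Sep 2006.
    policy = HealthPolicy(minimum_os_build=6000, max_signature_age_days=7)
    today = date(2006, 9, 15)
    for soh in (StatementOfHealth("pc-1", 6000, date(2006, 9, 12), True),
                StatementOfHealth("pc-2", 5999, date(2006, 9, 1), False)):
        d = evaluate(soh, policy, today)
        print(d.client, d.access, d.failures, "->", enforce(d, "dhcp"))
```

Keeping the failures and their remediation steps in the decision object is what lets the restricted client be told what to fix rather than silently dropped, which is the "routed to another location to get the necessary software" behaviour the article describes.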

Management

Management improvements in Windows Vista and Longhorn Server include native support for Internet Protocol version 6 (IPv6), a new wireless architecture, a new network diagnostic framework, and the ability to use Group Policy to manage the network configuration of Windows Vista centrally and consistently.

Integrated IPv4 and IPv6

The new TCP protocol support integrates the formerly separate IPv4 and IPv6 protocol stacks into a dual-IP layer architecture that shares common framing and transport layers, making the creation of applications that can work with both IPv4 and IPv6 easier.

Deployment and management of IPv6 will be simpler because IPv6 is enabled by default, and both IPv4 and IPv6 are configured by a single configuration dialog box.

New Wireless Architecture

In Windows Server 2003 and Windows XP, the software infrastructure for wireless connections was built to emulate an Ethernet connection. In Longhorn Server and Vista, the software infrastructure for IEEE 802.11 (Wi-Fi) wireless connections is now represented as a separate media type from IEEE 802.3, used for wired connections, and includes components to perform authentication, authorization, and management of wireless connections.

This means that wireless hardware vendors will no longer have to incorporate or duplicate these functions in their wireless network adapter drivers, and because more of the interface is provided by Microsoft, there is less need for specialized drivers and configuration tools from different manufacturers for different adapters.

Network Diagnostics Framework

Windows Vista and Longhorn Server use a new extensible diagnostic framework to help users troubleshoot and recover from problems with network connections. For TCP/IP-based communication, the framework guides the user through a series of options to eliminate possible causes until the root cause of the problem is identified or all possibilities are eliminated. The Network Diagnostics Framework can diagnose over 200 root causes of problems, including the following:

  • Incorrect IP address
  • Default gateway (router) is not available
  • Incorrect default gateway
  • NetBIOS over TCP/IP (NetBT) name resolution failure
  • Incorrect DNS settings
  • The DHCP Client service is not running
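The "eliminate causes in order" approach is a dependency walk: a missing address explains a missing gateway, which explains failed name resolution. This added example (not code from the article or from Microsoft) runs that walk over a constructed host snapshot and a stand-in reachability probe, returning the first cause in the chain that fails; the snapshot fields, the probe and the cause wording are assumptions, and the framework's real checks are far more numerous than the six shown.

```python
"""Network diagnosis by elimination: added illustration, not the article's or
Microsoft's code. The host snapshot and the probe results are constructed so
the checks run offline; a real diagnostic would query the stack and probe."""
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")   # self-assigned when DHCP fails


def diagnose(host, probe):
    """Walk the checks in dependency order (service -> address -> gateway ->
    DNS) and stop at the first failure, which is the root cause; later
    symptoms are consequences of it.

    host:  dict with keys ip, mask, gateway, dns (list), dhcp_enabled,
           dhcp_service_running (constructed snapshot of the adapter)
    probe: callable(ip_address) -> True if the target answers
    """
    if host["dhcp_enabled"] and not host["dhcp_service_running"]:
        return "The DHCP Client service is not running"
    ip = ipaddress.ip_address(host["ip"])
    if ip in APIPA or ip.is_unspecified:
        return "Incorrect IP address (no address obtained; self-assigned 169.254.x.x)"
    subnet = ipaddress.ip_interface(f"{host['ip']}/{host['mask']}").network
    gw = ipaddress.ip_address(host["gateway"])
    if gw not in subnet:
        return "Incorrect default gateway (not on the local subnet)"
    if not probe(gw):
        return "Default gateway (router) is not available"
    if not host["dns"]:
        return "Incorrect DNS settings (no DNS servers configured)"
    if not any(probe(ipaddress.ip_address(d)) for d in host["dns"]):
        return "Incorrect DNS settings (no configured DNS server is reachable)"
    return "No fault found in local TCP/IP configuration"


def make_probe(reachable):
    """Constructed stand-in for an ARP/ICMP probe: answers True only for the
    addresses in the given set."""
    ok = {ipaddress.ip_address(a) for a in reachable}
    return lambda addr: addr in ok


HEALTHY = {"ip": "192.168.1.20", "mask": "255.255.255.0", "gateway": "192.168.1.1",
           "dns": ["192.168.1.1"], "dhcp_enabled": True, "dhcp_service_running": True}

if __name__ == "__main__":
    probe = make_probe({"192.168.1.1"})
    print(diagnose(HEALTHY, probe))
    print(diagnose({**HEALTHY, "gateway": "10.0.0.1"}, probe))
    print(diagnose({**HEALTHY, "ip": "169.254.33.7"}, probe))
    print(diagnose(HEALTHY, make_probe(set())))
```

Ordering the checks this way matters more than the individual tests: probing DNS before confirming the gateway would report a DNS fault for what is really an unreachable router.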

Policy-Based Network Management

With Windows Longhorn Server and Vista, Group Policy can be used to centrally configure and manage the settings for the following:

Quality of Service (QoS). QoS policy can throttle or limit the aggregate outgoing network traffic to a specified rate. To specify prioritized delivery, traffic can be marked with a Differentiated Services Code Point (DSCP) value so that routers in the network infrastructure can place DSCP-marked packets in different queues for differentiated delivery.

Server and domain isolation. By using IPSec and Group Policy, organizations can create isolated servers and domains to prevent unauthorized computers and programs from gaining inappropriate access to resources. Requests from computers that are not part of the isolated network are ignored; therefore, IPSec-based isolation can protect high-value servers and data, as well as protect managed computers from unmanaged or rogue computers and users.

Windows Firewall settings. To ensure that all computers and servers have the appropriate settings, Windows Vista and Longhorn Server can use Group Policy to facilitate the configuration of firewall ports for both inbound and outbound communications.
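The QoS paragraph above names two mechanisms, rate limiting of outbound traffic and DSCP marking for routers to act on. This added example (not code from the article or from Microsoft) implements both in their textbook form: a token-bucket shaper that computes when each packet may leave, and a DSCP rewrite of an IPv4 header that recomputes the header checksum. DSCP occupies the top six bits of the IPv4 DS byte per RFC 2474; the shaper is the generic algorithm, not Windows' internal packet scheduler, and the packet sizes, rates and sample header are constructed.

```python
"""QoS policy mechanics: added illustration, not the article's or Microsoft's code.
DSCP occupies the top six bits of the IPv4 DS (former ToS) byte per RFC 2474;
the token bucket is the textbook shaper, not Windows' internal packet scheduler.
Packet sizes, rates and the sample header are constructed."""
import struct

DSCP_EF = 46   # Expedited Forwarding, the usual class for voice traffic


def mark_dscp(ds_byte, dscp):
    """Replace the six DSCP bits, preserving the two ECN bits."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    return (dscp << 2) | (ds_byte & 0x03)


def dscp_of(ds_byte):
    return ds_byte >> 2


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the header. Over a header whose
    checksum field is already filled in, the result is 0 if it is valid."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def remark_ipv4(header, dscp):
    """Return the header with its DSCP rewritten and checksum recomputed; a
    marker that forgets the checksum produces packets that routers discard."""
    hdr = bytearray(header)
    hdr[1] = mark_dscp(hdr[1], dscp)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr)


def sample_ipv4_header():
    """Constructed 20-byte IPv4 header: 60-byte UDP datagram, 10.0.0.1 -> 10.0.0.2."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 60, 0x1234, 0x4000,
                                64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr)


def shape(packets, rate_bytes_per_s, burst_bytes):
    """Token-bucket shaper. For (arrival_time, size) pairs in arrival order,
    return the time each packet may be sent so that aggregate output never
    exceeds the rate by more than one burst; packets are delayed, not dropped."""
    tokens, clock, out = float(burst_bytes), 0.0, []
    for arrival, size in packets:
        if size > burst_bytes:
            raise ValueError("packet larger than the bucket can ever hold")
        t = max(arrival, clock)                      # queue behind earlier packets
        tokens = min(float(burst_bytes), tokens + (t - clock) * rate_bytes_per_s)
        if tokens < size:                            # wait for enough tokens
            t += (size - tokens) / rate_bytes_per_s
            tokens = float(size)
        tokens -= size
        out.append(t)
        clock = t
    return out


if __name__ == "__main__":
    h = sample_ipv4_header()
    m = remark_ipv4(h, DSCP_EF)
    print("DS byte 0x%02x -> 0x%02x, checksum valid: %s" % (h[1], m[1], ipv4_checksum(m) == 0))
    # Constructed burst: four 500-byte packets against a 1000 B/s, 1000 B bucket.
    print("send times:", shape([(0, 500), (0, 500), (0, 500), (1.0, 1000)], 1000, 1000))
```

The shaper output shows the throttling behaviour exactly: the first two packets fit in the burst, the third waits half a second for tokens, and a full-size packet a second later is held until the bucket refills.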

Application Changes

A new network location-awareness service and the Windows Filtering platform make it easier for developers to write programs that work with the networking components.

Network Location Awareness (NLA). Because Windows allows computers to connect to several networks, the OS could have simultaneous connections available across wireless, wired, and dial-up networks. An application may not be aware of all of these available connections, and unless the developer has included routines in the application to evaluate the network, the application may not know which connection will offer the best communication. The NLA service uniquely identifies each network and exposes the network's attributes so that applications can determine the optimal network configuration—for example, an e-mail program could use NLA to find the best way to connect to the mail server. When an application registers for NLA notifications, the application will not only receive notifications about the availability of new network connections but will also receive notification if there is a change to an existing network connection.

The Windows Firewall and Group Policy are examples of applications that will use the NLA platform starting with Windows Vista.

Windows Filtering Platform (WFP). WFP is a new architecture in Windows Vista and Longhorn Server that allows unprecedented access to the TCP/IP packet processing path. This access can allow applications to examine and change outgoing and incoming packets before allowing them to be processed by any other applications. Being able to tap into the TCP/IP processing path makes it easier for software developers to create firewalls, antivirus software, diagnostic software, and other types of applications and services without the difficult task of having to write custom network drivers. The WFP interfaces are used by Microsoft for the Windows Firewall and the IPSec implementation in Windows Vista and Longhorn Server.

Network and Sharing Center

Windows Vista makes substantial changes to the user interface for finding, making, and managing network connections.

New starting point. The starting point for networking is a new Network and Sharing Center, which provides a single location where users can check the status of all network connections, visualize the network and any resources such as folders or printers they are sharing, and troubleshoot any connection problems. (For an illustration, see "Network and Sharing Center".)

Fewer icons. Windows Vista also replaces the myriad networking-related icons that fill the earlier Windows system trays with a single network icon that shows overall connection status, including Internet connectivity. Clicking on the icon will show all active network connections. Dialog boxes for connecting to a network have also been streamlined, making it possible to create any type of network connection—local, wireless, VPN, or dial-up—from the network center.

Network Map Still Needs Work

Vista also delivers a new Network Map, a graphical view of all devices on the network and how they are connected. The goal of the Network Map, which is targeted at consumers and small business users, is to help users optimize their network for the best performance and easily locate any problems. But in its current (beta) form, too many devices on the network cannot be detected, or, if detected, cannot be placed in the appropriate location on the map. (For an illustration, see "Network Map".)

These problems arose because Microsoft decided to provide limited support for NetBIOS and Universal Plug and Play (UPnP), as those protocols do not supply sufficient data to build a reliable map of the network. Instead, devices supporting these protocols may be shown in a list of discovered devices but not placed on the map.

In practice, the Windows Vista Network Map supports only Microsoft's own discovery and configuration protocols, Windows Rally, a collection of technologies that includes Link Layer Topology Discovery and Windows Connect Now. Windows Rally protocols are available under a royalty-free license, but few existing devices support them. Microsoft says its new discovery and configuration protocol is extensible, so other OS and device manufacturers could create providers, and claims that providers for Windows XP and Windows Server 2003 will be available by the time Vista ships. But until the Network Map can correctly detect all the devices on a user's network, it is more likely to confuse users than help them.

Removal of Technologies

Support for the following technologies has been removed from Windows Vista and Longhorn Server, as they are rarely used anymore:

  • Bandwidth Allocation Protocol (BAP)
  • X.25
  • Serial Line Interface Protocol (SLIP)—SLIP-based connections will automatically be updated to PPP-based connections
  • Services for Macintosh (SFM)

Availability and Resources

All of the networking changes in Windows Vista and Longhorn Server are described at www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx.

A Microsoft Research paper on Compound TCP is available at research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=940.

A knowledgebase article on the Scalable Networking Pack, including how to download the pack, is available at support.microsoft.com/?kbid=912222.

A white paper on Enterprise Networking with Windows Vista is available at www.microsoft.com/technet/windowsvista/network/entnet.mspx.

An Introduction to Server and Domain Isolation using Group Policy and IPSec is available at www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch1.mspx.

For background on IPv6, see "Windows Support for IPv6 Increases" on page 3 of the Apr. 2005 Update.

Technical information on the Windows Filtering Platform is available at www.microsoft.com/whdc/device/network/WFP.mspx.