NW_WK9 - carrieclasses


Objectives
• Wireless Access
• IPSec
• Discuss Network Access Protection
• Install Network Access Protection
Wireless Access Configuration in
Windows Server 2008
• 802.1X standard
– Port-based network access control: an authentication
mechanism that allows or denies network access per port
(or per wireless association) before the client gets onto the LAN
– WPA2-EAP (Wi-Fi Protected Access 2 with EAP authentication,
also called WPA2-Enterprise)
• More secure than WPA2-PSK and WEP, which both rely on a static shared key
• EAP → authentication with certificates (server always; client optionally)
Wireless Access Configuration in
Windows Server 2008 (continued)
• Common EAP methods (802.1X carries EAP over the LAN as EAPOL;
either method works on wired or wireless ports)
– EAP-TLS
• Certificates on both server and client; mutual authentication
– PEAP: Protected Extensible Authentication Protocol
• Server certificate builds a TLS tunnel that protects an inner
method such as MS-CHAP v2; the usual choice for wireless clients
• 802.1X uses a three-component model for
authenticating access to networks
– Supplicant: wireless client/device
– Authenticator: wireless access point (or switch port)
– Authentication server: NPS/RADIUS server
Internet Protocol Security
• An open-standards framework for securing network
communications
• IPSec meets three basic goals
– Authentication
– Integrity
– Confidentiality
IPSec Threats
• Depending on its configuration, IPSec provides
protection from the following threats
– Data tampering (integrity check on every packet)
– Denial of service (unauthenticated packets are dropped before they reach the application)
– Identity spoofing (peers are authenticated before traffic is accepted)
– Man-in-the-middle attacks
– Repudiation (traffic is tied to an authenticated endpoint)
– Network traffic sniffing (ESP encrypts the payload)
How IPSec Works
• IPSec modes of operation
– Transport mode
– Tunnel mode
• IPSec Security Methods
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
• Scenarios available when deploying IPSec
– Site to site
– Client to client
– Client to site
Transport Mode
• Used between two hosts (client-to-client or client-to-site); only the
payload is protected, the original IP header stays in the clear
• Both communication ends must support IPSec
Tunnel Mode
• Used between two gateways/routers (site-to-site); the whole original
packet is encapsulated inside a new IP packet
• The two hosts communicating through the gateways do not
need to support IPSec
• Only the gateways are authenticated, not the computers
taking part in the conversation
AH Method
• Provides authentication of the two endpoints and adds an
integrity check value (a keyed hash, not a plain checksum) over
the packet, including the IP header
• Authentication guarantees that the two endpoints are
known and the integrity check guarantees that the packet
is not modified in transit
• Payload of the packet is unencrypted
• Sequence numbers let the receiver reject packets that were
captured with a packet sniffer and replayed later
• Less processor intensive than ESP
• Because the IP header is covered by the check, AH does not
work through NAT: the translated address breaks the integrity check
ESP Method
• Provides authentication of the two endpoints, which
guarantees that the two endpoints are known
• Adds an integrity check value to each packet (over the ESP header
and payload, not the outer IP header, so it survives NAT traversal)
• Encrypts the data in the packet
• Most implementations of IPSec use ESP
because data encryption is desired
IPSec Authentication
• Authentication is for the devices at the two IPSec
endpoints, NOT the users logged into the devices
• Internet Key Exchange (IKE) is the process used by two
IPSec hosts to negotiate their security
parameters/protocols
– IKE authenticates the peers and generates the encryption and
authentication keys used by IPSec for the session
• The agreed set of parameters (algorithms, keys, lifetimes, SPI)
is referred to as a security association (SA); IKE first builds a
main mode SA, then the quick mode SAs that carry data, one per direction
IPSec Connection Authentication Methods
• Pre-shared key – simple, but the key has to be distributed to every
peer in advance and is stored in plain text in the policy; suitable for testing only
• Kerberos – integrated with Windows Active Directory; usable only
between computers that are members of a trusted domain
• Certificates
– Issued by a certification authority (CA): either a trusted public CA
on the Internet or an internal CA such as Active Directory Certificate Services
– Each peer validates the other's certificate by checking the digital
signature of the certification authority and the trust chain up to a trusted root
Enabling IPSec
• IPSec is enabled on Windows using IPSec policies
• Unlike Windows Server 2003, Windows Server 2008 ships with no default
policy; nothing is protected until a policy is created and assigned
• Policies can be configured manually on each server or
distributed through Group Policy
– Choose tunnel or transport mode and the network type
– Specify IP filters (which traffic matches) and filter actions
(permit, block, or negotiate security)
• Can be managed with the following tools
– Windows Firewall with Advanced Security (WFAS) connection security rules
– IP Security Policy snap-in (legacy policies)
– Netsh (netsh advfirewall consec for rules, netsh ipsec static for legacy policies)
– gpme.msc (Group Policy Management Editor, for domain-wide distribution)
Assigning IPSec Policies
• Multiple IPSec policies may be configured
• Only the assigned one is actually used
• No policy is used until it is assigned
• Only one policy can be assigned at a time per machine
• Assignment does not take effect immediately
• The IPSec Policy Agent must be restarted (or the policy polling
interval must elapse) for the change to take effect
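The two ways of enabling IPSec listed above (WFAS connection security rules and legacy IP Security policies) from the command line, as an added example that is not part of the original slides. It is written for an elevated PowerShell prompt on Windows Server 2008 and uses only netsh commands that exist there; the rule and policy names are assumptions chosen for this example. The first rule is the weak setting, the second is the corrected one.

```powershell
# Added example (not from the slides). Creates WFAS connection security
# rules with "netsh advfirewall consec" and assigns a legacy IP Security
# policy with "netsh ipsec static". Run elevated on Windows Server 2008.
# Rule and policy names below are assumptions for this example.

# WEAK: request authentication in both directions. A peer that does not
# speak IPsec (or an attacker pretending to be one) still gets cleartext,
# so an active adversary simply never negotiates and is never blocked.
netsh advfirewall consec add rule name=IPsec-RequestOnly `
    endpoint1=any endpoint2=any `
    action=requestinrequestout `
    auth1=computerkerb `
    mode=transport

# CORRECTED for domain-joined servers: require authentication inbound and
# outbound, so unauthenticated peers are dropped. Kerberos computer
# credentials only work between members of a trusted AD domain.
netsh advfirewall consec add rule name=IPsec-RequireKerberos `
    endpoint1=any endpoint2=any `
    action=requireinrequireout `
    auth1=computerkerb `
    mode=transport

# Drop the weak rule once the strict one is confirmed working.
netsh advfirewall consec delete rule name=IPsec-RequestOnly

# Show what is now configured locally (Group Policy rules are merged in).
netsh advfirewall consec show rule name=all

# Legacy IP Security Policy snap-in equivalent. Several policies can exist,
# but only the one with assign=y is enforced, and assigning another one
# replaces it (one assigned policy per machine).
netsh ipsec static show policy all
netsh ipsec static set policy name=Require-ESP assign=y

# The assignment is picked up at the next Policy Agent poll; restarting the
# IPsec Policy Agent service forces it immediately, as the slides note.
Restart-Service -Name PolicyAgent
```

Before switching a rule to requireinrequireout on a real network, exempt traffic the machine needs before it can authenticate (DHCP, DNS and domain controller traffic) or the server can cut itself off from the domain; test with requestinrequestout first and watch the main mode SAs come up, then tighten.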
Troubleshooting IPSec
• Most common IPSec troubleshooting tools are:
– Ping (does traffic flow at all, and does the first packet trigger an IKE negotiation?)
– IP Security Monitor – MMC snap-in (active policy, main mode and quick mode SAs)
– Event Viewer – Security log (IKE negotiation success/failure audit events)
– Resultant Set of Policy – Group Policy resultant set (which IPSec settings actually reach the machine)
– Network Monitor (capture ISAKMP on UDP 500/4500 and the AH/ESP traffic itself)
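The same checks from the command line, as an added example that is not part of the original slides: it walks the troubleshooting order a practitioner uses on a Windows Server 2008 host (rules in force, negotiated SAs, then IKE failures from the Security log). The event IDs are the standard Windows IPsec audit events; the audit subcategories must be enabled or no events are written.

```powershell
# Added example (not from the slides). Checks IPsec state on Windows Server
# 2008: rules in force, main/quick mode SAs, and IKE failures from the
# Security log. Run elevated. Replace 10.0.0.20 (an assumed peer address).
$peer = '10.0.0.20'

# 1. Which connection security rules are actually in force (local + GPO)?
netsh advfirewall monitor show consec

# 2. Trigger a negotiation and look for the SAs. No main mode SA after the
#    ping means IKE never completed: wrong credential type on one side,
#    clocks skewed for Kerberos, or UDP 500/4500 blocked in between.
ping -n 2 $peer | Out-Null
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 3. Make sure IKE is audited, then pull the most recent failures.
auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

# 4652/4653: main mode negotiation failed (authentication/proposal mismatch)
# 4654: quick mode failed (ESP/AH proposal mismatch)
# 4976/4977: invalid packet received during main/quick mode
wevtutil qe Security /c:20 /rd:true /f:text `
    /q:"*[System[(EventID=4652 or EventID=4653 or EventID=4654 or EventID=4976 or EventID=4977)]]"

# 4. Is the Group Policy that carries the IPsec settings even applied here?
gpresult /scope computer /r
```

Read the output in that order: if step 1 shows no rule, the problem is policy delivery (step 4); if the rule is there but step 2 shows no main mode SA, the failure reason is in the 465x events of step 3.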
Using IPSec
Network Access Protection
• NAP can be broken into three parts
– Health policy validation
– Health policy compliance
– Access limitation
NAP Terminology
• Enforcement Client (Windows 7, Windows Server 2008, Vista, XP SP3)
• Enforcement Server (Windows Server 2008 NPS server)
• Host Credential Authorization Protocol (HCAP): lets NPS act as the
policy server for Cisco Network Admission Control clients; not used
for the native 802.1X enforcement method
• Health Registration Authority (HRA)
– Issues health certificates to clients that pass validation
– Required for IPSec enforcement
– A role service of the Network Policy and Access Services role;
needs a certification authority to sign the certificates
• Network Policy Server
• Remediation Server (supplies the updates a non-compliant client
needs in order to become compliant)
• System Health Agent (SHA: a component on the NAP client that reports
status such as firewall and antivirus; the built-in Windows SHA reads
this from Windows Security Center)
• System Health Validator (SHV: the server-side counterpart on NPS that
judges the SHA's statement of health)
NAP Enforcement Methods
• The five types of NAP enforcement methods used
by NAP
– 802.1X-authenticated connections (EAP): non-compliant clients are
placed on a restricted VLAN or ACL by the switch/access point
– Dynamic Host Configuration Protocol (DHCP)
address configuration: non-compliant clients get a restricted lease
(the weakest method, since a client with a static address bypasses it)
– IPSec communications
• compliant computers receive a health certificate and only accept
IPSec connections from other certified peers; restriction can be
scoped by IP address or port number
• requires an HRA and a certification authority (Certificate Services)
– Terminal Services Gateway (TS Gateway)
connections
– Virtual Private Network (VPN) connections
Implementing NAP
Install, Configure and Enforce NAP
• Install the Network Policy and Access Services role; NAP is installed
as part of the NPS role service
– Add Roles Wizard or servermanagercmd.exe command
• Configure the Windows Security Health Validator
– NPS → Network Access Protection → System Health Validators
• Create two new health policies
– One Compliant policy and one Non-compliant policy
– NPS → Policies → Health Policies
• Enable the NAP enforcement client on client computers
– netsh nap client command
– NAP Client Configuration snap-in (napclcfg.msc)
• Set network policies (full access for compliant, restricted access for
non-compliant clients) or, for IPSec enforcement, connection security rules
NAP Client Configuration
• Turn on Security Center in Local Computer Policy
– gpedit.msc or Group Policy Object Editor snap-in
– Computer Configuration → Administrative Templates →
Windows Components → Security Center
– Needed to work with the standard Windows SHV: the Windows SHA
reads firewall and antivirus status from Security Center
• Start the Network Access Protection Agent service (napagent)
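The client-side steps above as one script, as an added example that is not part of the original slides. It enables an enforcement client with netsh nap client, turns on Security Center through the same registry value the Group Policy setting writes, and starts the NAP Agent. Assumptions are labelled in the comments: the enforcement client IDs in the table are the ones "netsh nap client show enforcement" lists on Windows 7/Vista/Server 2008, and the Security Center policy value name is the one that setting writes.

```powershell
# Added example (not from the slides). Enables a NAP enforcement client,
# turns on Security Center, and starts the NAP Agent on a Windows 7, Vista
# or Server 2008 NAP client. Run in an elevated PowerShell session.
# Assumption: these IDs are the ones "netsh nap client show enforcement"
# lists; check that output on your build before relying on them.
$enforcementIds = @{
    DHCP  = 79617   # DHCP Quarantine Enforcement Client
    VPN   = 79618   # Remote Access Quarantine Enforcement Client
    IPsec = 79619   # IPsec Relying Party
    TSGW  = 79621   # TS Gateway Quarantine Enforcement Client
    EAP   = 79623   # EAP Quarantine Enforcement Client (802.1X)
}

function Enable-NapEnforcement {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DHCP', 'VPN', 'IPsec', 'TSGW', 'EAP')]
        [string] $Method
    )
    $id = $enforcementIds[$Method]
    # Same effect as ticking the method under Enforcement Clients in napclcfg.msc
    netsh nap client set enforcement ID=$id ADMIN="ENABLE" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh could not enable $Method enforcement (ID $id)"
    }
}

# Enable only the method the NPS server actually enforces; extra enabled
# clients just add noise to the NAP operational log.
Enable-NapEnforcement -Method DHCP

# Security Center must be on for the Windows SHA to report firewall and
# antivirus state. Assumption: this is the value written by the policy
# "Turn on Security Center (Domain PCs only)" under Computer Configuration >
# Administrative Templates > Windows Components > Security Center.
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
New-Item -Path $scKey -Force | Out-Null
Set-ItemProperty -Path $scKey -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# The NAP Agent service (napagent) is set to Manual by default; make it
# Automatic so enforcement survives a reboot, then start it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# Verify: the chosen enforcement client should show as enabled and the
# agent should be running.
netsh nap client show state
Get-Service -Name napagent
```

On a domain, the same settings belong in a GPO (Computer Configuration → Windows Settings → Security Settings → Network Access Protection) rather than being scripted per machine; the script is the local equivalent for a lab or a single test client.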
NAP Monitoring
• Log Files
– On the NAP Enforcement Server:
• Windows Logs\Security log: NPS audit events showing which clients
were granted, restricted or denied access
– On Vista or Windows Server 2008 NAP Enforcement Clients:
• Applications and Services Logs\Microsoft\Windows
\Network Access Protection\Operational log
– On XP SP3 NAP Enforcement Clients:
• System log
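Querying the logs listed above from the command line, as an added example that is not part of the original slides. The server-side IDs are the standard NPS audit events (6273 access denied, 6276 client quarantined as non-compliant, 6277 probation, 6278 full access because compliant); the client-side channel name is an assumption matching the Event Viewer path on Vista/Server 2008.

```powershell
# Added example (not from the slides). Pulls NAP decisions from the NPS
# server's Security log and from a Vista/Server 2008 client's NAP
# operational log. Run elevated on the respective machine.

# --- NPS / NAP enforcement server ---
# NPS writes to the Security log only if its audit subcategory is on.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# 6273 denied, 6276 quarantined (non-compliant), 6277 probation, 6278 compliant
wevtutil qe Security /c:50 /rd:true /f:text `
    /q:"*[System[(EventID=6273 or EventID=6276 or EventID=6277 or EventID=6278)]]"

# --- Vista / Server 2008 NAP client ---
# Assumption: channel name corresponds to Applications and Services Logs >
# Microsoft > Windows > Network Access Protection > Operational.
wevtutil qe Microsoft-Windows-NetworkAccessProtection/Operational /c:20 /rd:true /f:text

# Current enforcement state without reading the log at all
netsh nap client show state
```

A client that shows as restricted in the 6276 events but reports compliant in its own operational log usually points at an SHV configured on the server for a check (antispyware, automatic updates) that the client's SHA is not reporting; compare the two logs for the same time window.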