Objectives

shaun
Presentation Transcript


  1. Objectives
     • Wireless Access
     • IPSec
     • Discuss Network Access Protection
     • Install Network Access Protection

  2. Wireless Access Configuration in Windows Server 2008
     • 802.1x standard
        • Network access control: provides an authentication mechanism to allow or deny network access based on the port connection
     • WPA2-EAP (Wi-Fi Protected Authentication 2 – EAP)
        • More secure than both PSK and WEP, which use a static key
        • EAP → uses certificates

  3. Wireless Access Configuration in Windows Server 2008 (continued)
     • Categories of EAP implementations
        • EAP over local area network (LAN): EAP-TLS
        • EAP over wireless: PEAP (Protected Extensible Authentication Protocol)
     • 802.1x uses a three-component model for authenticating access to networks
        • Supplicant: wireless client/device
        • Authenticator: wireless access point
        • Authentication server: NPS/RADIUS server

  4. (diagram slide, no text)

  5. Internet Protocol Security
     • An open-standards framework for securing network communications
     • IPSec meets three basic goals
        • Authentication
        • Integrity
        • Confidentiality

  6. IPSec Threats
     • Depending on the configuration of IPSec, it provides protection from the following threats
        • Data tampering
        • Denial of service
        • Identity spoofing
        • Man-in-the-middle attacks
        • Repudiation (rootkit)
        • Network traffic sniffing

  7. How IPSec Works
     • IPSec modes of operation
        • Transport mode
        • Tunnel mode
     • IPSec security methods
        • Authentication Header (AH)
        • Encapsulating Security Payload (ESP)
     • Scenarios available when deploying IPSec
        • Site to site
        • Client to client
        • Client to site

  8. Transport Mode
     • Used between two hosts (client-to-client or client-to-site)
     • Both communication ends must support IPSec

  9. Tunnel Mode
     • Used between two routers (site-to-site)
     • Two hosts communicating through the routers do not need to support IPSec
     • Computers taking part in the conversation are not authenticated

  10. AH Method
     • Provides authentication of the two endpoints and adds a checksum to the packet
     • Authentication guarantees that the two endpoints are known; the checksum guarantees that the packet is not modified in transit
     • Payload of the packet is unencrypted
     • Use whenever you are concerned about packets being captured with a packet sniffer and replayed later
     • Less processor intensive than ESP mode

  11. (diagram slide, no text)

  12. ESP Method
     • Provides authentication of the two endpoints, which guarantees that the two endpoints are known
     • Adds a checksum to each packet
     • Encrypts the data in the packet
     • Most implementations of IPSec use ESP mode because data encryption is desired

  13. IPSec Authentication
     • Authentication is for the devices at the two IPSec endpoints, NOT the users logged into the devices
     • Internet Key Exchange (IKE) is the process used by two IPSec hosts to negotiate their security parameters/protocols
     • IKE generates the encryption and authentication keys used by IPSec for the transaction
     • IPSec performs transactions in two phases
        • Main mode / Phase 1
        • Quick mode / Phase 2
     • Once the security parameters have been agreed upon, the result is referred to as a security association

  14. IPSec Connection Authentication Methods
     • Pre-shared key: simple, but the key has to be distributed in advance
     • Kerberos: integrated with Windows Active Directory; only usable within Active Directory
     • Certificates
        • Issued by trusted organizations on the Internet called certification authorities
        • A certificate must be validated using the digital signature of the certification authority

  15. Enabling IPSec
     • IPSec is enabled on Windows using IPSec policies
     • Unlike Windows Server 2003, Windows Server 2008 has no default policies
     • Policies can be configured manually on each server or distributed through Group Policy
        • Choose tunnel or transport mode and the network type
        • Specify IP filters and filter actions
     • Can be managed with the following tools
        • WFAS Connection Security Rules
        • IP Security Policy snap-in
        • Netsh
        • GPME

  16. Assigning IPSec Policies
     • Multiple IPSec policies may be configured
        • Only the assigned one is actually used
        • No policy is used until it is assigned
        • Only one policy can be assigned at a time per machine
     • Assignment does not take effect immediately
        • The IPSec Policy Agent must be restarted for the change to take effect
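The following is an added example, not part of the slide deck: it shows the two management paths from slides 15 and 16 from the command line, first WFAS connection security rules (a transport-mode host rule and a tunnel-mode site-to-site rule), then assignment of a legacy IP Security policy. Rule names, subnets, tunnel endpoint addresses, the CA name and the policy name are constructed placeholders.

```batch
:: Added example (not from the slides). Run from an elevated command prompt.

:: Transport mode (client-to-client / client-to-site): require authenticated
:: inbound traffic, request it outbound, using the computer's Kerberos (AD)
:: identity. Both ends must support IPSec (slide 8).
netsh advfirewall consec add rule name="Domain hosts - transport" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    mode=transport ^
    auth1=computerkerb ^
    profile=domain

:: Tunnel mode (site-to-site) between two gateways; hosts behind them need no
:: IPSec support (slide 9). Certificate authentication from a placeholder CA.
netsh advfirewall consec add rule name="Branch office - tunnel" ^
    endpoint1=10.1.0.0/16 endpoint2=10.2.0.0/16 ^
    localtunnelendpoint=203.0.113.10 remotetunnelendpoint=198.51.100.20 ^
    action=requireinrequireout ^
    mode=tunnel ^
    auth1=computercert ^
    auth1ca="CN=Example Corp Root CA"

:: Confirm the rules and their parameters were stored as intended.
netsh advfirewall consec show rule name=all

:: Legacy IP Security Policy path (slide 16): policies do nothing until one is
:: assigned, and only one can be assigned per machine.
netsh ipsec static show policy all
netsh ipsec static set policy name="Server (Request Security)" assign=y

:: The assignment only takes effect after the IPSec Policy Agent restarts.
net stop PolicyAgent
net start PolicyAgent
```

The transport rule is the common starting point; verify with a ping between two domain members and check that the Security log shows Main Mode success rather than negotiation failures before tightening to requireinrequireout.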

  17. Troubleshooting IPSec
     • The most common IPSec troubleshooting tools are:
        • Ping
        • IPSec Security Monitor (MMC snap-in)
        • Event Viewer (Security log)
        • Resultant Set of Policy (Group Policy resultant set)
        • Network Monitor

  18. Using IPSec

  19. Network Access Protection
     • NAP can be broken into three parts
        • Health policy validation
        • Health policy compliance
        • Access limitation

  20. NAP Terminology
     • Enforcement Client (Windows 7, 2008, Vista, XP SP3)
     • Enforcement Server (2008 NPS server)
     • Host Credential Authorization Protocol (for 802.1x clients)
     • Health Registration Authority
        • Distributes health certificates
        • Required for IPSec enforcement
        • A role service of the NPS server role
     • Network Policy Server
     • Remediation Server (updates clients)
     • System Health Agent (a service on the NAP client that monitors the status of the firewall and antivirus)
     • System Health Validator

  21. NAP Enforcement Methods
     • The five NAP enforcement methods
        • 802.1x-authenticated connections (EAP)
        • Dynamic Host Configuration Protocol (DHCP) address configurations
        • IPSec communications
           • Based on IP address or port numbers
           • Requires an HRA and Certificate Services
        • Terminal Services Gateway (TS Gateway) connections
        • Virtual Private Network (VPN) connections

  22. Implementing NAP

  23. Install, Configure and Enforce NAP
     • Add the NPS role; NAP is installed as part of the NPS role
        • Add Roles Wizard or the servermanagercmd.exe command
     • Configure the Windows Security Health Validator
        • NPS → NAP → System Health Validators
     • Create two new health policies
        • One compliant policy and one non-compliant policy
        • NPS → Policies → Health Policies
     • Enable the NAP enforcement method on client computers
        • napclcfg command
        • NAP Client Configuration snap-in
     • Set network policies or connection security rules

  24. NAP Client Configuration

  25. NAP Client Configuration (continued)
     • Turn on Security Center in Local Computer Policy
        • gpedit.msc or the Group Policy Object Editor snap-in
        • Computer Configuration → Administrative Templates → Windows Components → Security Center
        • Needed to work with the standard Windows SHV
     • Start the Network Access Protection Agent service

  26. NAP Monitoring
     • Log files
        • On the NAP enforcement server:
           • Windows Logs\Security log: non-compliant clients
        • On Vista or 2008 NAP enforcement clients:
           • Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational log
        • On XP SP3 NAP enforcement clients:
           • System log
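As an added example that is not part of the slides, this ties together the client steps from slides 23 and 25 (enable an enforcement client, start the NAP Agent service) and the log locations from slide 26, using the command-line equivalents of the snap-ins the deck names. The enforcement-client IDs are Microsoft's fixed values; the NPS event IDs named in the comments are the ones NPS writes for health-policy decisions.

```batch
:: Added example (not from the slides). Run from an elevated command prompt.

:: ---- On the NAP client (Vista / Windows Server 2008) ----
:: The NAP Agent service (slide 25) must run before any enforcement client works.
sc config napagent start= auto
net start napagent

:: Enable the IPSec enforcement client (ID 79619); this is the command-line
:: equivalent of the NAP Client Configuration snap-in on slide 23.
:: Other IDs: 79617 DHCP, 79618 VPN/RAS, 79621 TS Gateway, 79623 EAP (802.1x).
netsh nap client set enforcement id=79619 admin=enable

:: Confirm the enforcement client and the Windows System Health Agent are active.
netsh nap client show config
netsh nap client show state

:: Client-side operational log from slide 26: newest 20 records as text.
wevtutil qe Microsoft-Windows-NetworkAccessProtection/Operational /c:20 /rd:true /f:text

:: ---- On the NAP enforcement server (NPS) ----
:: Security log entries for non-compliant clients: 6276 = client quarantined,
:: 6277 = non-compliant but granted access on probation (deferred enforcement).
:: 6272 / 6273 are the plain granted / denied events for comparison.
wevtutil qe Security /q:"*[System[(EventID=6276 or EventID=6277)]]" /c:20 /rd:true /f:text
```

On an XP SP3 client the same information lands in the System log and wevtutil is not available, so use Event Viewer there.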
