Objectives
• Wireless Access
• IPSec
• Discuss Network Access Protection
• Install Network Access Protection
Wireless Access Configuration in Windows Server 2008
• 802.1x standard
  – Network access control provides an authentication mechanism to allow or deny network access based on port connection
  – WPA2-EAP (Wi-Fi Protected Authentication 2 – EAP)
    • More secure than both PSK and WEP, which use a static key
    • EAP uses a certificate
Wireless Access Configuration in Windows Server 2008 (continued)
• Categories of EAP implementations
  – EAP over local area network (LAN)
    • EAP-TLS
  – EAP over wireless
    • PEAP: Protected Extensible Authentication Protocol
• 802.1x uses a three-component model for authenticating access to networks
  – Supplicant: Wireless client/device
  – Authenticator: Wireless Access Point
  – Authentication server: NPS/RADIUS server
Internet Protocol Security
• An open-standards framework for securing network communications
• IPSec meets three basic goals
  – Authentication
  – Integrity
  – Confidentiality
IPSec Threats
• Depending on the configuration of IPSec, it provides protection from the following threats
  – Data tampering
  – Denial of service
  – Identity spoofing
  – Man-in-the-middle attacks
  – Repudiation (rootkit)
  – Network traffic sniffing
How IPSec Works
• IPSec modes of operation
  – Transport mode
  – Tunnel mode
• IPSec Security Methods
  – Authentication Header (AH)
  – Encapsulating Security Payload (ESP)
• Scenarios available when deploying IPSec
  – Site to site
  – Client to client
  – Client to site
Transport Mode
• Used between two hosts (Client-to-Client or Client-to-Site)
• Both communication ends must support IPSec
Tunnel Mode
• Used between two routers (Site-to-Site)
• Two hosts communicating through the routers do not need to support IPSec
• Computers taking part in the conversation are not authenticated
AH Method
• Provides authentication of the two endpoints and adds a checksum to the packet
• Authentication guarantees that the two endpoints are known and the checksum guarantees that the packet is not modified in transit
• Payload of the packet is unencrypted
• Use whenever you are concerned about packets being captured with a packet sniffer and replayed later
• Less processor intensive than ESP mode
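A simplified model of the AH behaviour listed above (keyed checksum, cleartext payload, replay rejection), added here as an example and not taken from the original slides. The packet layout (4-byte sequence number, 32-byte HMAC-SHA256 checksum, payload), the 64-packet window and the sample key are assumptions of this model; real AH also covers IP header fields.

```python
import hashlib
import hmac
import struct

WINDOW = 64   # anti-replay window size (assumed for this model)
ICV_LEN = 32  # HMAC-SHA256 output length

def ah_protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build seq || ICV || payload; the payload stays in cleartext, as with AH."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + icv + payload

class AhReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0  # highest sequence number accepted so far
        self.seen = 0     # bit i set => sequence (highest - i) was accepted

    def accept(self, packet: bytes) -> str:
        if len(packet) < 4 + ICV_LEN:
            return "malformed"
        header, icv = packet[:4], packet[4:4 + ICV_LEN]
        payload = packet[4 + ICV_LEN:]
        (seq,) = struct.unpack("!I", header)
        # Replay check: reject anything left of the window or already seen.
        if seq == 0 or seq + WINDOW <= self.highest:
            return "replay"
        offset = self.highest - seq
        if offset >= 0 and (self.seen >> offset) & 1:
            return "replay"
        # Integrity check: recompute the keyed checksum, compare in constant time.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            return "tampered"
        # Slide the window only after the packet has been authenticated.
        if offset < 0:
            self.seen = ((self.seen << -offset) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << offset
        return "accepted"

def demo() -> list:
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
    rx = AhReceiver(key)
    first = ah_protect(key, 1, b"transfer 100")
    later = ah_protect(key, 2, b"transfer 250")
    forged = later[:-3] + b"900"  # payload modified in transit
    return [rx.accept(first), rx.accept(first), rx.accept(forged),
            rx.accept(later)]
```

The window advances only after the checksum verifies, so a forged packet cannot be used to push legitimate sequence numbers out of the window.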
ESP Method
• Provides authentication of the two endpoints which guarantees that the two endpoints are known
• Adds a checksum to each packet
• Encrypts the data in the packet
• Most implementations of IPSec use ESP mode because data encryption is desired
IPSec Authentication
• Authentication is for the devices at two IPSec endpoints, NOT the users logged into the devices
• Internet Key Exchange (IKE) is the process used by two IPSec hosts to negotiate their security parameters/protocols
  – IKE generates the encryption and authentication keys used by IPSec for the transaction
  – IPSec performs transactions in two phases
    • Main mode/Phase 1
    • Quick mode/Phase 2
• When security parameters have been agreed upon, this is referred to as a security association
IPSec Connections Authentication Methods
• Pre-shared key – Simple, but the key has to be moved in advance
• Kerberos – Integrated with Windows Active Directory. Only for Active Directory
• Certificates
  – Issued by trusted organizations on the Internet called certification authorities
  – Certificate must be validated using the digital signature of the certification authority
Enabling IPSec
• IPSec is enabled on Windows using IPSec policies
• Unlike 2003, Windows 2008 does not have a default policy
• Policies can be configured manually on each server or distributed through Group Policy
  – Choose tunnel or transport mode, network type
  – Specify IP filter and filter actions
• Can be managed with the following tools
  – WFAS Connection Security Rules
  – IP Security Policy snap-in
  – Netsh
  – GPME
Assigning IPSec Policies
• Multiple IPSec policies may be configured
• Only the assigned one is actually used
• No policy is used until it is assigned
• Only one policy can be assigned at a time per machine
• Assignment does not take effect immediately
• IPSec Policy Agent must be restarted for the change to take effect
Troubleshooting IPSec
• Most common IPSec troubleshooting tools are:
  – Ping
  – IPSec Security Monitor (MMC snap-in)
  – Event Viewer (Security log)
  – Resultant Set of Policy (Group Policy resultant set)
  – Network Monitor
Using IPSec
Network Access Protection
• NAP can be broken into three parts
  – Health policy validation
  – Health policy compliance
  – Access limitation
NAP Terminology
• Enforcement Client (Windows 7, 2008, Vista, XP SP3)
• Enforcement Server (2008 NPS Server)
• Host Credential Authorization Protocol (for 802.1x client)
• Health Registration Authority
  – Distributes health certificates
  – Required for IPSec enforcement
  – A role service of the NPS server role
• Network Policy Server
• Remediation Server (updates clients)
• System Health Agent (a service on the NAP client that monitors the status of Firewall and Antivirus)
• System Health Validator
NAP Enforcement Methods
• The five types of NAP enforcement methods used by NAP
  – 802.1x-authenticated connections (EAP)
  – Dynamic Host Configuration Protocol (DHCP) address configurations
  – IPSec communications
    • Based on IP address or port numbers
    • Require HRA and Certificates Service
  – Terminal Services Gateway (TS Gateway) connections
  – Virtual Private Network (VPN) connections
Implementing NAP
Install, Configure and Enforce NAP
• Add the NPS role; NAP is installed as part of the NPS role
  – Add Roles Wizard or servermanagercmd.exe command
• Configure Windows Security Health Validator
  – NPS > NAP > System Health Validators
• Create two new Health Policies
  – One Compliant policy and one Non-compliant policy
  – NPS > Policies > Health Policies
• Enable NAP Enforcement Method on client computers
  – napclcfg command
  – NAP Client Configuration snap-in
• Set Network Policies or Connection Security Rules
NAP Client Configuration
NAP Client Configuration (continued)
• Turn on Security Center in Local Computer Policy
  – gpedit.msc or Group Policy Object Editor snap-in
  – Computer Configuration > Administrative Templates > Windows Components > Security Center
  – Needed to work with standard Windows SHV
• Start Network Access Protection Agent service
NAP Monitoring
• Log Files
  – On NAP Enforcement Server:
    • Windows Logs\Security log: non-compliant clients
  – On Vista or 2008 NAP Enforcement Clients:
    • Applications and Services log\Microsoft\Windows\Network Access Protection\Operational log
  – On XP SP3 NAP Enforcement Client:
    • System log