Deploying a Secure Network Access Infrastructure, Part 2
Romano Jerez, Support Professional, Directory Services, Microsoft Corporation
Transcript
Objectives
• Provide information about Microsoft® Windows® .NET networking components that you must consider when deploying a secure network access infrastructure
Agenda
• Technologies and key concepts
• Before you start
• Directory and authentication models
• Securing wireless and wired links
• Securing against rogue systems
• VPN deployment
• Updating proprietary VPN deployments
Technologies and Concepts: The Parts
• Making correct choices
• Interactions
• Dependencies
• Architecture
• Security
Technologies and Concepts: Trust and Authorization
• Authentication types and methods
• Single versus multifactor
• Passwords (shared secrets) versus tokens versus certificates versus biometrics (users)
Technologies and Concepts (2): Trust and Authorization
• Examples of supported trusts:
  • RADIUS – computer trust with shared secrets only
  • IPSec – computer trust with single certificate, Kerberos ticket, and shared secret
  • PPTP, Dial – single method user trust
  • L2TP – single method user trust and IPSec trust
  • 802.1x – user trust or computer trust
Technologies and Concepts: Using and Protecting Shared Secrets
• Strong channels versus offline attacks
  • CHAP models alone are not encrypted
  • Need mutual authentication to be part of model
  • MS-CHAP inside PEAP or L2TP/IPSec is protected and includes mutual authentication
• Distribution
  • Users – think of their own secrets
    • UserID provides clue to secret
  • Computers – require transfer and protection
    • WEP, IPSec – no user hints for multiple secrets without compromising security
    • Refreshing is difficult to manage
Technologies and Concepts: Using Certificates for Secure Network Infrastructure
• Secure deployment models defined
  • Auto-enrollment
  • PKCS
  • Users versus computers
• Use if possible: stronger storage models
  • Smart cards versus user store on computer
• Conceptual contents
  • Identity – who the user/computer is
  • Purpose – what this certificate is good for
    • Not all systems treat purpose the same
    • Interoperability issues
• Extensible Authentication Protocol (EAP)
  • Generalized authentication “framework” protocol
  • Carrier for one or more authentication methods
  • Can establish session keys
    • Driven by authentication method
  • Transport Layer Security (TLS) services can encrypt channel
    • Driven by authentication method
  • Standard bindings for PPP and 802 (802.1x)
• Protected EAP (PEAP)
  • EAP authentication method
  • Tunnel for EAP method(s) after that
  • Establishes protected channel and keying
Infrastructure Technologies: Link and Network Layer Security
• Weak preshared key authentication
• Weak encryption model because of keying and model
• 802.1x: EAP authentication to solve weaknesses
• Link layer (PPP+GRE) tunneled connection with authentication and encryption
  • User trust (passwords, smart cards, and so on)
  • Encryption keys partially from authentication credential
  • Client-to-gateway and gateway-to-gateway
• Layer 2 Tunneling Protocol
  • Link layer (PPP) tunneled connection with authentication
  • User trust (passwords, smart cards, and so on)
  • Relies on network layer wrapper (IPSec) for integrity and encryption
  • IPSec delivers computer trust
  • Client-to-gateway and gateway-to-gateway
Before You Start
• Must start with clean infrastructure in corporate network
  • Well-managed DHCP scopes
  • Functional DNS
  • Clean routing infrastructure
  • No address conflicts between connected networks
Directory and Authentication Model: Single Forest Domain
[Diagram: access point to directory (ADSI with LSA log on) versus access point to RADIUS]
Access Point to Directory – use when:
• Gateways are Windows-based
• There are few gateways
• Gateway has integrated access policies (example: RRAS with IAS engine)
Access Point to RADIUS – use when:
• Gateways are not Windows-based
• There are many gateways
• Gateway has no integrated access policies
Directory and Authentication Model: Securing RADIUS Authentication
• RADIUS is an encrypted channel
  • Requires shared secret to access points
    • Trust
    • Keying
  • Establish management model for updates
• RADIUS can be protected by IPSec
  • Do this where possible
• Proxies
  • RADIUS server to Active Directory®
  • RADIUS server to RRAS
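The Python below is an added example, not part of the deck, showing what the per-access-point shared secret actually does in RFC 2865: it hides only the User-Password attribute (an MD5 keystream seeded by the Request Authenticator) and keys the Response Authenticator that the access point must check on every reply, while User-Name and every other attribute travel in the clear. The secret, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def _md5_xor(data, secret, request_auth, chain_on_input):
    # RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block is keyed from the Request Authenticator.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(block, key))
        out += xored
        prev = block if chain_on_input else xored
    return out

def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_xor(padded, secret, request_auth, chain_on_input=False)

def reveal_password(hidden, secret, request_auth):
    return _md5_xor(hidden, secret, request_auth, chain_on_input=True).rstrip(b"\x00")

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(attrs):
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        out[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return out

def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    # What the access point (RADIUS client) must check on every reply it receives.
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

def demo():
    secret = b"constructed-shared-secret"    # constructed per-access-point secret
    password = b"correct horse battery"      # constructed; 21 bytes, so two hidden blocks
    req_auth = os.urandom(16)                # must be fresh and unpredictable per request
    hidden = hide_password(password, secret, req_auth)
    request = build_packet(ACCESS_REQUEST, 7, req_auth,
                           attr(ATTR_USER_NAME, b"alice") + attr(ATTR_USER_PASSWORD, hidden))
    # Server side: secret + Request Authenticator recover the password. Note that
    # User-Name and every other attribute were never hidden at all.
    fields = parse_attrs(request[20:])
    recovered = reveal_password(fields[ATTR_USER_PASSWORD], secret, request[4:20])
    reply_attrs = attr(ATTR_REPLY_MESSAGE, b"welcome")
    resp_auth = response_authenticator(ACCESS_ACCEPT, 7, reply_attrs, req_auth, secret)
    accept = build_packet(ACCESS_ACCEPT, 7, resp_auth, reply_attrs)
    tampered = accept[:20] + attr(ATTR_REPLY_MESSAGE, b"go away")   # same-length edit
    return (recovered == password,
            verify_response(accept, req_auth, secret),
            verify_response(tampered, req_auth, secret),
            verify_response(accept, req_auth, b"other-secret"))
```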
Directory and Authentication Model: Multidomain Single Forest
[Diagram: two AD domains joined by a cross domain trust, with IAS in one of them; IAS can run on DC]
• Conditions:
  • Two-way cross domain trust within single forest
• What to do:
  • IAS member of one of the domains
  • Enable IAS: member of IAS servers group
  • Scale out as required by access points
Directory and Authentication Model: Multiforest Domain
[Diagram: two AD forests, each with IAS, fronted by an IAS proxy; IAS can run on DC]
• Conditions:
  • Multiple forests
  • Want geographic failover
  • Outsourced network access
  • Very high scale—distributed RADIUS trust management
• What to do:
  • IAS member in each forest
  • Enable IAS: member of IAS servers group
  • IAS proxy need not be domain member
  • Scale out as required by access points
Directory and Authentication Model: Selecting Authentication Methods
• VPN and dial
  • EAP if possible
    • Smart cards, user certificates, third-party plug-in
  • MS-CHAP if passwords are required
• Wireless
  • PEAP if possible (supports all methods)
  • EAP if PEAP is not possible
  • Computer versus user trust
    • User if no computer trust or user policy is required
    • Use same credential as VPN and dial
• Never use 802.11 without 802.1x and WEP
• Try to use 802.1x in new wired deployments
  • No WEP here
• Use PEAP if passwords are required
[Diagram: Corpnet with an 802.11 AP (802.1x, WEP) and an 802.1x switch, both authenticating through IAS against AD; user versus computer authentication, certificate versus password credential]
• AP vendors: support RADIUS/IPSec and help improve authentication channel security
• Switch vendors: move to 802.1x
Securing Against Rogue Systems: Eavesdropping / Unauthorized Access
• Rogue issues – not everything is 802.1x today
  • Undetected clear wireless AP
  • Rogue computer on non-802.1x port
• Solution 1: IPSec transport mode
  • Pros:
    • Can block all nonsecured communication
    • Strong integrity and encryption
    • Simple credential model (Kerberos or auto-enroll)
    • User transparency
  • Cons:
    • Limited to IPSec-capable systems
    • Domain trust work in multiforest deployments
    • Policy requires careful thought
    • No firewall inspection with ESP unless on end system
• AP vendors: deprecate non-802.1x APs and help end rogues
• Solution 2: Secure critical systems with VPN
  • Put critical systems in network secured by RAS-VPN
  • Pros:
    • Broader end-system support
    • Firewall inspection possible in secure server zone
    • Strong integrity and encryption
    • Simple credential model (Kerberos or auto-enroll)
  • Cons:
    • Significant network re-architecture
    • Scalability consideration for very large deployments
    • Concurrent peer-to-peer and secure server access
    • Less transparent to user
      • Can integrate using WinLogin
Securing Against Rogue Systems (2)
• Site-to-site
  • Recommend L2TP/IPSec if using RRAS
  • IPSec tunnel mode for IP-unicast only traffic
  • Computer trust is enough
• RAS VPN (client to gateway)
  • Internet connectivity architectures
  • Authentication architectures
  • Multihoming and scaling models
  • Address management
  • VPN protocol selection
  • Certificate deployment
  • Client deployment model
  • Split tunnels or not
  • Updating earlier VPN deployments
• Internet firewall before VPN is unnecessary
  • Requires firewall port opening plan
• Options: RADIUS or Active Directory (if no central policy is required)
• Options: Active Directory? (exposes domain in DMZ), RADIUS, RADIUS with IPSec protection (if gateway can do this)
RAS VPN Deployment: Multihoming and Scaling Models
[Diagram: single home gateway and dual home gateway between the Internet and the private network]
• Offload NICs – watch limits on concurrent SAs
• Connections and throughput function of egress performance
• Sessions for 10 percent of authorized RAS users
[Diagram: single home, dual home, multihome (throughput) and multihome (availability, with NLB) gateways in front of the private network]
• Consolidate “back-side” NICs (routing considerations)
• Scale up and out for “server area/client area” network partitioning
• RRAS snap-in considerations for scale up
RAS VPN Deployment: Multihoming and Scaling Models
• Private network DHCP assigned – Best
  • Offers more than IP addresses
• Pooled addresses from gateway – Okay
• Static using Active Directory user properties – Avoid
• Static configured on client – Never
  • Make sure it is routable/consistent
• Look out for default private addresses at corporate and remote networks
• L2TP/IPSec
  • First recommendation for best security
  • Requires computer trust infrastructure (PKI or shared secrets)
    • Use PKI instead of shared secrets
• PPTP
  • Second recommendation, understanding:
  • Use with strong user authentication
    • Passwords may be workable if PEAP can be completed for VPN scenarios
  • Least cost because trust model is based on user identity
    • No computer trust infrastructure to deploy (PKI or shared secrets)
RAS VPN Deployment: Certificate Deployment
• For computer authentication when L2TP/IPSec is used
  • Gateway and client have common trusted root CA
• Gateway
  • Auto-enroll if possible
    • Domain accessible to perimeter network (also known as DMZ, demilitarized zone, and screened subnet) servers
    • Gateway is RRAS instead of third party
  • PKCS if gateway supports it
  • SCEP if PKCS is not supported
• Client
  • Auto-enroll if possible
  • PKCS if client never connects to domain before requiring a VPN
  • Certificate must be in local computer certificate store
    • Must have administrative privileges to install
• For user authentication
  • Certificate is recognized in Active Directory
  • Use smart cards if possible
  • Use local user certificates if not using smart cards
    • Certificate must be in local USER certificate store
    • Install using log on script bootstrap if possible
    • Install using Web or PKCS if log on scripts are not
• Connection Manager Administration Kit
  • Use where possible
    • Sequenced connections
    • Managed phonebooks
    • Bootstrap certificates and tools
    • Support for earlier platforms
    • Client configuration setup
• New Connection Wizard
  • Automatic protocol setup
RAS VPN Deployment: Split Tunnels or Not
• Only deploy with ICF on client public interface
• Managing client routes
  • Administrators should control them
  • Use DHCP classless static routes
    • Permits update at connection time
    • Support in Windows XP
  • Use Connection Manager for down-level only
    • Updates only at client reprovisioning
• Consider Internet and private addresses
  • Printing to home printer and Internet while connected
RAS VPN Deployment RAS VPN Deployment (2)(2)
Split Tunnels or NotSplit Tunnels or Not
Cannot split to home if corporate addresses Cannot split to home if corporate addresses conflictconflict Resource address conflicts between home and Resource address conflicts between home and
corporatecorporate Default gateway conflicts between home NAT and Default gateway conflicts between home NAT and
corporatecorporate Non-split connections will still workNon-split connections will still work
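An added example (Python, not part of the deck) tying together the address-management and split-tunnel points above: it encodes the corporate prefixes as the DHCP classless static route option the deck recommends (RFC 3442, option 121), decodes them as the client would at connection time, and reports the two conflict cases that rule out a split tunnel from a given home LAN. The prefixes, tunnel router and home LAN values are constructed.

```python
import ipaddress

# Constructed sample: corporate prefixes a VPN client should route into the tunnel,
# each with the tunnel-side router that DHCP option 121 would hand out.
SAMPLE_ROUTES = [
    ("10.0.0.0/8", "10.255.0.1"),
    ("192.168.1.0/24", "10.255.0.1"),
    ("172.16.0.0/12", "10.255.0.1"),
]


def encode_classless_routes(routes):
    # RFC 3442 (DHCP option 121) payload: per route, the prefix width, only the
    # significant octets of the destination, then the 4-byte router address.
    payload = b""
    for prefix, router in routes:
        net = ipaddress.IPv4Network(prefix)
        significant = (net.prefixlen + 7) // 8
        payload += (bytes([net.prefixlen]) + net.network_address.packed[:significant]
                    + ipaddress.IPv4Address(router).packed)
    return payload


def decode_classless_routes(payload):
    # Reverse of the above, as the client does when it installs routes at connect time.
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        significant = (width + 7) // 8
        if width > 32 or i + 1 + significant + 4 > len(payload):
            raise ValueError("malformed classless static route option")
        dest = int.from_bytes(payload[i + 1:i + 1 + significant].ljust(4, b"\x00"), "big")
        router = ipaddress.IPv4Address(payload[i + 1 + significant:i + 5 + significant])
        routes.append((str(ipaddress.IPv4Network((dest, width))), str(router)))
        i += 1 + significant + 4
    return routes


def split_tunnel_conflicts(routes, home_network, home_gateway):
    # The deck's two conflict cases for a split tunnel from a home LAN: a corporate
    # prefix overlapping the home LAN, or the home default gateway falling inside one.
    home = ipaddress.IPv4Network(home_network)
    gateway = ipaddress.IPv4Address(home_gateway)
    problems = []
    for prefix, _router in routes:
        corp = ipaddress.IPv4Network(prefix)
        if corp.overlaps(home):
            problems.append((prefix, "resource address conflict with home LAN"))
        elif gateway in corp:
            problems.append((prefix, "home default gateway would be routed into the tunnel"))
    return problems
```

An empty result means the split tunnel can be allowed; anything else is a case where the deck's advice is to fall back to a non-split connection, which still works.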
• IPSec authenticates with userID
  • Trust user so trust computer
  • If preshared key
    • Separate distribution model
  • If certificate-based authentication
    • Certificate enrolled using Web
    • Certificate contains LDAP userID
    • Gateway verifies certificate revocation and presence of userID in LDAP
• Gateway local authorization
• Use Windows XP built-in L2TP/IPSec VPN client
• Move to AD for certificate deployment
  • Integrate CA with AD for auto-enroll
  • Issue computer certificates
  • Microsoft CA can reduce certificate license cost
  • Alternate: out of computer certificate
• Ideally, use smart cards
  • Alternate 1: user store certificates
  • Alternate 2: user passwords
• Add IAS to Windows infrastructure
  • Point gateway to IAS
  • Requires EAP if certificates for user