Module 8: Designing Network Access Solutions

Module 8: Designing Network Access Solutions. Module Overview Securing and Controlling Network Access Designing Remote Access Services Designing RADIUS.

Jan 12, 2016

Wesley Lawrence

Module 8: Designing Network Access Solutions


Module Overview

• Securing and Controlling Network Access

• Designing Remote Access Services

• Designing RADIUS Authentication with Network Policy Services

• Designing Wireless Access


Lesson: Securing and Controlling Network Access

• Authentication Methods

• Encryption Methods

• Network Policies

• Network Policy Processing


Authentication Methods

Authentication method and description:

Unauthenticated access
  • Does not provide security

Password Authentication Protocol (PAP)
  • Uses cleartext passwords

Shiva Password Authentication Protocol (SPAP)
  • Use for a Shiva LAN Rover remote access device

Challenge Handshake Authentication Protocol (CHAP)
  • Secures passwords, but MS-CHAPv2 is preferred

Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
  • Stronger security than CHAP

Extensible Authentication Protocol (EAP)
  • Allows the use of plug-in modules for authentication
  • EAP-TLS requires certificates and is used for smart cards

Protected Extensible Authentication Protocol (PEAP)
  • Supports wireless authentication through RADIUS


Encryption Methods

IPSec (L2TP over IPSec):
  • Is used by L2TP connections
  • Requires additional authentication configuration

MPPE:
  • Is used by PPTP connections

SSL:
  • Is used by SSTP connections
  • Is firewall friendly


Network Policies

Network policies:
  • Control remote access requests
  • Replace remote access policies in previous versions of Windows

Network policy component and description:

Conditions
  • Determine whether this policy is used to evaluate a connection request

Access permission
  • Determines whether access is allowed, denied, or determined by user dial-in properties

Authentication methods
  • Determine the authentication methods that can be negotiated

Constraints
  • Limits on the connection, such as idle time or maximum connection time

Settings
  • Set characteristics of the connection, such as encryption or IP filters


Network Policy Processing

• The default network policies deny access

• Policies are ordered for evaluation

• If a policy with matching conditions is found, no additional policies are processed

The following process is used:

1. Locate the first policy with matching conditions

2. Allow or deny permission in the policy

3. If allowed, attempt to authenticate

4. Apply constraints to the connection; if a constraint cannot be met, reject the connection

5. Apply settings to the connection
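The five steps above, carried through as an added Python simulation. This is not code from the course module or from NPS itself; the policy names, request attribute names (group, nas_port_type, hour, weekend, auth_methods) and the sample requests are all constructed for illustration. It shows the two behaviours worth remembering from the slide: only the first policy whose conditions match is ever consulted, and a request that matches nothing falls through to the default deny.

```python
"""NPS-style network policy processing (added example, not the module's or NPS's code).

Models the slide's order: the first policy whose conditions match decides,
then access permission, authentication, constraints and settings are applied.
Policy names, attribute names and sample requests are constructed.
"""
from dataclasses import dataclass, field

ALLOW, DENY, USER_DIALIN = "allow", "deny", "user-dialin"

# Constructed strength ranking (lower is stronger) used to pick a method.
STRENGTH = {"EAP-TLS": 0, "PEAP": 1, "MS-CHAPv2": 2, "CHAP": 3, "PAP": 4}


@dataclass
class Policy:
    name: str
    conditions: dict                                  # attr -> value or set of values
    access: str = DENY                                # ALLOW, DENY or USER_DIALIN
    auth_methods: frozenset = frozenset()             # methods this policy negotiates
    constraints: dict = field(default_factory=dict)   # like conditions, plus "hour_range"
    settings: dict = field(default_factory=dict)      # e.g. encryption level, IP filters


def matches(rules, request):
    """True when every rule is satisfied by the request's attributes."""
    for attr, wanted in rules.items():
        if attr == "hour_range":                      # day/time style restriction
            low, high = wanted
            if not low <= request.get("hour", -1) < high:
                return False
        elif isinstance(wanted, (set, frozenset)):
            if request.get(attr) not in wanted:
                return False
        elif request.get(attr) != wanted:
            return False
    return True


def evaluate(policies, request, dialin_allowed=frozenset()):
    """Return (verdict, reason, settings) for one connection request.

    dialin_allowed stands in for the per-user dial-in property in the
    directory; it is consulted only when the policy says USER_DIALIN.
    """
    # Step 1: first policy in order with matching conditions; later ones are
    # never looked at. No match at all is the default deny.
    policy = next((p for p in policies if matches(p.conditions, request)), None)
    if policy is None:
        return "reject", "no matching policy (default deny)", {}

    # Step 2: the policy's access permission, or the user's dial-in property.
    access = policy.access
    if access == USER_DIALIN:
        access = ALLOW if request.get("user") in dialin_allowed else DENY
    if access != ALLOW:
        return "reject", f"{policy.name}: access denied", {}

    # Step 3: authenticate with a method both client and policy accept.
    usable = set(request.get("auth_methods", ())) & policy.auth_methods
    if not usable:
        return "reject", f"{policy.name}: no acceptable authentication method", {}
    method = min(usable, key=lambda m: STRENGTH.get(m, 99))

    # Step 4: constraints; one that cannot be met rejects the connection.
    if not matches(policy.constraints, request):
        return "reject", f"{policy.name}: constraint not met", {}

    # Step 5: settings are applied to the accepted connection.
    return "accept", f"{policy.name}: authenticated with {method}", dict(policy.settings)


# Constructed policy set, listed in evaluation order.
POLICIES = [
    Policy("Deny contractors on weekends",
           conditions={"group": "Contractors", "weekend": True}),
    Policy("Employee VPN",
           conditions={"group": "Employees", "nas_port_type": "Virtual"},
           access=ALLOW, auth_methods=frozenset({"EAP-TLS", "MS-CHAPv2"}),
           constraints={"hour_range": (6, 22)},
           settings={"encryption": "strongest", "idle_timeout_min": 30}),
    Policy("Dial-in by user property",
           conditions={"nas_port_type": "Async"},
           access=USER_DIALIN, auth_methods=frozenset({"MS-CHAPv2"}),
           settings={"encryption": "basic"}),
]


def demo():
    """Run constructed requests through POLICIES; dave alone has dial-in allowed."""
    base = {"group": "Employees", "nas_port_type": "Virtual", "hour": 10}
    requests = [
        {**base, "user": "alice", "auth_methods": ["PAP", "EAP-TLS"]},          # accept
        {**base, "user": "alice", "hour": 23, "auth_methods": ["EAP-TLS"]},     # outside hours
        {**base, "user": "bob", "auth_methods": ["PAP"]},                       # PAP not negotiable
        {"user": "carol", "group": "Contractors", "weekend": True,
         "nas_port_type": "Virtual", "hour": 12, "auth_methods": ["EAP-TLS"]},  # denied by policy
        {"user": "dave", "nas_port_type": "Async", "auth_methods": ["MS-CHAPv2"]},  # dial-in property
        {"user": "guest", "group": "Guests", "nas_port_type": "Wireless"},     # default deny
    ]
    return [evaluate(POLICIES, r, dialin_allowed={"dave"}) for r in requests]


if __name__ == "__main__":
    for verdict, reason, settings in demo():
        print(f"{verdict:6} {reason} {settings}")
```

Policy order is the part a designer controls: because evaluation stops at the first match, a broad allow policy placed above a narrower deny policy makes the deny unreachable, so specific deny policies belong at the top of the list.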


Lesson 3: Designing Remote Access Services

• Remote Access Methods

• VPN Tunnelling Protocols


Remote Access Methods

Method, advantages and limitations:

Dial-up Networking
  Advantages:
  • Convenient direct dial-up connectivity
  • A potential secure data path
  Limitations:
  • Expensive
  • Subject to the maximum speed limit that is supported by the connection medium (typically 56 Kbps)

VPN
  Advantages:
  • Reduced costs
  • Sufficient security
  • Flexibility
  Limitations:
  • Less private

RPC over HTTP
  Advantages:
  • Allows RPC-based applications to traverse firewalls
  Limitations:
  • Applications must be specifically designed to use RPC over HTTP


VPN Tunnelling Protocols

Protocol and description:

PPTP
  • Allowed by most firewalls
  • Supported by all Windows clients
  • No data integrity

L2TP
  • Blocked by NAT in some cases
  • Supported by Windows 2000/XP/Vista clients
  • Provides data integrity and machine authentication

SSTP
  • Firewall friendly
  • Supported by Windows Vista SP1 and Windows Server 2008
  • Provides data integrity


Lesson 4: Designing RADIUS Authentication with Network Policy Services

• What Is RADIUS?

• RADIUS Roles

• How RADIUS Works for Remote Access

• What Is a RADIUS Proxy?


What Is RADIUS?

Diagram: Remote Access Client, Remote Access Server, RADIUS Client, RADIUS Server, Directory Server

• Remote Authentication Dial In User Service (RADIUS) is a protocol for controlling authentication, authorization, and accounting


RADIUS Roles

Routing and Remote Access Server can be configured as a:
  • RADIUS Client

NPS can be configured as a:
  • RADIUS Server
  • RADIUS Proxy


What Is a RADIUS Proxy?

Diagram: Remote Access Client, RADIUS Client, RADIUS Proxy, ISP, RADIUS Server (Company A), RADIUS Server (Company B)

• A RADIUS proxy distributes RADIUS requests to the appropriate RADIUS server
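How a proxy decides where a request goes, as an added Python example that is not code from the module or from NPS. It assumes the arrangement the slide's diagram suggests: a proxy at an ISP forwarding to RADIUS servers at Company A and Company B, with the ISP's own users authenticated locally. The realm names, server names, alias table and sample User-Name values are constructed; the realm is taken from the User-Name attribute in either user@realm or REALM\user form, which is also what NPS connection request policies match on.

```python
"""RADIUS proxy routing by realm (added example, not the module's or NPS's code).

A proxy picks the remote RADIUS server group from the realm in the User-Name
attribute, serves its own realm locally and drops requests for realms it
does not know. The arrangement assumed here follows the slide's diagram: an
ISP proxy in front of Company A and Company B servers. Realm names, server
names and sample requests are constructed.
"""
import re

# Constructed remote RADIUS server groups keyed by canonical realm, primary first.
SERVER_GROUPS = {
    "companya.example": ["radius1.companya.example", "radius2.companya.example"],
    "companyb.example": ["radius.companyb.example"],
}

# Constructed aliases so a NetBIOS-style REALM\user name maps to a group as well.
REALM_ALIASES = {"companya": "companya.example", "companyb": "companyb.example"}

# Realms the proxy's own RADIUS server authenticates without forwarding.
LOCAL_REALMS = {"isp.example"}

USER_AT_REALM = re.compile(r"^(?P<user>[^@\\]+)@(?P<realm>[^@\\]+)$")
REALM_BACKSLASH_USER = re.compile(r"^(?P<realm>[^@\\]+)\\(?P<user>[^@\\]+)$")


def split_realm(user_name):
    """Return (user, canonical realm); realm is None when the name carries none."""
    for pattern in (USER_AT_REALM, REALM_BACKSLASH_USER):
        m = pattern.match(user_name)
        if m:
            realm = m.group("realm").lower()
            return m.group("user"), REALM_ALIASES.get(realm, realm)
    return user_name, None


def route(access_request):
    """Decide what the proxy does with one Access-Request (a dict of attributes).

    Returns ("local", None, None), ("forward", realm, servers) or
    ("reject", reason, None).
    """
    user, realm = split_realm(access_request.get("User-Name", ""))
    if realm is None:
        return "reject", f"User-Name {user!r} carries no realm", None
    if realm in LOCAL_REALMS:
        return "local", None, None
    servers = SERVER_GROUPS.get(realm)
    if not servers:
        # Unknown realms are rejected here rather than forwarded anywhere.
        return "reject", f"no server group for realm {realm}", None
    return "forward", realm, list(servers)


def demo():
    """Route a few constructed Access-Requests."""
    names = ["alice@companya.example", "COMPANYB\\bob", "carol@isp.example",
             "dave@unknown.example", "eve"]
    return {n: route({"User-Name": n}) for n in names}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} -> {decision}")
```

Two things the routing table alone does not show: each proxy-to-server pair needs its own shared secret, so the forwarded packet is re-authenticated with the secret configured for the chosen remote server, and that server must list the proxy (not the original access server) as its RADIUS client. Rejecting unknown realms rather than defaulting them to a server keeps the proxy from becoming an open relay between the organizations it fronts.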


Lesson 5: Designing Wireless Access

• Wireless Networking Standards

• Wireless Security Threats

• Strategies for Wireless Security


Wireless Networking Standards

Standard and description:

802.11
  • Original specification for wireless LANs
  • Speed of either 1 or 2 megabits per second

802.11b
  • 11 megabits per second
  • Good range, but susceptible to radio signal interference

802.11a
  • Transmission speeds as high as 54 Mbps
  • Works well in densely populated areas
  • Is not interoperable with 802.11, 802.11b, 802.11g

802.11g
  • Enhancement to and compatible with 802.11b
  • 54 Mbps but at shorter ranges than 802.11b

802.11n
  • Greater range and reduced interference
  • Speed up to 248 Mbps


Wireless Security Threats

Common wireless security threats are:
  • Eavesdropping
  • Interception and modification of data
  • Spoofing
  • Freeloading
  • Denial of service
  • Rogue WAPs


Strategies for Wireless Security

Technology and description:

Wired Equivalent Privacy (WEP)
  • Original encryption method for wireless networks
  • Considered insecure due to small key size and lack of key changes

Wi-Fi Protected Access (WPA)
  • Stronger encryption than WEP and includes key changes
  • Can use certificates
  • Partial implementation of the 802.11i specification

WPA2
  • Full implementation of the 802.11i specification

802.1X
  • Uses RADIUS to authenticate
  • Can be used with WEP and WPA

Restrict by MAC
  • Limit connections by MAC address
  • MAC addresses can be spoofed

Monitoring
  • Find rogue access points

VPN
  • Secure and authenticate communication on a wireless network