Deploying a Secure Network Access Infrastructure


  1. Deploying a Secure Network Access Infrastructure, Part 2
     Romano Jerez, Support Professional, Directory Services, Microsoft Corporation

  2. Objectives
     - Provide information about the Microsoft Windows .NET networking components that you must consider when deploying a secure network access infrastructure

  3. Agenda
     - Technologies and key concepts
     - Before you start
     - Directory and authentication models
     - Securing wireless and wired links
     - Securing against rogue systems
     - VPN deployment
     - Updating proprietary VPN deployments

  4. Technologies and Concepts: The Parts
     - Making correct choices
       - Interactions
       - Dependencies
       - Architecture
       - Security
     - Goals: transparency; minimize complexity
     (Diagram: Client, 802.11 AP, RRAS, IAS, Active Directory, MS CA)

  5. Technologies and Concepts: Trust and Authorization
     - Authentication types and methods
       - Single versus multifactor
       - Passwords (shared secrets) versus tokens versus certificates versus biometrics (users)
     - Secure deployment models required
     - Minimize trust models (simplicity)

  6. Technologies and Concepts (2): Trust and Authorization
     - Examples of supported trusts:
       - RADIUS: computer trust with shared secrets only
       - IPSec: computer trust with single certificate, Kerberos ticket, and shared secret
       - PPTP, dial: single-method user trust
       - L2TP: single-method user trust and IPSec trust
       - 802.1x: user trust or computer trust

  7. Technologies and Concepts: Using and Protecting Shared Secrets
     - Strong channels versus offline attacks
       - CHAP models alone are not encrypted
       - Mutual authentication needs to be part of the model
       - MS-CHAP inside PEAP or L2TP/IPSec is protected and includes mutual authentication
     - Distribution
       - Users: think of their own secrets
         - UserID provides a clue to the secret
       - Computers: require transfer and protection
         - WEP, IPSec: no user hints for multiple secrets without compromising security
         - Refreshing is difficult to manage

  8. Technologies and Concepts: Using Certificates for Secure Network Infrastructure
     - Secure deployment models defined
       - Auto-enrollment
       - PKCS
       - Users versus computers
     - Use stronger storage models if possible
       - Smart cards versus user store on the computer
     - Conceptual contents
       - Identity: who the user or computer is
       - Purpose: what this certificate is good for
     - Not all systems treat purpose the same
       - Interoperability issues

  9. Infrastructure Technologies: Strong Authentication Protocols
     - Extensible Authentication Protocol (EAP)
       - Generalized authentication "framework" protocol
       - Carrier for one or more authentication methods
       - Can establish session keys
         - Driven by authentication method
       - Transport Layer Security (TLS) services can encrypt the channel
         - Driven by authentication method
       - Standard bindings for PPP and 802 (802.1x)
     - Protected EAP (PEAP)
       - EAP authentication method
       - Tunnel for EAP method(s) after that
       - Establishes protected channel and keying

  10. Infrastructure Technologies: Link and Network Layer Security
     - Secure wireless
       - 802.11: encrypted (WEP) wireless link
         - Weak preshared key authentication
         - Weak encryption model because of keying and model
       - 802.1x: EAP authentication to solve weaknesses
     - IP Security Protocol (IPSec)
       - Network layer authentication, integrity, encryption
         - Computer trust (certificates, "preshared key")
         - Encryption keys using Diffie-Hellman
       - End-to-end: transport mode
       - Gateway-to-gateway: tunnel mode

  11. Infrastructure Technologies: Secure Remote Access (VPN) Protocols
     - Point-to-Point Tunneling Protocol (PPTP)
       - Link layer (PPP+GRE) tunneled connection with authentication and encryption
         - User trust (passwords, smart cards, and so on)
         - Encryption keys partially derived from the authentication credential
       - Client-to-gateway and gateway-to-gateway
     - Layer 2 Tunneling Protocol (L2TP)
       - Link layer (PPP) tunneled connection with authentication
         - User trust (passwords, smart cards, and so on)
       - Relies on a network layer wrapper (IPSec) for integrity and encryption
         - IPSec delivers computer trust
       - Client-to-gateway and gateway-to-gateway

  12. Before You Start
     - Must start with a clean infrastructure in the corporate network
       - Well-managed DHCP scopes
       - Functional DNS
       - Clean routing infrastructure
         - No address conflicts between connected networks

  13. Directory and Authentication Model: Single Forest Domain
     - Access point to directory (ADSI with LSA logon). Use when:
       - Gateways are Windows-based
       - There are few gateways
       - Gateway has integrated access policies (example: RRAS with IAS engine)
     - Access point to RADIUS (the RADIUS server then uses ADSI with LSA logon). Use when:
       - Gateways are not Windows-based
       - There are many gateways
       - Gateway has no integrated access policies

  14. Directory and Authentication Model: Securing RADIUS Authentication
     - RADIUS is an encrypted channel
       - Requires a shared secret with access points
         - Trust
         - Keying
       - Establish a management model for updates
     - RADIUS can be protected by IPSec
       - Do this where possible
         - Proxies
         - RADIUS server to Active Directory
         - RADIUS server to RRAS
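Slides 7 and 14 rest on one fact: the RADIUS shared secret is the only thing that binds an access point to IAS. The Python below is an added example, not material from the deck, that implements the two RFC 2865 primitives that secret protects: hiding the User-Password attribute and computing and verifying the Response Authenticator. The secret, Request Authenticator, user name and password are constructed placeholders. It shows why the slide's advice holds (a peer without the secret cannot forge or alter an Access-Accept) and also why it is not enough on its own: only the password attribute is hidden, the rest of the packet travels in clear, and the construction is MD5-based, which is the reason slide 14 asks for IPSec between NAS, proxy and server.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1 byte) | Length (1 byte) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    Request Authenticator. The secret itself never goes on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop RFC padding; passwords do not end in NUL


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: list, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that a reply came from a server holding the shared secret
    and was not altered in transit."""
    if len(packet) < 20:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


# Constructed sample exchange: an access point asks IAS to authenticate a user.
SECRET = b"constructed-shared-secret"   # placeholder, not a real secret
REQUEST_AUTH = bytes(range(16))         # constructed; a real NAS uses random bytes
REQUEST_ATTRS = [
    attribute(ATTR_USER_NAME, b"alice"),
    attribute(ATTR_USER_PASSWORD, hide_password(b"hunter2", SECRET, REQUEST_AUTH)),
]
ACCESS_REQUEST_PKT = build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH, REQUEST_ATTRS)


def server_reply(secret: bytes) -> bytes:
    """The Access-Accept a server holding `secret` would send for the request above."""
    auth = response_authenticator(ACCESS_ACCEPT, 7, REQUEST_AUTH, [], secret)
    return build_packet(ACCESS_ACCEPT, 7, auth, [])


if __name__ == "__main__":
    hidden = REQUEST_ATTRS[1][2:]
    print("server recovers password:", reveal_password(hidden, SECRET, REQUEST_AUTH))
    print("genuine reply verifies:", verify_response(server_reply(SECRET), REQUEST_AUTH, SECRET))
    print("reply built with another secret verifies:",
          verify_response(server_reply(b"other-secret"), REQUEST_AUTH, SECRET))
```

Two consequences for a deployment follow directly from the code. First, every party that can see the Access-Request and knows the secret can recover the password, so the secret must be distributed and rotated per NAS, which is the management model slide 14 asks for. Second, nothing in a base Access-Request is authenticated; the Message-Authenticator attribute of RFC 2869 (an HMAC-MD5 over the packet with the same secret) closes that gap and is mandatory when EAP is carried over RADIUS, but an IPSec policy between NAS, proxy and IAS protects the whole datagram rather than one attribute.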
  15. Directory and Authentication Model: Multidomain Single Forest
     - Conditions:
       - Two-way cross-domain trust within a single forest
     - What to do:
       - IAS is a member of one of the domains
       - Enable IAS: member of the IAS servers group
       - Scale out as required by access points
     (Diagram: two AD domains joined by a cross-domain trust and one IAS server; IAS can run on a DC)

  16. Directory and Authentication Model: Multiforest Domain
     - Conditions:
       - Multiple forests
       - Want geographic failover
       - Outsourced network access
       - Very high scale: distributed RADIUS trust management
     - What to do:
       - IAS member in each forest
       - Enable IAS: member of the IAS servers group
       - IAS proxy need not be a domain member
       - Scale out as required by access points
     (Diagram: an IAS server in each forest behind an IAS proxy; IAS can run on a DC)

  17. Directory and Authentication Model: Selecting Authentication Methods
     - VPN and dial
       - EAP if possible
         - Smart cards, user certificates, third-party plug-in
       - MS-CHAP if passwords are required
     - Wireless
       - PEAP if possible (supports all methods)
       - EAP if PEAP is not possible
       - Computer versus user trust
         - User if no computer trust or user policy is required
           - Use the same credential as VPN and dial

  18. Securing Wireless/Wired Links
     - Never use 802.11 without 802.1x and WEP
     - Try to use 802.1x in new wired deployments
       - No WEP here
     - Use PEAP if passwords are required
     (Diagram: an 802.11 AP with 802.1x and WEP, and an 802.1x switch, both authenticating to IAS and AD on the corpnet; decision points: user versus computer authentication, certificate versus password credential)
     - AP vendors: support RADIUS/IPSec and help improve authentication channel security
     - Switch vendors: move to 802.1x

  19. Securing Against Rogue Systems: Eavesdropping / Unauthorized Access
     - Rogue issues: not everything is 802.1x today
       - Undetected clear wireless AP
       - Rogue computer on a non-802.1x port
     - Solution 1: IPSec transport mode
       - Pros:
         - Can block all nonsecured communication
         - Strong integrity and encryption
         - Simple credential model (Kerberos or auto-enroll)
         - User transparency
       - Cons:
         - Limited to IPSec-capable systems
         - Domain trust work in multiforest deployments
         - Policy requires careful thought
         - No firewall inspection with ESP unless on the end system
     - AP vendors: deprecate non-802.1x APs and help end rogues

  20. Securing Against Rogue Systems (2): Eavesdropping / Unauthorized Access
     - Solution 2: Secure critical systems with VPN
       - Put critical systems in a network secured by a RAS-VPN gateway (with optional firewall)
       - Pros:
         - Broader end-system support
         - Firewall inspection possible in the secure server zone
         - Strong integrity and encryption
         - Simple credential model (Kerberos or auto-enroll)
       - Cons:
         - Significant network re-architecture
         - Scalability consideration for very large deployments
         - Concurrent peer-to-peer and secure server access
         - Less transparent to the user
           - Can integrate using WinLogon

  21. VPN Deployment: Deployment Models
     - Site-to-site
       - Recommend L2TP/IPSec if using RRAS
       - IPSec tunnel mode for IP-unicast-only traffic
       - Computer trust is enough
     - RAS VPN (client to gateway)
       - Internet connectivity architectures
       - Authentication architectures
       - Multihoming and scaling models
       - Address management
       - VPN protocol selection
       - Certificate deployment
       - Client deployment model
       - Split tunnels or not
       - Updating earlier VPN deployments

  22. RAS VPN Deployment: Internet Connectivity Architectures
     - An Internet firewall in front of the VPN gateway is unnecessary
     - Requires a firewall port opening plan
     (Diagram: VPN gateways between the Internet and the private network)

  23. RAS VPN Deployment: Authentication Architectures
     - Options: RADIUS, or Active Directory (if no central policy is required)
     - Options: Active Directory? (exposes the domain in the DMZ), RADIUS, RADIUS with IPSec protection (if the gateway can do this)
     (Diagram: VPN gateway placements for the two option sets)

  24. RAS VPN Deployment: Multihoming and Scaling Models
     - Single-home gateway
       - Offload NICs: watch limits on concurrent SAs
       - Connections and throughput are a function of egress performance
       - Sessions for 10 percent of authorized RAS users
     - Dual-home gateway
     (Diagram: single-home and dual-home gateways between the VPN side and the private network)

  25. RAS VPN Deployment: Multihoming and Scaling Models (continued)
     - Single-home gateway
       - Consolidate "back-side" NICs (routing considerations)
       - Scale up and out for "server area/client area" network partitioning
       - RRAS snap-in considerations for scale-up
     (Diagram: single-home, dual-home, multihome (throughput) and multihome (availability, with NLB) gateways)

  26. RAS VPN Deployment: Address Management Architectures
     - Private network DHCP assigned: best
       - Offers more than IP addresses
     - Pooled addresses from the gateway: okay
     - Static using Active Directory user properties: avoid
     - Static configured on the client: never
     - Make sure it is routable/consistent
       - Look out for default private addresses at corporate and remote networks

  27. RAS VPN Deployment: VPN Protocol Selection
     - L2TP/IPSec
       - First recommendation for best security
       - Requires a computer trust infrastructure (PKI or shared secrets)
       - Use PKI instead of shared secrets
     - PPTP
       - Second recommendation, with the understanding that:
         - Use with strong user authentication
         - Passwords may be workable if PEAP can be completed for VPN scenarios
       - Least cost because the trust model is based on user identity
         - No computer trust infrastructure to deploy (PKI or shared secrets)

  28. RAS VPN Deployment: Certificate Deployment
     - For computer authentication when L2TP/IPSec is used
       - Gateway and client have a common trusted root CA
       - Gateway
         - Auto-enroll if possible
           - Domain accessible to perimeter network (also known as DMZ, demilitarized zone, and screened subnet) servers
           - Gateway is RRAS instead of third party
         - PKCS if the gateway supports it
         - SCEP if PKCS is not supported
       - Client
         - Auto-enroll if possible
         - PKCS if the client never connects to the domain before requiring a VPN
         - Certificate must be in the local computer certificate store
         - Must have administrative privileges to install

  29. RAS VPN Deployment (2): Certificate Deployment
     - For user authentication
       - Certificate is recognized in Active Directory
       - Use smart cards if possible
       - Use local user certificates if not using smart cards
         - Certificate must be in the local USER certificate store
         - Install using a logon script bootstrap if possible
         - Install using Web or PKCS if logon scripts are not possible

  30. RAS VPN Deployment: Client Deployment Models
     - Connection Manager Administration Kit
       - Use where possible
         - Sequenced connections
         - Managed phonebooks
         - Bootstrap certificates and tools
         - Support for earlier platforms
         - Client configuration setup
     - New Connection Wizard
       - Automatic protocol setup

  31. RAS VPN Deployment: Split Tunnels or Not
     - Only deploy with ICF on the client public interface
     - Managing client routes
       - Administrators should control them
       - Use DHCP classless static routes
         - Permits update at connection time
         - Supported in Windows XP
       - Use Connection Manager for down-level clients only
         - Updates only at client reprovisioning
       - Consider Internet and private addresses
         - Printing to a home printer and the Internet while connected

  32. RAS VPN Deployment (2): Split Tunnels or Not
     - Cannot split to home if corporate addresses conflict
       - Resource address conflicts between home and corporate
       - Default gateway conflicts between home NAT and corporate
       - Non-split connections will still work
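Slides 12, 31 and 32 come down to two checks an administrator can automate: what routes the DHCP classless static route option actually pushes to a split-tunnel client, and whether those prefixes collide with the client's home network. The Python below is an added example, not material from the deck. It encodes and decodes the RFC 3442 option 121 payload (the same compact layout Windows XP clients read from the Microsoft-specific option 249) and flags pushed corporate prefixes that overlap a home prefix (resource address conflict) or cover the home NAT gateway (default gateway conflict). Every address in it is constructed.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def encode_classless_routes(routes: List[Route]) -> bytes:
    """RFC 3442 option 121 payload. Per route: one byte of prefix length, only the
    significant ceil(len/8) octets of the destination, then the 4-octet router.
    A default route is prefix length 0 followed directly by the router."""
    out = bytearray()
    for net, router in routes:
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += router.packed
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Parse an option 121 payload, rejecting bad prefix lengths and truncation
    rather than silently installing a partial route."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated classless static route option")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = payload[i:i + 4]
        i += 4
        # strict=False: a sloppy server may leave host bits set; keep the route anyway
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
    return routes


def split_tunnel_conflicts(pushed: List[Route],
                           home_prefixes: List[ipaddress.IPv4Network],
                           home_gateway: ipaddress.IPv4Address) -> List[ipaddress.IPv4Network]:
    """Corporate prefixes that make a split tunnel unsafe for this home network:
    they overlap a home prefix, or they cover the home NAT gateway so that local
    and Internet traffic would be pulled into the tunnel. A default route is ignored,
    because pushing one means the tunnel is not split at all."""
    conflicts = []
    for net, _ in pushed:
        if net.prefixlen == 0:
            continue
        if any(net.overlaps(h) for h in home_prefixes) or home_gateway in net:
            conflicts.append(net)
    return conflicts


# Constructed corporate routes: two RFC 1918 blocks reachable via the VPN server's
# tunnel address (placeholder 10.255.255.1).
VPN_ROUTER = ipaddress.IPv4Address("10.255.255.1")
CORPORATE_ROUTES: List[Route] = [
    (ipaddress.IPv4Network("10.0.0.0/8"), VPN_ROUTER),
    (ipaddress.IPv4Network("172.16.0.0/12"), VPN_ROUTER),
]

# Constructed home networks: one uses an address block the corporate routes also claim.
HOME_OK = ([ipaddress.IPv4Network("192.168.1.0/24")], ipaddress.IPv4Address("192.168.1.1"))
HOME_CONFLICT = ([ipaddress.IPv4Network("10.0.0.0/24")], ipaddress.IPv4Address("10.0.0.1"))


def check_home(home) -> List[ipaddress.IPv4Network]:
    """Decode what the DHCP server would push and test it against a home network."""
    pushed = decode_classless_routes(encode_classless_routes(CORPORATE_ROUTES))
    prefixes, gateway = home
    return split_tunnel_conflicts(pushed, prefixes, gateway)


if __name__ == "__main__":
    print("option 121 payload:", encode_classless_routes(CORPORATE_ROUTES).hex())
    print("conflicts for 192.168.1.0/24 home:", check_home(HOME_OK))
    print("conflicts for 10.0.0.0/24 home:", check_home(HOME_CONFLICT))
```

When `split_tunnel_conflicts` returns anything for a client, the slide's own advice applies: that client has to run a non-split connection, which still works because the default route then points into the tunnel. Running the same check against the corporate DHCP scopes (slide 12) before adding a new remote site catches the "default private addresses at corporate and remote networks" problem from slide 26 at design time instead of at the help desk.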
  33. Updating Proprietary VPNs
     - Gateway authentication/encryption models
     - IPSec tunnel mode
       - Requires a gateway-specific client
       - Preshared IPSec trust (aggressive mode)
       - Certificate-based IPSec trust
     - L2TP/IPSec
       - No EAP for PPP user authentication
       - Passwords are best (if any user authentication)
     (Diagram: VPN gateway with a third-party CA and a third-party directory (LDAP) alongside an Active Directory or Windows NT 4.0 domain serving file, print, database, e-mail, Web and ERP)

  34. Updating Proprietary VPNs (2)
     - IPSec authenticates with userID
       - Trust user, so trust computer
       - If preshared key
         - Separate distribution model
       - If certificate-based authentication
         - Certificate enrolled using Web
         - Certificate contains LDAP userID
       - Gateway verifies certificate revocation and presence of userID in LDAP
     - Gateway local authorization
     (Diagram: as on slide 33)

  35. Updating Proprietary VPNs (3)
     - VPN userID is separate from the IT infrastructure userID, wireless, and dial
     - DoS risk to gateway
     - No central access policy
       - Separate administrator for wireless and dial
     - Group membership policies require replicating Active Directory groups
     - Blind computer trust if there is user identity theft
     (Diagram: as on slide 33)

  36. Updating Proprietary VPNs (4)
     - Use the Windows XP built-in L2TP/IPSec VPN client
     - Move to AD for certificate deployment
       - Integrate CA with AD for auto-enroll
       - Issue computer certificates
       - Microsoft CA can reduce certificate license cost
       - Alternate: out of computer certificate
       - Ideally, use smart cards
         - Alternate 1: user store certificates
         - Alternate 2: user passwords
     - Add IAS to the Windows infrastructure
     - Point the gateway to IAS
       - Requires EAP if certificates are used for users
     (Diagram: as on slide 33, with IAS and AD auto-enroll added)

  37. Additional Resources
     - vpn /

  38. Thank you for joining today's Microsoft Support WebCast.
     For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint slides, and transcripts), visit: http:// /
     Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to [email_address].