1 Objectives Wireless Access • IPSec Discuss Network Access Protection Install Network Access Protection

Post on 15-Jan-2016


Page 1: 1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection

Objectives

• Wireless Access
• IPSec
• Discuss Network Access Protection
• Install Network Access Protection

Page 2

Wireless Access Configuration in Windows Server 2008

• 802.1x standard
  – Network access control that provides an authentication mechanism to allow or deny network access based on the port a device connects through
  – WPA2-EAP (Wi-Fi Protected Access 2 with EAP)
    • More secure than PSK and WEP, which both use a static key
    • EAP uses certificates

Page 3

Wireless Access Configuration in Windows Server 2008 (continued)

• Categories of EAP implementations
  – EAP over local area network (LAN)
    • EAP-TLS
  – EAP over wireless
    • PEAP: Protected Extensible Authentication Protocol

• 802.1x uses a three-component model for authenticating access to networks
  – Supplicant: wireless client/device
  – Authenticator: wireless access point
  – Authentication server: NPS/RADIUS server
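The three-component model above becomes concrete when the authenticator (the access point) has to be registered on the authentication server (NPS) before it can forward any EAP request. The following is an added example, not code from the slides: it uses the Windows Server 2008 `netsh nps` and `netsh wlan` commands, and the client name, address, shared secret and SSID are constructed placeholders.

```powershell
# Added example, not from the slides: register the "authenticator" (a wireless access point)
# as a RADIUS client on the "authentication server" (NPS), then check the supplicant side.
# Name, address, shared secret and SSID are constructed placeholders.

# Each access point that forwards EAP requests must be a known RADIUS client with its own
# shared secret; an AP that is not listed here cannot act as an authenticator for NPS.
# napcompatible="YES" would be used if this AP also takes part in NAP 802.1x enforcement.
netsh nps add client name="AP-Floor1" address="10.0.5.10" state="ENABLE" `
    sharedsecret="REPLACE-WITH-LONG-RANDOM-SECRET" requireauthattrib="NO" `
    napcompatible="NO" vendor="RADIUS Standard"

# Verify what NPS now considers a valid authenticator.
netsh nps show client

# Supplicant side: list the saved wireless profiles and confirm that the corporate SSID's
# profile uses WPA2 with 802.1X/EAP (WPA2-Enterprise), not a pre-shared key.
netsh wlan show profiles
netsh wlan show profile name="CorpWiFi"
```

The shared secret is the only thing binding the AP to NPS, so it should be long, random and unique per authenticator; a secret shared across all access points means one compromised AP can impersonate any of them.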

Page 4

Page 5

Internet Protocol Security

• An open-standards framework for securing network communications

• IPSec meets three basic goals
  – Authentication
  – Integrity
  – Confidentiality

Page 6

IPSec Threats

• Depending on how it is configured, IPSec provides protection from the following threats
  – Data tampering
  – Denial of service
  – Identity spoofing
  – Man-in-the-middle attacks
  – Repudiation (rootkit)
  – Network traffic sniffing

Page 7

How IPSec Works

• IPSec modes of operation
  – Transport mode
  – Tunnel mode

• IPSec security methods
  – Authentication Header (AH)
  – Encapsulating Security Payload (ESP)

• Scenarios available when deploying IPSec
  – Site to site
  – Client to client
  – Client to site

Page 8

Transport Mode

• Used between two hosts (client-to-client or client-to-site)

• Both communication ends must support IPSec

Page 9

Tunnel Mode

• Used between two routers (Site-to-Site)

• Two hosts communicating through the routers do not need to support IPSec

• Computers taking part in the conversation are not authenticated

Page 10

AH Method

• Provides authentication of the two endpoints and adds a checksum to the packet

• Authentication guarantees that the two endpoints are known, and the checksum guarantees that the packet is not modified in transit

• The payload of the packet is unencrypted

• Use whenever you are concerned about packets being captured with a packet sniffer and replayed later

• Less processor-intensive than ESP

Page 11

Page 12

ESP Method

• Provides authentication of the two endpoints, which guarantees that the two endpoints are known

• Adds a checksum to each packet

• Encrypts the data in the packet

• Most implementations of IPSec use ESP because data encryption is desired

Page 13

Page 14

IPSec Authentication

• Authentication is for the devices at the two IPSec endpoints, NOT the users logged into the devices

• Internet Key Exchange (IKE) is the process used by two IPSec hosts to negotiate their security parameters/protocols
  – IKE generates the encryption and authentication keys used by IPSec for the transaction

• When the security parameters have been agreed upon, the result is referred to as a security association

Page 15

IPSec Connections Authentication Methods

• Pre-shared key
  – Simple, but the key has to be moved to both sides in advance

• Kerberos
  – Integrated with Windows Active Directory; only for Active Directory members

• Certificates
  – Issued by trusted organizations on the Internet called certification authorities
  – A certificate must be validated using the digital signature of the certification authority

Page 16

Enabling IPSec

• IPSec is enabled on Windows using IPSec policies

• Unlike Windows Server 2003, Windows Server 2008 has no default policy

• Policies can be configured manually on each server or distributed through Group Policy
  – Choose tunnel or transport mode and the network type
  – Specify IP filters and filter actions

• Can be managed with the following tools
  – WFAS Connection Security Rules
  – IP Security Policy snap-in
  – Netsh
  – gpme.msc

Page 17

Assigning IPSec Policies

• Multiple IPSec policies may be configured

• Only the assigned one is actually used

• No policy is used until it is assigned

• Only one policy can be assigned at a time per machine

• Assignment does not take effect immediately

• The IPSec Policy Agent must be restarted for the change to take effect

Page 18

Troubleshooting IPSec

• The most common IPSec troubleshooting tools are:
  – Ping
  – IPSec Security Monitor (MMC snap-in)
  – Event Viewer (Security log)
  – Resultant Set of Policy (Group Policy resultant set)
  – Network Monitor
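The authentication methods, the mode and security-method choices, the assignment caveat and the troubleshooting tools of the preceding pages all have a command-line form on Windows Server 2008. The block below is an added example and not code from the slides: `netsh advfirewall consec` is the command-line face of the WFAS Connection Security Rules the slides list, and `netsh ipsec static` drives the legacy IP Security Policy snap-in. The addresses, subnets, rule and policy names, CA name and pre-shared key are constructed placeholders.

```powershell
# Added example, not from the slides: IPsec authentication methods, AH/ESP choice, policy
# assignment and troubleshooting as Windows Server 2008 commands. Addresses, subnets,
# rule/policy names, the CA name and the pre-shared key are constructed placeholders.

# 1. Transport mode between two subnets with Kerberos computer authentication (the Active
#    Directory case). requireinrequestout: inbound traffic must be protected; outbound asks
#    for protection and falls back to clear text if the peer does not speak IPsec.
netsh advfirewall consec add rule name="Require IPsec from app subnet" `
    endpoint1="10.0.1.0/24" endpoint2="10.0.2.0/24" mode=transport `
    action=requireinrequestout auth1=computerkerb profile=domain

# 2. Same scenario, but ESP with encryption is required in both directions (AH would give
#    integrity only); qmsecmethods is the quick-mode proposal both peers must accept.
netsh advfirewall consec add rule name="Require ESP to database host" `
    endpoint1=any endpoint2="10.0.2.25" mode=transport `
    action=requireinrequireout auth1=computerkerb qmsecmethods="esp:sha1-aes128"

# 3. Certificate authentication chained to a named CA, for machines outside the domain.
#    auth1healthcert=yes is the variant NAP IPsec enforcement relies on: only hosts holding
#    a health certificate issued through the HRA can reach this endpoint.
netsh advfirewall consec add rule name="Require health certificate" `
    endpoint1=any endpoint2="10.0.2.0/24" mode=transport `
    action=requireinrequireout auth1=computercert `
    auth1ca="CN=Contoso-Root-CA certmapping:no excludecaname:no" auth1healthcert=yes

# 4. Tunnel mode between two gateways (site to site). Hosts behind the gateways need no
#    IPsec; only the tunnel endpoints authenticate, here with the slides' "simple" method,
#    a pre-shared key that must already exist on both gateways.
netsh advfirewall consec add rule name="Tunnel to branch office" `
    endpoint1="10.0.0.0/16" endpoint2="10.50.0.0/16" mode=tunnel `
    localtunnelendpoint="203.0.113.10" remotetunnelendpoint="198.51.100.20" `
    action=requireinrequireout auth1=computerpsk auth1psk="REPLACE-WITH-STRONG-KEY"

# 5. Troubleshooting: what is configured versus what was actually negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa   # main-mode (IKE) SAs: did authentication succeed?
netsh advfirewall monitor show qmsa   # quick-mode SAs: which AH/ESP pairs are in use?

# 6. Legacy IP Security Policy path: several policies may exist, only the assigned one is
#    used, and the IPsec Policy Agent must be restarted before the assignment applies.
netsh ipsec static set policy name="Require Security" assign=yes
Restart-Service -Name PolicyAgent
```

A rule that requires IPsec inbound with no matching rule on the peer simply produces silence rather than an error, which is why the main-mode and quick-mode SA listings are the first thing to check: an empty main-mode table means authentication never completed, while a main-mode SA with no quick-mode SA points at a mismatch in the AH/ESP proposal.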

Page 19

Using IPSec

Page 20

Network Access Protection

• NAP can be broken into three parts
  – Health policy validation
  – Health policy compliance
  – Access limitation

Page 21

NAP Terminology

• Enforcement Client (Windows 7, 2008, Vista, XP SP3)
• Enforcement Server (2008 NPS server)
• Host Credential Authorization Protocol (for 802.1x clients)
• Health Registration Authority
  – Distributes health certificates
  – Required for IPSec enforcement
  – A role service of the NPS server role
• Network Policy Server
• Remediation Server (updates clients)
• System Health Agent (a service on the NAP client that monitors the status of the firewall and antivirus)
• System Health Validator

Page 22

NAP Enforcement Methods

• The five types of NAP enforcement methods
  – 802.1x-authenticated connections (EAP)
  – Dynamic Host Configuration Protocol (DHCP) address configuration
  – IPSec communications
    • Based on IP address or port numbers
    • Requires HRA and Certificate Services
  – Terminal Services Gateway (TS Gateway) connections
  – Virtual Private Network (VPN) connections

Page 23

Implementing NAP

Page 24

Install, Configure and Enforce NAP

• Add the NPS role (NAP is installed as part of the NPS role)
  – Add Roles Wizard or the servermanagercmd.exe command

• Configure the Windows Security Health Validator
  – NPS > NAP > System Health Validators

• Create two new health policies
  – One Compliant policy and one Non-compliant policy
  – NPS > Policies > Health Policies

• Enable a NAP enforcement method on client computers
  – napclcfg command
  – NAP Client Configuration snap-in

• Set Network Policies or Connection Security Rules

Page 25

NAP Client Configuration

Page 26

NAP Client Configuration (continued)

• Turn on Security Center in Local Computer Policy
  – gpedit.msc or the Group Policy Object Editor snap-in
  – Computer Configuration > Administrative Templates > Windows Components > Security Center
  – Needed to work with the standard Windows SHV

• Start the Network Access Protection Agent service
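The server-side installation steps and the client-side steps on the two preceding pages form one procedure. The block below is an added example, not code from the slides, showing that procedure as Windows Server 2008 and Vista/XP SP3 commands. The role-service IDs (NPAS-Policy-Server, NPAS-Health) and the enforcement-client IDs (79617 DHCP, 79619 IPsec, 79623 EAP/802.1x) are Microsoft's values for that release and should be confirmed with the `show` commands included; the export path is a constructed placeholder.

```powershell
# Added example, not from the slides: the NAP install/configure/enforce sequence as commands.
# Role-service and enforcement-client IDs are Microsoft's Windows Server 2008-era values;
# confirm them with the "show" commands below. The export path is a constructed placeholder.

# --- Server (NPS) ---
# Add the NPS role; NAP is part of it. Add the HRA role service only for IPsec enforcement.
servermanagercmd.exe -install NPAS-Policy-Server
servermanagercmd.exe -install NPAS-Health

# The SHV settings, the Compliant / Non-compliant health policies and the network policies
# are built in the NPS console. Export the finished configuration so it can be reviewed and
# reapplied on a second NPS server (exportPSK=no keeps RADIUS shared secrets out of the file).
netsh nps export filename="C:\nap\nps-config.xml" exportPSK=no

# --- Client ---
# Enable the enforcement client that matches the method chosen on the server; a client
# whose enforcement client is disabled is never evaluated, whatever the server policy says.
netsh nap client show config
netsh nap client set enforcement ID=79617 ADMIN="ENABLE"    # DHCP enforcement
# netsh nap client set enforcement ID=79619 ADMIN="ENABLE"  # IPsec enforcement (HRA + health certificates)
# netsh nap client set enforcement ID=79623 ADMIN="ENABLE"  # EAP / 802.1x enforcement

# The Windows SHV reads Security Center, so it must be turned on under
# Computer Configuration > Administrative Templates > Windows Components > Security Center
# ("Turn on Security Center (Domain PCs only)") in gpedit.msc or the domain GPO.

# Start the NAP Agent, keep it running across reboots, then check what the client reports:
# enforcement clients, and the status of each System Health Agent (firewall, antivirus).
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client show state
```

`netsh nap client show state` is the quickest way to tell a server-side policy problem from a client-side one: if the enforcement client shows as disabled or the NAP Agent is not running, the server never receives a statement of health and the client is treated as non-NAP-capable rather than non-compliant.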

Page 27

NAP Monitoring

• Log files
  – On the NAP enforcement server:
    • Windows Logs\Security log: non-compliant clients
  – On Vista or 2008 NAP enforcement clients:
    • Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational log
  – On XP SP3 NAP enforcement clients:
    • System log
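The three log locations above are what an administrator reviews to see who was quarantined and why. The following is an added example, not code from the slides, that reads each of them with PowerShell 2.0-era cmdlets available on Windows Server 2008. Event IDs 6276 (client quarantined) and 6278 (full access, host compliant) are the NPS audit events written to the Security log; the operational channel name is the registered name behind the "Network Access Protection\Operational" entry in Event Viewer; the message filter used for XP SP3 is an assumption about how the NAP Agent words its System-log entries.

```powershell
# Added example, not from the slides: reading the three NAP log locations the slide lists.
# 6276 = NPS quarantined a client, 6278 = NPS granted full access because the host was
# compliant. Reading the Security log requires an elevated prompt.

# Enforcement server (NPS): which clients were quarantined, and which were passed through.
function Get-NapServerDecisions {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6276, 6278; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                Decision = $(if ($_.Id -eq 6276) { 'Quarantined' } else { 'FullAccess' })
                Detail   = $_.Message
            }
        }
}

# Vista / Windows Server 2008 enforcement clients: the NAP operational channel.
function Get-NapClientEvents {
    param([int]$Newest = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# XP SP3 enforcement clients have no operational channel; the NAP Agent writes to System.
# The message filter is an assumption about the wording of those entries.
function Get-NapXpClientEvents {
    param([int]$Newest = 200)
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.Message -like '*Network Access Protection*' }
}

# Usage: a daily summary of enforcement-server decisions, then the quarantined ones in full.
Get-NapServerDecisions -Hours 24 | Group-Object Decision | Select-Object Name, Count
Get-NapServerDecisions -Hours 24 | Where-Object { $_.Decision -eq 'Quarantined' } |
    Format-List Time, Detail
```

A sudden rise in 6276 events after a policy change usually means the health policy, not the clients, changed; comparing the quarantined clients' own operational-channel entries with the server's reason text in the 6276 message shows which SHV requirement they failed.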