TRANSCRIPT
Module 8: Designing Network Access Solutions
Module Overview
• Securing and Controlling Network Access
• Designing Remote Access Services
• Designing RADIUS Authentication with Network Policy Services
• Designing Wireless Access
Lesson: Securing and Controlling Network Access
• Authentication Methods
• Encryption Methods
• Network Policies
• Network Policy Processing
Authentication Methods
Authentication Method - Description
Unauthenticated access
• Does not provide security; the connection is accepted without any credentials
Password Authentication Protocol (PAP)
• Sends the password in cleartext; anyone who can observe the link can read it
Shiva Password Authentication Protocol (SPAP)
• Use only for a Shiva LAN Rover remote access device; it relies on a reversible encryption scheme and is not considered secure
Challenge Handshake Authentication Protocol (CHAP)
• Does not send the password; the client returns an MD5 hash of a server challenge combined with the password. The server must hold the password in a form it can recover (reversibly encrypted storage in Active Directory), and CHAP authenticates the client only, so MS-CHAPv2 is preferred.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2)
• Stronger security than CHAP: mutual authentication (the server also proves knowledge of the password) and the server needs only the NT hash rather than a reversibly encrypted password
Extensible Authentication Protocol (EAP)
• Allows the use of plug-in modules for authentication. EAP-TLS requires certificates on both the client and the server and is used for smart cards.
Protected Extensible Authentication Protocol (PEAP)
• Wraps an inner EAP method (commonly PEAP-MS-CHAPv2) in a TLS tunnel authenticated by the server's certificate; supports wireless authentication through RADIUS
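The table above says that PAP sends the password in the clear and that CHAP "secures" it; the difference, and the caveat that CHAP obliges the server to keep a recoverable copy of the password, is easier to see in code. The following is an added example written for this page, not code from the original course: it implements the RFC 1994 CHAP response (MD5 over Identifier, secret, Challenge), a minimal PAP message for contrast, and the offline guessing an eavesdropper can run against a captured challenge/response pair. The user store USER_DB and the credential values are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

# Constructed credential store. To verify CHAP the server must be able to recompute
# MD5(id || password || challenge), so it needs the password itself (or a reversibly
# encrypted copy), not a one-way hash. This is the "reversible encryption" requirement
# that Windows imposes when CHAP is enabled.
USER_DB = {"alice": b"Winter2008!"}


def pap_authenticate_request(username: str, password: bytes) -> bytes:
    """PAP: the client simply ships the password. Anything on the path can read it."""
    return username.encode() + b"\x00" + password


def chap_challenge() -> Tuple[int, bytes]:
    """Server side of CHAP: a fresh identifier and a random challenge for every attempt."""
    return secrets.randbelow(256), os.urandom(16)


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response from the stored password."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes,
                       wordlist: List[bytes]) -> Optional[bytes]:
    """What an eavesdropper does with a captured (identifier, challenge, response):
    the password never crosses the wire, but a weak one falls to a dictionary attack."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    ident, chal = chap_challenge()
    resp = chap_response(ident, USER_DB["alice"], chal)
    print("CHAP verify:", chap_verify("alice", ident, chal, resp))
    print("Offline guess:", chap_offline_guess(ident, chal, resp, [b"password", b"Winter2008!"]))
```

The challenge and identifier both enter the hash, so a response captured once cannot be replayed against a later challenge; what the protocol does not prevent is the offline guess shown in chap_offline_guess, which is one reason the course prefers MS-CHAPv2 and, for wireless, certificate-based EAP.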
Encryption Methods
IPsec (L2TP over IPsec):
• Is used by L2TP connections
• Requires additional authentication configuration (a computer certificate or a pre-shared key for the IPsec security association, in addition to the user's PPP authentication)
MPPE:
• Is used by PPTP connections
SSL:
• Is used by SSTP connections
• Is firewall friendly
Network Policies
Network Policies:
• Control remote access requests
• Replace remote access policies in previous versions of Windows
Network Policy component - Description
Conditions
• Determine whether this policy is used to evaluate a connection request.
Access permission
• Determine whether access is allowed, denied, or determined by user dial-in properties.
Authentication methods
• Determine the authentication methods that can be negotiated.
Constraints
• Limits on the connection such as idle time or maximum connection time.
Settings
• Set characteristics of the connection such as encryption or IP filters.
Network Policy Processing
• The default network policies deny access
• Policies are ordered for evaluation
• If a policy with matching conditions is found, no additional policies are processed, even if a later policy would have granted access
• If no policy matches, the request is rejected
The following process is used:
1. Locate the first policy whose conditions all match the connection request
2. Apply the access permission in that policy: deny ends processing; allow (directly or via the user's dial-in properties) continues
3. If allowed, attempt to authenticate using only the methods the policy permits
4. Apply constraints to the connection; if a constraint cannot be met, reject the request
5. Apply settings to the connection
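The five steps above are a first-match rule engine, and the practical consequence (a correct policy placed below a broader one never gets a chance to grant access) is easiest to see by running it. The following is an added example, not part of the course material: a small model of network policy processing with the policy names, attribute names (NAS-Port-Type, Windows-Groups) and request values constructed for illustration. Group membership is simplified to a single string per request.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class NetworkPolicy:
    name: str
    conditions: Dict[str, Set[str]]          # attribute -> acceptable values; every condition must match
    permission: str                          # "grant", "deny", or "dialin" (defer to the user account)
    auth_methods: Set[str]                   # methods this policy will negotiate
    max_session_seconds: Optional[int] = None   # a constraint; None means no limit
    settings: Dict[str, str] = field(default_factory=dict)  # e.g. encryption level, IP filters


@dataclass
class ConnectionRequest:
    attributes: Dict[str, str]   # e.g. NAS-Port-Type, Windows group (simplified to one value)
    auth_method: str             # method the client offered
    user_dialin: str             # account dial-in property: "allow" or "deny"
    requested_session_seconds: int


def evaluate(policies: List[NetworkPolicy], request: ConnectionRequest) -> Tuple[str, str, Dict[str, str]]:
    """First-match evaluation following the five steps on the slide.
    Returns (decision, reason, settings)."""
    for policy in policies:
        # Step 1: all conditions must match; otherwise move to the next policy.
        if not all(request.attributes.get(attr) in values
                   for attr, values in policy.conditions.items()):
            continue
        # Step 2: access permission. Processing stops here either way.
        decision = policy.permission
        if decision == "dialin":
            decision = "grant" if request.user_dialin == "allow" else "deny"
        if decision == "deny":
            return "reject", f"{policy.name}: access permission denies", {}
        # Step 3: only the policy's authentication methods can be negotiated.
        if request.auth_method not in policy.auth_methods:
            return "reject", f"{policy.name}: {request.auth_method} not negotiable", {}
        # Step 4: constraints that cannot be met reject the connection.
        if (policy.max_session_seconds is not None
                and request.requested_session_seconds > policy.max_session_seconds):
            return "reject", f"{policy.name}: session-time constraint not met", {}
        # Step 5: settings are applied to the accepted connection.
        return "accept", policy.name, dict(policy.settings)
    # No policy matched: the default behaviour is to deny.
    return "reject", "no matching policy (default deny)", {}


# Constructed policies. The VPN policy is broader than the Helpdesk policy because
# every VPN connection matches it, regardless of group.
VPN_POLICY = NetworkPolicy("VPN users (EAP-TLS only)", {"NAS-Port-Type": {"Virtual (VPN)"}},
                           "grant", {"EAP-TLS"}, 8 * 3600, {"encryption": "strongest"})
HELPDESK_POLICY = NetworkPolicy("Helpdesk group", {"Windows-Groups": {"Helpdesk"}},
                                "grant", {"MS-CHAPv2", "EAP-TLS"}, None, {"encryption": "strong"})
DEFAULT_DENY = NetworkPolicy("Connections to other access servers", {}, "deny", set())

# Order matters: with the broad VPN policy first, a Helpdesk user dialling in over VPN
# with MS-CHAPv2 is rejected there and the Helpdesk policy is never consulted.
ORDERED_POLICIES = [VPN_POLICY, HELPDESK_POLICY, DEFAULT_DENY]
REORDERED_POLICIES = [HELPDESK_POLICY, VPN_POLICY, DEFAULT_DENY]


if __name__ == "__main__":
    req = ConnectionRequest({"NAS-Port-Type": "Virtual (VPN)", "Windows-Groups": "Helpdesk"},
                            "MS-CHAPv2", "allow", 3600)
    print(evaluate(ORDERED_POLICIES, req))
    print(evaluate(REORDERED_POLICIES, req))
```

Placing the more specific policy (Helpdesk group) above the broader one (all VPN connections) is what makes the second evaluation succeed; the engine itself never looks past the first match.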
Lesson 3: Designing Remote Access Services
• Remote Access Methods
• VPN Tunnelling Protocols
Remote Access Methods
Method - Advantages - Limitations
Dial-up Networking
• Advantages: convenient direct dial-up connectivity; a potentially secure data path (a point-to-point circuit over the telephone network)
• Limitations: expensive; subject to the maximum speed supported by the connection medium (typically 56 Kbps)
VPN
• Advantages: reduced costs; sufficient security; flexibility
• Limitations: less private (traffic crosses a shared public network, so confidentiality depends entirely on the tunnel)
RPC over HTTP
• Advantages: allows RPC-based applications to traverse firewalls
• Limitations: applications must be specifically designed to use RPC over HTTP
VPN Tunnelling Protocols
Protocol - Description
PPTP
• Allowed by most firewalls
• Supported by all Windows clients
• No data integrity: MPPE encrypts with a stream cipher and adds no integrity check, so a modified ciphertext is not detected
L2TP (over IPsec)
• Blocked by NAT in some cases (IPsec ESP does not traverse NAT unless both ends support NAT traversal)
• Supported by Windows 2000/XP/Vista clients
• Provides data integrity and machine authentication (IPsec authenticates the computer with a certificate or pre-shared key before the user authenticates over PPP)
SSTP
• Firewall friendly: tunnels PPP over HTTPS (TCP port 443)
• Supported by Windows Vista SP1 and Windows Server 2008
• Provides data integrity (through the TLS record layer)
Lesson 4: Designing RADIUS Authentication with Network Policy Services
• What Is RADIUS?
• RADIUS Roles
• How RADIUS Works for Remote Access
• What Is a RADIUS Proxy?
What Is RADIUS?
[Diagram: Remote Access Client -> Remote Access Server (acting as RADIUS Client) -> RADIUS Server -> Directory Server]
• Remote Authentication Dial In User Service (RADIUS) is a protocol for controlling authentication, authorization, and accounting. The access server (the RADIUS client) forwards the user's credentials to the RADIUS server in an Access-Request over UDP (port 1812 for authentication and 1813 for accounting; older deployments use 1645/1646). The RADIUS server checks them against the directory and answers with Access-Accept, Access-Reject or Access-Challenge. Each client/server pair shares a secret that hides the User-Password attribute in transit and authenticates the server's reply.
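The exchange between the RADIUS client (the remote access server) and the RADIUS server, as an added example written for this page rather than code from the course: it builds an Access-Request with the User-Password attribute hidden as RFC 2865 section 5.2 specifies (16-byte blocks XORed with MD5 of the shared secret and the previous block, seeded by the Request Authenticator), builds the server's reply with its Response Authenticator (MD5 over the reply header, the Request Authenticator, the attributes and the secret), and shows why the client must verify that authenticator before trusting an Access-Accept. The shared secret, user name, password and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_user_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks (at least one), then c_i = p_i XOR MD5(secret || c_{i-1}),
    with c_0 being the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password too long")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def decrypt_user_password(secret: bytes, request_auth: bytes, ciphertext: bytes) -> bytes:
    """Server side of 5.2. Trailing NUL padding is stripped, so passwords ending in NUL bytes
    are not round-tripped exactly (a limitation of the RFC scheme, not of this code)."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(ciphertext[i:i + 16], block))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(secret: bytes, identifier: int, username: str, password: str,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """Client side: a fresh random Request Authenticator per request is what keeps the
    hidden password from repeating across requests."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(secret, request_auth, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Server side: the reply echoes the request's Identifier and is bound to its authenticator."""
    identifier, request_auth = request[1], request[4:20]
    return build_packet(code, identifier,
                        response_authenticator(code, identifier, request_auth, attributes, secret),
                        attributes)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: reject any reply whose Identifier or Response Authenticator does not check out.
    Without this, anyone who can inject a UDP datagram could turn a Reject into an Accept."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs after the 20-byte header, refusing malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


if __name__ == "__main__":
    secret = b"s3cret"                                     # constructed shared secret
    req = build_access_request(secret, 7, "alice", "Pa55word!", "192.0.2.10")
    print("server sees:", decrypt_user_password(secret, req[4:20], dict(parse_attributes(req))[ATTR_USER_PASSWORD]))
    reply = build_response(ACCESS_ACCEPT, req, secret)
    print("reply verifies:", verify_response(reply, req, secret))
```

The MD5-based hiding in encrypt_user_password is only as strong as the shared secret, which is why RADIUS traffic between the NAS and the server should stay on a trusted management network or inside IPsec, and why the course routes user authentication through EAP methods rather than PAP wherever it can.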
RADIUS Roles
Routing and Remote Access Server can be configured as a:
• RADIUS Client
NPS can be configured as a:
• RADIUS Server
• RADIUS Proxy
What Is a RADIUS Proxy?
[Diagram: Remote Access Client -> RADIUS Client at the ISP -> RADIUS Proxy -> RADIUS Server at Company A or at Company B]
• A RADIUS proxy distributes RADIUS requests to the appropriate RADIUS server. In NPS, connection request policies select the remote RADIUS server group for each request, typically by the realm (the user name suffix) it carries.
Lesson 5: Designing Wireless Access
• Wireless Networking Standards
• Wireless Security Threats
• Strategies for Wireless Security
Wireless Networking Standards
Standard - Description
802.11
• Original specification for wireless LANs
• Speed of either 1 or 2 megabits per second
802.11b
• 11 megabits per second
• Good range, but susceptible to radio signal interference (shares the crowded 2.4 GHz band)
802.11a
• Transmission speeds as high as 54 Mbps
• Works well in densely populated areas (uses the less congested 5 GHz band)
• Is not interoperable with 802.11, 802.11b, 802.11g
802.11g
• Enhancement to and compatible with 802.11b
• 54 Mbps but at shorter ranges than 802.11b
802.11n
• Greater range and reduced interference
• Speed up to 248 Mbps (a draft-802.11n figure; the ratified standard allows up to 600 Mbps)
Wireless Security Threats
Common wireless security threats are:
• Eavesdropping
• Interception and modification of data
• Spoofing
• Freeloading
• Denial of service
• Rogue WAPs
Strategies for Wireless Security
Technology - Description
Wired Equivalent Privacy (WEP)
• Original encryption method for wireless networks (RC4 with a static key and a 24-bit initialization vector)
• Considered insecure due to small key size and lack of key changes: the IV space is exhausted quickly on a busy network, and every repeated IV reuses the RC4 keystream
Wi-Fi Protected Access (WPA)
• Stronger encryption than WEP (TKIP) and includes per-packet key changes
• Can use certificates (with 802.1X/EAP authentication)
• Partial implementation of the 802.11i specification
WPA2
• Full implementation of the 802.11i specification (AES-CCMP)
802.1X
• Uses RADIUS to authenticate the client before it is granted access to the network
• Can be used with WEP (dynamic keys) and with WPA/WPA2 (Enterprise mode)
Restrict by MAC
• Limit connections by MAC address
• MAC addresses can be spoofed, so this is not a security control on its own
Monitoring
• Find rogue access points
VPN
• Secure and authenticate communication on a wireless network
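The WEP row above attributes the weakness to "small key size and lack of key changes". The following added example (written for this page, not from the course, with a constructed key and constructed frame contents, and with the CRC-32 ICV omitted) shows the concrete consequence: WEP seeds RC4 with IV || key, so two frames that share an IV share a keystream, and XORing their ciphertexts cancels the key out entirely. It also computes the birthday-bound probability that a 24-bit IV repeats after a given number of frames, which is what "lack of key changes" costs on a busy network.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling, then the generator). WEP seeds it with IV || key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV in the clear, then plaintext XOR RC4(IV || key).
    The real frame also carries a CRC-32 ICV inside the ciphertext; it is left out here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def recover_with_reused_iv(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Two frames under the same key and IV share a keystream, so
    C_a XOR C_b = P_a XOR P_b. Knowing P_a (a predictable header, say) yields P_b
    without ever learning the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are not shared")
    a, b = frame_a[3:], frame_b[3:]
    n = min(len(a), len(b), len(known_plaintext_a))
    return bytes(x ^ y ^ p for x, y, p in zip(a[:n], b[:n], known_plaintext_a[:n]))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames`
    randomly chosen IVs. With 24 bits, a few thousand frames is enough to make
    a repeat more likely than not."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit WEP key
    iv = b"\x01\x02\x03"
    fa = wep_encrypt(key, iv, b"GET /index.html HTTP/1.1\r\n")
    fb = wep_encrypt(key, iv, b"user=alice&pw=Winter2008!!")
    print(recover_with_reused_iv(fa, fb, b"GET /index.html HTTP/1.1\r\n"))
    print(round(iv_collision_probability(5000), 3))
```

The attack in recover_with_reused_iv needs no weakness in RC4 itself, only the static key and a repeated IV; WPA's per-packet keying and WPA2's CCMP are the fixes the rest of the table describes.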