Deploying a Secure Network Access Infrastructure, Part 1 - Romano Jerez, Support Professional, Directory Services, Microsoft Corporation (Microsoft Support WebCast, PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
Deploying a Secure Network Access Infrastructure, Part 1
Romano Jerez, Support Professional, Directory Services, Microsoft Corporation
2
Objectives
  • Introduction to Microsoft Windows .NET Server (the
    pre-release name of Windows Server 2003) concepts and
    technologies that permit you to deploy a secure
    network access infrastructure

3
Agenda
  • Secure network access infrastructure
  • Evolution
  • Why integrate network and applications security?
  • How do you integrate network and applications
    security?
  • Microsoft .NET Server goals
  • Microsoft .NET network infrastructure features
  • DHCP, IPSec, IAS, 802.11, Routing and Remote
    Access, VPN

4
Network Access Evolution
How can you get modem access while away?
(Diagram: secured building with static IP addressing)
Local experience? User authentication?
5
Network Access Evolution (2)
(Diagram: static IP for servers, DHCP options, secured building)
How do you solve IP assignment complexity?
6
Network Access Evolution (3)
How can you centralize user authentication for dial-up and Internet?
(Diagram: DHCP, RADIUS, RADIUS proxy, static IP for servers,
dynamic IP with DHCP options, secured building)
How do you fix clear-text passwords? Move from PAP to CHAP
7
Network Access Evolution (4)
(Diagram: DHCP, RADIUS, static IP for servers, dynamic IP with
DHCP options, secured building)
How can you use the Internet link for remote access?
PPTP goals: secure corpnet access over the Internet; support the
existing dial infrastructure
PPTP remote access VPN (Microsoft, 1996)
8
Network Access Evolution (5)
(Diagram: DHCP, RADIUS, static IP for servers, dynamic IP with
DHCP options, secured building)
How do you do two-way authentication? PAP, CHAP, MS-CHAP
(mutual authentication arrives with MS-CHAPv2)
How can you strengthen encryption? IPSec-based VPNs
9
Network Access Evolution (6)
(Diagram: DHCP, RADIUS, static IP for servers, dynamic IP with
DHCP options, secured building)
  • PPTP: low cost, simple
  • L2TP/IPSec: increased security, complex
  • IPSec tunnel mode: proprietary extensions, modified
    security model, complex
10
Network Access Evolution (7)
(Diagram: DHCP, RADIUS, static IP for servers, dynamic IP with
DHCP options, secured building)
How can you protect against eavesdropping? WEP
How do you do secure authentication and improve keying?
How should security apply to wired connections?
802.1x
11
Network Access Evolution (8)
E-mail, Web, File, Print, ERP, Database
Each is just a part of the secure network infrastructure
12
Network Access Evolution (9)
What if the network infrastructure is independent?
(Diagram: e-mail, directory, web, file, print, ERP, database)
How can you
  • use one STRONG credential of your choice?
  • log in in a single step for everything?
  • encrypt across all these models?
  • verify client configuration before access?
  • retain compatibility across operating system
    upgrades?
  • support employees, partners, and customers?
  • centralize all network access policy?
  • update access security without affecting access
    gear?
  • support multivendor gear?


13
Authentication Model
(Diagram: client, service, directory system; services include
file, print, VPN, wireless, database)
  • Authenticate: tell and prove who you are
  • Trust: an authenticated member of a known domain
  • Authorize: grant zero or more accesses to trusted users
14
Authentication Model Variations
(Diagram: IT service and network service, each authenticating
the client; trust relationships marked "?")
Authentication should be end-to-end! Protect from identity theft!
Possible ticket-based trust after authentication (Kerberos)
15
Network Identity and Trust
  • What constitutes user identity?
  • Username, password, token card, certificate,
    group membership, all?
  • If I trust the person, do I trust the computer?
  • What constitutes computer identity?
  • Token, operating system, connection, domain
    membership, system configuration?
  • If I trust the computer, do I trust the user?

Authentication models must be rich
16
Access Model Summary
  • Identity: more than the person
  • Group membership, attributes
  • Authentication: end-to-end
  • Client to authentication service
  • Service may proxy
  • Identity secured end-to-end: avoid identity theft

17
Access Model Summary (2)
  • Network access authorization requires richness
    beyond yes/no
  • Filters, quality of service
  • Authorization requires change over time
  • Quarantine until provisioned, and then expand
  • Parameters for policy may be device/link-specific
  • Architecture requires extensibility
  • Authentication methods will evolve
  • Authorization (particularly for networking) is very
    rich
  • Model should integrate with IT service
    infrastructure

18
Integrating IT and Network Service Access
(Diagram, example of remote access: directory system, network
access control, content/service, access point, client; address
and name domains coordinated, non-conflicting)
19
Integrating IT and Network Service Access (2)
Requirement: interoperable standards and open systems
(Diagram, top to bottom, with annotations:)
Directory system
  • Plug-in authentication model: Kerberos and PKI
  • Authenticate to directory
Network access control
  • Secure AAA channel
  • End-to-end link-neutral encryption as appropriate
Content/service
  • Link-specific encryption as appropriate
Access point
  • Integrated network connectivity with network and
    services: single sign-on integration and
    plug-in authentication model
  • Extensible strong authentication protocol
Client
20
Microsoft Secure Network Access Infrastructure
Interoperable standards and open systems
(Diagram, top to bottom, with annotations:)
Directory system
  • Windows Internet Authentication Service
  • Active Directory, Microsoft CA
  • ADSI with LSA logon
Network access control
  • RADIUS
  • IPSec transport mode
Content/service
  • Any interoperable standards-based access point or
    Windows Routing and Remote Access
  • Link encryption: PPTP, L2TP/IPSec, WEP
Access point
  • Extensible authentication protocol with transport
    layer security services (EAP-TLS and PEAP)
  • Windows 2000, Windows XP
Client
21
Authenticated Access Recap
  • IT service and network access evolved separately
  • Common authentication infrastructure simplifies
    administrator and user experience
  • End-to-end authentication required
  • Do not replicate identity infrastructure
  • Infrastructure requires flexibility
  • Future technologies
  • Richness for network access requirements
  • Interoperable standards exist now
  • Windows integrates them

22
IPv4 Reachability Model
  • NAT
    • Translates Net 1 address to shared public net
      address
    • Uses source, destination address, and port
      mappings
  • Remote Access Server
    • Provides remote client with a second network
      identity on Net 2
    • Client has its private address identity and
      address identity on Net 2
  • Security boundary between networks

Address and name space translation due to IPv4
limitations
23
IPv4 Reachability Issues
  • NAT
    • Blocks reachability of Net 1 systems as
      listeners
    • Breaks protocol integrity where the packet interior
      must be consistent with the IP header
    • Blocks IPSec-based remote access (NAT rewrites the
      header that AH protects and cannot map ESP flows
      without UDP encapsulation)
  • Remote Access Server
    • Requires a special connect process by the user
    • Interferes with network service access
    • Security risk of the client acting as a router
    • Client configuration complexity
    • Performance bottleneck
    • Reachability conflicts for systems with
      identical addresses if Net 1 and Net 2 overlap

24
Reachability Solution
  • Short term mitigation of IPv4 related issues
  • Long term solution with IPv6
  • Single IP address space for all networks
  • Remove address constraints of IPv4
  • Remove address conflicts associated with IPv4
  • Preserve security boundary but minimize side
    effects

25
DHCP
  • What's new?
    • Back-up and restore
    • Command-line/UI parity
    • Classless Static Routes (CSR)
  • Impact
    • Simplifies system recovery/duplication (network
      administrator)
    • Simplifies split tunneling management (network
      administrator)
  • Windows 2000 and Windows NT interoperability
    • Service works in both environments
    • Requires a Windows XP client to benefit from CSR
  • Availability improvement
    • Better back-up and replication
  • 64-bit compatible
    • Yes

26
IPSec
  • What's new?
  • Enhanced monitoring/logging
  • Command-line tool improvements
  • Active Directory policies for filters on dynamic
    services
  • Certificate-based authorization
  • 2048 bit Diffie-Hellman key strength
  • Network Load Balancing support
  • Performance enhancements
  • DoS detection/protection
  • IPSec policy versioning
  • NAT traversal

27
IPSec Policy Versioning
  • Issue
    • IPSec policies are attribute-value pairs
    • Common engine for IKE policy negotiation and the
      client's local policy store
    • Clients discard unknown policies
    • New IPSec versions get new policies
    • Old clients discard new policies when found
    • For example, a Windows 2000 client managing policy
      for .NET/XP systems
  • Solution
    • When storing a policy, save unknown policies even
      if they are not interpreted in IKE
    • Requires a Windows 2000 update

28
IPSec NAT Traversal: Remote Access VPN
(Diagram: client behind one or two NATs, gateway)
  • No NAT changes to support IPSec remote access
  • Overcome IPSec-aware NAT challenges
  • Overcome IKE fragmenting
  • IETF NAT traversal standard in progress (later
    published as RFC 3947 and RFC 3948)
  • Microsoft driven, Cisco in agreement
  • How it works (zero-configuration solution)
    • IKE negotiation detects NAT presence and peer
      capability
    • If NAT and NAT-T support on both end-points:
      encapsulates IPSec (ESP) in a UDP header on port
      4500
    • Connectivity verified by the remote access client:
      certificate okay? Firewall blocking UDP 500/4500?
  • What is updated: IPSec, Routing and Remote
    Access, remote access client
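
The detection step above ("IKE negotiation detects NAT presence and peer capability") works by each peer sending NAT-D hashes of the addresses it believes are in use, so that an address rewritten on the path shows up as a hash that matches nothing. The following Python is an added illustration, not code from the presentation or from Windows: it models the NAT-D computation of RFC 3947 and the encapsulation choice that follows, on a constructed topology. The addresses, IKE cookies and the choice of SHA-1 as the negotiated hash are assumptions.

```python
import hashlib
import socket
import struct


def nat_t_vendor_id():
    """Vendor ID payload that advertises RFC 3947 support: MD5 of the text "RFC 3947".
    Peers that both sent it are NAT-T capable (earlier drafts used other strings)."""
    return hashlib.md5(b"RFC 3947").digest()


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte
    order, using the hash negotiated in IKE phase 1 (SHA-1 assumed here)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_d_payloads(cky_i, cky_r, remote, local_addrs):
    """Payloads a peer sends: first the address it is sending TO, then each of its own."""
    return [nat_d_hash(cky_i, cky_r, *remote)] + [nat_d_hash(cky_i, cky_r, *a) for a in local_addrs]


def detect_nat(cky_i, cky_r, received, observed_src, observed_dst):
    """Receiver's view. observed_src/observed_dst are the IP:port actually seen on the
    packet that carried the payloads. A hash that matches no real address means a NAT
    rewrote that address somewhere on the path."""
    we_are_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, *observed_dst)
    peer_is_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in received[1:]
    return we_are_behind_nat, peer_is_behind_nat


def choose_encapsulation(nat_detected, both_support_nat_t):
    """Outcome of the negotiation: native ESP (IP protocol 50); ESP inside UDP/4500 with
    IKE moving to 4500 as well (RFC 3948); or no connectivity when NAT-T is unavailable."""
    if not nat_detected:
        return ("esp", None)
    if both_support_nat_t:
        return ("udp-encapsulated-esp", 4500)
    return ("no-connectivity", None)


def remote_access_scenario():
    # Constructed topology: VPN client 192.168.1.10 behind a home NAT that rewrites it to
    # 203.0.113.5; gateway 198.51.100.1 is directly reachable. Cookies are constructed too.
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    client, client_public, gateway = ("192.168.1.10", 500), ("203.0.113.5", 500), ("198.51.100.1", 500)

    # Gateway -> client: it hashes the public address it replies to, then its own address.
    from_gateway = nat_d_payloads(cky_i, cky_r, remote=client_public, local_addrs=[gateway])
    client_view = detect_nat(cky_i, cky_r, from_gateway, observed_src=gateway, observed_dst=client)

    # Client -> gateway: it hashes the gateway address, then its private address.
    from_client = nat_d_payloads(cky_i, cky_r, remote=gateway, local_addrs=[client])
    gateway_view = detect_nat(cky_i, cky_r, from_client, observed_src=client_public, observed_dst=gateway)

    # Capability: both sides listed the RFC 3947 Vendor ID among the ones they sent.
    client_vids, gateway_vids = [nat_t_vendor_id()], [b"some-other-vendor-id", nat_t_vendor_id()]
    both_nat_t = nat_t_vendor_id() in client_vids and nat_t_vendor_id() in gateway_vids
    return {
        "client_view": client_view,      # (I am behind NAT, the peer is behind NAT)
        "gateway_view": gateway_view,
        "encapsulation": choose_encapsulation(any(client_view), both_nat_t),
    }
```

The client concludes that it, not the gateway, sits behind a NAT, the gateway reaches the mirror-image conclusion from the rewritten source address, and both switch IKE and ESP to UDP 4500, which is the port the slide's "firewall blocking UDP port?" check has to cover.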

29
Internet Authentication Service: Remote
Authentication Dial-In User Service (RADIUS)
  • Authentication, authorization, and accounting
    service for network access
  • Central access policy and accounting management
  • Extensible authorization model
  • UDP channel authenticated with a shared secret: an
    MD5 authenticator on each packet (plus an HMAC
    Message-Authenticator for EAP); only selected
    attributes such as User-Password are hidden, the
    rest of the packet is cleartext on the wire
  • Shared key authentication
  • Client-to-server (gateway to server) session
  • End-to-end authentication: computer to RADIUS
    server
  • Proxy (gateway to proxy to server)

(Diagram: RADIUS client, RADIUS proxies, RADIUS server)
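
To make the shared-secret point concrete, here is an added Python example (not code from the presentation or from IAS) that builds an Access-Request and a response the way RFC 2865 and RFC 2869 describe them, then shows what an observer on the gateway-to-server path can and cannot do. The secret, user name, password and NAS address are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 and RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def attribute(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet):
    """(type, value, offset_of_value) triples from the area after the 20-byte header."""
    out, i, end = [], 20, struct.unpack("!H", packet[2:4])[0]
    while i + 2 <= end:
        attr_type, length = packet[i], packet[i + 1]
        out.append((attr_type, packet[i + 2:i + length], i + 2))
        i += length
    return out


def hide_password(secret, request_auth, password):
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous block), the
    first with MD5(secret + Request Authenticator). Obfuscation keyed by the shared
    secret, not a cipher: whoever holds the secret can reverse it, nobody else can."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret, request_auth, hidden):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, request_auth=None):
    """Access-Request from a NAS: User-Name travels in the clear, User-Password hidden,
    and a Message-Authenticator (HMAC-MD5 keyed with the secret) covers the whole packet."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable in real use
    body = (attribute(USER_NAME, username)
            + attribute(USER_PASSWORD, hide_password(secret, request_auth, password))
            + attribute(NAS_IP_ADDRESS, bytes([198, 51, 100, 7])))  # constructed NAS address
    mac_at = 20 + len(body) + 2                      # value offset of the attribute added next
    body += attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:mac_at] + mac + pkt[mac_at + 16:]


def verify_message_authenticator(secret, pkt):
    for attr_type, value, at in parse_attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:at] + b"\x00" * 16 + pkt[at + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False   # an EAP-carrying Access-Request without this attribute must be dropped


def build_response(secret, code, ident, request_auth, attrs=()):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(secret, request_auth, pkt):
    """The NAS must check this before acting on an Accept: it binds the reply to the
    request it sent and to the secret."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def demo():
    secret = b"example-shared-secret"          # constructed
    request_auth = bytes(range(16))            # fixed only to keep the example reproducible
    req = build_access_request(secret, 7, b"tsmith", b"Hunter2!", request_auth)
    on_wire = {t: v for t, v, _ in parse_attributes(req)}
    reject = build_response(secret, ACCESS_REJECT, 7, request_auth)
    # An on-path attacker without the secret flips the code byte to "Accept".
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "user_readable_on_wire": on_wire[USER_NAME],
        "password_readable_on_wire": on_wire[USER_PASSWORD] == b"Hunter2!".ljust(16, b"\x00"),
        "password_with_secret": reveal_password(secret, request_auth, on_wire[USER_PASSWORD]),
        "request_mac_ok": verify_message_authenticator(secret, req),
        "genuine_reject_ok": verify_response(secret, request_auth, reject),
        "forged_accept_ok": verify_response(secret, request_auth, forged),
    }
```

User-Name, NAS-IP-Address and every other attribute are readable by anyone on the path; only the password field and the authenticators depend on the secret. That is why the slides insist on EAP-TLS or PEAP for the client-to-server leg, and why the gateway-to-server hop needs the "secure AAA channel" of slide 19 rather than a bare UDP path across an untrusted network.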
30
Internet Authentication Service (2): Remote
Authentication Dial-In User Service (RADIUS)
  • What's new?
  • Secure wireless deployment
    • 802.1x
    • Certificate object identifier (also known as OID)
      checking for wireless use
    • Password-based wireless authentication
  • XML-SQL database logging
  • Cross-forest support without a RADIUS proxy
  • Proxy capability
  • RADIUS attribute filtering
  • Client policy check/quarantine access

31
Internet Authentication Service: Secure Wireless
Deployment
  • Barriers to effective 802.11 security management
    • Access control (who accesses the network)
    • Static keys are vulnerable to theft
    • Management of static WEP keys
    • Static keys make WEP vulnerable (WEP's RC4 keying
      is weak even with per-session keys, so dynamic WEP
      keying is a mitigation, not a fix)
  • Windows .NET and Windows XP solution
    • 802.1x: binds EAP to 802.11
    • Authentication and key generation
    • Add 802.1x authentication to IAS
    • Wireless connection type, object identifier
      checking

32
Internet Authentication Service (2): Secure
Wireless Deployment
  • Issue: not all customers deploy PKI
  • MS-CHAPv2 over Protected EAP
    • PEAP: new EAP method
    • One encrypted channel to host multiple EAP
      authentications
    • Establishes keys for encryption use
    • The authentication server (IAS) requires a
      certificate to prevent man-in-the-middle: the
      client verifies the server; the access point only
      relays EAP and needs no certificate of its own
  • MS-CHAPv2 used through PEAP
    • Encrypts the MS-CHAPv2 authentication between
      client and RADIUS server
    • Prevents offline dictionary attacks, provided the
      client validates the server certificate; a client
      configured to skip validation will hand its
      MS-CHAPv2 response to a rogue access point
  • Updates to IAS, Windows XP client

33
Internet Authentication Service: XML-SQL Logging
(Diagram: RADIUS events from wireless access points logged by
IAS servers to SQL Servers using XML-SQL; SQL consolidation into
an event main index and event data records)
  • High-Scale Query Capable Logging
  • Discover hackers vs. password failure
  • Identify session behavior
  • Identify deployment blockers/issues
  • Customizable reports
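
One of the queries this slide has in mind ("discover hackers vs. password failure") can be written as detection logic over the consolidated events. The Python below is an added example, not the presentation's or IAS's code. The events are constructed and do not follow the IAS log layout (a real deployment would select the equivalent columns from the SQL tables IAS writes to), and the window and thresholds are assumptions to tune against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events: (timestamp, user, RADIUS client address, result).
SAMPLE_EVENTS = [
    ("2003-03-01T08:00:01", "tsmith", "198.51.100.7", "reject"),
    ("2003-03-01T08:00:20", "tsmith", "198.51.100.7", "accept"),   # one typo, then success
] + [
    ("2003-03-01T09:%02d:00" % m, "jpeters", "198.51.100.9", "reject") for m in range(12)   # one account hammered
] + [
    ("2003-03-01T10:00:%02d" % s, user, "203.0.113.44", "reject")
    for s, user in enumerate(["a.lee", "b.kim", "c.ng", "d.ortiz", "e.roy", "f.yu"])   # many accounts, one source
]


def max_events_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    timestamps = sorted(timestamps)
    best = lo = 0
    for hi, ts in enumerate(timestamps):
        while ts - timestamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def max_distinct_users_in_window(items, window):
    """items: (timestamp, user) pairs. Largest number of distinct users failing inside one window."""
    items = sorted(items)
    in_window, best, lo = defaultdict(int), 0, 0
    for hi, (ts, user) in enumerate(items):
        in_window[user] += 1
        while ts - items[lo][0] > window:
            old = items[lo][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            lo += 1
        best = max(best, len(in_window))
    return best


def triage(events, window=timedelta(minutes=15), brute_threshold=10, spray_threshold=5):
    """Separate attack patterns from ordinary password failures.
    brute force: one account, many rejects in the window
    password spray: one RADIUS client, rejects for many distinct accounts in the window
    benign: a reject followed by an accept for the same account"""
    by_user, by_nas = defaultdict(list), defaultdict(list)
    for ts, user, nas, result in events:
        ts = datetime.fromisoformat(ts)
        by_user[user].append((ts, result))
        by_nas[nas].append((ts, user, result))
    findings = {"brute_force_user": [], "password_spray_source": [], "benign_failure": []}
    for user, rows in sorted(by_user.items()):
        rejects = [ts for ts, r in rows if r == "reject"]
        if max_events_in_window(rejects, window) >= brute_threshold:
            findings["brute_force_user"].append(user)
        elif rejects and any(r == "accept" for _, r in rows):
            findings["benign_failure"].append(user)
    for nas, rows in sorted(by_nas.items()):
        failures = [(ts, u) for ts, u, r in rows if r == "reject"]
        if max_distinct_users_in_window(failures, window) >= spray_threshold:
            findings["password_spray_source"].append(nas)
    return findings
```

The spray case is the one a per-user threshold never catches, because each account fails only once; keying the second pass on the RADIUS client address is what surfaces it, and it is the kind of query that is painful against flat text logs and straightforward against the SQL store the slide introduces.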

34
Internet Authentication Service: Cross-Forest and
Proxy Support
(Diagram: IAS (RADIUS) with Active Directory in the Dev.corp
forest and the Hr.corp forest; users tsmith@hr.corp,
sdavis@dev.corp, jpeters@dev.corp)
  • Use a proxy when
    • Forests do not have a trust
    • You have a geographic failover
    • Using EAP-TLS (certificates) in multiforest
      environments

35
Internet Authentication Service: Quarantined
Client Policy Check
36
Internet Authentication Service (2): Quarantined
Client Policy Check
  • CM (Connection Manager) profile
    • Runs a customizable post-connect script
    • Script runs the RQC notifier with a results string
  • Listener
    • RQS receives the notifier results string
    • Compares results to possible results
    • Removes the time-out if a response is received but
      the client is out of date
    • Removes the quarantine filter if the client is
      up-to-date
  • Quarantine VSAs
    • Timer limits the time window to receive the notify
      before auto disconnect
    • Q-filter sets a temporary route filter to
      quarantine access
  • IAS: all VSA features
  • RRAS: VSA support and API to remove quarantine
  • Resource Kit: RQC, RQS

37
Internet Authentication Service (3): Quarantined
Client Policy Check
(Diagram: client on the Internet, RRAS and IAS on the corpnet)
38
Routing and Remote Access Service: Scale Out and Up
(Diagram: gateway cluster with NLB between the Internet and the
corpnet; client connects to a single IP; ICF (Internet
Connection Firewall) protected)
  • Network Load Balancing updates
    • Aware of IPSec SAs and PPTP as sessions
  • Routing and Remote Access updates
    • Integrates with Network Load Balancing to track
      new and old sessions
    • Stop-drain function

39
Remote Access Client for Windows XP
  • What's new?
    • Split tunneling (enabled through server-side
      release)
    • Remote access diagnostics (new client update)
    • Preshared key (enabled through server-side
      release)
  • Impact
    • Reduced Internet egress load (network
      administrator)
    • VPN plus home peripheral access (end-user)
    • Proactively diagnose remote access issues from
      the client side (network administrator)
    • No-cert L2TP/IPSec deployment (network
      administrator)

40
Remote Access Client for Windows XP (2)
  • Windows 2000 and Windows NT interoperability
    • Environment: yes
    • Not supported on Windows 2000 and Windows NT
      clients
  • Availability improvement
    • Faster diagnosis of infrastructure issues
      increases remote access service availability
  • 64-bit compatible
    • Yes

41
VPN Deployment Scenarios: Without Split Tunneling
(Diagram: client on the Internet, gateway, corpnet)
  • All traffic must pass through the tunnel, including
    traffic destined for the Internet or the local net
  • Benefit of no split tunneling
    • Assures the client is protected by the corporate
      firewall
  • Issues with no split tunneling
    • Increases corporate Internet egress load
    • Slower response for the client (Internet traffic
      takes the extra hop through the corpnet)

42
VPN Deployment Scenarios: With Split Tunneling
(Diagram: client on the Internet, gateway, corpnet; Internet
traffic leaves the client directly)
  • Client route provisioning (server tools managed)
    • Defaults to no split tunnel
    • DHCP options (enabled by the DHCP CSR update)
    • Connection Manager profile (supported for all
      clients)
  • Recommend ICF on the client if split tunneling is
    enabled
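
The DHCP Classless Static Routes option named on slide 25 and again here is what carries the split-tunnel route list to a Windows XP client. The Python below is an added example (not the presentation's or Windows' code) that encodes and decodes the option value in the RFC 3442 layout, which Microsoft's pre-standard option 249 shares byte for byte, and then asks which destinations a client holding those routes would send through the tunnel. The route list and the next-hop address are constructed.

```python
import ipaddress

RFC3442_CLASSLESS_STATIC_ROUTE = 121   # standard option code
MS_CLASSLESS_STATIC_ROUTE = 249        # Microsoft's pre-standard code, same value layout

# Constructed corpnet prefixes and the tunnel interface's next hop.
CORPNET_ROUTES = [("10.0.0.0/8", "10.200.0.1"), ("172.16.0.0/12", "10.200.0.1")]
FULL_TUNNEL = [("0.0.0.0/0", "10.200.0.1")]   # no split tunnel: everything goes through


def encode_classless_routes(routes):
    """routes: [(destination CIDR, next hop)] -> option value. Each route is one byte of
    prefix length, only the significant octets of the destination, then the 4-byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)      # reject host bits in the prefix
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    if len(out) > 255:
        raise ValueError("too long for one option; split across repeated options")
    return bytes(out)


def decode_classless_routes(value):
    """Inverse of encode_classless_routes, with the bounds checks a client should apply."""
    routes, i = [], 0
    while i < len(value):
        prefixlen = value[i]
        significant = (prefixlen + 7) // 8
        if prefixlen > 32 or i + 5 + significant > len(value):
            raise ValueError("malformed classless static route option")
        dest = value[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = value[i + 1 + significant:i + 5 + significant]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{prefixlen}",
                       str(ipaddress.IPv4Address(router))))
        i += 5 + significant
    return routes


def is_well_formed(value):
    try:
        decode_classless_routes(value)
        return True
    except ValueError:
        return False


def dhcp_option(code, value):
    """Option TLV as it appears in the DHCP options field."""
    return bytes([code, len(value)]) + value


def tunnel_next_hop(routes, destination):
    """Longest-prefix match: the next hop the tunnel routes give this destination, or None
    when the client would use its own local default route (split tunneling)."""
    ip = ipaddress.IPv4Address(destination)
    best = None
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, router)
    return best[1] if best else None
```

With CORPNET_ROUTES installed, a corpnet address resolves to the tunnel and an Internet address to None (the local interface), which is the split that the "recommend ICF on the client" bullet is reacting to; with FULL_TUNNEL every destination resolves to the tunnel. RFC 3442 also requires a client that receives this option to ignore the Router (3) option, so the default route is under the option's control either way.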

43
VPN Deployment Scenarios: Remote Access
Diagnostics and Preshared Key
(Diagram: client on the Internet, corpnet)
  • RASDIAG (Windows XP client update with .NET
    Server)
    • Appears on error or by CM profile
    • Logs all client activity
    • Can self-mail to the administrator
  • Preshared key (Windows XP client update with
    .NET Server)
    • One key for all clients: it authenticates only the
      IPSec leg between machine and gateway, it is
      exposed if any client holding it is compromised,
      and user authentication still runs over PPP inside
      the tunnel

44
Wrap Up
  • Network authentication, authorization, and
    accounting must be integrated with directory
  • Networks evolved out of connectivity needs
  • Authentication/authorization models for networks
    and information services developed independently
  • Resulting in redundant identity infrastructures
  • User identity and group membership should be
    centralized
  • Network authentication is an end-to-end problem
    that requires more richness and extensibility
    than a certificate or ticket

45
Additional Resources
  • http://www.microsoft.com/vpn/
  • http://www.microsoft.com/security/
  • http://www.microsoft.com/ipv6/
  • http://www.microsoft.com/net/

46
  • Thank you for joining today's Microsoft Support
    WebCast.
  • For information about all upcoming Support
    WebCasts, and access to the archived content
    (streaming media files, PowerPoint slides, and
    transcripts), visit
    http://support.microsoft.com/webcasts/
  • Your feedback is sincerely appreciated. Please
    send any comments or suggestions about the Support
    WebCasts to supweb@microsoft.com.