Title: Deploying a Secure Network Access Infrastructure Part 1 Romano Jerez Support Professional Directory
1 Deploying a Secure Network Access Infrastructure, Part 1
Romano Jerez, Support Professional, Directory Services, Microsoft Corporation
2 Objectives
- Introduction to the Microsoft Windows .NET Server concepts and technologies that permit you to deploy a secure network access infrastructure
3 Agenda
- Secure network access infrastructure
  - Evolution
  - Why integrate network and application security?
  - How do you integrate network and application security?
- Microsoft .NET Server goals
- Microsoft .NET network infrastructure features
  - DHCP, IPSec, IAS, 802.11, Routing and Remote Access, VPN
4 Network Access Evolution
[Diagram: a secured building whose hosts use static IP addresses. Callouts: "How can you get modem access while away?" and "Local experience? User authentication?"]

5 Network Access Evolution (2)
[Diagram: the same building; static IP addresses remain for servers, DHCP options appear for clients. Callout: "How do you solve IP assignment complexity?"]

6 Network Access Evolution (3)
[Diagram adds DHCP (dynamic IP addresses and DHCP options), a RADIUS server and a RADIUS proxy, and PAP/CHAP on the dial-up link. Callouts: "How can you centralize user authentication for dial-up and Internet?" (RADIUS) and "How do you fix clear-text passwords?" (CHAP in place of PAP)]

7 Network Access Evolution (4)
[Diagram adds a PPTP remote access VPN (Microsoft, 1996). Callout: "How can you use the Internet link for remote access?"]
- PPTP goals: secure corpnet access over the Internet; support the existing dial infrastructure

8 Network Access Evolution (5)
[Diagram as before. Callouts: "How do you do two-way authentication?" (PAP, CHAP, MS-CHAP) and "How can you strengthen encryption?" (IPSec-based VPNs)]

9 Network Access Evolution (6)
[Diagram as before.] VPN choices:
- PPTP: low cost, simple
- L2TP/IPSec: increased security, complex
- IPSec tunnel mode: proprietary, modified security model, complex

10 Network Access Evolution (7)
[Diagram adds 802.11 wireless. Callouts: "How can you protect against eavesdropping?" (WEP), "How do you do secure authentication and improve keying?" and "How should security apply to wired connections?" (802.1X)]
11 Network Access Evolution (8)
[Diagram: e-mail, web, file, print, ERP and database services.] Each is just a part of a secure network infrastructure.

12 Network Access Evolution (9)
[Diagram: the same services (e-mail, web, file, print, ERP, database) alongside a directory.] What if the network infrastructure is independent? How can you
- use one STRONG credential of your choice?
- log in in a single step for everything?
- encrypt across all these models?
- verify client configuration before access?
- retain compatibility across operating system upgrades?
- support employees, partners, and customers?
- centralize all network access policy?
- update access security without affecting access gear?
- support multivendor gear?
13 Authentication Model
[Diagram: client, service (file, print, VPN, wireless, database) and directory system.]
- Authenticate: tell and prove who you are
- Trust: authenticated member of a known domain
- Authorize: grant zero or more accesses to trusted users

14 Authentication Model Variations
[Diagram: client, IT service, network service and directory system, with the service-to-directory hops marked "?".]
- Authentication should be end-to-end! Protect from identity theft!
- Possible ticket-based trust after authentication (Kerberos)
15 Network Identity and Trust
- What constitutes user identity?
  - Username, password, token card, certificate, group membership, all of them?
- If I trust the person, do I trust the computer?
- What constitutes computer identity?
  - Token, operating system, connection, domain membership, system configuration?
- If I trust the computer, do I trust the user?
Authentication models must be rich.

16 Access Model Summary
- Identity is more than the person
  - Group membership, attributes
- Authentication is end-to-end
  - Client to authentication service
  - Service may proxy
- Identity secured end-to-end: avoid identity theft

17 Access Model Summary (2)
- Network access authorization requires richness beyond yes/no
  - Filters, quality of service
- Authorization requires change over time
  - Quarantine until provisioned, and then expand
  - Parameters for policy may be device/link-specific
- Architecture requires extensibility
  - Authentication methods will evolve
  - Authorization (particularly for networking) is very rich
  - Model should integrate with the IT service infrastructure
18 Integrating IT and Network Service Access
[Diagram, remote access example: client, access point, content/service, network access control and directory system, with address/name domains coordinated (non-conflicting).]

19 Integrating IT and Network Service Access (2)
Requirement: interoperable standards and open systems
- Directory system: plug-in authentication model (Kerberos and PKI); authenticate to the directory
- Network access control: secure AAA channel
- Content/service: end-to-end, link-neutral encryption as appropriate
- Access point: link-specific encryption as appropriate
- Client: integrated network connectivity with network and services, single sign-on integration and plug-in authentication model; extensible strong authentication protocol

20 Microsoft Secure Network Access Infrastructure
Interoperable standards and open systems
- Directory system: Active Directory, Microsoft CA; ADSI with LSA logon
- Network access control: Windows Internet Authentication Service (RADIUS)
- Content/service: IPSec transport mode
- Access point: any interoperable standards-based access point or Windows Routing and Remote Access; link encryption with PPTP, L2TP/IPSec, WEP
- Client: Windows 2000, Windows XP; Extensible Authentication Protocol with transport layer security services (EAP-TLS and PEAP)
21 Authenticated Access Recap
- IT service and network access evolved separately
- A common authentication infrastructure simplifies the administrator and user experience
- End-to-end authentication is required
- Do not replicate identity infrastructure
- Infrastructure requires flexibility
  - Future technologies
  - Richness for network access requirements
- Interoperable standards exist now
  - Windows integrates them
22 IPv4 Reachability Model
- NAT
  - Translates Net 1 addresses to a shared public network address
  - Uses source address, destination address and port mappings
- Remote Access Server
  - Provides the remote client with a second network identity on Net 2
  - Client has its private address identity and an address identity on Net 2
  - Security boundary between networks
Address and name space translation is a consequence of IPv4 limitations.

23 IPv4 Reachability Issues
- NAT
  - Blocks reachability of Net 1 systems as listeners
  - Breaks protocol integrity where the packet interior must be consistent with the IP header
  - Blocks IPSec-based remote access (addressed by NAT traversal, slide 28)
- Remote Access Server
  - Requires a special connect process by the user
  - Interferes with network service access
  - Security risk of the client acting as a router
  - Client configuration complexity
  - Performance bottleneck
  - Reachability conflicts for systems with identical addresses if Net 1 and Net 2 overlap

24 Reachability Solution
- Short term: mitigation of IPv4-related issues
- Long term: solution with IPv6
  - Single IP address space for all networks
  - Remove address constraints of IPv4
  - Remove address conflicts associated with IPv4
  - Preserve the security boundary but minimize side effects
25 DHCP
- What's new?
  - Back-up and restore
  - Command-line/UI parity
  - Classless Static Routes (CSR)
- Impact
  - Simplifies system recovery/duplication (network administrator)
  - Simplifies split tunneling management (network administrator)
- Windows 2000 and Windows NT interoperability
  - Service works in both environments
  - Requires a Windows XP client to benefit from CSR
- Availability improvement
  - Better back-up and replication
- 64-bit compatible
  - Yes
26 IPSec
- What's new?
  - Enhanced monitoring/logging
  - Command-line tool improvements
  - Active Directory policies for filters on dynamic services
  - Certificate-based authorization
  - 2048-bit Diffie-Hellman key strength
  - Network Load Balancing support
  - Performance enhancements
  - DoS detection/protection
  - IPSec policy versioning
  - NAT traversal
27 IPSec Policy Versioning
- Issue
  - IPSec policies are attribute-value pairs
  - A common engine handles IKE policy negotiation and the client's local policy store
  - Clients discard unknown policies
    - In IKE negotiation and in the local policy store
  - New IPSec versions get new policies
  - Old clients discard new policies when found
    - For example, a Windows 2000 client managing policy for .NET/XP systems
- Solution
  - When storing a policy, save unknown policies even if they are not interpreted in IKE
  - Requires a Windows 2000 update
28 IPSec NAT Traversal: Remote Access VPN
[Diagram: client behind a NAT, a second NAT, and the gateway.]
- No NAT changes are needed to support IPSec remote access
- Overcomes the challenges of IPSec-aware NATs
- Overcomes IKE fragmenting
- IETF NAT traversal standard in progress
  - Microsoft-driven, Cisco in agreement
- How it works (zero-configuration solution)
  - IKE negotiation detects NAT presence and peer capability
  - If there is a NAT and both end-points support NAT-T
    - Encapsulates IPSec in a UDP header
  - Connectivity verified by the remote access client
    - Certificate okay? Firewall blocking the UDP port?
- What is updated: IPSec, Routing and Remote Access, remote access client
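The NAT detection and UDP encapsulation described above, as an added example that is not part of the slide deck or of the Windows implementation. It follows the form the in-progress IETF draft later took (RFC 3947 NAT-D payloads hashed with the negotiated IKE hash, SHA-1 assumed here, and RFC 3948 UDP-encapsulated ESP on port 4500), so the exact layouts are an assumption about what the shipped draft did; the cookies, addresses and packet bytes are constructed. It also shows why the slide's "Firewall blocking the UDP port?" check matters: once a NAT is detected both IKE and ESP float to UDP 4500, which the firewall must pass in addition to UDP 500.

```python
"""IKE NAT detection and UDP encapsulation for IPSec remote access behind NAT.

Added example, not the deck's code. Layouts follow RFC 3947 (NAT-D) and
RFC 3948 (UDP-encapsulated ESP); cookies, addresses and packets are constructed.
"""
import hashlib
import hmac
import socket
import struct

IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # distinguishes IKE from ESP on port 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), SHA-1 assumed as the negotiated hash."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def detect_nat(cky_i, cky_r, my_addr, peer_observed, peer_nat_d_for_peer, peer_nat_d_for_me):
    """Run by either side after receiving the peer's two NAT-D payloads.

    my_addr:             (ip, port) I believe I am using
    peer_observed:       (ip, port) seen in the IP/UDP headers of the peer's packet
    peer_nat_d_for_peer: hash the peer computed over the address it believes it has
    peer_nat_d_for_me:   hash the peer computed over my address as the peer sees it
    A mismatch means a NAT rewrote that address (or port) somewhere on the path.
    """
    peer_behind_nat = not hmac.compare_digest(
        nat_d_hash(cky_i, cky_r, *peer_observed), peer_nat_d_for_peer)
    i_am_behind_nat = not hmac.compare_digest(
        nat_d_hash(cky_i, cky_r, *my_addr), peer_nat_d_for_me)
    return {"peer_behind_nat": peer_behind_nat,
            "i_am_behind_nat": i_am_behind_nat,
            "float_to_4500": peer_behind_nat or i_am_behind_nat}


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP payload for ESP: the ESP header sits directly after UDP. SPI 0 is reserved
    so the receiver can tell ESP from the four-zero-byte IKE marker."""
    spi = struct.unpack("!I", esp_packet[:4])[0]
    if spi == 0:
        raise ValueError("SPI 0 would be confused with the non-ESP marker")
    return esp_packet


def encapsulate_ike(ike_packet: bytes) -> bytes:
    """UDP payload for IKE on port 4500: marker first, then the IKE header."""
    return NON_ESP_MARKER + ike_packet


def demux_4500(udp_payload: bytes):
    """Receiver side on port 4500: returns ('ike', body) or ('esp', body)."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike", udp_payload[4:]
    return "esp", udp_payload


def gateway_view_of_roaming_client():
    """Constructed scenario: client 10.0.0.5:500 behind a NAT that presents
    203.0.113.7:61000 to the gateway 198.51.100.1:500. The client hashes the
    addresses *it* knows; the gateway recomputes with what it actually saw."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    client_sends_for_self = nat_d_hash(cky_i, cky_r, "10.0.0.5", IKE_PORT)
    client_sends_for_gw = nat_d_hash(cky_i, cky_r, "198.51.100.1", IKE_PORT)
    return detect_nat(cky_i, cky_r,
                      my_addr=("198.51.100.1", IKE_PORT),
                      peer_observed=("203.0.113.7", 61000),
                      peer_nat_d_for_peer=client_sends_for_self,
                      peer_nat_d_for_me=client_sends_for_gw)


if __name__ == "__main__":
    print(gateway_view_of_roaming_client())
```

Because the hash covers the port as well as the address, a NAT that keeps the IP but rewrites the source port is still detected; that is what "zero configuration" rests on, the client never has to be told it is behind a NAT.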
29 Internet Authentication Service: Remote Authentication Dial-In User Service (RADIUS)
- Authentication, authorization, and accounting service for network access
  - Central access policy and accounting management
- Extensible authorization model
- UDP channel protected by a shared key
  - Shared-key authentication of replies; the User-Password attribute is hidden under the shared secret, other attributes are not encrypted
  - Client-to-server (gateway to server) session
  - End-to-end authentication from the computer to the RADIUS server
  - Proxy (gateway to proxy to server)
[Diagram: RADIUS client, RADIUS proxies, RADIUS server.]
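What the shared key on the gateway-to-server hop actually protects, as an added example (not code from the deck or from IAS): the User-Password hiding and the Response Authenticator from RFC 2865, written out so the limits are visible. The secret, user name and addresses are constructed.

```python
"""RADIUS Access-Request / Access-Accept with shared-secret protection (RFC 2865).

Added example, not code from the slide deck. The User-Password attribute is
XOR-hidden under MD5(secret | Request Authenticator) and the reply carries a
Response Authenticator = MD5(reply header | Request Authenticator | attributes | secret).
User-Name and every other attribute travel in the clear, and the only replay
defence is the per-request random authenticator, which is why EAP-TLS and PEAP
carry their own end-to-end protection on top of this hop.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, XOR each block with a chained MD5 mask."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # the next mask is keyed on the previous *hidden* block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the secret and a sniffed packet can run this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")  # strip the zero padding (a password may not contain NUL)


def attribute(atype: int, value: bytes) -> bytes:
    """Type, length (including the two header octets), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """TLV walk over the attribute area; shows that only User-Password is obscured."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(secret, user, password, nas_ip, ident=0, authenticator=None):
    """What the NAS (gateway) sends. The Request Authenticator is fresh random per request."""
    auth = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(secret, auth, password))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_reply(secret, code, ident, request_authenticator, attrs=b""):
    """What the RADIUS server sends back; the reply is bound to the request's authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_reply(secret, reply, request_authenticator) -> bool:
    """NAS-side check that the Accept/Reject really came from a holder of the secret."""
    header, given, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(given, expected)
```

A proxy in the path (the "gateway to proxy to server" case on the slide) terminates this protection: it needs the secret to unhide the password and re-hide it for the next hop, so every proxy sees the clear password and must be trusted accordingly.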
30 Internet Authentication Service (2): Remote Authentication Dial-In User Service (RADIUS)
- What's new?
  - Secure wireless deployment
    - 802.1X
    - Certificate object identifier (also known as OID) checking for wireless use
    - Password-based wireless authentication
  - XML-SQL database logging
  - Cross-forest support without a RADIUS proxy
  - Proxy capability
    - RADIUS attribute filtering
  - Client policy check/quarantine access
31 Internet Authentication Service: Secure Wireless Deployment
- Barriers to effective 802.11 security management
  - Access control (who accesses the network)
  - Static keys are vulnerable to theft
  - Management of static WEP keys
  - Static keys make WEP vulnerable
- Windows .NET and Windows XP solution
  - 802.1X binds EAP to 802.11
    - Authentication and key generation
  - Add 802.1X authentication to IAS
    - Wireless connection type, object identifier checking

32 Internet Authentication Service (2): Secure Wireless Deployment
- Issue: not all customers deploy PKI
- MS-CHAPv2 over Protected EAP
  - PEAP: new EAP method
    - One encrypted channel hosts multiple EAP authentications
    - Establishes keys for encryption use
    - The authentication server (IAS, reached through the access point) requires a certificate to prevent man-in-the-middle attacks: the client verifies the server before sending anything through the tunnel
  - MS-CHAPv2 used through PEAP
    - Encrypts the MS-CHAPv2 authentication between client and RADIUS server
    - Prevents offline dictionary attacks, provided the client actually validates the server certificate; a client that skips that check will still answer a rogue access point's challenge
  - Updates to IAS and the Windows XP client
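Why the "offline dictionary attack" line above matters, as an added example that is not the deck's code. A password method run in the clear over the air lets an eavesdropper, or a rogue access point that issues its own challenge, take the exchange away and test candidates without ever talking to the server. MS-CHAPv2, which the slide names, uses MD4/DES and a longer response, but the attack has the same shape; the short RFC 1994 CHAP derivation is used here so it fits in one screen, and the wordlist, password and challenges are constructed.

```python
"""Offline dictionary attack on a captured challenge/response exchange.

Added example, not the deck's code. Uses RFC 1994 MD5-CHAP as a stand-in for
MS-CHAPv2 (same attack shape, shorter derivation). All inputs are constructed.
"""
import hashlib
import os
from typing import Iterable, Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1 (MD5): Response = MD5(Identifier | secret | Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Replays the hash over a wordlist. Never touches the server: no lockout,
    no audit record, no rate limit. Returns the password or None."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def rogue_ap_capture(identifier: int, user_secret: bytes):
    """What a rogue access point gets for free when the client does not
    authenticate the server: the attacker picks the challenge, the client
    answers. With PEAP the client refuses unless the server certificate checks out,
    and the exchange it would otherwise capture is inside TLS."""
    challenge = os.urandom(16)
    return challenge, chap_response(identifier, user_secret, challenge)


# Constructed wordlist; a real attack uses millions of candidates.
CONSTRUCTED_WORDLIST = [b"password", b"Welcome1", b"Summer2003", b"letmein"]


if __name__ == "__main__":
    ch, resp = rogue_ap_capture(1, b"Summer2003")
    print(offline_dictionary_attack(1, ch, resp, CONSTRUCTED_WORDLIST))
```

The server-side cost of the attack is zero, which is also why the XML-SQL logging on the next slides cannot see it: only an online guess leaves a log line.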
33 Internet Authentication Service: XML-SQL Logging
[Diagram: wireless access points send RADIUS events to IAS servers, which log through XML-SQL to SQL Servers for consolidation; an Event Main (index) table and an Event Data (records) table.]
- High-scale, query-capable logging
  - Discover hackers vs. password failure
  - Identify session behavior
  - Identify deployment blockers/issues
  - Customizable reports
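The "hackers vs. password failure" distinction the logging is meant to support, as an added example of the query logic rather than anything shipped with IAS. The event tuples are constructed and their field names are a simplification, not the IAS database-compatible log schema, so map them to your own columns before running this over real records; the window and count thresholds are assumptions to tune per site.

```python
"""Triage RADIUS authentication rejects: user typo versus attacker.

Added example, not the deck's code. Record layout and thresholds are constructed.
Three patterns are separated:
  spray:       one calling station, many distinct users rejected in a short window
  brute_force: one account rejected many times in a short window, no success
  benign:      a reject that the same user later turns into an accept
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, user, nas_ip, calling_station_id, outcome) -- constructed sample data
SAMPLE_EVENTS = [
    ("2002-11-05 08:01:10", "tsmith",  "10.1.1.2", "00-0a-11-22-33-44", "reject"),
    ("2002-11-05 08:01:25", "tsmith",  "10.1.1.2", "00-0a-11-22-33-44", "accept"),
    ("2002-11-05 08:10:00", "sdavis",  "10.1.1.2", "00-0a-55-66-77-88", "reject"),
    ("2002-11-05 08:10:03", "jpeters", "10.1.1.2", "00-0a-55-66-77-88", "reject"),
    ("2002-11-05 08:10:06", "mlee",    "10.1.1.2", "00-0a-55-66-77-88", "reject"),
    ("2002-11-05 08:10:09", "akhan",   "10.1.1.2", "00-0a-55-66-77-88", "reject"),
    ("2002-11-05 08:10:12", "rgarcia", "10.1.1.2", "00-0a-55-66-77-88", "reject"),
    ("2002-11-05 08:10:15", "bchen",   "10.1.1.2", "00-0a-55-66-77-88", "reject"),
    ("2002-11-05 09:00:00", "admin",   "10.1.1.3", "00-0a-99-99-99-01", "reject"),
    ("2002-11-05 09:00:05", "admin",   "10.1.1.3", "00-0a-99-99-99-01", "reject"),
    ("2002-11-05 09:00:10", "admin",   "10.1.1.3", "00-0a-99-99-99-02", "reject"),
    ("2002-11-05 09:00:15", "admin",   "10.1.1.3", "00-0a-99-99-99-02", "reject"),
    ("2002-11-05 09:00:20", "admin",   "10.1.1.3", "00-0a-99-99-99-03", "reject"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def triage(events, window=timedelta(minutes=5), spray_users=5, brute_attempts=5):
    rejects_by_station = defaultdict(list)   # station -> [(ts, user)]
    rejects_by_user = defaultdict(list)      # user -> [ts]
    accepted_users = set()
    for ts, user, _nas, station, outcome in events:
        if outcome == "reject":
            rejects_by_station[station].append((_ts(ts), user))
            rejects_by_user[user].append(_ts(ts))
        else:
            accepted_users.add(user)

    findings = {"spray": [], "brute_force": [], "benign": []}

    # Spray: from any reject at this station, count distinct users rejected within `window`.
    for station, rejs in rejects_by_station.items():
        rejs.sort()
        for i, (start, _) in enumerate(rejs):
            users = {u for t, u in rejs[i:] if t - start <= window}
            if len(users) >= spray_users:
                findings["spray"].append(station)
                break

    # Brute force on one account versus a user who eventually got in.
    for user, times in rejects_by_user.items():
        times.sort()
        if user in accepted_users:
            # A later accept reads as a typo; a success after a long run of
            # failures is still worth a second look but is not flagged here.
            findings["benign"].append(user)
        elif len(times) >= brute_attempts and times[-1] - times[0] <= window:
            findings["brute_force"].append(user)
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The same grouping is what the "Event Main (index) / Event Data (records)" split in the diagram is for: the index rows give you timestamp, user and station cheaply, and you only pull the full record for the sessions the triage flags.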
34 Internet Authentication Service: Cross-Forest and Proxy Support
[Diagram: one IAS (RADIUS) server in front of two Active Directory forests, Dev.corp and Hr.corp; users tsmith@hr.corp, sdavis@dev.corp and jpeters@dev.corp.]
- Use a proxy when
  - Forests do not have a trust
  - You have a geographic failover
  - Using EAP-TLS (certificates) in multiforest environments
35 Internet Authentication Service: Quarantined Client Policy Check
[Diagram only.]

36 Internet Authentication Service (2): Quarantined Client Policy Check
- CM profile
  - Runs a customizable post-connect script
  - Script runs the RQC notifier with a results string
- Listener
  - RQS receives the notifier results string
  - Compares the results to the possible results
  - Removes the time-out if a response is received but the client is out of date
  - Removes the quarantine filter if the client is up-to-date
- Quarantine VSAs
  - Timer limits the time window to receive the notify before auto-disconnect
  - Q-filter sets a temporary route filter to quarantine access
- IAS: all VSA features
- RRAS: VSA support and API to remove quarantine
- Resource Kit: RQC, RQS
Note that the results string is produced by a script running on the client, so the check verifies what a cooperating client reports about itself, not what a hostile one does.

37 Internet Authentication Service (3): Quarantined Client Policy Check
[Diagram: client on the Internet connects through RRAS, which consults IAS, before reaching the corpnet.]
38 Routing and Remote Access Service: Scale Out and Up
[Diagram: clients on the Internet reach a gateway cluster with NLB, presented as a single ICF-protected IP address, in front of the corpnet.]
- Network Load Balancing updates
  - Aware of IPSec SAs and PPTP sessions
- Routing and Remote Access updates
  - Integrates with Network Load Balancing to track new and old sessions
  - Stop-drain function
39 Remote Access Client for Windows XP
- What's new?
  - Split tunneling (enabled through the server-side release)
  - Remote access diagnostics (new client update)
  - Preshared key (enabled through the server-side release)
- Impact
  - Reduced Internet egress load (network administrator)
  - VPN plus home peripheral access (end-user)
  - Proactively diagnose remote access issues from the client side (network administrator)
  - No-certificate L2TP/IPSec deployment (network administrator)

40 Remote Access Client for Windows XP (2)
- Windows 2000 and Windows NT interoperability
  - Environment: yes
  - Not supported on Windows 2000 and Windows NT clients
- Availability improvement
  - Faster diagnosis of infrastructure issues increases remote access service availability
- 64-bit compatible
  - Yes
41 VPN Deployment Scenarios: Without Split Tunneling
[Diagram: client on the Internet, gateway, corpnet; all client traffic enters the tunnel.]
- All traffic must pass through the tunnel, including traffic destined for the Internet or the local net
- Benefit of no split tunneling
  - Assures the client is protected by the corporate firewall
- Issues with no split tunneling
  - Increases corporate Internet egress load
  - Slower response time for the client

42 VPN Deployment Scenarios: With Split Tunneling
[Diagram: client on the Internet, gateway, corpnet; only corpnet-bound traffic enters the tunnel, Internet traffic goes direct.]
- Client route provisioning (managed with server tools)
  - Defaults to no split tunnel
  - DHCP options (enabled by the DHCP CSR update)
  - Connection Manager profile (supported for all clients)
- Recommend ICF on the client if split tunneling is enabled
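Slide 25's Classless Static Route option and the DHCP-based route provisioning above, as an added example (not the deck's or Microsoft's code) of what the option carries. The payload encoding is RFC 3442 (option 121); that Windows XP and Windows .NET Server use the same encoding under Microsoft's option number 249 is an assumption of this example, not something the slides state. Routes and gateways are constructed. A split tunnel is precisely a route set that pushes corpnet prefixes but no default route through the tunnel, which the last function checks.

```python
"""DHCP Classless Static Route option: encode, decode, and a split-tunnel check.

Added example, not the deck's code. Payload format per RFC 3442; the Microsoft
option number 249 is an assumption. Routes below are constructed.
"""
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121     # RFC 3442
OPTION_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft pre-standard number, same payload (assumption)


def encode_classless_routes(routes):
    """routes: [(destination CIDR, router)] -> option payload.
    Per route: prefix width, only the significant octets of the destination, 4-octet router."""
    payload = b""
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # reject host bits set in the prefix
        significant = (net.prefixlen + 7) // 8
        payload += (bytes([net.prefixlen])
                    + net.network_address.packed[:significant]
                    + ipaddress.IPv4Address(router).packed)
    return payload


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; refuses malformed widths and truncated entries."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError("prefix width %d is not a valid IPv4 prefix" % width)
        significant = (width + 7) // 8
        dest = payload[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = payload[i + 1 + significant:i + 5 + significant]
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        routes.append(("%s/%d" % (ipaddress.IPv4Address(dest), width),
                       str(ipaddress.IPv4Address(router))))
        i += 5 + significant
    return routes


def dhcp_option(code, payload):
    """Wire form: code, length, data. Longer payloads must be split per RFC 3396 (not done here)."""
    if len(payload) > 255:
        raise ValueError("payload exceeds 255 octets; split across repeated options")
    return bytes([code, len(payload)]) + payload


def is_split_tunnel(routes):
    """Split tunnel = corpnet prefixes pushed, no 0.0.0.0/0 through the VPN interface."""
    return not any(ipaddress.IPv4Network(dest).prefixlen == 0 for dest, _ in routes)


if __name__ == "__main__":
    corp = [("10.0.0.0/8", "172.31.255.1"), ("172.16.0.0/12", "172.31.255.1")]
    print(dhcp_option(OPTION_MS_CLASSLESS_STATIC_ROUTE, encode_classless_routes(corp)).hex())
```

The slide's "Recommend ICF on the client if split tunneling is enabled" follows directly from the route set: with no default route in the tunnel the client's Internet interface is exposed while the tunnel is up, so the host firewall is what stands in for the corporate one.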
43 VPN Deployment Scenarios: Remote Access Diagnostics and Preshared Key
[Diagram: client on the Internet, corpnet.]
- RASDIAG (Windows XP client update with .NET Server)
  - Appears on error or by CM profile
  - Logs all client activity
  - Can self-mail to the administrator
- Preshared key (Windows XP client update with .NET Server)
  - One key for all clients: a group secret, so anyone who holds it (including a former client) can authenticate to the gateway or pose as the gateway to other clients; treat it as a stop-gap until certificates are deployed
44 Wrap Up
- Network authentication, authorization, and accounting must be integrated with the directory
- Networks evolved out of connectivity needs
  - Authentication/authorization models for networks and information services developed independently
  - Resulting in redundant identity infrastructures
- User identity and group membership should be centralized
- Network authentication is an end-to-end problem that requires more richness and extensibility than a certificate or ticket
45 Additional Resources
- http://www.microsoft.com/vpn/
- http://www.microsoft.com/security/
- http://www.microsoft.com/ipv6/
- http://www.microsoft.com/net/
46 Thank you for joining today's Microsoft Support WebCast.
- For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint slides, and transcripts), visit http://support.microsoft.com/webcasts/
- Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.