1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.


1 Objectives
–Wireless Access
–IPSec
–Discuss Network Access Protection
–Install Network Access Protection

2 Wireless Access Configuration in Windows Server 2008
–802.1x standard: network access control that provides an authentication mechanism to allow or deny network access based on the port a device connects through
–WPA2-EAP (Wi-Fi Protected Access 2 with EAP): more secure than both PSK and WEP, which use a static key; EAP authentication uses certificates

3 Wireless Access Configuration in Windows Server 2008 (continued)
Categories of EAP implementations
–EAP over local area network (LAN): EAP-TLS
–EAP over wireless: PEAP (Protected Extensible Authentication Protocol)
802.1x uses a three-component model for authenticating access to networks
–Supplicant: wireless client/device
–Authenticator: wireless access point
–Authentication server: NPS/RADIUS server

4 (no transcript text; image-only slide)

5 Internet Protocol Security
An open-standards framework for securing network communications
IPSec meets three basic goals
–Authentication
–Integrity
–Confidentiality

6 IPSec Threats
Depending on its configuration, IPSec provides protection from the following threats
–Data tampering
–Denial of service
–Identity spoofing
–Man-in-the-middle attacks
–Repudiation (rootkit)
–Network traffic sniffing

7 How IPSec Works
IPSec modes of operation
–Transport mode
–Tunnel mode
IPSec security methods
–Authentication Header (AH)
–Encapsulating Security Payload (ESP)
Scenarios available when deploying IPSec
–Site to site
–Client to client
–Client to site

8 Transport Mode
–Used between two hosts (client-to-client or client-to-site)
–Both communication ends must support IPSec

9 Tunnel Mode
–Used between two routers (site-to-site)
–The two hosts communicating through the routers do not need to support IPSec
–The computers taking part in the conversation are not authenticated

10 AH Method
–Provides authentication of the two endpoints and adds a checksum to the packet
–Authentication guarantees that the two endpoints are known; the checksum guarantees that the packet is not modified in transit
–The payload of the packet is unencrypted
–Use whenever you are concerned about packets being captured with a packet sniffer and replayed later
–Less processor intensive than ESP mode

11 (no transcript text; image-only slide)

12 ESP Method
–Provides authentication of the two endpoints, which guarantees that the two endpoints are known
–Adds a checksum to each packet
–Encrypts the data in the packet
–Most implementations of IPSec use ESP mode because data encryption is desired
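To make the AH and ESP bullets on slides 10 and 12 concrete, here is an added PowerShell model that is not part of the presentation and is not real IPsec: it is a toy "security association" with an HMAC key and an AES key, an AH-style protect/verify pair (integrity and a sequence number, payload in the clear) and an ESP-style pair (the same plus encryption). Assumptions: both ends already share the SA (in a real deployment IKE, slide 14, negotiates it), the sequence-number check is a simplified "higher than anything seen" rule instead of IPsec's sliding window, and the payload string is constructed for the demo.

```powershell
# Added educational model, not code from the slides and not real IPsec (no IP headers,
# no sliding replay window). It shows what AH and ESP each protect on one SA.
$utf8 = [System.Text.Encoding]::UTF8

function New-Sa([int]$Spi) {
    # One SA: SPI, an HMAC key (AH and ESP), an AES key (ESP only) and sequence state.
    # Keys are generated here; IKE would have negotiated them on a real host.
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $authKey = New-Object byte[] 32; $rng.GetBytes($authKey)
    $encKey  = New-Object byte[] 16; $rng.GetBytes($encKey)
    return @{ Spi = $Spi; AuthKey = $authKey; EncKey = $encKey; SendSeq = 0; HighestSeq = 0 }
}

function Get-Mac([byte[]]$Key, [byte[]]$Data) {
    $h = New-Object System.Security.Cryptography.HMACSHA256
    $h.Key = $Key
    return $h.ComputeHash($Data)
}

function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    return ([BitConverter]::ToString($A) -eq [BitConverter]::ToString($B))
}

function Test-Replay($Sa, [int]$Seq) {
    # Simplified anti-replay: accept only sequence numbers above the highest accepted so far.
    if ($Seq -le $Sa.HighestSeq) { return $false }
    $Sa.HighestSeq = $Seq
    return $true
}

function Get-AuthenticatedBytes($Sa, [int]$Seq, [byte[]]$Body) {
    # The checksum covers SPI, sequence number and body, so none of them can be changed unnoticed.
    return [byte[]]([BitConverter]::GetBytes($Sa.Spi) + [BitConverter]::GetBytes($Seq) + $Body)
}

function Protect-Ah($Sa, [byte[]]$Payload) {
    $Sa.SendSeq = $Sa.SendSeq + 1
    $mac = Get-Mac $Sa.AuthKey (Get-AuthenticatedBytes $Sa $Sa.SendSeq $Payload)
    # AH authenticates but does not encrypt: the payload travels in the clear.
    return @{ Mode = 'AH'; Spi = $Sa.Spi; Seq = $Sa.SendSeq; Payload = [byte[]]$Payload.Clone(); Mac = $mac }
}

function Unprotect-Ah($Sa, $Pkt) {
    $expected = Get-Mac $Sa.AuthKey (Get-AuthenticatedBytes $Sa $Pkt.Seq $Pkt.Payload)
    if (-not (Test-SameBytes $expected $Pkt.Mac)) { return 'REJECT: integrity check failed (modified in transit)' }
    if (-not (Test-Replay $Sa $Pkt.Seq))          { return 'REJECT: replayed sequence number' }
    return 'ACCEPT: ' + $utf8.GetString($Pkt.Payload)
}

function Protect-Esp($Sa, [byte[]]$Payload) {
    $Sa.SendSeq = $Sa.SendSeq + 1
    $aes = New-Object System.Security.Cryptography.RijndaelManaged   # AES-128-CBC, PKCS7 padding
    $aes.Key = $Sa.EncKey; $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Payload, 0, $Payload.Length)
    # Encrypt-then-MAC: the checksum covers IV and ciphertext, so tampering is caught before decryption.
    $mac = Get-Mac $Sa.AuthKey (Get-AuthenticatedBytes $Sa $Sa.SendSeq ([byte[]]($aes.IV + $ct)))
    return @{ Mode = 'ESP'; Spi = $Sa.Spi; Seq = $Sa.SendSeq; Iv = $aes.IV; Payload = $ct; Mac = $mac }
}

function Unprotect-Esp($Sa, $Pkt) {
    $expected = Get-Mac $Sa.AuthKey (Get-AuthenticatedBytes $Sa $Pkt.Seq ([byte[]]($Pkt.Iv + $Pkt.Payload)))
    if (-not (Test-SameBytes $expected $Pkt.Mac)) { return 'REJECT: integrity check failed (modified in transit)' }
    if (-not (Test-Replay $Sa $Pkt.Seq))          { return 'REJECT: replayed sequence number' }
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.Key = $Sa.EncKey; $aes.IV = $Pkt.Iv
    $pt = $aes.CreateDecryptor().TransformFinalBlock($Pkt.Payload, 0, $Pkt.Payload.Length)
    return 'ACCEPT: ' + $utf8.GetString($pt)
}

# --- Demonstration on a constructed payload; sender and receiver share the same SA object ---
$msg = $utf8.GetBytes('GET /payroll HTTP/1.1')

$ahSa  = New-Sa 0x1001
$ahPkt = Protect-Ah $ahSa $msg
"AH on the wire, readable by a sniffer : " + $utf8.GetString($ahPkt.Payload)
"AH verify (clean)                     : " + (Unprotect-Ah $ahSa $ahPkt)
"AH verify (same packet replayed)      : " + (Unprotect-Ah $ahSa $ahPkt)
$tampered = Protect-Ah $ahSa $msg
$tampered.Payload[5] = [byte][char]'X'    # one byte changed in transit
"AH verify (payload modified)          : " + (Unprotect-Ah $ahSa $tampered)

$espSa  = New-Sa 0x2001
$espPkt = Protect-Esp $espSa $msg
"ESP on the wire, what a sniffer sees  : " + [BitConverter]::ToString($espPkt.Payload)
"ESP verify (clean)                    : " + (Unprotect-Esp $espSa $espPkt)
"ESP verify (same packet replayed)     : " + (Unprotect-Esp $espSa $espPkt)
```

The AH lines show the request text in the clear next to an accepted, a replayed and a modified copy; the ESP lines show only hex on the wire. The replay and tamper rejections come from the checksum and the sequence number, which is why slide 10 can recommend AH against sniff-and-replay even though AH hides nothing.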


14 IPSec Authentication
–Authentication is for the devices at the two IPSec endpoints, NOT the users logged into the devices
–Internet Key Exchange (IKE) is the process two IPSec hosts use to negotiate their security parameters/protocols
–IKE generates the encryption and authentication keys used by IPSec for the transaction
–When the security parameters have been agreed upon, the result is referred to as a security association

15 IPSec Connections Authentication Methods
–Pre-shared key: simple, but the key has to be moved to each host in advance
–Kerberos: integrated with Windows Active Directory; only usable within Active Directory
–Certificates: issued by trusted organizations on the Internet called certification authorities; a certificate must be validated using the digital signature of the certification authority

16 Enabling IPSec
–IPSec is enabled on Windows using IPSec policies
–Unlike Windows Server 2003, Windows Server 2008 has no default policy
–Policies can be configured manually on each server or distributed through Group Policy
  –Choose tunnel or transport mode and the network type
  –Specify IP filters and filter actions
–Can be managed with the following tools
  –WFAS Connection Security Rules
  –IP Security Policy snap-in
  –Netsh
  –gpme.msc

17 Assigning IPSec Policies
–Multiple IPSec policies may be configured, but only the assigned one is actually used
–No policy is used until it is assigned
–Only one policy can be assigned at a time per machine
–Assignment does not take effect immediately: the IPSec Policy Agent must be restarted for the change to take effect

18 Troubleshooting IPSec
The most common IPSec troubleshooting tools are:
–Ping
–IPSec Security Monitor (MMC snap-in)
–Event Viewer (Security log)
–Resultant Set of Policy (Group Policy resultant set)
–Network Monitor
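The following is an added example, not from the presentation, that shows the command-line side of slides 15, 16 and 18 together: a connection security rule created with netsh advfirewall (the same store the WFAS "Connection Security Rules" node edits), first with the pre-shared-key method and then with Kerberos plus computer certificates, followed by the checks that stand in for the IPSec Security Monitor snap-in. The rule names, the server subnet 10.0.0.0/24, the PSK value and the CA name are placeholders for this example; run it from an elevated PowerShell prompt on Windows Server 2008.

```powershell
# Added example, not the presentation's own material. Arguments that contain spaces or
# commas are quoted as whole "key=value" tokens so PowerShell hands each to netsh intact.

# Weak: pre-shared key. The same secret sits in the rule on every host that uses it, so it
# is only as private as the least-protected host and cannot tell one peer from another.
# Created here only to show the difference, then deleted.
netsh advfirewall consec add rule "name=LAB weak PSK rule" endpoint1=10.0.0.0/24 endpoint2=any `
    action=requireinrequestout mode=transport auth1=computerpsk "auth1psk=ChangeMe-LabOnly"
netsh advfirewall consec delete rule "name=LAB weak PSK rule"

# Recommended: Kerberos computer authentication for domain members (slide 15), with
# computer certificates from the named CA as the fallback for non-domain peers.
# Inbound traffic to the server subnet must be authenticated; outbound asks for it.
netsh advfirewall consec add rule "name=Server subnet - require inbound, request outbound" `
    endpoint1=10.0.0.0/24 endpoint2=any action=requireinrequestout mode=transport `
    "auth1=computerkerb,computercert" "auth1ca=C=US,O=Example Corp,CN=Example Root CA" enable=yes

# Check what was stored (a PSK is kept in the rule itself, another reason to avoid it) ...
netsh advfirewall consec show rule name=all

# ... and, once traffic has flowed, the negotiated security associations: the same data the
# IPSec Security Monitor snap-in shows. A main-mode SA with no quick-mode SA for a peer that
# should be talking usually means a failed authentication or a filter mismatch.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# Security log, as on slide 18. IPsec negotiation events are only written when the
# IPsec audit subcategories are enabled (auditpol.exe /get /category:* lists them).
Get-EventLog -LogName Security -Newest 50 | Where-Object { $_.Message -match 'IPsec' } |
    Select-Object TimeGenerated, EventID, EntryType | Format-Table -AutoSize
```

Deploy the final rule through Group Policy rather than per host once it works on one server, and remember slide 17: a policy change is not live until the IPSec Policy Agent picks it up.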

19 Using IPSec

20 Network Access Protection
NAP can be broken into three parts
–Health policy validation
–Health policy compliance
–Access limitation

21 NAP Terminology
–Enforcement Client (Windows 7, Windows Server 2008, Vista, XP SP3)
–Enforcement Server (Windows Server 2008 NPS server)
–Host Credential Authorization Protocol (for 802.1x clients)
–Health Registration Authority
  –Distributes health certificates
  –Required for IPSec enforcement
  –A role service of the NPS server role
–Network Policy Server
–Remediation Server (updates clients)
–System Health Agent (a service on the NAP client that monitors the status of the firewall and antivirus)
–System Health Validator

22 NAP Enforcement Methods
The five types of NAP enforcement methods
–802.1x-authenticated connections (EAP)
–Dynamic Host Configuration Protocol (DHCP) address configurations
–IPSec communications based on IP address or port numbers (requires the HRA and Certificate Services)
–Terminal Services Gateway (TS Gateway) connections
–Virtual Private Network (VPN) connections

23 Implementing NAP

24 Install, Configure and Enforce NAP
–Add the NPS role; NAP is installed as part of the NPS role
  –Add Roles Wizard or the servermanagercmd.exe command
–Configure the Windows Security Health Validator
  –NPS → NAP → System Health Validators
–Create two new health policies: one Compliant policy and one Non-compliant policy
  –NPS → Policies → Health Policies
–Enable a NAP enforcement method on client computers
  –napclcfg command
  –NAP Client Configuration snap-in
–Set network policies or connection security rules

25 NAP Client Configuration

26 NAP Client Configuration (continued)
–Turn on Security Center in Local Computer Policy
  –gpedit.msc or the Group Policy Object Editor snap-in
  –Computer Configuration → Administrative Templates → Windows Components → Security Center
  –Needed to work with the standard Windows SHV
–Start the Network Access Protection Agent service
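The procedure on slides 24 to 26 is mostly console-driven; the added example below, which is not part of the presentation, collects the parts that can be scripted on Windows Server 2008 and a client. Assumptions: the servermanagercmd.exe component ID and the netsh nap enforcement-client IDs are the ones I know from those tools' own listings (confirm with `servermanagercmd.exe -query` and `netsh nap client show state`), the export path is a placeholder, and the SHV and health-policy steps still happen in the NPS console because Server 2008 has no NPS PowerShell cmdlets.

```powershell
# Added example, not the presentation's own material. Run elevated.

# --- NPS / NAP server (slide 24, step 1): install the Network Policy Server role service ---
servermanagercmd.exe -install NPAS-Policy-Server
servermanagercmd.exe -query | Select-String 'NPAS'        # confirm what is installed

# Steps 2-3 (Windows SHV, Compliant and Non-compliant health policies) are done in the NPS
# console. Once configured, the whole NPS configuration can be exported and carried to
# another server; exportPSK=NO keeps RADIUS shared secrets out of the file.
netsh nps export "filename=C:\NAP\nps-config.xml" exportPSK=NO
# netsh nps import "filename=C:\NAP\nps-config.xml"

# --- NAP client (slides 24-26): enable an enforcement client and start the agent ---
# List the enforcement clients and whether each is enabled.
netsh nap client show state

# Enable the IPsec enforcement client (ID 79619, the method that needs the HRA and
# certificates on slide 22). Other IDs as listed by "show state": 79617 DHCP,
# 79618 VPN (remote access), 79621 TS Gateway, 79623 EAP / 802.1x.
netsh nap client set enforcement ID=79619 ADMIN=ENABLE

# The Network Access Protection Agent service (napagent) must be running for any
# enforcement client to collect a statement of health; make it automatic and start it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
Get-Service -Name napagent | Select-Object Name, Status

# The Security Center policy on slide 26 is a Group Policy setting; set it in gpedit.msc
# (Computer Configuration > Administrative Templates > Windows Components > Security Center)
# or in the domain GPO that targets the NAP clients, then refresh:
gpupdate /target:computer /force
```

After the client reports, `netsh nap client show state` should show the enabled enforcement client and the NAP Agent state, which is the quickest check before moving on to the server-side logs.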

27 NAP Monitoring
Log files
–On the NAP Enforcement Server: Windows Logs\Security log (non-compliant clients)
–On Vista or Windows Server 2008 NAP Enforcement Clients: Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational log
–On XP SP3 NAP Enforcement Clients: System log
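An added example, not from the presentation, that reads the three log locations on slide 27 from PowerShell 2.0 or later. Assumptions: the NPS audit event IDs used for the Security log filter (6276 quarantined, 6277 granted on probation, 6278 granted full access after meeting the health policy, 6273 denied) are the standard NPS audit events as I know them, and the client channel name is the event-log name behind the Event Viewer path on the slide; both are checked in the script before use.

```powershell
# Added example, not the presentation's own material. Run on the server for the first
# part and on a client for the other two.

# --- Enforcement server: NPS writes its access decisions to the Security log ---
$ids = 6276, 6277, 6278, 6273
$nps = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } -MaxEvents 500 -ErrorAction SilentlyContinue
if ($nps) {
    # How many clients were quarantined vs. granted: a quick compliance picture.
    $nps | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    # The most recent non-compliant clients, with the message NPS recorded for each.
    $nps | Where-Object { $_.Id -eq 6276 } | Select-Object TimeCreated, Message -First 5 | Format-List
} else {
    'No NPS access events found; check that NPS auditing is on (auditpol.exe /get /category:*).'
}

# --- Vista / Windows Server 2008 client: the NAP operational channel ---
# Confirm the channel name first; the Event Viewer path on the slide maps to this log.
Get-WinEvent -ListLog '*NetworkAccessProtection*' | Select-Object LogName, RecordCount
Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# --- XP SP3 client: no operational channel and no Get-WinEvent (that API needs Vista+),
#     so use the classic System log and filter on the message text ---
Get-EventLog -LogName System -Newest 100 | Where-Object { $_.Message -match 'Network Access Protection' } |
    Select-Object TimeGenerated, EventID, EntryType, Message | Format-List
```

Reading the server and client logs side by side is the usual way to separate a genuinely non-compliant client (server shows a quarantine, client shows which SHA failed) from an agent that never reported at all (server shows nothing, client shows the NAP Agent service stopped).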
