Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |

Presentation transcript:


Web Application Proxy

Threat Management Gateway
- Forward HTTP/S proxy
  - Kerberos SSO authentication
  - user/group based rules and logging
  - HTTPS inspection
- Reverse HTTP/S proxy
  - TLS/SSL endpoint
  - HTTPS inspection
  - Basic, Forms, TLS certificate, AD FS authentication
  - Kerberos constrained delegation
- Stateful firewall
  - IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP

Web Application Proxy
- Forward HTTP/S proxy
  - Kerberos SSO authentication
  - user/group based rules and logging
  - HTTPS inspection
- Reverse HTTP/S proxy
  - TLS/SSL endpoint
  - HTTPS inspection
  - Basic, Forms, TLS certificate, AD FS authentication
  - Kerberos constrained delegation
- Stateful firewall
  - IP/ICMP/TCP/UDP/GRE/AH/ESP/FTP

[Diagram: TMG forward proxy. Elements: several HTTP/S clients (one behind NAT), TMG Proxy, DC, HTTP/S Server.]

[Diagram: TMG/WAP reverse proxy. Elements: Browser and GUI HTTP/S clients behind NAT, TMG with the TLS certificate, DC, published Exchange OWA, Web CRM and SharePoint.]

[Diagram: Perimeter authentication + authentication forwarding. Elements: Browser and GUI HTTP/S clients behind NAT, TMG, DC, published Exchange OWA, Web CRM and SharePoint.]

TLS client certificate authentication
- TLS session establishes first
- Without client certificate no HTTP inside
- No password guessing
- Certificates mapped to user accounts
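The gating this slide describes (the TLS handshake completes or fails before any HTTP is exchanged, and an accepted certificate is then mapped to an account), as a runnable Go example added here; it is not code from the presentation or from AD FS/WAP. The client CA, the client certificate and the CN-to-account table are constructed for the demo, and the Go test server supplies its own server certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Constructed stand-in for the AD certificate-to-account mapping (subject CN -> account).
var userByCert = map[string]string{"alice": "CORP\\alice"}

// issue creates a self-signed CA (parent == nil) or a client certificate signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RunDemo starts a server that requires client certificates and probes it with two clients.
func RunDemo() (noCertRejected bool, handlerHitsNoCert int32, mappedUser string, err error) {
	ca, caKey, err := issue("Demo Client CA", nil, nil)
	if err != nil {
		return
	}
	clientCert, clientKey, err := issue("alice", ca, caKey)
	if err != nil {
		return
	}
	var hits int32
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		// RequireAndVerifyClientCert guarantees a verified chain before this runs; map CN -> account.
		if user, ok := userByCert[r.TLS.PeerCertificates[0].Subject.CommonName]; ok {
			fmt.Fprint(w, user)
			return
		}
		http.Error(w, "certificate not mapped to an account", http.StatusForbidden)
	}))
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS() // the server certificate itself comes from httptest
	defer srv.Close()
	// 1. No client certificate: the handshake is refused, so no HTTP request reaches the handler.
	if resp, e := srv.Client().Get(srv.URL); e != nil {
		noCertRejected = true
	} else {
		resp.Body.Close()
	}
	handlerHitsNoCert = atomic.LoadInt32(&hits)
	// 2. A mapped client certificate: the handshake succeeds and the CN resolves to an account.
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // already trusts the server
	cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	mappedUser = string(body)
	return
}

func main() {
	fmt.Println(RunDemo())
}
```

The first probe carries no certificate and fails inside the handshake, so the handler counter stays at zero: there is no logon form to guess against because the password step never begins. The second probe presents the constructed certificate and the server answers with the mapped account.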

Web Application Proxy

Network Access Technologies
- VPN
  - SMB/SQL/LDAP/DCOM sensitive to RTT
- Remote Desktop
  - no clipboard, no file proliferation
  - limited malware surface
- 802.1x
  - WiFi or Ethernet
  - no encryption, authorization only
- DirectAccess
  - GPO managed IPSec tunnel over IPv6
- Web Application Proxy
  - HTTPS reverse proxy for web applications

[Diagram: VPN scenario. Elements: VPN Client behind NAT, VPN Gateway, RADIUS, DC, FS, SQL, SharePoint, RDP.]

[Diagram: DA scenario. Elements: DA Client behind NAT, DA Server, RADIUS, DC, FS, SQL, SharePoint, RDP.]

[Diagram: RDP scenario. Elements: RDP Client behind NAT, RDP Gateway, RADIUS, DC, FS, SQL, SharePoint, workstations (Wks) reached over RDP.]

[Diagram: 802.1x WiFi scenario. Elements: WiFi Client, WiFi AP, RADIUS, DC, FS, SQL, SharePoint, RDP.]

[Diagram: 802.1x Ethernet scenario. Elements: workstations (Wks) and a printer on a switch, RADIUS, DC, FS, SQL, SharePoint, RDP.]

[Diagram: WAP scenario. Elements: Web Browser or GUI client behind NAT, Web Application Proxy (AD FS Proxy), DC, AD FS, Web, Lync, Exchange, SharePoint.]

VPN Compared

Protocol              | Transport                                            | Client                                  | RRAS Server                             | Server requirements                                                    | Client requirements
----------------------|------------------------------------------------------|-----------------------------------------|-----------------------------------------|------------------------------------------------------------------------|--------------------------
PPTP                  | TCP 1723, IP GRE                                     | MS-DOS and newer                        | NT 4.0 and newer                        | -                                                                      | -
L2TP                  | UDP 500, 4500, IP ESP                                | NT 4.0, 98 and newer                    | 2000 and newer                          | IPSec certificate (public name), public IP                             | IPSec machine certificate
SSTP                  | TCP 443 TLS                                          | Vista/2008 and newer                    | 2008 and newer                          | TLS certificate (public name)                                          | -
IKEv2                 | UDP 500, 4500, IP ESP                                | 7/2008 R2 and newer                     | 2008 R2 and newer                       | IPSec certificate (public name), public IP                             | IPSec machine certificate
RD Gateway            | TCP 443 TLS                                          | RDP Client 6.0 and newer                | 2008 and newer                          | TLS certificate (public name)                                          | -
DirectAccess          | IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6to4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | 2012 and newer                          | IPSec certificate, TLS certificate (public name)                       | IPSec machine certificate
Web Application Proxy | HTTPS                                                | web browser, GUI web client (Office)    | 2012 R2 and newer, WAP and AD FS server | TLS certificate (public name), TLS certificate for AD FS (public name) |

Web Application Proxy

[Diagram: AD FS Proxy, names and certificates. Elements: Web Browser or GUI client behind NAT, Web Application Proxy, DC, AD FS, SharePoint.]

[Diagram: AD FS Proxy, service accounts. Same elements; account labels shown: sp-intranet-web (SharePoint), svc-adfs (AD FS), Network Service (two services).]

[Diagram: AD FS Proxy, Windows authentication with passwords, overview. Elements: Web Browser or GUI client behind NAT, Web Application Proxy, DC, AD FS, SharePoint, Exchange. Message labels: Forms, Basic, POST, Cookie, Kerberos.]

[Diagrams: AD FS Proxy, Windows authentication with passwords, steps #1 to #5 (same elements as the overview). Message labels per step: #1 Redirect 307; #2 Forms, Basic, POST; #3 Claims, Redirect 302; #4 Claims, Kerberos, Cookie; #5 200 OK, Cookie.]

[Diagram: AD FS Proxy, Windows authentication with TLS client certificate. Same elements. Message labels: TLS Client Certificate, TCP 49443, Kerberos, Cookie.]

[Diagram: AD FS Proxy, claims authentication. Same elements. Message labels: Forms, Basic POST, TLS Client Certificate, Cookie, Claims.]
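What the "Perimeter authentication + auth. forwarding" slide and the password-flow diagrams above amount to at the proxy, as a Go example added here; it is not the presentation's or Microsoft's code. The cookie format, the cookie key, the identity header name and the AD FS address are constructed stand-ins, and the identity header stands in for the Kerberos ticket WAP would obtain by constrained delegation. The unauthenticated client is sent to the logon address with a 307 as in step #1, a tampered cookie is refused, and an identity header supplied by the client never reaches the backend.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync/atomic"
)

// Constructed names for this demo; the real AD FS/WAP cookie and the KCD Kerberos ticket are not reproduced.
const (
	sessionCookie  = "DemoAuth"
	identityHeader = "X-Demo-Authenticated-User"
	loginURL       = "https://adfs.example.invalid/adfs/ls/" // placeholder AD FS endpoint
)

var cookieKey = []byte("constructed-demo-key-not-for-real-use")

// signature is the MAC that binds a user name to this perimeter's key.
func signature(user string) string {
	mac := hmac.New(sha256.New, cookieKey)
	mac.Write([]byte(user))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// mintSession builds the cookie value issued once AD FS has reported a logon: "user|MAC".
func mintSession(user string) string { return user + "|" + signature(user) }

// verifySession returns the user named in a cookie value when its MAC checks out.
func verifySession(v string) (string, bool) {
	if user, sig, ok := strings.Cut(v, "|"); ok && hmac.Equal([]byte(sig), []byte(signature(user))) {
		return user, true
	}
	return "", false
}

// NewPreAuthProxy admits only requests with a valid session and is the sole source of the forwarded identity.
func NewPreAuthProxy(backend *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(sessionCookie)
		if err != nil { // no session: answered at the perimeter (slide step #1, Redirect 307)
			http.Redirect(w, r, loginURL, http.StatusTemporaryRedirect)
			return
		}
		user, ok := verifySession(c.Value)
		if !ok {
			http.Error(w, "invalid session", http.StatusUnauthorized)
			return
		}
		r.Header.Set(identityHeader, user) // overwrite, so any client-supplied value is discarded
		rp.ServeHTTP(w, r)
	})
}

// RunProxyDemo sends three requests through the perimeter and reports what each achieved.
func RunProxyDemo() (noSession, badSession, validSession int, backendHitsBefore int32, backendSawUser string, err error) {
	var hits int32
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		fmt.Fprint(w, r.Header.Get(identityHeader)) // the identity the backend would act on
	}))
	defer backend.Close()
	bu, _ := url.Parse(backend.URL) // httptest always yields a well-formed URL
	proxy := httptest.NewServer(NewPreAuthProxy(bu))
	defer proxy.Close()
	// Keep the perimeter's 307 instead of following it to the placeholder AD FS address.
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	call := func(cookie string) (int, string, error) {
		req, err := http.NewRequest(http.MethodGet, proxy.URL+"/owa/", nil)
		if err != nil {
			return 0, "", err
		}
		req.Header.Set(identityHeader, "mallory") // forged by the client; must never reach the backend
		if cookie != "" {
			req.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookie})
		}
		resp, err := client.Do(req)
		if err != nil {
			return 0, "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return resp.StatusCode, string(body), err
	}
	if noSession, _, err = call(""); err != nil {
		return
	}
	if badSession, _, err = call("alice|not-a-valid-mac"); err != nil {
		return
	}
	backendHitsBefore = atomic.LoadInt32(&hits)
	validSession, backendSawUser, err = call(mintSession("alice"))
	return
}
```

The backend counter is read only after the two rejected calls, so a zero there is the property the slides rely on: nothing the perimeter has not authenticated is ever seen by Exchange or SharePoint, and the identity those servers act on comes from the proxy alone.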

Web Application Proxy

Long journey yet?
- Basic only with pass-through
  - deprecated since AD FS 2.0
  - no Basic fallback (GUI clients)
- No selection intranet/extranet
- No persistent cookies
  - always the web page regardless of client (GUI)
- AD FS native support since Exchange 2013 SP1
- AD FS native support since SharePoint 2010
  - no WebDAV support
- No inspection