www.technocorp.co.in Increasing Security for Network Communication

Upload: mysticguy

Post on 21-Oct-2015


DESCRIPTION

Windows 2008 training

TRANSCRIPT

Page 1: 09 Increasing Security for Network Communication


Increasing Security for Network Communication

Page 2: 09 Increasing Security for Network Communication


Module Overview

• Configuring IPsec

• Configuring Connection Security Rules

• Configuring NAP with IPsec Enforcement

• Monitoring and Troubleshooting IPsec

Page 3: 09 Increasing Security for Network Communication


Overview of IPsec

• Benefits of IPsec

• Ways to Use IPsec

• How Domain Isolation Works

• Tools Used to Configure IPsec

• Demonstration: How to Configure IPsec Settings

Page 4: 09 Increasing Security for Network Communication


Benefits of IPsec

IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network

• IPsec has two goals: to protect IP packets and to defend against network attacks

• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other

• IPsec secures network traffic by using encryption and data signing

• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

Page 5: 09 Increasing Security for Network Communication


Ways to Use IPsec

Recommended uses of IPsec include:

• Packet filtering

• Authenticating and encrypting host-to-host traffic

• Authenticating and encrypting traffic to servers

• L2TP/IPsec for VPN connections

• Site-to-site tunneling

• Enforcing logical networks

Page 6: 09 Increasing Security for Network Communication


How Domain Isolation Works

To isolate a domain, configure the following components:

• An AD DS domain

• Member computers

• Group Policy settings

• Active IPsec policy settings

To deploy domain isolation, configure a GPO to require that all incoming connection requests and subsequent data be authenticated and protected by using IPsec

Page 7: 09 Increasing Security for Network Communication


Tools Used to Configure IPsec

To configure IPsec, you can use:

• Windows Firewall with Advanced Security MMC (used for Windows Server 2008 R2 and Windows 7)

• IP Security Policy MMC (used for mixed environments and to configure policies that apply to all Windows versions)

• Netsh command-line tool

Page 8: 09 Increasing Security for Network Communication


Demonstration: How to Configure IPsec Settings

In this demonstration, you will see how to:

• View existing IPsec policies in Group Policy

• Create a custom IPsec policy

• Create a security rule

• Create a new IP filter

• Complete the Security Rule Wizard

• Complete the IP Security Rule Wizard

Page 9: 09 Increasing Security for Network Communication


Configuring Connection Security Rules

• What Are Connection Security Rules?

• What Are Tunnel and Transport Modes?

• Choosing Authentication Requirements

• Authentication Methods

• Demonstration: How to Configure a Connection Security Rule

Page 10: 09 Increasing Security for Network Communication


What Are Connection Security Rules?

Connection security rules involve:

• Authenticating two computers before they begin communications

• Securing information being sent between two computers

• Using key exchange, authentication, data integrity, and data encryption (optionally)

How firewall rules and connection rules are related:

• Firewall rules allow traffic through, but do not secure that traffic

• Connection security rules can secure the traffic, but creating a connection security rule does not allow traffic through the firewall

Page 11: 09 Increasing Security for Network Communication


What Are Tunnel and Transport Modes?

[Figure: ESP packet layouts]

ESP Transport Mode: IP HDR | ESP HDR | Data | ESP TRLR | ESP Auth (encrypted portion: Data)

ESP Tunnel Mode: New IP HDR | ESP HDR | IP HDR | Data | ESP TRLR | ESP Auth (encrypted portion: the original IP packet, IP HDR + Data)

Page 12: 09 Increasing Security for Network Communication


Choosing Authentication Requirements

Option: Request authentication for inbound and outbound connections
Description: Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails

Option: Require authentication for inbound connections and request authentication for outbound connections
Description:
• Inbound traffic must be authenticated or it will be blocked
• Outbound traffic can be authenticated but will be allowed if authentication fails

Option: Require authentication for inbound and outbound connections
Description: Require that all inbound/outbound traffic be authenticated or the traffic will be blocked

Page 13: 09 Increasing Security for Network Communication


Choosing an Authentication Method

Method: Default
Key points: Use the authentication method configured on the IPsec Settings tab

Method: Computer and User (Kerberos V5)
Key points: You can request or require that both the user and the computer authenticate before communications can continue; domain membership required

Method: Computer (Kerberos V5)
Key points: Request or require the computer to authenticate using Kerberos V5; domain membership required

Method: User (Kerberos V5)
Key points: Request or require the user to authenticate using Kerberos V5; domain membership required

Method: Computer certificate
Key points:
• Request or require a valid computer certificate; requires at least one CA
• Only accept health certificates: request or require a valid health certificate to authenticate; requires IPsec NAP

Method: Advanced
Key points: Configure any available method; you can specify methods for First and Second Authentication
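As an added example, not taken from the training deck, the following PowerShell applies the "Require authentication for inbound connections and request authentication for outbound connections" option with the Computer (Kerberos V5) method through the Netsh tool the module lists; the rule names and the domain controller address 10.0.0.10 are assumed values.

```powershell
# Added example (not from the deck): domain isolation through netsh advfirewall consec on
# Windows 7 / Windows Server 2008 R2. Rule names and the DC address 10.0.0.10 are assumed.
# Run from an elevated PowerShell (or the equivalent commands in a GPO startup script).

# Authentication requirement options from the slide, as netsh 'action' values.
$Requirement = @{
    RequestInRequestOut = 'requestinrequestout'   # ask both ways; allowed in clear if auth fails
    RequireInRequestOut = 'requireinrequestout'   # inbound must authenticate, outbound may
    RequireInRequireOut = 'requireinrequireout'   # both ways, or the traffic is blocked
}

# Authentication methods from the slide, as netsh 'auth1' values (first authentication).
$Method = @{
    ComputerKerberos = 'computerkerb'   # domain membership required
    ComputerCert     = 'computercert'   # requires a CA; add auth1ca="<CA name>" when used
}

function Add-ConnectionSecurityRule {
    param([string]$Name, [string]$Req, [string]$Auth, [string]$Endpoint2 = 'any')
    # Each token is passed as its own argument so a rule name with spaces reaches netsh intact.
    & netsh advfirewall consec add rule "name=$Name" endpoint1=any "endpoint2=$Endpoint2" `
        "action=$($Requirement[$Req])" "auth1=$($Method[$Auth])" profile=domain
    if ($LASTEXITCODE -ne 0) { throw "netsh could not create rule '$Name'" }
}

# Exemption first: the domain controller must stay reachable without IPsec, otherwise a
# client cannot obtain the Kerberos ticket it needs to authenticate the isolation rule itself.
& netsh advfirewall consec add rule 'name=Exempt DC' endpoint1=any endpoint2=10.0.0.10 `
    action=noauthentication profile=domain

# The isolation rule: inbound connections are blocked unless the peer authenticates,
# outbound connections are attempted with IPsec but fall back if the peer cannot.
Add-ConnectionSecurityRule -Name 'Domain Isolation' -Req RequireInRequestOut -Auth ComputerKerberos

# A connection security rule secures traffic but does not open the firewall; the ports the
# isolated hosts exchange still need their own firewall rules. Review what is now in place:
& netsh advfirewall consec show rule name=all
```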

Page 14: 09 Increasing Security for Network Communication


Demonstration: How to Configure a Connection Security Rule

In this demonstration, you will see how to:

• Enable ICMP traffic on NYC-SVR1

• Create a server-to-server rule on NYC-SVR1

• Create a server-to-server rule on NYC-CL1

• Test the rule

Page 15: 09 Increasing Security for Network Communication


Configuring IPsec NAP Enforcement

• IPsec Enforcement for Logical Networks

• How IPsec NAP Enforcement Works

• Deploying NAP with IPsec Enforcement

Page 16: 09 Increasing Security for Network Communication


IPsec Enforcement for Logical Networks

[Figure: the three logical networks of IPsec NAP enforcement]

Restricted Network: non-NAP-capable client, non-compliant NAP client

Boundary Network: NAP enforcement servers (HRA, VPN, 802.1X, DHCP, NPS proxy), remediation servers

Secure Network: compliant NAP client, secure servers, NPS servers (NAP administration server, network policies, NAP health policies, connection request policies, SHVs), certificate services, e-mail servers, NAP policy servers

NAP clients run SHAs, the NAP agent, and NAP ECs

Page 17: 09 Increasing Security for Network Communication


How IPsec NAP Enforcement Works

IPsec NAP Enforcement includes:

• Policy validation

• NAP enforcement

• Network restriction

• Remediation

• Ongoing monitoring of compliance

[Figure: IPsec NAP enforcement components. Labels shown: Intranet, Remediation Servers, Internet, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, Active Directory, VPN Server, Perimeter Network, Restricted Network, NAP Client with limited access]

Page 18: 09 Increasing Security for Network Communication


Deploying NAP with IPsec Enforcement

To deploy NAP with IPsec and HRA, you must:

• Configure relevant NPS policies

• Enable the NAP IPsec client-enforcement agent

• Install health registration authority

• Install and configure AD CS

• Configure Group Policy settings

• Configure WSHVs

Page 19: 09 Increasing Security for Network Communication


Monitoring and Troubleshooting IPsec

• Monitoring IPsec by Using Windows Firewall with Advanced Security

• Monitoring IPsec by Using IP Security Monitor

• Troubleshooting IPsec

Page 20: 09 Increasing Security for Network Communication


Monitoring IPsec by Using Windows Firewall with Advanced Security

The Windows Firewall in Windows 7 and Windows Server 2008 R2 incorporates IPsec

• Use the Connection Security Rules and Security Associations nodes to monitor IPsec connections

• Security Associations that can be monitored include:

• Main Mode

• Quick Mode

Page 21: 09 Increasing Security for Network Communication


Monitoring IPsec by Using IP Security Monitor

Options for using the IP Security Monitor:

• Modify the IPsec data refresh interval to update information in the console at a set interval

• Allow DNS name resolution for IP addresses to provide additional information about computers connecting with IPsec

• Computers can be monitored remotely: to enable remote management editing, the HKLM\system\currentcontrolset\services\policyagent key must have a value of 1

• To discover the active security policy on a computer, examine the Active Policy node in the IP Security Monitor MMC

• Main Mode monitoring covers the initial IKE exchange and SA: information about the Internet Key Exchange

• Quick Mode monitoring covers the subsequent key exchanges related to IPsec: information about the IPsec driver

Page 22: 09 Increasing Security for Network Communication


Troubleshooting IPsec

1. Stop the IPsec Policy Agent and use the ping command to verify communications

2. Verify firewall settings

3. Start the IPsec Policy Agent and use IP Security Monitor to determine if a security association exists

4. Verify that the policies are assigned

5. Review the policies and ensure they are compatible

6. Use IP Security Monitor to ensure that any changes are applied
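The six troubleshooting steps above as a PowerShell script for Windows Server 2008 R2, added here as an example rather than taken from the deck; the peer address 10.0.0.20 is an assumed test target, and the security associations are read with netsh instead of the IP Security Monitor console.

```powershell
# Added example (not part of the deck): the slide's troubleshooting sequence in PowerShell 2.0.
# Assumed value: the peer 10.0.0.20. PolicyAgent is the service name of the IPsec Policy Agent.
$Peer = '10.0.0.20'
$Svc  = 'PolicyAgent'

function Test-Peer([string]$Target) {
    # Used in steps 1 and 3: returns $true when the peer answers two pings.
    Test-Connection -ComputerName $Target -Count 2 -Quiet
}

# 1. Stop the Policy Agent and ping: if the peer is unreachable now, the fault is not IPsec.
Stop-Service $Svc
$plain = Test-Peer $Peer
Write-Host "Reachable without IPsec: $plain"

# 2. Verify firewall settings: connection security rules never open a port by themselves.
& netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name','Enabled','Action'

# 3. Start the Policy Agent again and check whether security associations are negotiated.
Start-Service $Svc
$secured = Test-Peer $Peer
Write-Host "Reachable with IPsec: $secured"
& netsh advfirewall monitor show mmsa   # Main Mode SAs (IKE)
& netsh advfirewall monitor show qmsa   # Quick Mode SAs (IPsec driver)

# 4. Verify that the policies are assigned: the rules must exist and be enabled on this host.
& netsh advfirewall consec show rule name=all | Select-String 'Rule Name','Enabled','Action','Auth1'

# 5. Review compatibility: both peers need a common authentication method and requirement.
#    Compare the Auth1 and Action lines above with the same output taken on $Peer.

# 6. Make sure any policy change has actually been applied, then re-read the Quick Mode SAs.
gpupdate /target:computer /force | Out-Null
& netsh advfirewall monitor show qmsa

if ($plain -and -not $secured) {
    Write-Warning "Peer answers without IPsec but not with it: the SA and Auth1 output above shows where negotiation stops."
}
```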

Page 23: 09 Increasing Security for Network Communication


Lab: Increasing Security for Network Communication

• Exercise 1: Selecting a network security configuration

• Exercise 2: Configuring IPsec to Authenticate Computers

• Exercise 3: Testing IPsec Authentication

Estimated time: 45 minutes

Logon information

Virtual machines: 6421B-NYC-DC1, 6421B-NYC-SVR1, 6421B-NYC-CL1

User name Contoso\Administrator

Password Pa$$w0rd

Page 24: 09 Increasing Security for Network Communication


Lab Scenario

Contoso Ltd. has implemented a new web-based Research application that contains confidential information such as product information. The application is secured by authenticating users by using a username and password. To enhance security, the director of Research would like the application to be accessible only from computers in the Research department.

To meet the requirements specified by the director of Research, you will create a connection security rule that authenticates the computers in the Research department. Then you will create a firewall rule that ensures only authenticated computers from the Research department can access the application.
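An added example, not the lab's own instructions, that builds the scenario's two rules with netsh from PowerShell on the web server: a connection security rule that authenticates computers, and a firewall rule that only admits authenticated members of a computer group. The group name CONTOSO\Research Computers, TCP port 80 and the rule names are assumptions.

```powershell
# Added example (not from the lab): restrict a web application to authenticated computers
# of one department. Assumed values: group CONTOSO\Research Computers, TCP port 80, rule names.
$GroupName = 'CONTOSO\Research Computers'

function Get-ComputerGroupSddl([string]$Group) {
    # The firewall's authorized-computers list is an SDDL DACL that grants the group
    # the CC right; translate the group name to its SID and wrap it in that DACL.
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "D:(A;;CC;;;$sid)"
}

# 1. Connection security rule: computers connecting to this server must authenticate
#    inbound with Computer (Kerberos V5); outbound authentication is requested only.
& netsh advfirewall consec add rule 'name=Research App Authentication' endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain

# 2. Firewall rule: allow TCP 80 only on IPsec-authenticated connections whose peer computer
#    is in the Research group. security=authenticate relies on the rule above having
#    negotiated IPsec; rmtcomputergrp decides which authenticated computers qualify.
& netsh advfirewall firewall add rule 'name=Research App (authenticated computers)' dir=in `
    action=allow protocol=TCP localport=80 security=authenticate `
    "rmtcomputergrp=$(Get-ComputerGroupSddl $GroupName)" profile=domain

# An older rule that allows TCP 80 to everyone would make the new rule pointless, so list
# every inbound rule touching the port together with its Security and RmtComputerGrp fields.
& netsh advfirewall firewall show rule name=all dir=in verbose |
    Select-String 'Rule Name','LocalPort','Security','RmtComputerGrp'
```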

Page 25: 09 Increasing Security for Network Communication


Lab Review

• In the lab, you created an OU-specific policy for a specific application. If Contoso wanted to create a domain isolation rule, how would you go about it?

• What method of authentication would you select?