Objective 3.1: Designing Network Infrastructure Security

Phase I Security Association

Both phases of establishing a security connection require policy negotiation. In Phase I, four mandatory parameters must be established via negotiation:

• Encryption algorithm

• Hash algorithm

• Authentication method

• The Diffie-Hellman (DH) group to be used for the base keying material

Phase II Security Association

Phase II of the security association negotiation determines how data will be secured via:

• The IPSec protocol to be used

• The hash algorithm

• The encryption algorithm

Remember, the hash and encryption algorithms in Phase I are used to negotiate communication between the two computers . The hash and encryption algorithms in Phase II are used on the data itself. Like Phase I, Phase II also uses hashing and keying algorithms for packet integrity (hashing) and data security (keying and encrypting). The third element is the IPSec protocol to be used. The IPSec protocols are the Authentication Header (AH) and the Encapsulating Security Payload (ESP) . Before we discuss the details of these two protocols, it s important to review the two modes for IPSec.

Authentication Header

Using a hash function, the data in the authentication header is protected from tampering and in turn , it protects the data by signing the entire packet. Some data in the packet might not be included in this protection because data in some fields might legitimately change during transportation, such as the Time To Live (TTL) field. The packet format for AH in transport mode is shown in Figure 5.1.

Let s compare that to the IP packet using AH in tunnel mode, as shown in Figure 5.2. A new IP header and the AH header are placed in front of the original IP header. The new IP header is the address of the intermediary such as a gateway or router. The AH signs the entire packet, including the new IP header. Notice that the IP header in the middle is the IP header of the original packet and contains the ultimate source and destination addresses. The outer IP addresses are used to route the packet to intermediaries and to protect the ultimate source and destination addresses. An important note is that the intermediaries, such as gateways or proxy servers, need not be configured with IPSec because the packet appears to be a normal packet to these computers.

Clearly, using IPSec in tunnel mode makes sense when you want to protect traffic that has to pass through an unprotected area such as the Internet or some other untrusted source. Tunnel mode is often used for remote access and typically not used for local connections where transport mode is generally more appropriate. Keep in mind that if the data is being sent between two host computers using IPSec tunneling, the IP header on the outside of the encapsulated data is the same as the IP header on the inside.

A few notes of caution here. Tunnel mode secures IP traffic; it can t be used to secure non-IP traffic. Windows Server 2003 does not support protocol-specific or port-specific tunnels.

Tunnels can be configured via IP Security Policy Management and Group Policy to specify rules for inbound and outbound tunnel traffic. We ll explore IP Security Policy in depth later in this chapter.

Before we leave AH, it s helpful to understand what s actually in the AH segment. Without going into tremendous detail, let s look at the elements of the AH. Table 5.6 describes each element and its use.

Encapsulated Security Payload

AH is fine to use for authentication and integrity, but it does not provide privacy. To keep the data in a packet confidential, it must be encrypted. That s where the second IPSec protocol comes in, Encapsulated Security Payload (ESP). Like AH, ESP works in transport or tunnel mode, and like AH, ESP provides authentication, integrity, and anti-replay protection. Where ESP differs is that it provides data encryption, which AH does not. In the default transport mode, only AH will protect the IP header, so you can see why you might want to use both AH and ESP to fully protect a packet. Figure 5.3 shows the format of a packet using ESP in transport mode.

The difference between AH and ESP becomes immediately apparent when you look at the packet format because ESP appends data to the IP packet itself. The signed portion of the packet is signed for integrity and authentication. The encrypted portion provides confidentiality of the payload. ESP is used in tunnel mode when packets will be sent over an unsecured link. The packet format for ESP in tunnel mode is shown in Figure 5.4.

Notice that a new header for tunneling is added to the packet. Everything that follows, then, is signed, except for the ESP authentication trailer. The entire packet is appended with an ESP authentication trailer and then the packet is encrypted. Thus, the original IP header is encrypted as part of the encapsulated data. The new tunnel header is only used to route the packet between endpoints. Both AH and ESP can be used singly or together in tunneling mode to provide integrity, authentication, and confidentiality.

As with AH, the fields used in the ESP header have specific functions that help understand how the packet is protected. Table 5.7 describes the elements found in the ESP header, ESP trailer, and ESP authentication trailer.

Although you might not see specific questions on the format of the AH or ESP protected packets, you might see questions that ask you to assess what type of IPSec formatting is best in a given environment. Understanding how AH and ESP work alone and in combination in transport and tunnel modes will certainly give you a great understanding of IPSec and how to best implement it in your organization.

IPSec Rules

IPSec policies are applied based on rules. A rule provides the ability to create secure communication based on the source, destination, and type of IP traffic. Each rule contains a list of IP filters and a set of security actions to take. Each policy can contain one or more rules, all of which can be active simultaneously . The <Dynamic> Default Response rule is discussed later in this section, as it is present in all IPSec policies and cannot be deleted, although it can be deactivated. Each IPSec rule consists of these elements:

• A selected filter list

• A selected filter action

• Selected authentication methods

• A selected connection type

• A selected tunnel settings

  Table 5.8: Predefined IPSec Policies

  Policy Name	Description	Rules, Filter Lists, Filter Actions
  Client (Respond Only)	This policy can be used (once modified) to allow client computers to respond to security requests but not to initiate them. For example, you might have a DHCP server or Application server set to require security, and the client can respond to these requests. The policy contains the default response rule , which creates dynamic IPSec filters for inbound and outbound traffic based on the requested port and protocol being secured. If a server is locked down (discussed later in this section), the default response rule will not allow the client to communicate with that locked-down server. The default response rule is present in all IPSec policies by default. It cannot be removed, but it can be deactivated.	Rule 1 (default response rule) “ IPFilterlist <Dynamic> “ Filter Action: Default Response “ Authentication: Kerberos “ Tunnel Setting: None “ Connection Type: All
  Server (Request Security	This predefined policy is an example of a policy that could be used on computers that would prefer secure communication but would allow fallback to unsecured communication. For servers dealing with mixed clients (including down-level clients), this option provides the best balance between security and connectivity for down-level clients. There are three rules in place. The first looks at all IP traffic and requests security negotiations. If the client computer supports IPSec, a negotiation will take place. Rule 2 allows all Internet Control Message Protocol (ICMP), used to report errors and exchange limited control and status information for IP-based communications on the network. Rule 3 is the default response rule and is used to ensure a computer responds to security requests.	Rule 1 “ IP Filter List : All IP Traffic “ Filter Action: Request Security (Optional) “ Authentication: Kerberos “ Tunnel Setting: None Connection Type: All Rule 2 “ IP Filter List: All ICMP Traffic “ Filter Action: Permit “ Authentication: N/A “ Tunnel Setting: None “ Connection Type:All Rule 3 Default Response Rule “ IP Filter List: <Dynamic> “ Filter Action: Default Response “ Authentication: Kerberos “ Tunnel Setting: None “ Connection Type: All
  Server (Require Security)	Servers that transmit highly sensitive data should require secure communications. This predefined policy is an example of how such a policy can be designed. It contains three rules: Rule 1 requires secure communication, Rule 2 allows ICMP traffic, and Rule 3 is the default response rule. Computers running Windows 2000 require the High En- cryption Pack or Service Pack 2 (or higher) to be installed in order to communicate using the 3DES algorithm. If the Windows 2000 computer does not have the High Encryption Pack or SP2 installed, it will fall back to the less secure DES. Windows XP and Windows Server 2003 support 3DES, and no mod- ification or additional configur- ation is required.	Rule 1 “ IP Filter List: All IP Traffic “ Filter Action: Require Security “ Authentication: N/A “ Tunnel Setting: None “ Connection Type: All Rule 2 “ IP Filter List: All ICMP Traffic “ Filter Action: Permit “ Authentication: Kerberos “ Tunnel Setting: None “ Connection Type: All Rule 3 Default Response Rule “ IP Filter List: <Dynamic> “ Filter Action: Default Response “ Authentication: Kerberos “ Tunnel Setting: None “ Connection Type: All

Exercise 5.01: View Predefined IPSec Policy “ Server (Request Security)

1. Click Start , select Run , type mmc in the Open text box, click OK or press Enter .

2. The Microsoft Management Console opens a new console. Click File , select Add/Remove Snap-in .

3. In the Add/Remove snap-in dialog with the Standalone tab selected (default setting), click Add .

4. In the Add Standalone Snap-in, scroll down and select Group Policy Object Editor . Click Add and then accept the default select of Local Computer for the Group Policy Object . Click Finish and then click Close .

5. Local Computer Policy should be displayed in the box in the Add/Remove snap-in dialog. Click OK to close the dialog.

6. In the left pane of the MMC console, click the + to expand the Local Computer Policy node.

7. Click the + to expand the Computer Configuration node.

8. Click the + to expand the Windows Settings node.

9. Click the + to expand the Security Settings node.

10. Click the IP Security Policies on the Local Computer node .

11. In the right pane, the three default IPSec policies are displayed. In the right pane, click the Server (Request Security) , which should be the first policy listed.

12. On the menu, click Action and then select Properties . Alternately, you can right-click the policy and select Properties from the menu, or simply double-click the policy name to display the Properties .

13. The Rules tab is selected by default. Click the General tab to select it.

14. The General tab shows the policy name and description as well as the setting for how often it should check for policy changes.

15. Click the Settings button to display Key Exchange Settings . You can change settings for the authentication and generation of new keys based on time length or sessions. You can also specify methods. If you want to use Master Key Perfect Forward Secrecy (PFS), click the check box to select that setting. If you enable this setting, the session key limit is not used. If both a master key lifetime and a session limit are specified, whichever limit comes first causes a new main mode negotiation to take place. By default, IPSec policy does not specify a session limit. Clicking this box will disable the Sessions option.

16. Click the Methods button. Figure 5.5 show the Key Exchange Security Methods dialog that is displayed. Notice that the settings are for IKE and specify the security method preferences, in order. To modify a setting, click the setting and then click Edit . To add a new setting, click Add . To remove a setting, click Remove . You can also use the Move up or Move down buttons to change the order of preference. Notice as you use the horizontal scrollbar that you can modify encryption, integrity (hash), and Diffie-Hellman Group settings here.

    
    Figure 5.5: Key Exchange Security Methods Dialog

17. Click Cancel to exit the Key Exchange Security Methods dialog without accepting changes.

18. Click Cancel to exit the Key Exchange Settings dialog without accepting changes.

19. You should now be back to the Server (Request Security) Properties dialog. Click the Rules tab.

20. With the Rules tab selected, you can see the three IP Security rules defined. These match the information in Table 5.8.

21. Select the first IP Security rule, All IP Traffic , and use the horizontal scroll bar to view the various settings: IP Filter list, Filter Action, Authentication, Tunnel Endpoint, and Connection Type.

22. Click Edit to view the options on this first rule.

23. The Edit Rule Properties dialog gives you access to all the modifiable parameters. The tabs in this dialog are IP Filter List , Filter Action , Authentication Methods , Tunnel Setting , and Connection Type . If desired, look at the various options on the tabs to become familiar with the options on each.

24. Click Cancel to exit without saving changes.

25. Click Cancel to exit the Server (Request Security) Properties dialog without saving changes.

26. Close the MMC console by clicking File , then selecting Exit and clicking No when prompted to save the console.

 

As you can see, you can create intricate IPSec policies using the parameters and options we just explored in Exercise 5.01. Later, we ll create a policy so you can get some hands-on experience with creating IPSec policies.

The IPSec policy we just reviewed, Server (Request Security), contains three predefined rules, shown previously in Table 5.8. The first is to filter All IP Traffic and request security, the second is to filter All ICMP Traffic and to permit it, and the third is the <Dynamic> Default Response Rule. Let s discuss these rules in more detail.

Predefined Filter Lists

There are two predefined filter lists ”one that looks for All IP Traffic and one that look for All Internet Control Message Protocol (ICMP) Traffic.

The All IP Traffic filter list looks for all IP traffic sent or received by the computer on which the filter list (via the IPSec policy) is applied. By default, the Internet Key Exchange (IKE) traffic is excluded. Other traffic types are matched against IPSec filters. IPSec does not negotiate security associations for multicasts and broadcasts, although you can configure, block, or permit filter actions specifically for these.

The All ICMP Traffic filter list looks for all ICMP traffic (IP protocol 1) sent and received by the computer. Since this traffic is used for low-level IP communication and error reporting, it is permitted in even the most secure predefined IPSec policy.

The <Dynamic> Default Response is created automatically every time a new IPSec policy is created. It cannot be created manually. It is called the default response rule because it is used to respond to security requests when no other rules apply. You can disable this rule in the Rules tab (see Exercise 5.01 step 19). You can also modify the authentication method or the security method used by the default response rule, if needed. The <Dynamic> tag indicates that the filter list is generated automatically based on the receipt of IKE negotiation packets. The filter action of Default Response cannot be configured with the typical filter actions ( Permit , Block , or Negotiate ) . Unlike the other predefined rules, when you select a rule and click Edit (Exercise 5.01, step 23), you will only have two tabs (not five): Security Methods and Authentication Methods. To deactivate the default response, click the check box to the left of <Dynamic> to clear the check box, as shown in Figure 5.6.

Figure 5.6: Disabling Default Response Rule

Predefined Filter Actions

Microsoft provides three predefined filter actions as examples: Permit , Request Security (Optional) , and Require Security .

• Permit When the filter action is set to permit, traffic is permitted.

• Request Security (Optional) This filter action requests security when it can be negotiated and is set to Negotiate Security . There are two exceptions to negotiated security when using this setting.

  • Incoming initial traffic is allowed, and if negotiation fails after three seconds, communication is allowed with a non-IPSec-aware computer. This is also known as inbound passthrough .

  • If security negotiation fails after three seconds, negotiation is halted and unsecured communication with a non-IPSec computer is allowed. This secures traffic to all IPSec-aware computers but allows unsecured communication for non-IPSec-aware computers. This is known as fallback to clear.

    This filter action should not be used for traffic that goes through the Internet. Using this filter on Internet traffic could result in a DoS attack. If you request security and spend three seconds per negotiation, an attacker could send repeated requests that would virtually halt all other traffic.

    This setting uses a preset list of security methods during the negotiation process. The first method uses the highest security and the last uses the lowest security, as shown in Table 5.9

    Table 5.9: Security Negotiation Order of Preference

    Key Lifetimes Type	AH	ESP Encryption	ESP Integrity	(KB/sec)
    Custom	None	3DES	SHA1	100000/900
    Custom	None	DES	SHA1	100000/900
    Custom	SHA1	None	None	100000/300
    Custom	MD5	None	None	100000/300

• Require Security This filter action applies to all IP traffic and requires security using Kerberos trust. It does allow initial incoming unsecured communication (inbound passthrough ). The fallback to clear function is disabled so that no unsecured communication with untrusted clients is allowed. Traffic is secured via the Negotiate security mode in which both computers negotiate the most secure communication possible. However, if negotiation fails, a connection will not be established. This filter action should not be used on the Internet as it is vulnerable to DoS attacks since it will attempt negotiation with all incoming traffic. Table 5.10 shows the security methods used with this setting, in order of preference from highest to lowest. To create the most secure setting possible, known as lockdown , you can disable the inbound passthrough, thus disabling the ability of any unsecured traffic from being accepted. In this state, the client computer must be forced to negotiate security with the server to initiate communication. The client computers must be configured with an IPSec policy that will do this. If the client computer is configured to only use the default response rule, it will not be able to communicate with the locked-down server.

  Table 5.10: Security Methods for the Require Security Setting

  Type	AH	ESP Encryption	ESP Integrity	Key Lifetimes (KB/sec)
  Custom	None	3DES	SHA1	100000/900
  Custom	None	3DES	MD5	100000/900
  Custom	None	DES	SHA1	100000/900
  Custom	None	DES	MD5	100000/900

IP Packet Filtering

IP addresses are either local or remote addresses, meaning they originated on your network or they came from elsewhere. As you know, each IP address contains two sections ”the network ID and the host ID. IP packet filtering is used to provide a way to define exactly what IP traffic is passed through (not secured), secured, or blocked.

Each filter within the filter list describes a particular set of network traffic to be secured. The list identifies both inbound and outbound filters. Rules must always have filters to cover the traffic to which it applies. For example, if you have two computers, Black and White, and Black always wants to exchange data in a secure manner with White, the following must be set up:

• Black s IPSec policy has a filter for any outbound packets going to White.

• White s IPSec policy has a filter for any inbound packets coming from Black.

A filter contains the source and destination address of the IP packet. This setting can be set wide or narrow ”you can filter an entire network, subnet, or just a single IP address. A filter also contains the protocol being used to send the packet. The default is TCP/IP, but the filter can be modified to specify other protocols within the TCP/IP suite such as ICMP and UDP. A filter also contains the source and destination port of the protocol for TCP and UDP. The default covers all ports, but this can be modified to suit your organization s needs.

netsh Commands

The netsh.exe command can be used to work with IPSec policies and it is referred to throughout this chapter. Let s take a minute to review the netsh.exe command. netsh.exe is a command-line utility that can be used instead of the console-based management provided by the IP Security Policy Management and IP Security Monitor snap-ins in the MMC.

The netsh command has many different uses in Windows Server 2003. Each type of use is called a context . For example, you can use the DHCP context to manage DHCP, or you can use the IPSec context to manage IPSec. For more information on using the various contexts with the netsh.exe command, you can refer to the Windows Server 2003 help files. We re going to limit our discussion to the IPSec context. Support for this context was added to Windows Server 2003, providing another method of managing IPSec policy for admins more familiar or comfortable using the command-line utility. Using netsh.exe , you can configure and view dynamic or static IPSec main mode settings, quick mode settings, rules, and configuration parameters. This command-line utility is particularly useful when you want to use scripts to configure IPSec or to extend features not available via the snap-ins. These features include IKE (Oakley) logging, logging intervals, computer startup security, computer startup traffic exemptions, IPSec diagnostics, default traffic exemptions, and strong certificate revocation list (CRL) checking. To use the netsh.exe command, open a command prompt ( Start Run type in cmd OK ) and type netsh ipsec . This establishes the context for the netsh.exe command.

The command structure begins with static or dynamic mode, meaning that the syntax of the command begins in this way: netsh ipsec static or netsh ipsec dynamic . Both modes have many options. For example, in the static mode, you can add, delete, or modify a filter; add, delete, or modify a filter list; or add, delete, or modify a policy. Dynamic mode also has a long list of options you can set.

You can use the netsh ipsec static mode to create, modify, and assign IPSec policies without immediately affecting the configuration of the active IPSec policy. Using the netsh ipsec dynamic mode, you can display the active state of IPSec and immediately affect the configuration of the active IPSec policy. Dynamic commands immediately configure the security policy database (SPD) but take effect only when the IPSec service is running. If the IPSec service is stopped , the dynamic settings are discarded. A few of the dynamic commands do not take effect immediately and require that the computer or the IPSec service be restarted. It s important to note that the IPSec policy agent does not interpret netsh ipsec dynamic commands, so you need to understand the IKE main and quick mode policies to use these commands effectively. Another caution is that because almost all of these commands are executed immediately, you can create invalid IPSec policy configurations on the fly.

One important note here is that the netsh.exe commands for IPSec can only be used to work with IPSec policies on computers running Windows Server 2003. The command line to configure IPSec policies for computers running Windows XP is ipseccmd.exe . Windows 2000 computers use the command-line ipsecpol.exe

Assigning Domain-Based IPSec Policy

After you ve created your overall security plan and created IPSec policies to protect the data you want to secure, you ll need to apply the policies. In this section and the following two sections, we ll discuss, at a high level, how to apply these policies to three specific objects: domains, OUs, and local computers.

When you define IPSec via Group Policy and link the Group Policy Object (GPO) to the domain, the IPSec policy will propagate throughout the domain when the GPO is propagated. Like GPO, IPSec policy is applied from lowest to highest priority: local, site, domain, OU, persistent policy (if used). Unlike GPOs, IPSec policies from different OUs are never merged. Domain-based IPSec policies are limited to 10 rules, although Windows Server 2003 supports over 1500 rules per policy. It is recommended that you set broad IPSec policies at the domain level to reduce configuration issues and administrative overhead required to manage IPSec policy.

During the rollout phase of IPSec security, you should set your domain-based IPSec policy to Negotiate security, which allows unsecured communication with untrusted computers. This way, no computer will be blocked as you re rolling out policy. Once you re sure that all IPSec policies are being applied as expected, you can modify the security to require only secured communications. Of course, testing the policy on a single computer and monitoring results is recommended before rolling out any policies.

IPSec policies should first be applied to the domain to provide baseline security settings. Tighter IPSec filtering can be done on specific OUs that might require additional security.

Exporting and Importing IPSec Policy

Once you ve defined domain-based IPSec policy, you might want to import or export them. In order to back up or restore IPSec policy objects in the IP Security Policies container in Active Directory, you need to use the IP Security Policy Management snap-in in the MMC. You can also use the netsh.exe command-line utility with the IPSec context to perform these actions. As shown in Figure 5.9, you can import or export IPSec policy for the local computer for the domain. In this case, the IP Security Policies on Active Directory (domain) is selected. To export the policy, right-click, select All Tasks , and then select Export Policies . Notice this is also where you can create new IP security policy or manage IP filter lists and actions. If you want to create a new domain-based IP security policy, you would select Create IP Security Policy from the menu, as shown in Figure 5.9.

Figure 5.9: Export IPSec Policy via IP Security Policy Management Snap-In

When you use the Export Policies command, all IPSec policy objects are stored in one file given an extension of .ipsec. When you import policies, you can import .ipsec files into the destination policy stores. If you import IPSec policy into Active Directory (as you would do if you were to have the Active Directory level open, as is the case in Figure 5.9), you would overwrite existing IPSec policy objects. This can be good if you believe your Active Directory IPSec policy is corrupted or incorrect and you want to restore from a known good file. However, if you do not want to overwrite existing values, do not import into Active Directory. If you suspect your IPSec policies in Active Directory are corrupted, you can import the .ipsec file via the snap-in or via the netsh ipsec static importpolicy command. It s important that you leave either the snap-in or the command-line utility (depending on your method) open long enough to complete the import or export. Closing either before all IPSec policy data has been written could result in corruption.

Assigning OU-Based IPSec Policy

By default, the policies applied at the OU level override the baseline domain policies. For example, you can group all client computers into one OU and apply appropriate client-type IPSec policies to the OU. You can keep sensitive servers in another OU and apply more secure IPSec policies to this OU. You could also place sensitive client computers, such as those in Finance, Research, or Human Resources, into separate OUs and apply varying degrees of security to those OUs.

When you assign an IPSec policy within a GPO such as an OU, a pointer is recorded that points to the IPSec policy within the GPO. If you make changes to the IPSec policy, the GPO is not aware of those changes. The GPO is only aware of changes to the IPSec policy itself. The IPSec service detects changes related to the IPSec policy, and this detection interval can be specified in the General tab of the properties of the policy via the IP Security Policy Management snap-in. This interval is known as the IPSec polling interval.

Assigning Local IPSec Policy

Local GPOs can be overridden by GPOs assigned to sites, domains, and OUs when operating in an Active Directory framework. On a network without Active Directory, you can use the local policy to apply IPSec policies (and group policies) to individual computers. Every computer running Windows Server 2003 has one local GPO called local computer policy . When this is used, Group Policy settings can be stored on the local computer regardless of whether they are joined to an Active Directory domain. However, if they are joined to an Active Directory domain, local policy will be overridden by any policies with higher precedence.

Persistent policies are used on local computers as a way to secure the computer during the startup process. This policy adds or overrides the local or Active Directory policy and remains in effect regardless of whether other policies have been applied. Persistent IPSec policies provide a more secure framework because they provide a secure transition from computer startup to the application of IPSec policy. Persistent policy can also be used as a failsafe mechanism in case of corruption or errors during the application of higher precedence IPSec policy. Persistent policy can cause problems if it is the only policy applied and you are trying to diagnose a problem remotely, as the diagnostic traffic might be blocked. Persistent policies can be configured via the netsh commands. Persistent policies are stored in the computer s local Registry and are loaded by the IPSec policy agent during computer startup. The IPSec driver is set to secure mode (discussed later in this chapter) if the persistent policy is successfully applied. Although you can make changes to persistent policy at any time, changes are not implemented until the IPSec service is restarted.

IPSec Driver Modes

In understanding how policies work, it s important to understand that the IPSec driver operates in three modes: computer startup , operational , and diagnostic . Computer startup mode is used when the computer is starting up. Operational mode is used when the computer is up and running in normal operational mode. Diagnostic mode is used for troubleshooting.

Diagnostic Mode

You can use the diagnostic mode for troubleshooting to log events and errors. The IPSec driver logs can record inbound and outbound drop events on a per-packet basis during both startup mode and operational mode. Logging is disabled by default, and care should be used when enabling logging. It should not be used for extended periods of time. Depending on the level of logging you configure, your System log file can fill very quickly.

Test Day Tip

A few days before the test, review the overall process of how all the IPSec components interact, and pay special attention to the startup and operational modes of the IPSec driver. Also remember that the netsh commands for IPSec can only be used to configure IPSec policies for computers running Windows Server 2003.

Designing & Planning
What s New in IP Security in Windows Server 2003

There are changes to the implementation of IP Security in Windows Server 2003 that can impact how IPSec works with computers running earlier versions of Windows, including Windows 2000 and Windows XP. Since you re likely to see this kind of information included in questions on the exam and run into these issues on the job, it s important to review the changes related to deploying IPSec in Windows Server 2003. These are summarized in Table 5.11.

 

Table 5.11: New IPSec Features in Windows Server 2003

New IPSec Feature	Description and Use Guidelines
Default exemptions have been removed.	Windows 2000 and Windows XP contained default exemptions for IPSec filtering. Specifically, these operating systems exempted broadcast, multicast ISAKMP,Kerberos, and Resource Reservation Protocol (RSVP) traffic. In Windows Server 2003, only ISAKMP traffic is exempt by default.
netsh enables command-line support for IPSec.	The netsh.exe command-line utility now has an IPSec context, which allows you to run IPSec-related commands from within this utility. Previous versions of Windows used different commands, Ipsecpol.exe and Ipseccmd.exe .
IPSec filters update IP configurations of partners .	The source or destination address fields that a computer interprets as the DHCP server, DNS server, WINS server, or default gateway can be configured using the IP Security Policy Management snap-in or the netsh.exe command. IPSec policies can now automatically manage changes in the IP configuration of the source or the destination by using DHCP or static IP configurations.
Network Address Translation traversal (NAT-T) support added.	IPSec in Windows Server 2003 now supports ESP-protected IPSec traffic passing through a NAT. Some applications might not work if their traffic is protected with IPSec ESP and passed through a NAT. IKE detects NATs and uses EDP ESP encapsulation to send all user data via UDP port 4500. The use of the AH protocol through a NAT is not supported.
Resultant Set of Policy (RSoP) now supported for IPSec.	The RSoP snap-in is used to view the results of various policies applied to a computer to address unanticipated results. Support of IPSec policies has been added in Windows Server 2003.
Support for Diffie-Hellman Group 2048.	The DH Group 2048 provides high security via the use of 2048-bit keying material to create security algorithms. Previous operating systems only supported DH Groups 1 and 2.
Persistent IPSec policy is supported.	Persistent IPSec policy is policy that is present during computer startup, before other policies are applied. Persistent IPSec policy can be used to protect the computer during the startup process. Admins can also force local IPSec policy to be applied when Active Directory policy is applied. Typically, Active Directory policy would override any local policy.
Stateful filtering of network traffic during startup.	IPSec in Windows Server 2003 now supports stateful filtering during startup. It permits only outbound traffic the computer initiates during startup and the inbound traffic sent as a response.
IP Security Monitor snap-in added.	This provides more detail about IPSec than the previous utility Ipsecmon.exe .

IPSec Best Practices

Microsoft outlines several best practices related to implementing IPSec.

• Establish an IPSec deployment plan As we discussed earlier, planning is a critical part of the process in developing security plans.

• Create and test IPSec policies for each deployment scenario Before deploying IPSec, all scenarios should be tested in a lab environment.

• Do not use pre-shared keys These are stored in plain text and provide relatively weak authentication. Pre-shared keys should be used only for testing. In a live environment, certificates or Kerberos v5 should be used.

• Do not use Diffie-Hellman Group 1 (low) DH Group 1 only provides 768 bits of keying strength. In today s demanding environment, use Group 2 (medium) for interoperability with Windows 2000 and Windows XP, or Group 2048 (high) for strong security using 2048 bits of keying strength. DH Group 2048 is only provided in Windows Server 2003.

• Use Triple Data Encryption Standard (3DES) This uses a stronger encryption algorithm than does DES. Use 3DES for enhanced security. Windows 2000 computers must have the High Encryption Pack or Service Pack 2 installed in order to use 3DES. If the High Encryption Pack or Service Pack 2 is not installed, the security is set to the weaker DES. If not all computers support 3DES, use DES. Windows XP and Windows Server 2003 computers support 3DES by default.

• For computers connected to the Internet, do not send the name of the Certification Authority (CA) along with the certificate request For computers connected to the Internet, enable the option to exclude the name of the CA from the certificate request to protect sensitive information about trust relationships from intruders.

• For computers connected to the Internet, do not Kerberos v5 as an authentication method The computer identity is sent unencrypted until encryption of the entire payload occurs. This leaves the computer identity exposed during the authentication process. To secure computers connected to the Internet, use certificate authentication instead.

• For computers connected to the Internet, do not allow unsecured communication You should disable the option to accept unsecured communication but respond with IPSec . Disabling this will prevent DoS attacks. Also disable the option to allow unsecured communication with non-IPSec-aware computers . If this option is not disabled, you are allowing unsecured communication. This is appropriate only in environments where IPSec is not needed.

• Restrict the use of administrative credentials Administrative credentials can be used to attack the system, so these credentials should be restricted and monitored .

• Test IPSec policy thoroughly when working with different versions of the Windows operating system Not all IPSec features are supported in all versions of Windows; thorough testing will prevent problems for users and problems with security.

• Use the IPSec Policy Management console in Windows Server 2003 to manage IPSec policies This console provides for streamlined IPSec policy management. Be sure to use the console in Windows Server 2003, since earlier consoles lack features found in Windows Server 2003 and will not support newer IPSec features.

• Use Terminal Server to remotely manage and monitor IPSec on computers running different versions of Windows Remote management and monitoring of IPSec is only supported on computers running the same versions of the Windows operating system. To remotely manage IPSec on computers running a different operating system, use Terminal Server.

  Exam Warning

  As with other details of IPSec, the exam won t test you directly on your knowledge of these individual elements. However, whenever Microsoft publishes best practices, you can be sure you ll see questions on the exam that test your understanding of these best practices in scenario questions. Make sure you re familiar with these recommendations and keep them in mind when answering exam questions.

Configuring IPSec Policy

You can configure IPSec policy in one of two ways. You can create a new policy, define rules, and then add filter lists and filter actions. You can also create filter lists and filter actions and then create policies and add rules that combine the filter lists and actions. Use whatever method makes the most sense for your particular needs. Using the first method, you ll add filter lists and filter actions during the rule creation. Using the second method, IPSec policies are created and rules are added that combine the desired filter list with desired filter action. Once IPSec policies are configured, they must be assigned.

IPSec policies can be configured via the IP Security Policy Management snap-in in the MMC or via the netsh command-line.

Assigning IPSec Policy

Once IPSec policies have been created, the list is available to assign to any level of the Active Directory hierarchy, but only one policy can be assigned at any given level in Active Directory. IPSec policy applied to an OU takes precedence over domain-level policy for members of the OU, which is why servers should be placed into OUs. You should also apply IPSec policy to the highest OU possible to avoid dealing with potential IPSec policy conflict and to ease security administration. A child OU will inherit the IPSec policies from its parent OU unless policy inheritance is explicitly blocked or explicitly assigned. Before assigning an IPSec policy to a GPO, make sure the GPO meets the requirements of the IPSec policy. For example, if your IPSec policy requires the use of a computer certificate, make sure the computer has a certificate. Finally, since an IPSec policy might remain active even after a GPO to which it is assigned is deleted, you should get in the habit of unassigning the IPSec policy first and then delete the GPO. Typically, you should wait 24 hours before removing the GPO to make sure changes have been propagated successfully.

Keep in mind that when policies are changed, the IPSec service might be forced to delete an existing Security Association (SA) and re-establish the SA. In this case, communication between the two computers will be terminated until a new SA is negotiated based on the new IPSec policy.

Exercise 5.02: Exploring the IP Security Policies snap-in

Before you create specific IPSec policies, rules, filter lists, and filter actions, you ll need to be familiar with the IP Security Policies snap-in in the MMC. This exercise will help familiarize you with this snap-in.

1. Click Start , select Run , and in the Open box, type in mmc , and then press Enter or click OK to open the MMC.

2. A new console is opened by default. Click File and then select Add/Remove Snap-in .

3. In the Add/Remove Snap-in dialog, click the Add button.

4. In the Add Standalone Snap-in dialog, scroll down to locate and select the IP Security Policy Management snap-in. Click Add to add the snap-in.

5. The Select Computer or Domain dialog will open. This allows you to select which computer or domain the snap-in will manage. You can manage policies on the local computer (the default setting) or you can select the Active Directory domain the computer belongs to, a different Active Directory, domain or another computer. Accept the default ( Local computer ) and click Finish. The Select Computer or Domain dialog closes , returning you to the Add Standalone Snap-in dialog.

6. The active dialog is the Add Standalone Snap-in dialog. Click Close to return to the Add/Remove Snap-in dialog. Click OK to close this dialog and return to the MMC.

7. Click IP Security Policies on Local Computer in the left pane to select this snap-in. By clicking it, you cause the default policies to be displayed in the right pane. You should see Server (Request Security) , Client (Respond Only) , and Secure Server (Require Security) . Following each is a description. You can adjust column widths by positioning your mouse over the vertical line separating labels in the gray header area (Name, Description, Policy Assigned, etc.) and left-clicking and pulling to the left or right.

8. Locate Server (Request Security) and double-click that policy to display the properties. Alternately, you can select the policy, right-click, and then select Properties from the menu.

9. The tab selected by default is the Rules tab, which displays the IP Security rules that are part of this policy. Each rule contains several elements: IP Filter List, Filter Action, Authentication, Tunnel Endpoint, and Connection Type.

10. Select the General tab by clicking it. This tab displays the policy name, description, and how often it will check for policy changes. The default value is 180 minutes, or every three hours.

11. You can configure additional settings for the key exchange by clicking the Settings button. Click the Settings button to display Key Exchange Settings .

12. You can change settings for the Key Exchange in this dialog. Click the Methods button to display the IKE security methods options.

13. In the Key Exchange Security Methods dialog, you can set the preference order for key exchange. The default settings are shown in Figure 5.11.

    
    Figure 5.11: Default Settings for Key Exchange Security Methods for Default IPSec Policy

14. Use the horizontal scroll bar to view all the fields, which include Type, Encryption, Integrity, and Diffie-Hellman Group. Individual algorithms can be modified by double-clicking the desired algorithm or by clicking the Edit button. Each drop-down list shows choices we ve discussed earlier in this chapter. Take a moment to click each drop-down arrow and view the choices. Test your recall of each of these elements by reciting to yourself the definition and use of each element. The choices you should see are Integrity Algorithm “ MD5 or SHA1, Encryption Algorithm “ 3DES or DES, Diffie-Hellman group “ Low (1), Medium (2), or High (2048).

15. To avoid making any changes, click Cancel to exit. Click Cancel to exit the Key Exchange Security Methods dialog. Also click Cancel to exit the Key Exchange Settings dialog.

16. You should now have just the Server (Request Security) Properties dialog open. Click the Rules tab to select that tab.

17. The IP Security rules list contains three rules. Double-click the first rule All IP Traffic to display the properties for editing. Alternately, you can click the first rule then click the Edit button below.

18. The Edit Rule Properties dialog is displayed. There are five tabs in this dialog: IP Filter List is selected by default. The other tabs are Filter Action, Authentication Methods, Tunnel Setting and Connection Type, all the fields shown in the Rules dialog. The IP Filter List, Filter Action, and Authentication Methods tabs have options that you can drill down through to view the many different options you can set. Click Cancel to exit these without changing settings. Click Cancel to exit the Edit Rules Properties dialog and return to the Server (Request Security) Properties dialog.

19. Before we close this dialog, notice the check box in the lower-right corner labeled Use Add Wizard . When this box is selected, the Security Rule Wizard will be opened when you click the Add button. If you deselect this check box, a New Rule Properties dialog will be displayed. This has the same options as the Edit Rule Properties we just explored. You can select the options you want and then click OK to accept or Cancel to exit without saving the rule. When first working with IPSec policies and rules, you might want to use the Security Rule Wizard to step you through creating a new rule. Click Cancel to exit any open dialogs and return to the MMC.

20. To access the various options within the console related to the IP Security Policies on the Local Computer, right-click the selection (IP Security Policies on Local Computer) or click Action from the menu.

21. Click Action and select All Tasks .

22. Notice the actions you can take ”you can create a policy, manage filter lists and actions, restore defaults, and import and export policies.

23. Exit the MMC by clicking File and then selecting Exit . Click No when prompted to save the console.

 

As you can see, many levels of options can be configured within the IPSec policies. To keep things simple and make configuring, managing, and troubleshooting IPSec policy easier, make sure you define the fewest possible number of IPSec policies to meet your security needs, apply them at the highest possible level, and apply them to computers in similar roles via the use of OUs. Now you re ready to begin configuring IPSec policy for computers.

Objective 3.1.2: Designing IP Filtering

When designing IP filtering, there are a few design suggestions that will make your task easier. These are delineated in Table 5.12 and describe recommendations for both filter lists and filter actions.

As you can see, there are many TCP and UDP ports defined. The list in Table 5.13 is just a small portion of the entire list maintained by IANA. However, it s helpful to know what TCP and UDP ports are used for which common network functions so you can properly block or permit that traffic. It s also important to understand that TCP and UDP ports can be reserved (port numbers above 1000), and the highest number defined is 65535. Individual companies such as Cisco, Microsoft, and Hewlett-Packard (and hundreds of others) can reserve TCP and UDP port numbers for specific applications. This is also important to know as a network administrator. For example, suppose the director of the Research department comes to you and asks to install an instant messaging (IM) program for the researchers to use in her department. You do some research and find this program uses UDP port 334 for communicating. You could permit UDP port 334 traffic on the research segment but could block it at the gateway or router to keep IM local to that segment. This is an example of a UDP port being used for a particular application and one that might not be one of the more well-known ports.

Objective 3.1.1: Configuring a Firewall Configuration

Firewalls can be used between segments of a network or, more commonly, to protect the corporate network from the Internet. Since the firewall by definition provides a security boundary, configuring IPSec for a firewall makes sense. First, let s look at the firewall function in Windows Server 2003.

Windows 2000, Windows XP, and Windows Server 2003 all included a host-based firewall, often referred to as distributed firewall software or personal firewalls , called Internet Connection Firewall (ICF). Originally designed for home users, businesses found it useful to employ the ICF to provide an additional layer of protection against attack. ICF is a basic firewall program designed to prevent basic intrusion, but it does not include the robust features of full firewall applications. Most third-party firewall applications protect computers from software that could violate user privacy (including spyware, Trojan horses, etc.) or allow an attacker to misuse the target computer. ICF does not provide these features.

Most businesses separate their internal network from the Internet as a common sense security measure. This is typically done using firewalls that block traffic sent to specific ports or protocols. However, corporate networks have gained a level of complexity that often makes it difficult to protect sensitive data at all times. This is especially true because it s difficult, if not impossible, to know every single port that is carrying important information or that needs to be secured. IPSec allows you to provide broader coverage than a firewall might by allowing you to permit, block, or negotiate security for unicast IP traffic.

The difference between IPSec and ICF is that IPSec provides complex static filtering based on IP addresses, and ICF provides stateful filtering for all addresses on a network interface. IPSec is often used in intranets to secure communication between two trusted computers using the Kerberos service or for specific paths across the Internet where PKI can be used. To secure communication via remote access, you would more likely use L2TP/IPSec for VPN connections. This configuration does not require the creation and deployment of IPSec policies. We ll discuss this to some extent later in this chapter when you learn about securing a wireless network.

By default, Windows Server 2003 only exempts IKE traffic from filtering. IKE traffic is needed to establish secure communication channels between two computers so secure data can be exchanged. However, you can modify this to remove the exemption and require all traffic to be secured. If you do this, you must configure a IPSec policy on client computers in order for secure communications to be successfully negotiated. The < Dynamic > Default Response rule will not allow a successful negotiation when the server is locked down. For firewalls and servers sitting on the Internet, removing this exemption is the most secure configuration. Leaving this setting as is can expose the server to a DoS attack. For servers not on the Internet or not acting as firewalls, it is acceptable to allow IKE traffic to be unsecured but to require all other data be secured by IPSec.

To configure a firewall between IPSec computers, it must be configured to:

• Forward inbound and outbound IPSec traffic on UDP source and destination port 500. This allows ISAKMP traffic to be forwarded.

• Forward inbound and outbound IP protocol 50 (ESP).

• Forward inbound and outbound IP protocol 51 (AH).

• Forward inbound and outbound UDP source and destination port 4500.

  Although we re not specifically discussing NAT in this section, it should be noted that if you re using NAT-Traversal (NAT-T), you must also configure forwarding on UDP source and destination port 4500.

IPSec can be routed as normal IP traffic, although the forwarders do not have the ability to examine the packet if it is encrypted with ESP. When there is a firewall or gateway in the path of the IPSec traffic, IP forwarding must be enabled at the firewall as described. L2TP/IPSec traffic looks like IPSec traffic. The firewall forwarding L2TP/IPSec traffic should be configured to allow IKE (UDP port 500) traffic as well as IP protocol 50 (ESP).

In some cases, it might be necessary to allow Kerberos traffic through the firewall as well. In this case, permitting forwarding of UDP and TCP port 88 should also be configured.

Common Threats to DNS

There are a number of common threats to DNS that must be considered and mitigated when planning security for the enterprise. Table 5.14 shows the common threats and how hackers can exploit these threats. We ll look at ways to mitigate these threats in a moment.

To properly protect the DNS server service on your network, you must address security at these levels: DNS namespace, DNS server service, DNS zones, DNS resource records (RR), and DNS clients. Let s look at each of these in more detail.

Single Namespace

A single domain namespace is what you are assigned if your company registered for a domain name. Even in a small company, if you are connected to the Internet, you should separate your namespace into one or more namespaces to designate internal and external names.

Delegated Namespace

You can divide the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. The decision to delegate the namespace is typically dependent on whether you need to delegate management of part of the namespace for administrative ease, whether you need to divide a large zone for better DNS service (response time, replication time, etc.), or whether you want to extend your namespace with subdomains to accommodate organizational needs.

Internal Namespace

An internal namespace is the namespace you define for your private corporate network. Companies configure these differently, but one common example is to create separate namespaces for separate segments of the business. This can be a fairly flat system or a deeper hierarchy, depending on your organization s needs. For example, your external namespace, as regulated by ICANN, might be somecompany.com. You might choose to create a subdomain (internal namespace) for each division: Finance, Sales, Human Resources, Service, and Manufacturing. Within each of those subdomain namespaces, you can create additional namespaces. For example, you might have na.sales.somecompany.com for North American sales, eu.sales.somecompany.com for European sales, and so forth. All of these are internal namespaces and must be protected. This is exactly the kind of information a hacker would seek to learn via footprinting.

Segmented Namespace

You can split your namespace between internal and external DNS servers. Your external DNS is the root domain, and your internal space is a subdomain of the external space. For example, if your external namespace is somecompany.com, your internal namespace can be defined as corp.somecompany.com. The internal namespace is managed by internal DNS servers behind a firewall, and resolution from external DNS servers to a corporate address occurs from the external DNS server to the internal DNS server via queries.

Securing the Namespace

To secure the DNS namespace, you should separate DNS servers that must resolve names on the Internet from those that do not. By separating internal and external DNS servers, you can restrict external contact to the internal DNS servers. Hosting your internal name space on internal servers and your external name space on external servers will create a first line of defense. To resolve queries for external names made internally, you configure internal DNS servers to forward external queries to external DNS servers for resolution. External hosts use only external DNS servers for name resolution.

For example, by using a segmented namespace, you can create these namespaces: somecompany.com, corporate.somecompany.com, and operations.somecompany.com. The somecompany.com namespace could be on an external DNS server and could resolve external Internet queries. The corporate and operations subdomains would be hosted on internal DNS servers. One DNS server would be the primary master for corporate.somecompany.com, and another would be the secondary server for the subdomain namespace. A second DNS server (perhaps the secondary just described) would be the primary master for the operations.somecompany.com, and the other DNS server would be the secondary for this subdomain. However, in no case does either DNS server resolve Internet name queries ”these are all forwarded to the external DNS server.

For external queries for internal namespace resolution, you should configure the external DNS server to send those queries to only one internal DNS server designated for this role. Configure a packet-filtering firewall to allow only UDP and TCP port 53 communications between your external DNS server and a single internal DNS server. This allows external queries for internal resources but prevents other external computers from gaining access to the DNS namespace.

SSL/TLS

The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol is typically used to secure HTTP/HTTPS traffic on Web sites. However, SSL/TLS works below the application layer in the TCP/IP stack and can be used transparently by applications that require security for application layer protocols such as FTP, LDAP, or SMTP. SSL/TLS provides server authentication, optional client authentication, data encryption, and data integrity. SSL/TLS can be used to protect against masquerade attacks, man-in-the-middle attacks (sometimes called bucket brigade attacks), and rollback and replay attacks.

SSL was originally developed by Netscape Communications Corporation to secure transaction over the Web. The current version is SSL 3.0. An earlier version, SSL 2.0, is still in use. After SSL was devised, the IETF created a standard for similar functionality called the Transport Layer Security protocol. Although there are subtle differences between SSL 3.0 and TLS 1.0, they are often referred to as SSL/TSL. TLS uses a keyed-hashing for Message Authentication Code, referred to as HMAC. SSL 3.0 uses the Message Authenticate Code (MAC) algorithm. The HMAC s keyed hashing makes it harder to break because the hash algorithm is used in combination with a shared secret key, and both parties must have the same shared secret key to prove the data is authentic .

SSL/TLS works between the application layer and the transport layer and includes two layers of its own: the handshake layer and the record layer. The handshake layer is responsible for setting up the secure connection, and the record layer contains the data. The handshake layer manages the authentication, encryption, and hash algorithms.

Authentication via SSL/TLS is accomplished using an X.509 certificate issued by a CA. Both symmetric and asymmetric keys are used for encryption in SSL/TLS. Symmetric keys, known also as shared secret keys, use the same key to encrypt and decrypt the message. Asymmetric keys use different keys to encrypt and decrypt the message. Typically, one of the keys is a public key and the other key is known only to the owner of that key (private key).

The hash algorithm used is either Message Digest 5 (MD5) or the Standard Hash Algorithm 1 (SHA1). MD5, as you recall, generates a 128-bit hash value, and SHA1 generates the stronger 160-bit hash value. In addition, the SSL/TLS hash algorithm includes a value that checks integrity of the data. TLS uses HMAC and SSL uses MAC. Although HMAC is stronger, both are acceptable hash algorithms to use. Windows Server 2003 supports using SSL and MAC.

Using SSL/TSL provides several important benefits that might make it an appropriate security technology in your organization.

• Strong authentication, message integrity, and privacy SSL/TLS provides the ability to transmit secure data using encryption. It also provides server authentication and optional client authentication to prove that the parties involved in the communication are who they say they are. This is accomplished through the use of digital certificates. Data integrity is provides through an integrity check function, similar to that used in the IPSec AH or ESP protocols.

• Algorithm flexibility SSL/TLS provides the ability to select authentication methods, encryption algorithms, and hashing algorithms to be used during the secure session.

• Easy to deploy and use Deploying SSL for secure browsing in Windows Server 2003 requires that you check a check box to enable this security feature via IIS. Since SSL/TLS resides below the application layer, it is transparent to applications and users and requires no user interaction to enable the secure communication. Although it can be used with various applications and application layer protocols, those applications must be written to use SSL/TLS.

However, there are two notable drawbacks to using SSL/TLS:

• Increased CPU utilization As with any encryption system using public keys, the use of SSL/TLS requires additional CPU processor cycles creating overhead that must be anticipated and managed. The increased processor time to manage SSL/TLS is greatest when connections are being set up.

• Administrative overhead SSL/TLS uses certificates and certificate-based systems require regular maintenance to configure the system and manage certificates.

Configuring SSL/TLS

You can configure SSL on your Web server but must first obtain a valid certificate. You can use the Web Server Certificate Wizard in Windows Server 2003, or use a third-party company to obtain a certificate. After you ve obtained and installed your certificate, you can enable SSL in IIS.

Exercise 5.03: Objective 3.3: Configuring IIS to Use SSL

Follow these steps to configure your Web server to use SSL in IIS. If you do not have your server configured as an IIS server or if you do not have a valid certificate, you will be unable to perform all of these steps. Review them even if you cannot perform them on your system, as you will likely need to know this information for the exam.

1. Click Start Administrative Tools Internet Information Services (IIS) Manager .

2. Expand the IIS node in the left pane to display the three subnodes: Application Pools , Web Sites , and Default Web Site .

3. Click the + to expand Web Sites, and select the Web site to which you want to add SSL. Right-click on that Web site and select Properties .

4. The [Name] Web Site Properties dialog is displayed. In the Web site identification section on the Web Site tab, click Advanced , as shown in Figure 5.12.

   
   Figure 5.12: Web Site Properties Dialog

5. In the Advanced Web site identification box, under Multiple identities for this Web site, verify the address for the IP address is assigned to port 443, the default port for secure communications. Click OK .

6. To configure additional SSL ports for this Web site, click Add under Multiple Identities of this Web site . Configure additional ports, and then click OK .

7. On Directory Security , under Secure Communications , click Edit .

8. Click to select the check box labeled Require secure channel (SSL) in the Secure Communications box, as shown in Figure 5.13.

   
   Figure 5.13: Require Secure Channel (SSL) Configuration

9. To enable SSL client Certificate authentication and mapping, click the check box for Enable client certificate mapping and click Edit .

10. If you click the check box labeled Required 128-bit encryption , the browser must support 12-bit encryption.

11. On the Secure Communications dialog, you can also specify how to handle client certificates: ignore , accept , or require . Requiring client certificates provides the most secure solution and is appropriate for limiting access to the site.

12. You can enable client certificate mapping, which allows access control to resources using client certificates that can be mapped to user accounts.

13. You can enable a trust certificate list by clicking the check box labeled Enable certificate trust list . A certificate trust list is a signed list of root certificate authorities that have been deemed reputable by the administrator.

14. Click OK to accept changes or Cancel to discard changes in the Secure Communications dialog.

15. Click OK to accept or Cancel to discard changes to the [Name] Web Site Properties dialog.

16. Click File Exit to close the IIS Manager console.

 

There are a number of different scenarios in which you might elect to implement SSL/TLS. For example, it s fairly common to see SSL/TLS implemented on Web sites (HTTPS) to provide secure communications with a Web site, particularly when securing an e-commerce transaction. Today, almost all e-commerce servers use SSL/TLS to secure username, password, and credit card transaction information. Although e-commerce is the most predominant and visible application of SSL/TLS, there are other scenarios in which using this security protocol makes sense.

• Authenticated client access to a secure site You can provide access to authenticated clients to a secure site by requiring both client and server certificates and by mapping those certificates. Client certificates can be mapped on a one-to-one basis or a many-to-one basis via Active Directory Users and Computers. You can create a group of designated users, map the users certificates to the group, and give the group permission to access the secure site.

• Remote access SSL/TLS provides authentication and data protection for remote users logged in to Windows-based systems. E-mail and other applications that use SSL/TLS provide security by requiring authentication and data encryption.

• SQL access SQL Server administrators can require client authentication when clients attempt to connect to SQL Server. Either the client or the server can also be configured to require encryption of the data transferred. This is an important feature for SQL databases that contain sensitive information such as payroll, financial, or medical records.

• E-mail Microsoft Exchange servers can use SSL/TLS to protect data between servers on the Internet or on the internal intranet. End-to-end security is best accomplished with Secure/Multipurpose Internet Mail Extensions (S/MIME) , discussed in the next section. However, data between servers can be secured via SSL/TSL regardless of whether S/MIME is implemented.

S/MIME

S/MIME is used to secure e-mail traffic from one end to the other. As mentioned earlier, SSL can be used to secure server-to-server traffic, but S/MIME is best suited for end-to-end security.

S/MIME is an extension of MIME that supports secure e-mail by enabling the e-mail originator to digitally sign an e-mail to provide proof of both origin and message integrity. It also enables e-mail to be encrypted to provide confidential communication via the Internet. Microsoft Exchange Server 2000 and Exchange Server 2003 both support S/MIME. However, one notable change from Exchange Server 2000 to Exchange Server 2003 is that Key Management is replaced by Certificate Services. Another significant change in Exchange Server 2003 is that it extends the scope of client support by the Microsoft Office Outlook Web Access S/MIME ActiveX Control. This enables Internet Explorer 6 SP1 and later Web clients to send and receive secure S/MIME e-mail. Discussing Exchange Server is outside the scope of this chapter, but it s important that you understand what S/MIME is and in what scenarios it makes sense to use it since you will undoubtedly run into questions related to or involving S/MIME on the exam.

SMB Signing

The Server Message Block (SMB) protocol provides the basis for file and print sharing and remote Windows administration. SMB signing can be implemented to prevent man-in-the-middle attacks because the data in transit is protected. SMB support the digital signing of SMB packets to prevent modification while SMB packets are in transit. As with most security measures, there is a balance between requiring SMB security and system performance.

If you think back to Chapter 2, you ll recall that Server Message Block Signing is negotiated in the secure*.inf predefined security template and is required in the hisec*.inf predefined security template. These settings can be implemented via the predefined security templates, security templates you create, or via Group Policy. It is recommended that you configure these settings inside a security template or group policy to make managing security more streamlined and consistent. To configure these settings via security templates, use the Security Template snap-in in the MMC. To configure these settings via group policy, open the appropriate policy via the Group Policy Editor snap-in in the MMC and expand the console tree in this manner: Computer Configuration Windows Settings Security Settings Local Policies Security Options .

There are four settings related to Server Message Block Signing, as shown in Figure 5.14. By viewing these settings within the predefined security template, securews.inf, you can see exactly how these settings relate. Each of these policy settings can be Enabled, Disabled, or Not Defined. When Enabled, the setting is enforced via the template or group policy. When Disabled, the setting is not enforced. When Not Defined, the check box for that policy has been cleared and that policy is no longer defined in the security database.

• Microsoft network client Digitally sign communications (always)

• Microsoft network client Digitally sign communications (if server agrees)

• Microsoft network server Digitally sign communications (always)

• Microsoft network server Digitally sign communications (if client agrees)

These settings must be used in certain combinations for communication to be successful. Table 5.19 outlines these combinations and the results. The if server agrees or if client agrees option essentially enables SMB signing on that computer. If this setting for either the client or server is disabled, SMB signing is disabled on the computer. This is the default setting (SMB disabled) for member servers.

Figure 5.14: Server Message Block Signing Options

* The Microsoft network server: Digitally sign communications node is implied .

** The Microsoft network client: Digitally sign communications node is implied.

By default, client-side SMB signing is enabled on workstations, servers, and DCs. This means the default setting for the client side is Microsoft network client: Digitally sign communications (if server agrees) . By default, server-side SMB signing is only enabled on DCs, and is disabled by default for member servers. This means the default setting for DCs is Microsoft network server: Digitally sign communications (if client agrees) is enabled and the default setting for member servers is Microsoft network server: Digitally sign communications (if client agrees) is disabled .

What this means is that essentially, all computers (running Windows NT or later) can sign SMB packets, if requested, without further configuration. DCs, by default, are the only servers that are configured to use (enabled) SMB signing. Other computers can be configured to use SMB signing, either as an option or as a requirement. An example of a use for this is a member server that stores sensitive research data. You can configure this server to always require SMB signing. You can either use the default client-side setting, which will use SMB because SMB signing is enabled by default, or you can require SMB signing on the client side as well.

Port Authentication for Switches

Network switches are commonly used to filter network traffic, reducing traffic to segments by filtering or blocking traffic that is not addressed for a particular network segment attached to the switch. Switches effectively segment a network. However, most switches send and received packets to and from any node (computer) attached to the switch. In less secure locations within a corporation, unauthorized users could gain access to the network via a switch. For example, conference rooms, lobbies , or shipping/receiving docks are all places a switch might be located to which outsiders have easy, often unchecked access. In these cases, securing the switch traffic can help secure the network.

Newer switches can be configured to require switch node authentication and authorization before data is transmitted from the network to the node attached to the switch. To accomplish this, each switch is required to have a user account database, but this becomes an administrative nightmare pretty quickly. Newer switches can now be RADIUS clients (in Microsoft, those are IAS clients), using the RADIUS protocol to send connection requests and accounting messages to the RADIUS server. RADIUS servers have access to user account databases and can better manage this data. The RADIUS server can then receive and process the switch s request for a connection and accept or reject it based on stored credentials.

IAS supports switch access authentication via Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Ethernet port type, or virtual local area network (VLAN).

• EAP-TLS is used to provide certificate-based authentication for either the computer or the user.

• Ethernet port type is typically used when configuring remote access policies. Using this port type, you can create various remote access policies that contain connection parameters specifically designed for switch nodes.

The use of VLAN switching is determined by whether or not the switch access client is authenticated.

Objective 1.2.3: Using Segmented Networks

One of the most common methods of securing network data is to segment the network into smaller sections. Switches, routers, gateways, or firewalls can be configured in between these network segments to manage traffic between and among various network segments. This can be especially helpful for computers in a particular department that require additional security. By placing these computers on a network segment, traffic to and from that segment can be filtered via the gateway.

When traffic for a host on another network or network segment is sent from a host, the packet goes to the host s default gateway. The IP address of a packet is compared to the host s IP address and subnet mask. If the network ID matches, the packet is destined for a computer on the local segment and is not passed on to the gateway. If the network ID does not match, the packet is forwarded to the default gateway for routing to the intended host.

Segmenting a network also improves the efficiency of the network because multicast and broadcast traffic is kept on the local segment, preventing it from being transmitted across the entire network. By segmenting a network, local traffic stays local and remote traffic is forwarded to the gateway. The gateway can be configured to block or permit different types of traffic to protect network segments from either receiving or sending data to unauthorized networks, segments, or hosts.

Types of Wireless Networks

There are essentially four types of wireless networks, based on their range or scope:

• Wireless personal area networks (WPANs)

• Wireless local area networks (WLANs)

• Wireless metropolitan area networks (WMANs)

• Wireless wide area networks (WWANs)

A WPAN connects wireless personal devices such as cellular phones, personal digital assistants (PDAs), laptops, or wireless printers. WPANs operate using either infrared or radio frequency (RF). Bluetooth is one example of a radio-frequency-based WPAN and is defined by the IEEE 802.15 specification. Most WPANs provide connectivity up to about 30 feet and, because it uses RF, it can penetrate walls, pockets, and briefcases. Infrared WPANs are limited to line-of-sight and at a distance generally not greater than about three feet. Wireless keyboards and mice often use infrared.

WLANs are designed to provide connectivity to a local area, typically defined as a building or office. WLANs are based on the 802.11 standard. IEEE 802.11 WLANs original throughput was about 1 “2Mbps. Current throughput via the802.11g standard is about 54 Mbps and the range is about 300 feet. Special antennae can be used that boost the range up to five kilometers. A WLAN is implemented by attaching wireless access points (WAPs) to the wired LAN. Wireless users connect via a WAP to the LAN. Some implementations can be peer-to-peer WLANs. Wireless bridges can also be used to connect devices to the wireless network or to connect two wireless networks together.

WMANs connect buildings within a campus or city through infrared or radio frequency. The infrared implementation has limitations due to the requirement to have line-of-site for connectivity. RF is subject to interference from other devices that might operate at the same or nearby frequencies. RF WMANs include multichannel multipoint distribution services (MMDS) and local multipoint distribution services (LMDS), al though a standard for this has not yet been finalized.

WWANs have existed for a while and are most commonly implemented via cell phones. The current technology is not standardized and there are several companies and/or technologies vying for their place in the standard. These technologies are all referred to as second generation (2G), and the International Telecommunication Union is working on a third generation standard known as 3G. Current technologies include Cellular Digital Packet Data (CDPD and Code Division Multiple Access (CDMA).

Public Key Infrastructure

A PKI consists of certificates, CAs, and other registration authorities (RAs). Together, these verify and authenticate the identity of each party. Standards for PKI are evolving, but support for PKI is implemented in Windows Server 2003 and Windows XP. Although earlier versions of Windows supported elements of PKI, Windows Server 2003 and Windows XP use the latest features in PKI technology.

PKI is used in a number of different ways in Windows Server 2003. For example, it can be used to secure a wireless network, as we re discussing. It is also used to implement secure e-mail via S/MIME and to secure Web traffic via SSL and TLS, all discussed earlier. You can use PKI to implement smart cards for strong authentication as well as to implement EFS and IPSec.

Remote Authentication Dial-In User Service and Internet Authentication Service

RADIUS is a protocol defined by IETF RFCs 3865 and 2866. RADIUS is implemented in Windows Server 2003 as IAS, which is why you often seem them referred to together. RADIUS is used to provide centralized authentication, authorization, and accounting for dial-up access, VPNs, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, wireless network access, and other network access methods.

RADIUS is implemented in a client/server model. The RADIUS server provides the authentication, authorization, and accounting services to RADIUS clients. RADIUS clients are typically remote access servers (RAS), VPN servers, or wireless access points (WAP). When a user wants to access the network, the user connects to the RADIUS client (again, RAS, VPN, WAP, etc.) and the authentication credentials and connection information are sent to the RADIUS server for verification. The RADIUS server authenticates and authorizes the user and sends a RADIUS message back to the RADIUS client. The user is then permitted access as defined by access policies and user permissions. The RADIUS messages from the client to the server and from the server to the client are never transmitted back to the user or user machine.

For point-to-point (PPP) authentication protocols, the results of authentication between the access server/RADIUS client (RAS, VPN server, WAP) and the user s computer are then forwarded to the RADIUS server for verification. PPP protocols include:

• Password Authentication Protocol (PAP)

• Challenge Handshake Authentication Protocol (CHAP)

• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

• MS-CHAP version 2 (MS-CHAP v2)

RADIUS supports the use of RADIUS proxies, which forward traffic back and forth between RADIUS clients, RADIUS servers, and other RADIUS proxies. RADIUS traffic between RADIUS clients, servers, and proxies is secured using a common shared secret, commonly configured as a text string at both ends.

Active Directory

You ll need to determine which users and groups should have wireless access. Then, via groups and group policy, you can enforce those selections. With Active Directory, these settings are enforced across the domain to ensure consistent application of access and security policies for all users, including wireless users.

Several group policy settings are related to wireless connections, including data installed on wireless clients regarding user and computer certificate auto-enrollment, Wireless Network Policy settings that specify the preferred networks, 802.1X settings, and WEP settings. These can be specified in group policy.

Exercise 5.04: Create a Wireless Network Policy

To create a wireless network policy via group policy, use the following steps.

1. Open the Microsoft Management Console by clicking Start Run and then typing mmc in the Open: box. Click OK or press Enter .

2. Click File Add/Remove Snap-in . In the Add/Remove Snap-in dialog, click Add .

3. In the Add Standalone Snap-in dialog, scroll down to select the Group Policy Editor snap-in. Click Add . When prompted to select the Group Policy Object :, click Browse .

4. Locate the Default Domain Policy in the Browse for a Group Policy Object , click to select it, and then click OK .

5. Click Finish to select the Default Domain Policy as the GPO.

6. Click Close on the Add Standalone Snap-in dialog to return to the Add/Remove Snap-in dialog. Click OK to return to the MMC.

7. In the MMC s left pane, click the + to expand the Default Domain Policy.

8. Click + to expand the Computer Configuration node.

9. Click + to expand the Windows Settings node.

10. Click + to expand the Security Settings node.

11. Click + to expand the Wireless Network (IEEE 802.11) Policies node. If there is nothing beneath the node, the + will not be displayed and the tree will not expand.

12. Right-click Wireless Network (IEEE 802.11) Policies or click Action on the menu and select Create Wireless Network Policy . This launches the Wireless Network Policy Wizard. Click Next to continue.

13. Type a name for the wireless policy in the Name: box. Type a description for the policy that will help you identify this policy and describe what it does. Click Next .

14. The next screen is the completion screen. Leave the check box labeled Edit Properties selected and click Finish .

15. The policy properties will be displayed, as shown in Figure 5.15.

    
    Figure 5.15: Sample Domain Wireless Policy Properties Dialog

16. If you want to modify how often Active Directory polls for changes, you can change the value in the Check for policy changes every: setting, which defaults to 180 minutes.

17. Specify the type of wireless network the clients can access by selecting a network type in the Networks to access drop-down box as shown in Figure 5.15. For this exercise, select the default Any available network (access point preferred) . This setting allows the wireless user to connect to any available network but will attempt to connect to the Preferred Network first. Using this setting does allow users to participate in an ad hoc network and, depending on your corporate environment, this might pose a security problem. If it does, select the second choice, Access point (infrastructure) networks only . There might be reasons to only allow the computers to connect to only via an ad hoc network. If so, select the third option, Computer-to-computer (ad hoc) networks only .

18. To allow clients to configure their own wireless settings, leave the Use Windows to configure wireless network settings for clients check box selected. To prevent users from doing this, clear the check box.

19. To allow users to connect to networks that do not appear in the Preferred Networks tab, check this box. To ensure clients connect only to networks that appear on the Preferred Networks tab, clear the check box for Automatically connect to non-preferred networks . This option is cleared by default for security. When this is not selected, Windows XP users will be notified of available wireless networks but will not be automatically connected. If the user chooses to connect to the nonpreferred network, they must take an action to do so. This choice strikes a balance between security and usability.

20. Preferred Networks are configured on the Preferred Networks tab of the Properties dialog. Click to select this tab. To add a network, click Add . The New Preferred Settings Properties dialog opens, as shown in Figure 5.16.

    
    Figure 5.16: Adding a New Preferred Network

21. Enter a unique name for the new preferred network and enter a description in the description box that will help you to identify this network.

22. In the Wireless network key (WEP) section, there are three check boxes: Data encryption (WEP enabled) , Network authentication (Shared mode) , and The key is provided automatically .

    • Selecting the Data encryption (WEP enabled) setting will require a network key to be used for encryption. Select this to ensure encryption is used to provide security on the wireless network. This is selected by default.

    • Selecting the Network authentication (Shared mode) setting will require that a network key be used for authentication. If this is not selected, the network will operate in open system authentication mode, which is more secure. This setting should be cleared. A shared key strategy uses a static WEP key, which can be easily cracked and requires a fair amount of administrative work to change or update. Due to the administrative burden , shared keys are rarely changed, which leads to security holes. This is not selected by default.

    • Selecting The key is provided automatically setting determines whether a network key is automatically provided for clients. This option should be selected so that the policy uses 802.1X to provide dynamic WEP session keys for encryption traffic. This is a more secure solution than using static WEP keys. This is selected by default.

23. The last option in the New Preferred Setting Properties dialog is a check box labeled This is a computer-to-computer (ad hoc) network; wireless access points are not used . This box is not selected by default, indicating the network is an infrastructure-based wireless network (uses wireless access points).

24. The second tab in the New Preferred Setting Properties dialog is the IEEE 802.1X tab, which allows you to set parameters for 802.1X, a port-based network access control. We ll discuss this later in this section. For now, accept the default options and click OK .

25. Click OK to close the Sample Domain Wireless Policy Properties dialog.

26. You should now be in the MMC and should have a Wireless Network (IEEE 802.11) Policies policy, as shown in Figure 5.17.

    
    Figure 5.17: Wireless Policy Defined in Default Domain

 

DHCP Configuration

DHCP scopes and leases are configured differently for wireless networks than they are for wired networks. Typically, scopes are defined by network segments, a collection of related IP addresses. To configure a secure wireless solution, create a separate scope for wireless clients. By using a separate scope, you can configure lease requirements differently for wired and wireless clients.

Wireless users connect and disconnect from the network far more often than do computers that are connected to a wired network. The default lease period for an IP address is eight days. Your organization might use a slightly different default, but typically, leases are not renewed more often than every few days to once a week. Wireless users do not release their IP address when they disconnect from the network. This means that if you use the default (or standard) lease period, the unused IP addresses held by the disconnected wireless users will be unavailable for long periods of time. For the scope that contains the wireless users, reduce the lease time significantly. The preferred setting will depend on a number of factors, most notably the typical behavior of wireless users on your network and the tolerance to the additional load on the DHCP server(s). For example, if most of your wireless users connect and disconnect throughout the day but remain at one location, you might use a lease period of 18 hours. However,, if you have a lot of wireless users connecting, disconnecting, and leaving the network for several weeks at a time, you might elect to create shorter lease periods of several hours. You might also choose to create more than one scope for wireless users if your users wireless connection behaviors are dramatically different.

DNS Configuration

To configure DNS for secure wireless networking, it s recommended that you integrate DNS with Active Directory to support secure dynamic updates. This is a recommended configuration for wired and wireless networks. In DNS, you should identify the DNS zones in which wireless computers will register DNS address records. If you re not using Active Directory-Integrated zones, then you should ensure that DNS zones are configured for dynamic updates, since wireless computers DNS settings might change more often than computers connected via the wired LAN. As discussed in the DHCP section, if you set your IP lease time to a lower value, your DNS records might change more often. Using secure dynamic updates provides the most secure configuration and reduces administrative overhead.

Public Key Infrastructure

PKI is discussed at length elsewhere in this book. As we discussed earlier, PKI relies on certificates to provide strong authentication credentials. You will need to set up a CA in Windows Server 2003 to create certificates for PKI, or obtain your certificates from a third-party provider. Once the certificates are created, they must be properly installed on the servers and clients that will use them.

Although it is possible to implement a wireless network without the use of PKI and RADIUS/IAS (discussed next), it is highly recommended that you use the Windows Server 2003 features to design and build a secure wireless network.

RADIUS/IAS

A discussion of how to design and implement RADIUS/IAS is outside the scope of this chapter. However, you should use RADIUS/IAS to manage remote connection authentication for better security and ease of administration. You should verify that the Internet Authentication Server (IAS), Microsoft s implementation of the RADIUS standard, can use the Extensible Authentication Protocol ”Transport Layer Security (EAP-TLS). This requires the installation of a certificate on the IAS server. This topic is covered in additional detail in various other chapters in the book.

If you use Active Directory as the directory service and IAS as the RADIUS server, you can provide a single logon solution for users. This way, users can log on the same way whether they re connecting to the wired network or the wireless network. If you implement certificates, you can use smart cards for user logon authentication. The IAS server must also support Protected Extensible Authentication Protocol (PEAP)-Microsoft Handshake Challenge Authentication Protocol version 2 (MS-CHAPv2). This is used for password-based security environments.

802.11 Identity Verification and Authentication

This is the least secure method because it uses open system authentication and shared key authentication . Open system authentication is not true authentication because it performs only identity verification between the wireless client and the wireless access point. Shared key authentication is even less secure than open system authentication. Shared key authentication provides authentication by verifying that the wireless client has the shared key. Under the 802.11 standard, it is assumed the shared key was provided to the wireless client via a secured method such as over a secure wired network or via floppy disk.

For better security, do not use the shared key authentication method because it requires the exchange of a secret key that is shared by all wireless access points and wireless clients, making it more vulnerable to attack.

802.11 Wired Equivalency Privacy (WEP) Encryption

The 802.11 specification also defines an encryption algorithm, Wired Equivalency Privacy (WEP). It provides data confidentiality by encrypting data sent between the wireless access point and wireless clients. The encryption used by WEP is the RC4 stream cipher that uses either 40-bit or 104-bit encryption key. The integrity of the data frame itself is provided by an integrity check value (ICV) in the encrypted portion of the frame so it cannot be tampered with or viewed.

Recent studies have shown that there are flaws within the WEP encryption method, and there are now several software products available that can easily crack WEP encryption, so this method is less secure that it was even three or five years ago.

Although there are known issues with this method, it is widely used in wireless networks that are configured today. It might be appropriate for smaller organizations that do not have the infrastructure or IT capabilities to implement and manage a more complex solution requiring certificates and other encryption methods, as described next. The balance between security and ease of implementation and management might make sense for some organizations where the risk of intrusion is low or where the cost of recovering from intrusion is low. However, in organizations where security of network data is critical, this is no longer a viable solution.

802.1X Authentication

802.1X is the IEEE standard for authenticated access to Ethernet-based networks and wireless 802.11 networks. This standard supports centralized user identification, authentication, dynamic key management, and accounting, all features that can be provided by a RADIUS server. The 802.1X standard improves security because both the wireless client and the network authenticate to each other. A unique per-user/ per-session key is used to encrypt data over the wireless connection and keys are dynamically generated, reducing administrative overhead and eliminating the ability to crack a key because the key is generally not used long enough for a hacker to capture enough data to then determine the key and crack it.

The 802.1X authentication method is supported in Windows XP (requires Service Pack 1) and Windows Server 2003. 802.1X authentication is only available for the access point (infrastructure) network type that requires the use of a network key (WEP). The most secure solution uses 802.1X, and connecting to a wireless network using anything less secure exposes your data to potential capture, modification, and malicious packet injection.

802.1X and Extensible Authentication Protocol

The 802.1X standard uses EAP for message exchange during the authentication process, to protect the contents of the authentication process. Remember that EAP is an extension of the PPP protocol that provides arbitrary authentication mechanisms to be used for the validation of a connection. Thus, with EAP, arbitrary authentication mechanisms such as certificates, smart cards, or passwords can be used to authenticate the wireless connection.

There are three authentication methods available using EAP, and you can use any of the following:

• EAP-TLS EAP-TLS uses certificates for server authentication. Client and computer authentication is provided by either certificates or smart cards.

• PEAP with EAP-MS-CHAPv2 Protected EAP (PEAP) with EAP-MS-CHAPv2 uses certificates for server authentication. User authentication is via username and password (also called password-based authentication).

• PEAP with EAP-TLS PEAP with EAP-TLS uses certificates for server authentication and either certificates or smart cards for user and computer authentication. PEAP is supported for wireless user and computer authentication, but is not supported for VPN or remote access clients. PEAP with EAP-TLS provides an encrypted channel for EAP-TLS authentication traffic.

  Exam Warning

  If you deploy both PEAP and EAP unprotected by PEAP , don t use the same EAP authentication type for both. For example, if you deploy PEAP with EAP-TLS, don t use EAP-TLS without PEAP. Using authentication methods with the same type (in this case, EAP-TLS), one with PEAP and the other without PEAP, creates a security vulnerability. If you see exam scenarios or solutions that use the same authentication method with and without PEAP, you ll know that solution causes a security hole (which might be the right answer, depending on how the question is presented).

To use EAP-TLS, you ll need to verify that the certificate infrastructure is in place. Windows Server 2003 supports Certificate Servers, so you can issue certificates to the users, computers, and IAS servers involved in wireless networking. EAP-TL is not supported if the IAS or remote access server is not a member of the domain.

To use PEAP-MS-CHAPv2, you ll need to verify your IAS servers have computer certificates installed. On the other end, you ll need to verify that all wireless computers have the root CA certificates of the issuer of the computer certificates that the IAS servers have installed. You can use third-party CAs to issue certificates as long as the certificates meet the requirements for TLS authentication.

IAS Support for 802.1X Authentication

As stated earlier in this chapter, IAS is the Microsoft implementation of RADIUS, another IEEE standard . Thus, a Microsoft IAS server is a RADIUS server. As such, it can be used to enhance security and deployment of wireless networks. Although configuration of an IAS is outside the scope of this chapter, you should be familiar with configuring IAS on Windows Server 2003 computers.

When you use RADIUS/IAS, wireless access points are configured as RADIUS clients and use the RADIUS protocol to send connection requests to the RADIUS/IAS server. The RADIUS server uses a user account database to verify the user against the database (authentication) and then verifies that user has appropriate permissions to connect to the LAN via the wireless access point (access). Once the RADIUS server compares the request with the user database information, it either issues permission for the user to connect or rejects the request. This information is passed back to the wireless access point using the RADIUS protocol.

This configuration, using IAS with wireless access points, is the most secure solution for wireless networking in the Windows Server 2003 environment.

802.1X Group Policy Settings

Now that we ve discussed 802.1X and earlier stepped through creating a wireless network policy, let s look the range of settings available on the IEEE 802.1X tab.

Briefly, this is accessed with the Group Policy Object Editor snap-in in the MMC.

1. Right-click the Wireless Access Policy (or whatever name you gave it).

2. Click the Preferred Networks tab, click the Network Name shown in the Networks: box, then click Edit .

3. In the Edit [Network Name] properties , click the IEEE 802.1X tab.

4. Figure 5.18 shows this dialog with the associated options. We ll walk through each of them now.

   
   Figure 5.18: IEEE 802.1X Properties in the Selected Preferred Network

   • Enable network access control using IEEE 802.1X This check box must be selected to use 802.1X capabilities on this wireless network.

   • EAPOL-Start message Your three options are: Do not transmit, Transmit, and Transmit per IEEE 802.1x. This message tells the client to begin the authentication process. It specifies whether to transmit EAP over LAN (EAPOL)-Start message packets and if so, how to transmit them. The default setting of Transmit is typically acceptable.

     • Parameters (seconds) These parameters are used to define the EAPOL-Start message packet. The default settings are usually the best settings unless you have clear reasons for changing them.

     • Max Start (default 3) Determines the number of successive EAP over LAN-Start messages the client will transmit when not receiving a response.

     • Held Period (default 60) Determines the amount of time the client will wait before re-attempting a failed 802.1X authentication.

     • Start Period (default 60) Determines the amount of time between EAPOL-Start messages when resending.

     • Authentication Period (default 30) Determines the amount of time between 802.1X request messages resent upon not receiving a response.

   • EAP type

     • Smart card or other certificate Smart card or other certificate is the default option for EAP type. This specifies EAP-TLS as the EAP type.

     • Protected EAP (PEAP) You can select this option as your EAP type to use Protected EAP.

   • EAP type Settings Both EAP types have various options that can be configured via the Settings button. Figure 5.19 shows the Smart Card or other Certificate Properties, and Figure 5.20 shows the PEAP settings available.

     
     Figure 5.19: Smart Card or Other Certificate Properties Options

     
     Figure 5.20: Protected EAP Properties Options

     • Authenticate as guest when user or computer information is unavailable This check box is cleared by default. If you want to provide public wireless access for visitors to connect to the Internet, for example, you can check this box to allow guest authentication. Unless the wireless network is for public use and is not connected to the internal corporate network, do not use this setting.

     • Authenticate as computer when computer information is available This setting uses computer-based authentication, discussed in more detail in the next section. It is recommended that you check this box, which is checked by default, for the best security and most convenient network configuration. If this box is not checked, the next option, computer authentication, is disabled.

     • Computer authentication There are three options to choose from in this final IEEE 802.1X parameter.

     • With user authentication If this setting is selected, when users are not logged on, the computer credentials are used. However, when a user logs on, the authentication established by the computer credentials is maintained.

     • With user re-authentication This is the default (and recommended) option and ensures that the users credentials are used whenever possible. When user credentials are not available, computer credentials will be used. Computer credentials are used until a user logs on. Then, the user credentials are used. When the user logs off, the computer credentials are again used.

     • Computer only This options specifies that user credentials will not be used and that only computer credentials will be used. User credentials are never checked with this option selected.

Selecting User or Computer-Based Authentication

For the most secure wireless network, you should consider using both user- and computer-based authentication. Although user authentication is a natural choice, there are instances when computer-based authentication also makes sense. The default choices in Windows XP Professional 802.1X client allow for computer-based authentication when users are not logged on and user authentication when users are logged on. This ensures user authentication is always used when a user is connected but also allows various Windows features to work properly when the user is logged off. Table 5.22 delineates the computer-based authentication scenarios.

Head of the Class
Understanding WEP Flaws, Threats, and Countermeasures

There are ever-evolving threats to WEP encryption. As mentioned earlier, there are programs available today that will crack WEP encryption. However, WEP can still be used effectively, and the emerging WPA standard will address some of the security flaws in WEP. It is anticipated that throughout 2004, WPA-based hardware and software solutions will become more widely available. However, let s take a look at the WEP encryption vulnerability.

Even with 802.1X dynamic key management and WEP, a determined hacker could still leverage flaws within the WEP encryption scheme. This flaw is well documented and if you want to understand the mathematical basis for this flaw, you can read about it in great detail in a draft document located at www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf entitled Intercepting Mobile Communications: The Insecurity of 802.11 DRAFT. Suffice it to say that the flaw can be leveraged but it requires two things: a certain amount of network traffic to be captured by the attacker, and a sufficient amount of time (or computer power) for the hacker to perform the crack.

The primary strategy, then, for keeping WEP secure, is to limit the amount of time a key is used. This prevents adequate network data from being captured before the key is changed and prevents the hacker from having time to crack the code before a new key is used. This is accomplished via the key refresh functionality present in wireless access points or by setting IAS RADIUS options to enforce automatic client-re-authentication including WEP key refresh. By forcing the re-authentication every 10 minutes, the hacker does not have time to both capture sufficient data and crack the key. Let s look at the math.

We know the theoretical maximum throughput rate for 802.11a is 54 Mbps. We also know that the actual throughput is about 60 percent of that, or 32Mbps. This is the equivalent of 4MB/second (a byte is eight bits, so 32 megabits divided by 8 bits is 4 megabytes). WEP only encrypts data packets, and data packets average 80 bytes. 4MB divided by 80 bytes equals 50,000 packets per second. Based on attacks known at this time, a maximum of 10 minutes (or the rough equivalent of 30,000,000 packets) is the recommended time for using a single WEP key.

It s important to understand several things, though. First, computing power continues to increase as do the sophistication of cracking programs. Second, there is additional network overhead used every time a key is re-established. When users frequently have to be re-authenticated, it can cause increased loads on IAS servers, WAPs, and client computers, which could have a negative impact on usability.

Look closely at your business model, your corporate computing needs, and your infrastructure to determine the threat level of wireless attack. Moreover, although it s hard to do at times, you ll have to assess the cost of prevention versus the cost of remediation . It s difficult to assess the cost of stolen data, but it must be assessed in order to understand the cost/benefit of implementing the security solutions for both your wired and wireless network.