A secure network begins with a thorough assessment of current and future network infrastructure considerations.
Understanding current and emerging threats and risk mitigation is essential for managing a secure network.
The following infrastructure components should each be assessed and secured:
Dynamic Host Configuration Protocol (DHCP)
Domain Name Service (DNS)
Windows Internet Naming Service (WINS)
Internet Information Server (IIS)
Routing and Remote Access (RRAS)
Application and file sharing
Internet Protocol Security (IPSec) provides for security via transport and tunnel mode via the use of two protocols: Authentication Header (AH), which verifies the integrity of the packet, and Encapsulated Security Payload (ESP), which encrypts the data and signs the packet for both privacy and integrity.
Windows Server 2003 provides three default IPSec policies that can be used as examples on how to create, modify, and implement IPSec policies.
IPSec in Windows Server 2003 now supports ESP-protected IPSec traffic passing through a NAT-T.
DNS is a highly desirable target for hackers. You can segment your DNS namespace and use the top-level namespace for public/Internet connection and a separate, internal namespace for the corporate network. Separating the internal and external DNS servers and namespaces by firewalls and perimeter networks protects the internal namespace.
Integrating DNS with Active Directory gives you the capability to perform secure dynamic DNS updates, which reduces the risk to DNS.
The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol is typically used to secure Hypertext Transport Protocol (HTTP/HTTPS), but can also be used by other applications that require security for application layer protocols such as FTP, LDAP, or SMTP.
Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to secure e-mail traffic from one end to the other. SSL is often used to secure server-to-server traffic, but S/MIME is best suited for end-to-end e-mail security.
SMB signing can be implemented to prevent man-in-the-middle attacks because the data in transit is protected. SMB supports the digital signing of SMB packets to prevent modification while SMB packets are in transit.
Threats to wireless networks are very similar to threats to wired networks. Rogue WLANs, the inability to know whos connected, accidental access, and free-loading are problems associated only with WLANs.
A secure design for a wireless network includes designing WLAN network infrastructure, designing wireless authentication, and designing wireless access infrastructure
You can create Wireless Network (IEEE 802.1X) Policies via the Group Policy Editor to control wireless networks and access.
The use of PKI and RADIUS/IAS integrated with Active Directory provides the most secure wireless network solution.
802.1X is the IEEE standard for authenticated access to Ethernet-based networks and wireless 802.11 networks. This standard supports centralized user identification, authentication, dynamic key management, and accounting, all features that can be provided by a RADIUS server.
The use of strong authentication methods including EAP-TLS, PEAP with EAP-TLS, and PEAP with EAP-MS-CHAPv2 ensures authentication and encryption are used to create a secure wireless network connection.
The fairly recent discovery of flaws in the WEP encryption technology means that additional authentication and encryption methods should be employed whenever practical.
Understanding the authentication and encryption functional process helps to both design and implement the most secure wireless network possible in a Windows Server 2003 environment.