Remote Network Security


You can configure your dial-up, virtual private network (VPN), and direct connections to enforce various levels of password authentication and data encryption. Authentication methods range from unencrypted to custom, such as the Extensible Authentication Protocol (EAP). EAP provides flexible support for a wide range of authentication methods, including smart cards, certificates, one-time passwords, and public keys. You can also specify the type of data encryption, depending on the type of authentication protocol (MS-CHAP, MS-CHAPv2, or Extensible Authentication Protocol-Transport Level Security (EAP-TLS)) that you choose. Finally, if you have sufficient permissions, you can configure callback options to save telephone charges and increase dial-up security.

Advanced settings, such as Autodial, callback preferences, network identification, and binding order, are configured on the Advanced menu in the Network Connections folder. Optional networking components, such as the SNMP service, can also be installed on the Advanced menu. For more information about callback options and other advanced settings, see Managing Outgoing Connections earlier in this chapter.

If your Windows XP Professional-based computer connects to a Windows 2000-based server, the remote access permissions granted to your computer by the server are based on the dial-up settings of your user account and remote access policies. Remote access policies are a set of conditions and connection settings that give network administrators more flexibility in granting remote access permissions and specifying connection requirements and restrictions. If the settings of your connection do not match at least one of the remote access policies, the connection attempt is rejected, regardless of your dial-up settings.

The network administrator can configure Windows 2000 Server user accounts and domains to provide security by forcing encrypted authentication and encrypted data for remote communications. For more information about Windows 2000 security, see Windows 2000 Server Help.

Authentication

For dial-up, virtual private network (VPN), and direct connections, Windows XP Professional authentication is implemented in two processes: interactive logon and network authorization. Successful user authentication depends on both of these processes.

Interactive Logon Process

The interactive logon process confirms a user's identity to either a domain account or a local computer. Depending on the type of user account and whether the computer is connected to a network protected by a domain controller, the process can vary as follows:

  • A domain account. A user logs on to the network with a password or smart card, using credentials that match those stored in Active Directory. By logging on with a domain account, an authorized user can access resources in the domain and any trusting domains. If a password is used to log on to a domain account, Windows XP Professional uses the Kerberos V5 protocol for authentication. If a smart card is used instead, Windows XP Professional uses Kerberos V5 authentication with certificates.

  • A local computer account. A user logs on to a local computer, using credentials stored in Security Accounts Manager (SAM), which is the local security account database. Any workstation can maintain local user accounts, but those accounts can only be used for access to that local computer.

Network Access Control

The network access control process confirms the user's identity to any network service or resource that the user is attempting to access. To provide this type of access control, the Windows 2000 security system supports many different mechanisms, including the Kerberos V5 protocol, Secure Socket Layer/Transport Layer Security (SSL/TLS), and, for compatibility with Microsoft Windows NT version 4.0, the NTLM protocol.

Note 

NTLM is a Microsoft protocol that serves as default for authentication in Windows NT version 4.0. It is retained in Windows XP Professional and Windows 2000 for compatibility with clients and servers that are running Windows NT 4.0 and earlier. It is also used to authenticate logon attempts to stand-alone computers that are running Windows XP Professional, or Windows 2000.

Users who have logged on to a domain account do not see network access control challenges during their logon session. Users who have logged on to a local computer account might have to provide credentials (such as a user name and password) every time they access a network resource.

Logging On Using Domain Credentials

The credentials that you use to initially log on to your computer are also the credentials that are presented to a domain when attempting to access a network resource. Therefore, if your local logon and network authorization credentials differ, you might be prompted to provide Windows 2000 domain credentials each time you access a network resource. You can avoid this by logging on to your computer by using your domain name, your domain user name, and your domain password before you try to connect to a network resource. If you log on without being connected to the network, Windows 2000 Server recognizes that your credentials match a previous successful logon attempt, and you receive the following message: "Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information." Whenever you connect to your network, your cached credentials are sent to your domain and you can access network resources without having to provide your password again.

Authentication Protocols

You can use Network Connections with the following authentication protocols and methods.

PAP

Password Authentication Protocol (PAP) uses plaintext (unencrypted) passwords and is the least sophisticated authentication protocol. PAP is typically used when your connection and the server cannot negotiate a more secure form of validation. You might need to use this protocol when you are attempting to connect to a non-Windows-based server.

SPAP

Shiva Password Authentication Protocol (SPAP) uses a two-way encryption scheme to encrypt passwords. By using SPAP, Shiva clients can dial in to computers running Windows 2000 Server and Windows XP Professional clients can dial in to Shiva network access servers.

CHAP

The Challenge Handshake Authentication Protocol (CHAP) negotiates a secure form of encrypted authentication by using Message Digest 5 (MD5), an industry-standard hashing scheme. A hashing scheme is a method for transforming data (for example, a password) in such a way that the result is unique and cannot be changed back to its original form. CHAP uses challenge-response with one-way MD5 hashing on the response. In this way, you can prove to the server that you know your password without actually sending the password over the network. By supporting CHAP and MD5, Network Connections can authenticate users to almost all third-party PPP servers.
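To make the challenge-response mechanism concrete, here is an added example (not code from the Resource Kit or from Windows) implementing the MD5 variant of CHAP as RFC 1994 defines it, response = MD5(identifier || secret || challenge), for both sides of the exchange. The peer name, the shared secret and the 16-byte challenge length are constructed for the example, and the function names are the example's own.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// chapResponse computes the RFC 1994 MD5 response:
// MD5(Identifier || Secret || Challenge). Only this 16-byte hash crosses the
// link; the secret itself is never transmitted.
func chapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

// authenticator is the server side: a table of peer names and shared secrets
// (constructed sample data) plus a running Identifier.
type authenticator struct {
	secrets map[string][]byte
	counter byte
}

func newAuthenticator() *authenticator {
	return &authenticator{secrets: map[string][]byte{}}
}

// challenge issues a fresh Identifier and a 16-byte random challenge.
// A new random value per attempt is what stops a captured response from
// being replayed later.
func (a *authenticator) challenge() (id byte, chal []byte, err error) {
	a.counter++
	chal = make([]byte, 16)
	if _, err = rand.Read(chal); err != nil {
		return 0, nil, err
	}
	return a.counter, chal, nil
}

// verify recomputes the expected response from the stored secret and compares
// it to the peer's response in constant time.
func (a *authenticator) verify(name string, id byte, chal, resp []byte) bool {
	secret, ok := a.secrets[name]
	if !ok {
		return false
	}
	expected := chapResponse(id, secret, chal)
	return subtle.ConstantTimeCompare(expected, resp) == 1
}

func main() {
	auth := newAuthenticator()
	auth.secrets["alice"] = []byte("correct horse battery staple") // constructed
	id, chal, err := auth.challenge()
	if err != nil {
		panic(err)
	}
	// The peer knows the same secret and answers the challenge.
	resp := chapResponse(id, []byte("correct horse battery staple"), chal)
	fmt.Println("genuine response accepted:", auth.verify("alice", id, chal, resp))
	// The same response replayed against a new challenge is rejected.
	id2, chal2, err := auth.challenge()
	if err != nil {
		panic(err)
	}
	fmt.Println("replayed response accepted:", auth.verify("alice", id2, chal2, resp))
}
```

The constant-time comparison is not required by the RFC, but a byte-by-byte early-exit compare would leak how many leading bytes of a guessed response were right, so an authenticator should avoid it.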

Note 

If your server requires you to use PAP, SPAP, or CHAP, you cannot use data encryption for dial-up or PPTP connections.

If the connection is configured to require data encryption, and connects to a server that is only configured for PAP, SPAP, or CHAP authentication, the client terminates the connection.

MS-CHAP

Microsoft created Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), an extension of CHAP, to authenticate remote Windows-based workstations. Like CHAP, MS-CHAP uses a challenge-response mechanism.

Where possible, MS-CHAP is consistent with standard CHAP. Its response packet is in a format specifically designed for networks with computers running Windows XP Professional, Windows XP Home Edition, Windows 2000, Windows NT, Windows Me, Windows 98, and Windows 95.

A version of MS-CHAP is available specifically for connecting to a Windows 95-based computer. It is available as part of the Windows Dial-up Networking 1.3 Performance and Security Upgrade for Windows 95. This is required only if your connection is being made to a Windows 95-based computer.

MS-CHAPv2

Windows XP Professional also includes Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2). This protocol provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving. To minimize the risk of password compromise during MS-CHAP exchanges, MS-CHAPv2 supports only a newer, more secure, version of the MS-CHAP password change process.

In Windows XP Professional and Windows 2000, both dial-up and VPN connections can use MS-CHAPv2. Windows NT 4.0, Windows 98, and Windows 95-based computers can only use MS-CHAPv2 authentication for VPN connections.

For VPN connections, Windows 2000 Server offers MS-CHAPv2 before offering MS-CHAP. Updated Windows-based clients accept MS-CHAPv2 when it is offered and MS-CHAP is enabled. Dial-up connections are not affected.

EAP

The Extensible Authentication Protocol (EAP) is an extension to the Point-to-Point Protocol (PPP). EAP was developed in response to an increasing demand for remote access user authentication that uses third-party security devices. EAP provides an infrastructure to support additional authentication methods within PPP. By using EAP, support for any number of authentication methods might be added, including token cards, one-time passwords, public key authentication using smart cards, certificates, and others. EAP is a critical technology component for secure VPN connections, because it offers stronger authentication methods (such as public key certificates) that are more secure against brute-force attacks, dictionary attacks, and password guessing than older password-based authentication methods.

Certificate Authentication

A certificate is an encrypted set of authentication credentials, including a digital signature from the certification authority that issued the certificate. In the certificate authentication process, your computer presents its user certificate to the server, and the server presents its computer certificate to your computer, enabling mutual authentication. As shown in Figures 23-4 and 23-5, if a user certificate is installed either in the certificate store on your computer or on a smart card, and EAP-TLS is enabled, you can use certificate-based authentication in a single network logon process. This provides tamper-resistant storage of authentication information.

Figure 23-4: Authentication tab on the Local Area Connection Properties sheet

Figure 23-5: Smart Card or other Certificate Properties dialog box

Certificates are validated by verifying the digital signature by means of a public key. The public key is contained in a trusted authority root certificate of the certification authority that issued the certificate. These root certificates are the basis for certificate verification and are supplied only by a system administrator.
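The following Go program, added here as an illustration and not code from the Resource Kit or from Windows, shows what that validation amounts to: a root CA certificate is generated, a user certificate is issued under it, and the user certificate is verified against a trust store that holds only the root. It then exercises two failure cases a practitioner should expect to see rejected: the certificate presented under an unrelated root, and a certificate whose contents were altered after it was signed. The CA and user names are constructed, and the tamperSubject helper is the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildPKI creates a self-signed root CA and a user certificate signed by it.
// Names are constructed for the example; keys are generated fresh each run.
func buildPKI(caName, userName string) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: userName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// The CA's private key signs the user certificate; the CA's public key,
	// carried in the root certificate, is what later verifies that signature.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// verifyAgainstRoot checks leaf's signature chain against a store holding only
// the supplied root, the way a server checks a presented user certificate.
func verifyAgainstRoot(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// tamperSubject returns a re-parsed copy of cert whose DER bytes have the
// subject string old replaced by repl (same length). The signed bytes no
// longer match the CA's signature, so verification must fail.
func tamperSubject(cert *x509.Certificate, old, repl string) (*x509.Certificate, error) {
	if len(old) != len(repl) {
		return nil, errors.New("replacement must keep the DER length unchanged")
	}
	raw := bytes.Replace(cert.Raw, []byte(old), []byte(repl), 1)
	if bytes.Equal(raw, cert.Raw) {
		return nil, errors.New("subject string not found in certificate")
	}
	return x509.ParseCertificate(raw)
}

func main() {
	root, leaf, err := buildPKI("Example Root CA", "user@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine certificate:", verifyAgainstRoot(leaf, root))
	other, _, err := buildPKI("Other Root CA", "nobody@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("under an unrelated root:", verifyAgainstRoot(leaf, other))
	tampered, err := tamperSubject(leaf, "user@example.com", "usez@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("after tampering:", verifyAgainstRoot(tampered, root))
}
```

The first call returns nil (a valid chain); the other two return errors. The trust store contains only root certificates the administrator supplied, which is exactly why the text says root certificates are the basis for verification: whoever controls that store decides which CAs are trusted.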

Smart Cards

A smart card is a credit-card-sized device that is inserted into a smart card reader, which is either installed internally in your computer or connected externally to your computer.

Certificates can reside either in the certificate store on your computer or on a smart card. When setting the security options of a connection, you can use a smart card or other certificate, and you can specify particular certificate requirements. For example, you can specify that the server's certificate must be validated.

When you double-click New Connection in the Network Connections folder, if a smart-card reader is installed, Windows XP Professional detects it and prompts you to use it as the authentication method for the connection. If you decide not to use the smart card at the time you create a connection, you can later modify the connection to use another certificate or authentication method.

How the Remote Access Authentication Process Works

Your computer dials a remote access server. Depending on the authentication methods you have chosen, one or more of the following might happen:

Note 

If you are using an L2TP-enabled VPN connection, IP Security (IPSec) performs a computer-level authentication and provides encryption before any of these steps take place. For more information about IPSec, see Data Encryption later in this chapter.

Data Encryption

Think of data encryption as a key you use to lock valuables in a strong box. Sensitive data is encrypted by using a key algorithm, which renders the data unreadable without the key. Data encryption keys are determined when your computer connects to the computer on the other end. Data encryption can be initiated by your computer or by the server to which you are connecting.

For dial-up, VPN and direct connections, Network Connections supports two types of encryption: Microsoft Point-to-Point Encryption (MPPE), which uses Rivest-Shamir-Adleman (RSA) RC4 encryption, and an implementation of Internet Protocol security (IPSec) that uses Data Encryption Standard (DES) encryption. Both MPPE and IPSec support multiple key strengths for encryption.

Server controls are flexible. They can be set to deny the use of encryption or require a specific encryption strength. By default, most servers are set to allow encryption and allow clients to choose their encryption strength. The system administrator can set encryption requirements on a Windows 2000 remote access or VPN server by using the encryption settings on the profile of a remote access policy.

The encryption method used by a VPN connection depends on the type of protocol used by the server to which it connects. If the VPN connection is using PPTP, MPPE is used. If the VPN connection is using L2TP, IPSec encryption methods and strengths are used. If the VPN connection is configured for an automatic server type (which is the default selection), then PPTP is attempted first, followed by L2TP.

MPPE

Microsoft Point-to-Point Encryption (MPPE) encrypts data in PPP-based dial-up connections or PPTP VPN connections. Strong (128-bit key) and standard (56-bit key or 40-bit key) MPPE encryption levels are supported. MPPE provides data security between your computer and your dial-up server (for dial-up PPP connections) and between your computer and your PPTP-based VPN server (for VPN connections).

To use MPPE-based data encryption for dial-up or VPN connections, the client and server must use the MS-CHAP, MS-CHAPv2, or EAP-TLS authentication methods. These authentication methods generate the keys used in the encryption process.

IPSec

IP security (IPSec) is a suite of cryptography-based protection services and security protocols. Because it requires no changes to applications or protocols, you can easily deploy IPSec for existing networks.

The Windows XP Professional implementation of IPSec is based on industry standards developed by the Internet Engineering Task Force (IETF) IPSec working group.

IPSec provides computer-level authentication, as well as data encryption, for L2TP-based VPN connections. IPSec provides per-packet data authentication (proof that the data was sent by the authorized user), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (captured packets cannot be interpreted without the encryption key). In contrast, PPTP only provides per-packet data confidentiality. IPSec negotiates a secure connection between your computer and the VPN server before an L2TP connection is established, which secures user names, passwords, and data.

Note 

UDP Ports 500 and 1701 need to be open when using L2TP with IPSec for encryption.

IPSec encryption does not rely on the PPP authentication method to provide initial encryption keys. Therefore, L2TP connections use all standard PPP-based authentication protocols, such as EAP-TLS, MS-CHAPv2, MS-CHAP, EAP-MD5, CHAP, SPAP, and PAP, to authenticate the user after the secure IPSec communication is established. However, the use of EAP-TLS or MS-CHAPv2 is recommended.

Encryption is determined by the IPSec security association (SA). An SA is a combination of a destination address, a security protocol, and a unique identification value, called a Security Parameters Index (SPI). The available encryptions include:
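As an added example, not code from the Resource Kit or from Windows, the following Go program models two pieces of IPSec receive-side bookkeeping this section describes: an SA table keyed by destination address, security protocol and SPI, and the replay protection listed earlier, implemented as a 64-packet sliding window in the style of RFC 4303 Appendix A (that window mechanism is the IETF design and goes beyond what the text itself spells out). The addresses, SPI and packet sequence are constructed; protocol numbers 50 (ESP) and 51 (AH) are the IANA-assigned values.

```go
package main

import "fmt"

// saKey identifies a security association the way the text describes it:
// destination address, security protocol (50 = ESP, 51 = AH) and SPI.
type saKey struct {
	dst   string
	proto uint8
	spi   uint32
}

const windowSize = 64

// replayWindow is a sliding anti-replay window in the style of RFC 4303
// Appendix A: bit i of bitmap records whether sequence number (highest - i)
// has already been accepted.
type replayWindow struct {
	highest uint32
	bitmap  uint64
}

// accept reports whether seq is new and inside the window, advancing the
// window when seq is ahead of everything seen so far.
func (w *replayWindow) accept(seq uint32) bool {
	if seq == 0 {
		return false // ESP never uses sequence number 0
	}
	if seq > w.highest {
		shift := seq - w.highest
		if shift >= windowSize {
			w.bitmap = 0 // jumped past the whole window
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1 // bit 0 is the new highest
		w.highest = seq
		return true
	}
	diff := w.highest - seq
	if diff >= windowSize {
		return false // too old to be tracked: treated as a replay
	}
	mask := uint64(1) << diff
	if w.bitmap&mask != 0 {
		return false // already accepted once: replay
	}
	w.bitmap |= mask
	return true
}

// saTable maps SA keys to their replay state.
type saTable map[saKey]*replayWindow

// inbound looks up the SA for a packet and runs the anti-replay check.
// Packets for an unknown SA are dropped before any cryptographic work.
func (t saTable) inbound(dst string, proto uint8, spi, seq uint32) bool {
	w, ok := t[saKey{dst, proto, spi}]
	if !ok {
		return false
	}
	return w.accept(seq)
}

func main() {
	// Constructed: one ESP SA to 10.0.0.1 with SPI 0x1000.
	table := saTable{saKey{"10.0.0.1", 50, 0x1000}: &replayWindow{}}
	for _, seq := range []uint32{1, 2, 3, 2, 100, 36, 37, 37} {
		fmt.Printf("seq %3d accepted: %v\n", seq, table.inbound("10.0.0.1", 50, 0x1000, seq))
	}
	fmt.Println("unknown SPI accepted:", table.inbound("10.0.0.1", 50, 0x2000, 1))
}
```

Sequence 2 is rejected the second time because its bit is already set, 36 is rejected because the window has moved to cover 37 through 100, and 37 is accepted once and then rejected. An unknown (destination, protocol, SPI) triple is dropped without consulting any window.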




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338