Chapter 7. Planning and Maintaining Network Security


OBJECTIVES

Planning and implementing network security methods do not end after you've implemented the security solutions discussed previously in Chapter 1, "Planning and Implementing Server Roles and Server Security." You still must ensure a handful of other issues are taken care of before your network is to be considered secure. Secure, however, is a relative term and one that is defined by the business and organizational requirements in place in your organization.

Microsoft defines the network security portion of the "Planning, Implementing, and Maintaining Routing and Remote Access" objective and the "Planning and Maintaining Network Security" objective as follows:

Plan secure network administration methods.

  • Create a plan to offer Remote Assistance to client computers.

  • Plan for remote administration by using Terminal Services.

  • In today's distributed computing world, no longer can administrators easily or efficiently travel to all locations within an organization. The ability to remotely assist users and administer computers in real time gives administrators much more flexibility and offers them a means to better care for their network.

Plan security for wireless networks.

  • The rapid and widespread introduction of IEEE 802.11-based wireless networks has caused serious problems for those networks without a solid wireless network security plan. The power and utility of the wireless network also account for its threat and danger. Windows Server 2003 provides new Group Policy-based features that provide a good first step toward mitigating the threats posed by wireless networks.

Configure network protocol security.

  • Configure protocol security in a heterogeneous client computer environment.

  • Configure protocol security by using IPSec policies.

Configure security for data transmission.

  • Configure IPSec policy settings.

Plan security for data transmission.

  • Secure data transmission between client computers to meet security requirements.

  • Secure data transmission by using IPSec.

Plan for network protocol security.

  • Specify the required ports and protocols for specified services.

  • Plan an IPSec policy for secure network communications.

  • IP Security (IPSec) is the de facto standard for securing network transmissions in both heterogeneous and homogeneous network environments. IPSec can be used to provide secure network connections, both internal to your network and external to your network. IPSec operates in two modes, transport and tunnel, depending on where the endpoints in a communication lie in relation to each other. IPSec is fully supported in Windows Server 2003, and three preconfigured IPSec policies are supplied to get you going quickly. It is important for you to understand how to implement and configure IPSec, not only for this exam but also to secure your network.

Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in.

  • Unfortunately, nothing works right all the time; IPSec is no exception. Using improperly configured IPSec policies is a quick way to bring all normal network traffic to a screeching halt. Windows Server 2003 provides the IP Security Monitor and the Resultant Set of Policy snap-in to monitor and troubleshoot IPSec-related traffic issues.

OUTLINE

Introduction

Planning Secure Remote Administration Methods

Remote Assistance

Configuring Remote Assistance Policies

Sending and Managing Remote Assistance Requests

Using Remote Assistance

Remote Assistance Security Concerns

Remote Desktop for Administration (RDA)

RDA Security and Management Issues

Planning Wireless LAN (WLAN) Security

Planning Security for Data Transmission

Understanding the Architecture and Components of IPSec

Authentication Header (AH)

Encapsulating Security Protocol (ESP)

Internet Security Key Association Key Management Protocol (ISAKMP/Oakley)

L2TP and IPSec

Configuring and Implementing IPSec

Creating Customized IPSec Policies

Monitoring and Troubleshooting IPSec

The IP Security Monitor MMC Snap-in

The Resultant Set of Policy (RSoP) MMC Snap-in

General IPSec Troubleshooting

Chapter Summary

Apply Your Knowledge

Exercises

Review Questions

Exam Questions

Answers to Review Questions

Answers to Exam Questions

Suggested Readings and Resources

STUDY STRATEGIES

  • Become familiar with the concepts of Remote Assistance and Remote Desktop for Administration. Not only will these two new technologies save you time and trouble in your daily job, but they also are very important on this exam.

  • Set up two computers (preferably both Windows Server 2003, but one can be a Windows XP Professional computer) to practice sending and accepting Remote Assistance requests.

  • Set up two computers (preferably both Windows Server 2003, but one can be a Windows XP Professional computer) to practice using Remote Desktop for Administration.

  • If you have a wireless LAN at your disposal, be sure to create and implement a WLAN security policy.

  • Carefully work your way through the material discussing the component parts of an IPSec policy. Practice creating and implementing an IPSec policy between two computers on your network.

  • Get your hands dirty. The Step by Steps throughout this book provide plenty of directions and exercises, but go beyond these examples and create some of your own. If you can, experiment with each of the objectives to see how they work and why you would use each one.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
EAN: 2147483647
Year: 2003
Pages: 151
Authors: Will Schmied
