1. Deploying a Secure Network Access Infrastructure, Part 1
Romano Jerez, Support Professional, Directory Services, Microsoft Corporation
3. Agenda
Secure network access infrastructure
Evolution
Why integrate network and applications security?
How do you integrate network and applications security?
Microsoft .NET Server goals
Microsoft .NET network infrastructure features
DHCP, IPSec, IAS, 802.11, Routing and Remote Access, VPN
4. Network Access Evolution
5. Network Access Evolution (2)
6. Network Access Evolution (3)
7. Network Access Evolution (4)
8. Network Access Evolution (5)
9. Network Access Evolution (6)
10. Network Access Evolution (7)
11. Network Access Evolution (8)
12. Network Access Evolution (9)
13. Authentication Model
14. Authentication Model Variations
15. Network Identity and Trust
16. Access Model Summary
Identity: more than person
Group membership, attributes
Authentication end-to-end
Client to authentication service
Service may proxy
Identity secured end-to-end: avoid identity theft
17. Access Model Summary (2)
Network access authorization requires richness beyond yes/no
Filters, quality of service…
Authorization requires change over time
Quarantine until provisioned, and then expand
Parameters for policy may be device/link-specific
Architecture requires extensibility
Authentication methods will evolve
Authorization (particularly for networking) is very rich
Model should integrate with IT service infrastructure
18. Integrating IT and Network Service Access
19. Integrating IT and Network Service Access (2)
20. Microsoft Secure Network Access Infrastructure
21. Authenticated Access Recap
IT service and network access evolved separately
Common authentication infrastructure simplifies administrator and user experience
End-to-end authentication required
Do not replicate identity infrastructure
Infrastructure requires flexibility
Future technologies
Richness for network access requirements
Interoperable standards exist now
Windows integrates them
22. IPv4 “Reachability” Model
23. IPv4 “Reachability” Issues
24. “Reachability” Solution
Short-term mitigation of IPv4-related issues
Long-term solution with IPv6
Single IP address space for all networks
Remove address constraints of IPv4
Remove address conflicts associated with IPv4
Preserve security boundary but minimize side effects
25. DHCP
What’s new?
Back-up and restore
Command-line/UI parity
Classless Static Routes (CSR)
Impact
Simplifies system recovery/duplication (network administrator)
Simplifies split tunneling management (network administrator)
Windows 2000 and Windows NT® Interoperability
Service works in both environments
Requires Windows XP client to benefit from CSR
Availability improvement
Better back-up and replication
64-bit compatible
Yes
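The Classless Static Routes option on this slide is what lets a DHCP server hand a VPN client only the corporate prefixes, which is the basis of the split-tunneling management it mentions. The following is an added example, not code from the deck or from Microsoft's DHCP service: it encodes and decodes the compact wire format of that option as specified in RFC 3442 (option 121); the prefixes and router address are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

# (destination network, prefix length, next-hop router), all dotted-quad strings
Route = Tuple[str, int, str]


def encode_csr(routes: List[Route]) -> bytes:
    """Encode routes in the compact form of DHCP option 121 (RFC 3442).

    Each entry is: 1 byte prefix length, only the significant octets of the
    destination (ceil(prefix/8) of them), then the 4-byte router address.
    """
    out = bytearray()
    for dest, prefix, router in routes:
        net = ipaddress.IPv4Network(f"{dest}/{prefix}", strict=True)
        significant = (prefix + 7) // 8
        out.append(prefix)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_csr(data: bytes) -> List[Route]:
    """Decode option 121 data; rejects bad prefix lengths and truncated entries."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix = data[i]
        i += 1
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix}")
        significant = (prefix + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        # Pad the omitted low-order octets back to a full 4-byte address.
        dest = bytes(data[i:i + significant]) + bytes(4 - significant)
        i += significant
        router = bytes(data[i:i + 4])
        i += 4
        routes.append((str(ipaddress.IPv4Address(dest)), prefix,
                       str(ipaddress.IPv4Address(router))))
    return routes


# Constructed sample: two corporate prefixes reachable via the VPN gateway and
# no default route, so Internet traffic stays on the client's local link.
SPLIT_TUNNEL_ROUTES: List[Route] = [
    ("10.0.0.0", 8, "172.16.5.1"),
    ("172.16.0.0", 12, "172.16.5.1"),
]
```

Because only the significant octets are sent, a /8 costs 6 bytes and a /12 costs 7, which is why a truncated or hand-edited option blob must be length-checked before any route is installed.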
26. IPSec
What’s new?
Enhanced monitoring/logging
Command-line tool improvements
Active Directory policies for filters on dynamic services
Certificate-based authorization
2048-bit Diffie-Hellman key strength
Network Load Balancing support
Performance enhancements
DoS detection/protection
IPSec policy versioning
NAT traversal
27. IPSec Policy Versioning
Issue
IPSec policies are attribute-value pairs
Common engine for IKE policy negotiation and client policy local store
Clients discard unknown policies
IKE negotiation and local policy store
New IPSec versions get new policies
Old clients discard new policies when found
For example, Windows 2000 client managing policy for .NET/XP systems
Solution
When storing a policy, save unknown policies even if not interpreted in IKE
Requires Windows 2000 update
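The versioning problem and its fix on this slide come down to how a policy store treats attribute-value pairs it does not understand. The following added example is not Microsoft's policy engine (the type numbers and the type/length/value layout are hypothetical): it shows a store that interprets only the pairs it knows but writes every pair back, beside the lossy behaviour that drops unknown pairs on save.

```python
import struct
from typing import Dict, List, Tuple

Pair = Tuple[int, bytes]

# Attribute types this (older) client understands. Newer releases define more;
# the numbering here is hypothetical, not the real IPSec policy schema.
KNOWN_TYPES: Dict[int, str] = {1: "encryption", 2: "integrity", 3: "dh_group"}


def parse_policy(blob: bytes) -> List[Pair]:
    """Parse type(1 byte)/length(2 bytes)/value entries, keeping every pair."""
    pairs: List[Pair] = []
    i = 0
    while i < len(blob):
        if i + 3 > len(blob):
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack_from("!BH", blob, i)
        if i + 3 + ln > len(blob):
            raise ValueError("truncated attribute value")
        pairs.append((t, blob[i + 3:i + 3 + ln]))
        i += 3 + ln
    return pairs


def serialize_policy(pairs: List[Pair]) -> bytes:
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in pairs)


def interpret(pairs: List[Pair]) -> Dict[str, bytes]:
    """What IKE on this client acts on: only the attribute types it knows."""
    return {KNOWN_TYPES[t]: v for t, v in pairs if t in KNOWN_TYPES}


def store_lossy(blob: bytes) -> bytes:
    """Pre-update behaviour the slide describes: unknown pairs are discarded on save."""
    return serialize_policy([p for p in parse_policy(blob) if p[0] in KNOWN_TYPES])


def store_preserving(blob: bytes) -> bytes:
    """Fixed behaviour: interpret only known pairs, but write back every pair unchanged."""
    return serialize_policy(parse_policy(blob))


# Constructed sample: a policy written by a newer server that carries type 9,
# which this client does not understand (value is a made-up NAT-T setting).
NEWER_POLICY = serialize_policy([(1, b"3DES"), (2, b"SHA1"), (3, b"2"), (9, b"nat-t=on")])
```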
28. IPSec NAT Traversal: Remote Access VPN
29. Internet Authentication Service: Remote Authentication Dial-In User Service (RADIUS)
Authentication, authorization, and accounting service for network access
Central access policy and accounting management
Extensible authorization model
Authenticated and encrypted UDP channel
Shared key authentication
“Client”-to-server (gateway to server) session
End-to-end authentication computer to RADIUS server
Proxy (gateway to proxy…to server)
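The shared-key authentication of the gateway-to-server session on this slide is the RADIUS Response Authenticator of RFC 2865, supplemented for EAP traffic by the Message-Authenticator attribute of RFC 2869 (required with EAP-Message by RFC 3579). The following added example is not IAS code (the shared secret and attribute contents are constructed): it builds an Access-Request carrying a Message-Authenticator, builds the matching Access-Accept, and verifies each as the server and the gateway respectively would.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869); mandatory with EAP-Message (RFC 3579)
Attr = Tuple[int, bytes]


def _encode_attrs(attrs: List[Attr]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def access_request(ident: int, secret: bytes, attrs: List[Attr],
                   request_auth: Optional[bytes] = None) -> bytes:
    """Build an Access-Request (code 1) whose last attribute is a valid Message-Authenticator."""
    request_auth = os.urandom(16) if request_auth is None else request_auth
    body = _encode_attrs([a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR]
                         + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body
    # HMAC-MD5 over the whole packet with the attribute value zeroed, keyed by the shared secret.
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check of the Message-Authenticator; a packet without one fails closed."""
    i = 20
    while i + 2 <= len(pkt):
        t, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > len(pkt):
            return False  # malformed attribute
        if t == MESSAGE_AUTHENTICATOR and ln == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += ln
    return False


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: List[Attr]) -> bytes:
    """Build an Access-Accept (code 2) carrying the RFC 2865 Response Authenticator."""
    body = _encode_attrs(attrs)
    head = struct.pack("!BBH", 2, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Gateway-side check: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match bytes 4..19."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

Both checks bind the reply to the original Request Authenticator, so a gateway that does not keep that value per outstanding request cannot detect a forged or replayed Access-Accept.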
30. Internet Authentication Service (2): Remote Authentication Dial-In User Service (RADIUS)
What’s new?
Secure wireless deployment
802.1x
Certificate object identifier (also known as OID) checking for wireless use
Password-based wireless authentication
XML-SQL database logging
Cross-forest support without RADIUS proxy
Proxy capability
RADIUS attribute filtering
Client policy check/quarantine access
31. Internet Authentication Service: Secure Wireless Deployment
Barriers to effective 802.11 security management
Access control (who accesses the network)
Static keys are vulnerable to theft
Management of static WEP keys
Static keys make WEP vulnerable
Windows .NET and Windows XP solution
802.1x – bind EAP to 802.11
Authentication and key generation
Add 802.1x authentication to IAS
Wireless connection type, object identifier checking…
32. Internet Authentication Service (2): Secure Wireless Deployment
Issue: not all customers deploy PKI
MS-CHAPv2 over protected EAP
PEAP: new EAP method
One encrypted channel to host multiple EAP authentications
Establishes keys for encryption use
Access point requires certificate to prevent man-in-the-middle (client can verify gateway)
MS-CHAPv2 used through PEAP
Encrypts MS-CHAPv2 authentication between client and RADIUS server
Prevents offline dictionary attacks
Updates to: IAS, Windows XP client
33. Internet Authentication Service: XML-SQL Logging
34. Internet Authentication Service: Cross-Forest and Proxy Support
35. Internet Authentication Service: Quarantined Client Policy Check
36. Internet Authentication Service (2): Quarantined Client Policy Check
38. Routing and Remote Access Service: Scale Out and Up
39. Remote Access Client for Windows XP
What’s new?
Split tunneling (enabled through server-side release)
Remote access diagnostics (new client update)
Preshared key (enabled through server-side release)
Impact
Reduced Internet egress load (network administrator)
VPN plus home peripheral access (end-user)
Proactively diagnose remote access issues from client side (network administrator)
No-cert L2TP/IPSec deployment (network administrator)
40. Remote Access Client for Windows XP (2)
Windows 2000 and Windows NT interoperability
Environment: yes
Not supported on Windows 2000 and Windows NT clients
Availability improvement
Faster diagnosis of infrastructure issues increases remote access service availability
64-bit compatible
Yes
41. VPN Deployment Scenarios: Without Split Tunneling
43. VPN Deployment Scenarios: Remote Access Diagnostics and Preshared Key
44. Wrap Up
Network authentication, authorization, and accounting must be integrated with directory
Networks evolved out of connectivity needs
Authentication/authorization models for networks and information services developed independently
Resulting in redundant identity infrastructures
User identity and group membership should be centralized
Network authentication is an end-to-end problem that requires more richness and extensibility than a certificate or ticket
45. Additional Resources
http://www.microsoft.com/vpn/
http://www.microsoft.com/security/
http://www.microsoft.com/ipv6/
http://www.microsoft.com/net/
46. Thank you for joining today’s Microsoft Support WebCast.
For information about all upcoming Support WebCasts, and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), visit: http://support.microsoft.com/webcasts/
Your feedback is sincerely appreciated. Please send any comments or suggestions about the Support WebCasts to supweb@microsoft.com.