Lecture 6: Implementing Security for Wireless Networks with 2003
Objectives
• Overview of Active Directory
• Overview of Certificate Services
• How 802.1X with PEAP and Passwords Works
• How 802.1X-EAP-TLS Authentication Works
• Remote Access Policies
What Is Active Directory?
• Directory service functionality: organize, manage, and control network resources
• Centralized management: a single point of administration
• Full user access to directory resources with a single logon

Active Directory Objects
• Objects represent network resources (in the diagram, a Printers container holding Printer1, Printer2, and Printer3, and a Users container holding Don Hall and Suzan Fine)
• Attributes store information about an object: a printer object has attributes such as Printer Name and Printer Location; a user object has attributes such as First Name, Last Name, and Logon Name
• Each attribute holds a value
Active Directory Logical Structure
• Domains
• Organizational units
• Trees and forests
• Global catalog
Domains
• A domain is a security boundary
  • A domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains
• A domain is a unit of replication
  • Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
(Diagram: a Windows 2000 domain in which User1 and User2 are replicated between the domain's domain controllers)
Organizational Units
• Use OUs to group objects into a logical hierarchy that best suits the needs of your organization, whether that follows the network administrative model or the organizational structure
• Delegate administrative control over the objects within an OU by assigning specific permissions to users and groups
(Diagram: OUs named Sales, Vancouver, and Repair, with Sales Users and Sales Computers grouped beneath Sales)
Trees and Forests
(Diagram: one forest containing two trees. The first tree is rooted at contoso.msft, the forest root, with child domains asia.contoso.msft and au.contoso.msft. The second tree is rooted at nwtraders.msft, with child domains asia.nwtraders.msft and au.nwtraders.msft. The domains within each tree, and the two tree roots, are joined by two-way transitive trusts.)
Global Catalog
• The global catalog holds a subset of the attributes of all objects in every domain of the forest
• A global catalog server answers queries such as group membership when a user logs on
Domain Controllers
• A domain controller holds a writeable copy of the Active Directory database
• Domain controllers:
  • Participate in Active Directory replication
  • Perform single-master operations roles in a domain
(Diagram: two domain controllers in one domain replicating User1 and User2 between them)
Delegating Administrative Control
• Assign permissions:
  • For specific OUs to other administrators (in the diagram, Admin1 for OU1, Admin2 for OU2, and Admin3 for OU3 within one domain)
  • To modify specific attributes of an object in a single OU
  • To perform the same task in all OUs
• Customize administrative tools to:
  • Map to delegated administrative tasks
  • Simplify interface design
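The two rules from the Domains and Delegating Administrative Control slides (a domain is a security boundary; delegation is granted per OU, optionally limited to specific attributes) can be expressed as a small permission check. The following is an added example, not Microsoft code or anything from the lecture: the distinguished names, the forest layout, the administrator names, and the rule that a grant on an OU also covers its child OUs are all assumptions made for the demonstration.

```python
"""Toy model of Active Directory delegation scoped by domain and OU.

Constructed example, not Microsoft code. DNs and the forest layout are
assumed; a grant made at an OU covers the objects in that OU and its child
OUs, and a domain admin's authority stops at the domain boundary unless a
grant explicitly reaches across it.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


def dn_parts(dn: str) -> List[str]:
    """Split 'CN=User1,OU=Users,OU=Sales,DC=contoso,DC=msft' into its RDN components."""
    return [part.strip() for part in dn.split(",")]


def domain_of(dn: str) -> str:
    """The DC= components alone name the domain, which is the security boundary."""
    return ",".join(p for p in dn_parts(dn) if p.upper().startswith("DC="))


def is_within(container_dn: str, object_dn: str) -> bool:
    """True when object_dn sits below container_dn in the OU hierarchy."""
    container, obj = dn_parts(container_dn), dn_parts(object_dn)
    return len(obj) > len(container) and obj[-len(container):] == container


@dataclass(frozen=True)
class Grant:
    principal: str               # administrator or group given the delegation
    scope_dn: str                # OU (or domain root) the grant covers
    attributes: FrozenSet[str]   # attributes the grantee may modify; "*" means all


@dataclass
class Forest:
    domain_admins: Dict[str, Set[str]] = field(default_factory=dict)  # domain DN -> admins
    grants: List[Grant] = field(default_factory=list)

    def can_modify(self, principal: str, object_dn: str, attribute: str) -> bool:
        domain = domain_of(object_dn)
        # A domain admin administers anything inside their own domain...
        if principal in self.domain_admins.get(domain, set()):
            return True
        # ...and nothing outside it unless a delegation grant explicitly covers the object.
        for grant in self.grants:
            if grant.principal != principal or not is_within(grant.scope_dn, object_dn):
                continue
            if "*" in grant.attributes or attribute in grant.attributes:
                return True
        return False


# Constructed forest: two domains, with OU delegation inside contoso.msft only.
CONTOSO = "DC=contoso,DC=msft"
NWTRADERS = "DC=nwtraders,DC=msft"
DEMO_FOREST = Forest(
    domain_admins={CONTOSO: {"ContosoAdmin"}, NWTRADERS: {"NwtradersAdmin"}},
    grants=[
        # Admin1 gets full control of the Sales OU and everything beneath it
        Grant("Admin1", f"OU=Sales,{CONTOSO}", frozenset({"*"})),
        # Admin2 may change a single attribute, and only on objects in Sales\Users
        Grant("Admin2", f"OU=Users,OU=Sales,{CONTOSO}", frozenset({"telephoneNumber"})),
    ],
)

if __name__ == "__main__":
    user1 = f"CN=User1,OU=Users,OU=Sales,{CONTOSO}"
    for who, attr in [("Admin1", "description"), ("Admin2", "telephoneNumber"),
                      ("Admin2", "description"), ("NwtradersAdmin", "description")]:
        print(who, attr, DEMO_FOREST.can_modify(who, user1, attr))
```

Running the block shows Admin1 and Admin2 succeeding only inside their delegated scope, and the nwtraders.msft domain administrator failing against a contoso.msft object even though both domains sit in the same forest.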
What Is a PKI?
The combination of software and encryption technologies that helps to secure communication and business transactions.

Components of a PKI
• Certification authority
• Certificate and CA management tools
• AIA and CRL distribution points
• Certificate template
• Digital certificate
• Certificate revocation list
• Public key-enabled applications and services
What Is a Certification Authority?
A certification authority:
• Verifies the identity of a certificate requestor
  • The mode of identification depends on the type of CA
• Issues certificates
  • The certificate template or requested certificate determines the information in the certificate
• Manages certificate revocation
  • The CRL ensures that invalid certificates are not used

Roles in a Certification Authority Hierarchy
A three-tier hierarchy: root CA, policy CA, issuing CA.
• A root CA is generally configured as a stand-alone CA and kept offline

Offline Root CA Installation Settings
Settings to decide for an offline, stand-alone root CA:
• CA name
• Computer name
• Cryptographic service provider
• Key length
• Validity period
• CA policy
• Database and log settings
Wireless Network Authentication Options for WPA
Wireless network authentication options include:
• Wireless network security using Protected Extensible Authentication Protocol (PEAP) and passwords (802.1X with PEAP)
• Wireless network security using Certificate Services (802.1X with EAP-TLS)
• Wi-Fi Protected Access with Pre-Shared Keys (WPA-PSK)
Guidelines for Choosing the Appropriate Wireless Network Solution
How 802.1X with PEAP and Passwords Works
Participants: wireless client, wireless access point, RADIUS server (IAS), internal network.
1. Client connect
2. Mutual authentication through the access point to the RADIUS (IAS) server: client authentication and server authentication, with key determination
3. Key distribution
4. WLAN encryption
5. Authorization: access to the internal network

How 802.1X-EAP-TLS Authentication Works
Participants: wireless client, certification authority, wireless access point, RADIUS server (IAS), internal network.
1. Certificate enrollment: the wireless client obtains a certificate from the certification authority
2. Client connect to the wireless access point
3. Mutual authentication through the access point to the RADIUS (IAS) server: client authentication and server authentication, with key determination
4. Key distribution
5. WLAN encryption
6. Authorization: access to the internal network
Client, Server, and Hardware Requirements for Implementing 802.1X
PKI Requirements for Wireless Network Security
To prepare the PKI for wireless security:
• Define certificate requirements
• Design the certification authority hierarchy
• Configure certificates
• Create a certificate management plan

Considerations for Creating Certificate Templates
To create the certificates required for wireless security:
• Define certificate parameters
• Define certificate and key lifetimes
• Define certificate clients and the assurance level for each certificate holder
Remote Access Connection Policies
Specify connection criteria:
• Remote access permission
• Group membership
• Type of connection
• Time of day
Specify connection restrictions:
• Authentication methods
• Idle timeout time
• Maximum session time
• Encryption strength
• IP packet filters

IAS Remote Access Policies
Policy evaluation flow:
1. Conditions: do the attributes of the connection attempt match the policy's conditions? If not, the next policy is evaluated
2. Permissions: check the remote access permission. Deny rejects the connection; Allow continues; Use Remote Access Policy applies the policy's own Allow or Deny setting
3. Profile evaluation: does the connection satisfy the profile's restrictions? Yes allows the connection; No denies it
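The evaluation flow on the IAS Remote Access Policies slide, combined with the criteria and restrictions listed on the Remote Access Connection Policies slide, can be worked through in code. The following is an added example, not Microsoft IAS code or anything from the lecture: the policy names, group names, encryption ranking, and the sample accounts and connection attempts are assumptions constructed for the demonstration.

```python
"""Model of the IAS remote access policy evaluation flow.

Constructed example, not Microsoft IAS code. Policies are tried in order and
the first one whose conditions all match decides the outcome: the account's
dial-in setting (Allow / Deny / Use Remote Access Policy) is checked, then the
profile restrictions (authentication methods, encryption strength, session
limits) are applied. Names and values below are assumed.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    name: str
    groups: Set[str]
    dial_in: str                 # "Allow", "Deny", or "UseRemoteAccessPolicy"


@dataclass
class Connection:
    account: Account
    connection_type: str         # type of connection, e.g. "Wireless-IEEE 802.11"
    auth_method: str             # e.g. "EAP-TLS", "PEAP-MSCHAPv2", "PAP"
    encryption: str              # "None", "Basic", "Strong", "Strongest"
    time_of_day: time


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Connection], bool]]        # connection criteria
    permission: str                                       # policy's own Allow/Deny
    allowed_auth: Set[str] = field(default_factory=set)   # profile: authentication methods
    min_encryption: str = "None"                          # profile: encryption strength
    max_session_minutes: Optional[int] = None             # profile: maximum session time
    idle_timeout_minutes: Optional[int] = None            # profile: idle timeout


ENCRYPTION_RANK = {"None": 0, "Basic": 1, "Strong": 2, "Strongest": 3}  # assumed ordering


def evaluate(policies: List[Policy], conn: Connection) -> Tuple[str, str, Dict[str, Optional[int]]]:
    """Return (decision, reason, applied profile) for one connection attempt."""
    for policy in policies:
        # Conditions: all must match, otherwise move on to the next policy
        if not all(check(conn) for check in policy.conditions):
            continue
        # Permissions: the account's dial-in setting wins unless it defers to the policy
        permission = conn.account.dial_in
        if permission == "UseRemoteAccessPolicy":
            permission = policy.permission
        if permission == "Deny":
            return "Deny", f"{policy.name}: remote access permission denied", {}
        # Profile evaluation: every restriction must be satisfied
        if policy.allowed_auth and conn.auth_method not in policy.allowed_auth:
            return "Deny", f"{policy.name}: {conn.auth_method} is not an allowed authentication method", {}
        if ENCRYPTION_RANK[conn.encryption] < ENCRYPTION_RANK[policy.min_encryption]:
            return "Deny", f"{policy.name}: encryption {conn.encryption} is weaker than {policy.min_encryption}", {}
        profile = {"max_session_minutes": policy.max_session_minutes,
                   "idle_timeout_minutes": policy.idle_timeout_minutes}
        return "Allow", f"{policy.name}: conditions matched and profile applied", profile
    # No policy matched the attempt at all
    return "Deny", "no remote access policy matched", {}


# Condition builders mirroring the slide's criteria (type of connection, group, time of day)
def connection_type_is(kind: str) -> Callable[[Connection], bool]:
    return lambda c: c.connection_type == kind


def member_of(group: str) -> Callable[[Connection], bool]:
    return lambda c: group in c.account.groups


def between(start: time, end: time) -> Callable[[Connection], bool]:
    return lambda c: start <= c.time_of_day <= end


# Constructed policy set: wireless users in working hours with strong EAP; other wireless attempts denied
WIRELESS_POLICIES = [
    Policy("Wireless - Corp Users",
           conditions=[connection_type_is("Wireless-IEEE 802.11"), member_of("Wireless Users"),
                       between(time(7, 0), time(19, 0))],
           permission="Allow", allowed_auth={"EAP-TLS", "PEAP-MSCHAPv2"},
           min_encryption="Strongest", max_session_minutes=480, idle_timeout_minutes=30),
    Policy("Wireless - Deny others",
           conditions=[connection_type_is("Wireless-IEEE 802.11")], permission="Deny"),
]


def attempt(name: str, groups: Set[str], dial_in: str, auth: str, enc: str, at: time) -> Connection:
    """Build a constructed wireless connection attempt."""
    return Connection(Account(name, groups, dial_in), "Wireless-IEEE 802.11", auth, enc, at)


if __name__ == "__main__":
    for conn in [attempt("alice", {"Wireless Users"}, "UseRemoteAccessPolicy", "EAP-TLS", "Strongest", time(9, 0)),
                 attempt("alice", {"Wireless Users"}, "UseRemoteAccessPolicy", "PAP", "Strongest", time(9, 0)),
                 attempt("bob", set(), "UseRemoteAccessPolicy", "EAP-TLS", "Strongest", time(9, 0))]:
        print(conn.account.name, *evaluate(WIRELESS_POLICIES, conn)[:2], sep=" | ")
```

The second, catch-all policy matters: without it an attempt that fails the first policy's conditions (wrong group, outside working hours) would fall through to the final "no policy matched" branch, which also denies, but an explicit deny policy makes the intended outcome visible in the policy list and in the reason string that is logged.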
Lab D: Planning and Implementing Security for Wireless Networks
• Exercise 1: Configuring Active Directory for Wireless Networks
• Exercise 2: Configuring Certificate Templates and Certificate Autoenrollment
• Exercise 3: Configuring Remote Access Policies for Wireless Devices
• Exercise 4: Configuring Group Policy for Wireless Networks