For Geeks @nd the not so Geeky

Configuring Computer Networking

None – No Encryption or Authentication

  • Some wireless access points require the user to accept a user agreement before being able to log on to the network. You can provide encryption through VPN, DirectAccess or IPsec to enable some form of security.

Wired Equivalent Protection (WEP)

  • 64 or 128 bit encryption
  • Sufficient to provide basic protection and almost universally supported

Wi-Fi Protected Access (WPA)

  • Offers significantly stronger encryption compared to WEP

Network Security

WPA – Personal Shared Key (PSK)

  • Should be avoided if possible as WPA-PSK uses a static key which is difficult to manage in an enterprise environment.

WPA – Extensible Authentication Protocol (EAP) or WPA – Enterprise

  • Requires a RADIUS server for authentication and allows multiple wireless access points to rely on one central server for authentication.
  • Network Policy Server (NPS) can pass authentication requests to a domain controller and allows for flexible authentication without the need for a static key.

Windows Server 2008 R2 Enterprise and Datacenter support NPS without restriction whereas Windows Server 2008 R2 Standard supports a maximum of 50 clients and 2 remote RADIUS server groups.

Use a Public Key Infrastructure (PKI) to deploy certificates to both your RADIUS server and your wireless client computers, and enable autoenrollment. RADIUS proxy servers can be used to forward requests to different RADIUS servers in the forest or to load-balance requests across multiple servers.
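Before you point wireless clients at NPS, the certificate on the RADIUS server has to be one PEAP clients will accept: Server Authentication EKU, a private key, a subject name that matches what the clients are told to expect, and a chain to a root you can push out by autoenrollment or GPO. The script below is an added example (not from the original post) that audits the machine store on the NPS server for exactly that. It assumes it runs on the NPS server with local admin rights; nps01.corp.example is a placeholder FQDN and it targets PowerShell 2.0 as shipped with Windows Server 2008 R2.

```powershell
# Added example, not from the original post: audit the NPS server's machine
# certificates for PEAP/EAP-TLS suitability. Run on the NPS server as admin.
$serverFqdn = 'nps01.corp.example'     # placeholder: the NPS server's real FQDN

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (RFC 5280)
$ekuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension OID

# Only certificates we can actually use: private key present and not expired
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
}

$results = foreach ($cert in $candidates) {
    # Read the EKU list from the raw extension so this works on PowerShell 2.0
    $hasServerAuth = $false
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    if ($eku) {
        $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # PEAP clients configured with a server name will reject a CN that does not match
    $nameMatches = $cert.Subject -match ('CN=' + [regex]::Escape($serverFqdn))

    # Build the chain and report the root, which is the CA clients must trust
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $root    = '(chain does not build)'
    if ($chainOk) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Expires       = $cert.NotAfter
        ServerAuthEKU = $hasServerAuth
        NameMatches   = $nameMatches
        ChainBuilds   = $chainOk
        Root          = $root
        UsableForPEAP = ($hasServerAuth -and $nameMatches -and $chainOk)
    }
}

$results | Format-Table Thumbprint, UsableForPEAP, ServerAuthEKU, NameMatches, ChainBuilds, Expires, Root -AutoSize

# If nothing is usable and autoenrollment is already configured, certutil -pulse
# triggers an autoenrollment pass immediately instead of waiting for the timer.
```

If UsableForPEAP is false for every row, the usual causes are a template without the Server Authentication EKU, a certificate issued to a short hostname rather than the FQDN, or a root that has not yet reached the server's Trusted Root store.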

WPA2 (IEEE 802.11i)

  • Updated, even more secure version of the original WPA

Network Access Protection (NAP): http://technet.microsoft.com/en-us/network/bb545879.aspx

Windows Server 2008 R2 Wireless Network Authentication Modes

Computer or User

Windows uses computer credentials to authenticate prior to logon, after which it checks the user credentials before the network can be accessed.

Computer Only

No user authentication is required as the computer authenticates to the network before displaying the logon screen.
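The security modes listed further up (none, WEP, WPA-PSK, WPA/WPA2-Enterprise) and the authentication modes just described both end up in the saved WLAN profile XML on a Windows 7 client, so one script can audit both. The following is an added example (not from the original post) that exports every saved profile with netsh wlan, reads the authentication, encryption and useOneX values from the MSM/security element and the optional OneX/authMode value (which the schema defaults to machineOrUser when absent), and flags profiles still on open, WEP or pre-shared-key settings. It assumes the WLAN AutoConfig service is present (a Windows 7 client, or a server with the Wireless LAN Service feature) and uses a scratch folder under %TEMP%.

```powershell
# Added example, not from the original post: inventory saved WLAN profiles and
# report their security and 802.1X authentication modes.
$exportDir = Join-Path $env:TEMP 'wlan-audit'      # assumed scratch location
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# netsh writes one XML file per profile; key material is left out unless key=clear is given
netsh wlan export profile folder="$exportDir" | Out-Null

$report = foreach ($file in Get-ChildItem -Path $exportDir -Filter '*.xml') {
    [xml]$profile = Get-Content -Path $file.FullName
    $sec  = $profile.WLANProfile.MSM.security
    $auth = $sec.authEncryption.authentication   # open, shared, WPA, WPAPSK, WPA2, WPA2PSK
    $enc  = $sec.authEncryption.encryption       # none, WEP, TKIP, AES
    $oneX = ($sec.authEncryption.useOneX -eq 'true')

    # authMode lives under OneX and is optional; the schema default is machineOrUser
    $authMode = 'n/a'
    if ($oneX) {
        $authMode = 'machineOrUser'
        if ($sec.OneX -and $sec.OneX.authMode) { $authMode = $sec.OneX.authMode }
    }

    # Rank roughly as the post does: none < WEP < WPA-PSK < WPA/WPA2 Enterprise
    $rating = switch -Regex ($auth) {
        '^open$'   { if ($enc -eq 'WEP') { 'WEP' } else { 'None' } }
        '^shared$' { 'WEP' }
        'PSK$'     { 'Pre-shared key (avoid in an enterprise)' }
        '^WPA2?$'  { "Enterprise 802.1X ($authMode)" }
        default    { "Unknown ($auth)" }
    }

    New-Object PSObject -Property @{
        Profile        = $profile.WLANProfile.name
        Authentication = $auth
        Encryption     = $enc
        Uses8021X      = $oneX
        AuthMode       = $authMode
        Assessment     = $rating
    }
}

$report | Sort-Object Assessment |
    Format-Table Profile, Authentication, Encryption, Uses8021X, AuthMode, Assessment -AutoSize

Remove-Item -Path $exportDir -Recurse -Force
```

A profile that reports Enterprise 802.1X (user) is the one to look at when users complain that logon scripts or GPO processing fail over wireless: with user-only authentication the machine has no network until after logon, which is exactly what the Computer or User and Computer Only modes above avoid.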

Single Sign On (SSO)

Supported by Windows Vista, Windows 7 and Windows Server 2008

Remote Access – Dial-Up and VPN

Dial-Up connections use an analog phone line to establish a connection to the network and are therefore very secure as you are not connected to the Internet.

Dial-Up access is very costly if you have many clients in your network as each is using a dedicated connection with very low bandwidth. Just like wireless networks, you can deploy a RADIUS server to handle authentication requests for Dial-Up clients.

VPNs on the other hand share a single internet connection thereby significantly reducing costs as your organization will already have an Internet connection and all that might be required is to purchase some extra bandwidth.

The drawback is that an Internet connection is mandatory and that you must allow incoming traffic through your firewall. You could use a Dial-Up connection and then create a VPN tunnel but the added overhead of VPN and the poor latency it provides would offer very poor performance.

Point-to-Point Tunneling Protocol (PPTP)

Originally a Microsoft technology that uses Point-to-Point Protocol (PPP) authentication for the user and Microsoft Point-to-Point Encryption (MPPE) for data encryption. No client certificate is required when using PEAP-MS, EAP-MS, EAP-MS-CHAP or MS-CHAP v2.

Layer Two Tunneling Protocol (L2TP)

An open standard VPN protocol relying on PPP authentication for user-level authentication and IPsec for computer-level authentication as well as data authentication, data integrity and data encryption. It requires computer certificates, which in the Windows world is achieved by using Active Directory Certificate Services. L2TP is for now the only technology that can be used over the IPv6 Internet.

Secure Socket Tunneling Protocol (SSTP)

Uses PPP authentication methods for user-level authentication while relying on HTTP encapsulation over SSL for data authentication, integrity and encryption. This enables it to traverse many firewalls, NAT devices and proxy servers that would block traditional PPTP or L2TP traffic. SSTP is only supported on Windows Server 2008 and Windows Vista SP1 and up, and requires a CA.

DirectAccess

Only available in Windows 7 Enterprise, Windows 7 Ultimate and Windows Server 2008 R2, and requires the IPv6 protocol. Therefore transition technologies such as 6to4, Teredo and ISATAP are mandatory in most networks. Also don’t forget to add firewall exceptions when using DirectAccess. For DirectAccess to work you need the following:

  • A multi-homed DirectAccess server which is a member of a domain but NOT a domain controller, with 2 consecutive public IPv4 addresses assigned to the public interface
  • DirectAccess clients must be joined to a domain and running Windows 7 Enterprise, Windows 7 Ultimate or Windows Server 2008 R2
  • An AD domain which holds the Network Location Service Role (NLS), including IIS and the SSL certificate service
  • A PKI through a CA to support IPsec, as well as a DNS server running at least Windows Server 2008 SP2
  • Application servers and a network infrastructure that support IPv6 or similar transition technologies
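Most of the server-side requirements in that list can be checked before the DirectAccess setup wizard ever runs. Here is an added example (not from the original post) that pre-flights the candidate DirectAccess server: domain member but not a domain controller, Windows Server 2008 R2 (version 6.1, server product type), at least two IP-enabled interfaces, two consecutive public IPv4 addresses on one of them, and IPv6 present on the box. It relies only on the Win32_ComputerSystem, Win32_OperatingSystem and Win32_NetworkAdapterConfiguration WMI classes so it runs on PowerShell 2.0; the "public" test simply excludes RFC 1918 and link-local ranges, which is an assumption about how the external interface is addressed.

```powershell
# Added example, not from the original post: pre-flight DirectAccess server
# prerequisites on the candidate server. Read-only; needs local admin for WMI.
$cs = Get-WmiObject Win32_ComputerSystem
$os = Get-WmiObject Win32_OperatingSystem

# DomainRole: 3 = member server, 4 = backup DC, 5 = primary DC
$isMemberNotDC = $cs.PartOfDomain -and ($cs.DomainRole -eq 3)
# Version 6.1 = Windows 7 / Server 2008 R2; ProductType 3 = server (not a DC, not a workstation)
$isServer2008R2 = ($os.Version -like '6.1*') -and ($os.ProductType -eq 3)

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 and APIPA ranges; the DirectAccess public interface needs routable addresses
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168) -or
    ($b[0] -eq 169 -and $b[1] -eq 254)
}

function ConvertTo-IPv4Number([string]$ip) {
    # Dotted quad to a 64-bit integer so "consecutive" is a simple +1 comparison
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$hasIPv6 = $false
$publicPairNic = $null
foreach ($nic in $nics) {
    $v4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $v6 = @($nic.IPAddress | Where-Object { $_ -match ':' })
    if ($v6.Count -gt 0) { $hasIPv6 = $true }   # link-local counts: it shows IPv6 is enabled

    $public = @($v4 | Where-Object { -not (Test-PrivateIPv4 $_) } |
                     Sort-Object { ConvertTo-IPv4Number $_ })
    for ($i = 1; $i -lt $public.Count; $i++) {
        if ((ConvertTo-IPv4Number $public[$i]) -eq ((ConvertTo-IPv4Number $public[$i - 1]) + 1)) {
            $publicPairNic = $nic.Description
        }
    }
}

$checks = @(
    @{ Check = 'Domain member, not a domain controller';  Pass = $isMemberNotDC },
    @{ Check = 'Windows Server 2008 R2 (6.1, server)';     Pass = $isServer2008R2 },
    @{ Check = 'Multi-homed (2+ IP-enabled interfaces)';   Pass = ($nics.Count -ge 2) },
    @{ Check = 'Two consecutive public IPv4 addresses';    Pass = ($publicPairNic -ne $null) },
    @{ Check = 'IPv6 enabled (any IPv6 address present)';  Pass = $hasIPv6 }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Pass -AutoSize
if ($publicPairNic) { "Consecutive public IPv4 pair found on: $publicPairNic" }
```

The two-address check is the one people trip over: Teredo only works when the server has two consecutive public IPv4 addresses on the external interface, so a single public address or a pair of non-adjacent ones both fail it. The remaining items in the list (NLS, CA, DNS server level, IPv6 on the application servers) live on other machines and are not covered by this script.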

End-to-Edge Protection

Clients connect securely (with encryption and authentication) to a DirectAccess server and can then communicate on the intranet with servers that do not support IPv6. Application servers however must support IPv6.

End-to-End Protection

Clients connect directly to application servers using IPv6 and IPsec over both the Internet and the intranet. The DirectAccess server functions very much as a router, forwarding traffic without accessing the content. This offers the highest level of security and requires the application servers to be running Windows Server 2008 or higher in combination with IPv6 and IPsec.
