Tuesday, 13 March 2012

Perimeter networks and Remote access strategy


In Windows Server 2008, to provide secure remote connectivity, you need to design access through a perimeter network. Therefore, to configure a remote access strategy, you first need to design a secure perimeter network and decide which services will reside within it.
A perimeter network architecture has three zones:
· Border network – provides a direct connection to the external environment through a router. The border router can offer some protective features, such as access lists that block specific unwanted traffic, for example Internet Control Message Protocol (ICMP) echo requests (the packets sent when pinging). A perimeter firewall, along with associated security devices and services, protects the border network.
· Perimeter network – a semi-protected area secured by a perimeter firewall and an internal firewall. Services located in this area include Web servers for public access that connect to internal SQL servers, along with many other application servers.
· Internal network – the location of the secure environment. It includes the corporate user and server environments. Security designs for this zone include another firewall separating the internal user network from the server farms.

You can use the following services and security features when designing the perimeter network.
· NAT – Uses private IP addresses that are meaningful only within your organization. When traffic is sent out to the Internet, these addresses must be translated to a routable public IP address. One benefit of using NAT in your firewall design is that your internal addressing structure is hidden from outside attackers.

· Stateful inspection firewalls – Record every connection that originates on an interface in a state table. When the return traffic for that connection arrives, the state table is consulted to confirm that it really is a reply to a connection that originated on that interface; unsolicited inbound traffic has no matching entry and is dropped.

· Circuit-level firewalls – Provide more in-depth inspection of traffic than a stateful firewall does. Circuit-level firewalls provide session maintenance and enable the use of protocols that require secondary connections, such as FTP.

· Proxy servers – Provide security by functioning as intermediaries and requesting a service on behalf of a client. The client is never directly connected to the service. The proxy service can inspect all headers involved in the transaction, providing an extra layer of protection. Frequently requested content can be cached and reused to reduce bandwidth. Proxy servers can also provide authenticated requests, NAT, and authentication request forwarding.

· Application-layer firewalls – Inspect all incoming and outgoing packet headers and maintain state tables. They also inspect the data streams themselves, to provide security against attacks hidden in the data payloads of ordinary Web service packets such as HTTP, other Web-related request and data packets, and many other application-specific request and response packets.


Remote Access Strategy
In designing remote access, an enterprise administrator must consider all required avenues of access. For example, consider designing a VPN protocol solution. Deciding which VPN protocols to use for your remote access policies depends on several questions, such as:
· What are the security requirements for encrypted communications?
· Which security policies exist to secure communication through your corporate firewall?
· Which authentication mechanisms are acceptable?
· Is there a need to deploy a PKI to support the VPN infrastructure?
VPN Tunneling Protocols
Windows Server 2008 provides support for three tunneling protocols when configuring remote access connections:
· Point-to-Point Tunneling Protocol (PPTP) – PPTP provides a high level of security as a VPN tunneling protocol. It is well supported by several Microsoft operating systems, including Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

· Layer 2 Tunneling Protocol (L2TP) – L2TP provides a more secure connection than PPTP in several respects. L2TP provides the same user authentication that PPTP provides, as well as computer authentication using IPsec authentication. L2TP with IPsec uses 168-bit triple DES (3DES) encryption for the data and provides per-packet data origin authentication, proving the identity of the sender and providing data integrity and replay protection along with a high level of confidentiality.

· Secure Socket Tunneling Protocol (SSTP) – SSTP is a new VPN tunneling protocol supported by Windows Vista SP1 and Windows Server 2008. It uses SSL-encrypted HTTP connections for the VPN connection. More specifically, Point-to-Point Protocol (PPP) sessions are encrypted by SSL and carried over an HTTP connection. Another advantage is that SSTP is quite secure: the SSL tunnel is established before any user credentials are transferred. SSTP also supports Extensible Authentication Protocol (EAP) types for user authentication, including Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), as well as the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) v2 authentication method.
Because SSTP runs over HTTPS, only one additional firewall rule is needed: allow TCP port 443 from the border network into the perimeter network, destined for the VPN server's perimeter interface.
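As an added illustration (not from the original post), the following Python sketch models the stateful inspection behaviour described under the perimeter services above together with the single inbound TCP 443 rule for the SSTP server and the border access list that drops echo requests. All networks, addresses and packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (not taken from the original post).
PERIMETER_NET = ip_network("192.0.2.0/24")   # semi-protected perimeter segment
INTERNAL_NET = ip_network("10.0.0.0/8")      # internal user/server network
VPN_PERIMETER_IF = ip_address("192.0.2.10")  # SSTP server's perimeter-facing interface

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0       # 0 for ICMP
    dport: int = 0
    icmp_type: int = -1  # 8 = echo request (ping)

class PerimeterFirewall:
    """Toy stateful inspection firewall: connections that originate inside are recorded
    in a state table; inbound traffic is admitted only as the return half of such an
    entry or when it matches an explicit inbound rule."""
    def __init__(self):
        self.state = set()  # entries are (src, sport, dst, dport, proto)

    def outbound(self, p: Packet) -> bool:
        """Traffic leaving the perimeter or internal side; record it so replies can return."""
        if ip_address(p.src) in PERIMETER_NET or ip_address(p.src) in INTERNAL_NET:
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        return False  # unknown or spoofed source: do not open a state entry

    def inbound(self, p: Packet) -> bool:
        """Traffic arriving from the border (external) side."""
        if p.proto == "icmp" and p.icmp_type == 8:
            return False  # border access list: drop echo requests
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return True   # reversed 5-tuple matches: reply to a connection we initiated
        # The one explicit inbound rule from the text: TCP 443 to the VPN server's perimeter interface.
        if p.proto == "tcp" and ip_address(p.dst) == VPN_PERIMETER_IF and p.dport == 443:
            return True
        return False      # any other unsolicited inbound packet is dropped

def demo() -> dict:
    """Walk constructed packets through the firewall and report each verdict."""
    fw = PerimeterFirewall()
    return {  # dict values are evaluated in order, so the outbound entry exists before its reply
        "outbound_web": fw.outbound(Packet("10.1.1.5", "203.0.113.80", "tcp", 51000, 80)),
        "web_reply": fw.inbound(Packet("203.0.113.80", "10.1.1.5", "tcp", 80, 51000)),
        "unsolicited": fw.inbound(Packet("203.0.113.80", "10.1.1.5", "tcp", 80, 51001)),
        "sstp": fw.inbound(Packet("203.0.113.7", "192.0.2.10", "tcp", 44000, 443)),
        "other_443": fw.inbound(Packet("203.0.113.7", "192.0.2.20", "tcp", 44001, 443)),
        "ping": fw.inbound(Packet("203.0.113.7", "192.0.2.10", "icmp", icmp_type=8)),
    }
```

Running `demo()` shows that only the reply to the internally initiated web session and the TCP 443 connection to the SSTP server's perimeter interface are admitted; the stray port, the other perimeter host and the ping are all dropped.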
Authentication Protocols
Windows Server 2008 provides support for the following authentication protocols:
· PAP
· MS-CHAP
· MS-CHAP v2
· PEAP-MSCHAP v2/EAP-MSCHAP v2
· EAP-TLS
· PEAP-TLS
