CHAPTER 14

IMPLEMENTING ENTERPRISE-WIDE NETWORK SECURITY

 

 

Lesson 1:  Implementing Network Security

 

Security should be part of both the design and the implementation of the system.

 

 

Planning for Network Security

 

Even if you are confident that you have implemented a secure network environment, it is important for you to review your security strategies considering the capabilities of Windows 2000.

 

  • Assess your network security risks.
  • Determine your server size and placement requirements.
  • Prepare your staff.
  • Create and publish security policies and procedures.
  • Use a formal methodology to create a deployment plan for your security technologies.
  • Identify your user groups and their specific needs and security risks.

 

*** See the chart on page 351 ***

 

 

Network Authentication

 

Authentication is the process of identifying users who attempt to connect to a network. Users who are authenticated on the network can utilize network resources based on their access permissions.

 

 

Network Security Plan

 

To make sure that only the appropriate people have access to resources and data, you should plan your network security.

 

  • Plan for deployment
  • Create secure boundaries
  • Prepare for Windows 2000 network security strategies.
  • Deploy strategies for everyone.

 

 

 

 

======================================================================

 

wininf14.html                                                  PAGE 2                                                      2002/04/06

 

 

 

  • Deploy strategies for users of company applications.
  • Deploy strategies for company staff.
  • Deploy strategies for partners.

 

 

Preparing your Staff

 

Security technologies need to be deployed and managed by very capable and trustworthy people.  They must integrate the entire network and network security infrastructure so that you can eliminate or minimize weaknesses.

 

The staff must be well-trained and up-to-date with the current technologies.

 

 

Planning Distributed Network Security

 

Distributed network security involves the coordination of many security functions on a computer network to implement an overall security policy.

 

A typical security plan includes sections like those on page 354.

 

You may need more than one security plan, depending on your organization.  You should also have a test bed for the organization.

 

 

Internet Connection Issues

 

Most organizations want their computer infrastructure connected to the Internet because it provides valuable services to their staff and customers.  A connection to the Internet allows your organization’s staff to use e-mail to communicate with people around the world and to obtain information and files from a vast number of sources.

 

 

Implementing a Firewall

 

To secure your organization’s network for access to and from the Internet, you need to put a firewall between the two.

 

A firewall employs packet filtering to allow or disallow the flow of very specific types of network traffic.  Internet Protocol (IP) packet filtering provides a way for you to define precisely what IP traffic is allowed to cross the firewall.

 

Firewalls often act as proxy servers or routers because they forward traffic between a private network and a public network.  The firewall or proxy server software examines all network packets on each interface to determine their intended address.
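The packet-filtering decision described above, as an added example that is not part of the original notes and is not Microsoft Proxy Server's own logic. It assumes a stateless, first-match rule list with an implicit final deny; the addresses, rule set and names (`Rule`, `filter_packet`, `demo`) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return (
            self.proto in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and self.dport in (None, pkt["dport"])
        )

# Constructed rule set: 10.1.0.0/16 is the private network, 192.0.2.25 a public mail host.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),  # inbound SMTP to the mail host only
    Rule("deny", "any", "0.0.0.0/0", "10.1.0.0/16", None),   # nothing else may reach the inside
    Rule("allow", "tcp", "10.1.0.0/16", "0.0.0.0/0", 80),    # staff web browsing
]

def filter_packet(pkt: dict, rules=RULES) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def demo() -> dict:
    outside, inside = "203.0.113.9", "10.1.4.20"   # constructed sample hosts
    packets = {
        "inbound_smtp": {"proto": "tcp", "src": outside, "dst": "192.0.2.25", "dport": 25},
        "inbound_netbios": {"proto": "tcp", "src": outside, "dst": inside, "dport": 139},
        "outbound_web": {"proto": "tcp", "src": inside, "dst": "198.51.100.7", "dport": 80},
        "outbound_telnet": {"proto": "tcp", "src": inside, "dst": "198.51.100.7", "dport": 23},
    }
    return {name: filter_packet(pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The outbound telnet packet matches no rule and is dropped by the implicit deny, which is what keeps traffic nobody listed from crossing the firewall.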

 

 

 

 


 

 

 

Microsoft Proxy Server

 

This provides both proxy server and some firewall functions.  Proxy Server runs on Windows 2000, and both need to be configured properly to provide full network security.

 

Lesson Summary:

 

Always test and revise your network security plans by using test labs that represent the computing environments for your organization.

You can implement a firewall to secure your organization’s network for access to and from the Internet.

Microsoft Proxy Server provides both proxy server and firewall functions running with Windows 2000 Server.

 

 

Lesson 2:  Configuring Routing and Remote Access Security

 

Remote access enables clients to connect to your network from a remote location through various hardware devices including network interface cards and modems.  Once clients obtain a remote access connection, they can use network resources such as files in the same way as they would use a client computer directly connected to your LAN.

 

Overview of Remote Access

 

Remote access provides an opportunity for intruders to access your network; therefore, Windows 2000 provides multiple security features to permit authorized access while limiting opportunities for mischief.  When a client dials a remote access server on your network, the client is granted access to the network if the following are true:

 

  • The request matches one of the remote access policies defined for the server.
  • The user’s account is enabled for remote access.
  • Client/server authentication succeeds.

 

After a client has been identified and authorized, access to the network can be limited to specific servers, subnets, and protocol types, depending on the remote access profile of the client.

 

 

 


 

 

 

Configuring Protocols for Security

 

Consider that someone can intercept a user name and password while a user is attempting to log on to the Routing and Remote Access server using techniques similar to a wiretap.  To prevent this, Routing and Remote Access can use a secure user authentication method including:

 

CHAP, Challenge Handshake Authentication Protocol.  CHAP handles passwords sent by plaintext.

 

MS-CHAP, Microsoft Challenge Handshake Authentication Protocol.  MS-CHAP is a variant of CHAP that does not require a plaintext version of the password on the authenticating server.  MS-CHAP passwords are stored more securely at the server but have the same vulnerabilities to dictionary and brute force attacks as CHAP.

 

PAP, Password Authentication Protocol.  PAP passes a password as a string from the user’s computer to the NAS device.

 

SPAP, Shiva Password Authentication Protocol.  SPAP is a reversible encryption mechanism employed by Shiva remote access servers.  SPAP is more secure than PAP but less secure than CHAP or MS-CHAP.  SPAP offers no protection against remote server impersonation.

 

EAP, Extensible Authentication Protocol.  EAP is an extension of PPP that allows for arbitrary authentication mechanisms to be employed for the validation of a PPP connection.
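What an eavesdropper sees during a PAP logon compared with a CHAP exchange, as an added example that is not part of the original notes. The CHAP response follows RFC 1994 (MD5 over identifier, secret and challenge); the user name, secret and the names `ChapServer` and `run_exchange` are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def pap_request(user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: length-prefixed peer ID and password."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password

class ChapServer:
    """Authenticating side. It must hold each secret in recoverable form."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}      # identifier -> outstanding challenge
        self.last_id = 0

    def new_challenge(self):
        self.last_id = (self.last_id + 1) % 256
        challenge = os.urandom(16)            # fresh and unpredictable each time
        self.pending[self.last_id] = challenge
        return self.last_id, challenge

    def verify(self, user: bytes, identifier: int, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # a challenge is single-use
        secret = self.secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def run_exchange() -> dict:
    user, secret = b"alice", b"constructed-secret"       # constructed sample values
    server = ChapServer({user: secret})

    ident, challenge = server.new_challenge()            # server -> client
    response = chap_response(ident, secret, challenge)   # client -> server
    wire = challenge + response                          # everything a wiretap captures
    accepted = server.verify(user, ident, response)

    ident2, _ = server.new_challenge()                   # a later logon attempt
    replay_accepted = server.verify(user, ident2, response)  # captured response, new challenge
    return {
        "chap_accepted": accepted,
        "replay_accepted": replay_accepted,
        "secret_on_chap_wire": secret in wire,
        "secret_on_pap_wire": secret in pap_request(user, secret),
    }

if __name__ == "__main__":
    print(run_exchange())
```

`ChapServer.verify` can only recompute the hash because it holds the secret itself, which is the server-side storage requirement the MS-CHAP entry above refers to.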

 

 

Creating Remote Access Policies

 

Windows 2000 Routing and Remote Access and Windows 2000 Internet Authentication Service (IAS) both use remote access policies to determine whether to accept or reject connection attempts.

 

 

Local Versus Centralized Policy Management

 

Because remote access policies are stored locally on either a remote access server or an IAS server, for centralized management of a single set of remote access policies for multiple remote access or VPN servers, you must do the following:

 

Install the Windows 2000 IAS as a RADIUS server on a computer.

Configure IAS with RADIUS clients that correspond to each of the Windows 2000 remote access or VPN servers.

 

On the IAS server, create the central set of policies that all Windows 2000 remote access servers are using.  Configure each of the Windows 2000 remote access servers as a RADIUS client to the IAS server.

 

 


 

 

 

 

Using Encryption Protocols

 

You can use data encryption to protect the data that is sent between the remote access client and the remote access server.  Data encryption is important for financial institutions, law-enforcement and government agencies, and corporations that require secure data transfer.

 

There are two forms of encryption available for demand-dial connections:  Microsoft Point-to-Point Encryption (MPPE) and IP Security (IPSec).

 

MPPE.  All PPP connections, including PPTP but not including L2TP, can use MPPE.  MPPE uses the Rivest-Shamir-Adleman (RSA) Rivest’s Cipher 4 (RC4) stream cipher and is only used when either the EAP-Transport Layer Security (TLS) or MS-CHAP (version 1 or 2) authentication methods are used.  MPPE can use 40-bit, 56-bit or 128-bit encryption.  The 40-bit key is designed for backward compatibility and international use.  The 56-bit key is designed for international use and adheres to United States encryption export laws.  The 128-bit key is designed for North American use.  By default, the highest key strength supported by the calling router and answering router is negotiated during the connection establishment process.  If the answering router requires a higher key strength than is supported by the calling router, the connection attempt is rejected.

 

NOTE:  For dial-up networking connections, Windows 2000 uses MPPE.

 

IPSec.  For demand-dial connections using L2TP over IPSec, encryption is determined by the establishment of the IPSec security association (SA).  The available encryption algorithms include Data Encryption Standard (DES) with a 56-bit key, and triple DES (3DES), which uses three 56-bit keys and is designed for high-security environments.  The initial encryption keys are derived from the IPSec authentication process.

 

 

Lesson Summary:

 

  •   Remote Access enables clients to connect to your network from a remote location through various hardware devices including NIC and modems.
  •   In Windows 2000 you create remote access policies and then configure them for security.

 

 


 

 

 

 

Lesson 3:  Monitoring Security Events

 

The network security technologies you implement, such as Microsoft Proxy Server, can meet your security goals only if you plan and configure them carefully.  However, anticipating all possible risks can be very difficult because:

 

  •   New risks develop.
  •   Systems can break down and the environment in which your systems are placed changes over time.

 

 

 

Using Event Viewer to Monitor Security

 

Event Viewer allows you to monitor events in your system.  It maintains logs about program, security, and system events on your computer.

 

*** See the chart on page 386 for the possible events ***

 

 

Viewing the Security Event Log

 

You can specify that an audit entry be written to the security event log whenever certain actions are performed or files are accessed.

 

Recording security events is a form of intrusion detection through auditing.  Auditing and security logging of network activity are important.
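One way to turn audit entries into intrusion detection, as an added example that is not part of the original notes. It assumes a simplified, constructed text export of the security log (timestamp, event ID, user, workstation) and uses the Windows 2000 logon event IDs 528 (successful logon) and 529 (logon failure, unknown user name or bad password); the threshold, window and function names are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries: timestamp, event ID, user, workstation.
SAMPLE_LOG = """\
2002-04-06 02:14:01,529,jsmith,WKS07
2002-04-06 02:14:09,529,jsmith,WKS07
2002-04-06 02:14:15,529,jsmith,WKS07
2002-04-06 02:14:22,529,jsmith,WKS07
2002-04-06 02:14:30,529,jsmith,WKS07
2002-04-06 02:14:41,528,jsmith,WKS07
2002-04-06 08:58:40,529,mjones,WKS12
2002-04-06 08:58:55,528,mjones,WKS12
"""

LOGON_OK, LOGON_FAILED = 528, 529

def parse(line: str):
    stamp, event_id, user, host = line.strip().split(",")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(event_id), user, host

def find_suspicious(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=2)) -> list:
    """Flag bursts of failed logons per user, and a success that follows a burst."""
    recent = defaultdict(deque)          # user -> times of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, _host = parse(line)
        fails = recent[user]
        while fails and when - fails[0] > window:
            fails.popleft()              # forget failures older than the window
        if event_id == LOGON_FAILED:
            fails.append(when)
            if len(fails) == threshold:  # alert once, when the burst reaches the threshold
                alerts.append((user, "failure burst", when))
        elif event_id == LOGON_OK:
            if len(fails) >= threshold:  # the password may have been guessed
                alerts.append((user, "success after burst", when))
            fails.clear()
    return alerts

if __name__ == "__main__":
    for user, kind, when in find_suspicious(SAMPLE_LOG):
        print(when, user, kind)
```

The single mistyped password for `mjones` stays below the threshold and raises nothing, while the five failures for `jsmith` inside two minutes and the logon that follows are both reported.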

 

 

System Monitor

 

System Monitor is a tool that can be used to track system resource usage. 

 

  • Server\Errors Access Permissions
  • Server\Errors Granted Access
  • Server\Errors Logon
  • IIS Security

 

 

The IPSec Monitor Utility

 

The IPSec Monitor can confirm whether your secured communications are successful by displaying the active SAs on local or remote computers.

 

 


 

 

 

 

IPSec Monitor can also provide statistics to aid in performance tuning and troubleshooting, including the following statistics:

 

  • The number and type of active SAs.
  • The total number of master and session keys.
  • The total number of confidential (Encapsulated Security Payload) or authenticated (Encapsulated Security Payload or authentication header) bytes sent or received.

 

 

Monitoring Security Overhead

 

Security is achieved only at some cost in performance.  Measuring the performance overhead of a security strategy is not simply a matter of monitoring a separate process or thread.  The features of the Windows 2000 security model and other security services are integrated into several different operating system services.

 

  • Processor activity and the processor queue
  • Physical memory used
  • Network traffic
  • Latency and delays

 

 

Lesson Summary:

 

  •   You should monitor network security activity to identify weaknesses before they are exploited.
  •   The audit entry shows the action performed, the user who performed it, and the date and time of the action.
  •   The IPSec monitor can confirm whether your secured communications are successful.
  •   In addition, you can use Routing and Remote Access to monitor remote access traffic in Windows 2000, and enable logging to review this data.