VPN and Kerberos Policy in ADS
Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm
Educational Objectives
This lab is designed for students to gain hands-on experience with configuring Kerberos Policy
in an enterprise Windows Active Directory environment and with setting up VPN connections
between Linux computers using open-source software.
Lab Environment
The following machines are needed to complete this lab (instructions may vary for different
Linux distributions/versions if you use your own VMs):
• Three Fedora 18 Linux systems, which will be used in the VPN setup. These three Linux
machines must be networked and able to reach each other.
• One Windows Server 2008 system, which will be used in the Kerberos configuration.
Lab Overview
There are two components in this lab.
• Get familiar with Kerberos Policy settings in an enterprise environment of a Microsoft
Active Directory network.
• Establish a VPN connection between Linux computers using the OpenVPN package and
test it.
o Install the package on the Linux machines
o Generate certificates for the server and clients
o Configure the server and clients
o Test the VPN connection
Section 1 Kerberos policy settings for a domain
Please promote the Windows Server 2008 system to a Domain Controller so that you can check
on the Kerberos settings in the domain policy.
The Kerberos authentication protocol is employed in Microsoft Active Directory Domain
Services for mutual authentication. The configurable parameters of the Kerberos protocol are set
using a collection of security policy settings. These policy settings are applied at the domain
level in the Microsoft Active Directory environment through a domain-wide GPO. They are
included in the Default Domain Policy GPO in the Computer Configuration\Policies\Windows
Settings\Security Settings\Account Policies\ folder as shown in the following screenshot.
Please log on to your domain controller and study the Kerberos policy settings to understand
what they are used for and why it is essential to enable them in an Active Directory domain.
Question 1: Choose one of the Kerberos policy settings. Explain why it is critical and how you
would change the default setting in certain cases.
Section 2 VPN
A VPN connection between computers is a widely accepted option for conducting secure
communications, in terms of confidentiality, integrity and authenticity, over the publicly
accessible Internet. There are a number of commercial products that can be used to set up VPN
connections. In this lab we will use the community version of OpenVPN for this purpose. More
details about OpenVPN can be found at the following link:
http://openvpn.net/
In this lab, we will build a VPN connection between three Linux computers. The network is
shown in Figure 1.
[Figure 1 Layout of the VPN settings: one VPN Server and two clients, Client 1 and Client 2]
On the network, there is one server and there are two clients. We will build a VPN connection
between a pair of the computers. In practice, you can add more clients to the network when
needed. You can also configure multiple servers for load balancing and failover.
For this lab, it is your choice which computer becomes the server and which ones become the clients.
The OpenVPN project has a HOWTO Web page regarding its installation and configuration. For
more information, please refer to the following link:
http://openvpn.net/index.php/open-source/documentation/howto.html#quick
Question 2: What industry standard is used by OpenVPN for secure communication over the
Internet? (Hint: refer to the above link if you don’t know)
2.1 OpenVPN installation
The easy-rsa package is used to manage certificates and PKI in the OpenVPN environment.
The following command will install OpenVPN and easy-rsa on Fedora 18 systems:
yum install openvpn.$HOSTTYPE easy-rsa
Now, please install OpenVPN and easy-rsa on your Linux computers, including the server and
the two clients.
By default, all key/certificate generation scripts are located in the following folder:
/usr/share/easy-rsa/2.0/
It is more convenient and good practice to copy those scripts to a different place and work on the
certificates from there. The following command will copy those scripts to ~/easy-rsa/
cp -ai /usr/share/easy-rsa/2.0 ~/easy-rsa
2.2 Certificate authority, certificates and keys
The first step in building an OpenVPN network is to purchase or generate public-key certificates
for the VPN server and clients. In this lab, we will set up a certificate authority (CA) first, and
then issue certificates to the server and clients.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client
must authenticate to the server and the server must authenticate to the client before mutual trust
is established.
2.2.1 Establishing A CA
Please perform the following tasks to generate the master CA certificate and key on the server:
• cd ~/easy-rsa (go to the right directory)
• Edit the file vars and set the following variables in the file with proper values:
o KEY_COUNTRY="US"
o KEY_PROVINCE="MI"
o KEY_CITY="Houghton"
o KEY_ORG="Michigan Tech"
o KEY_EMAIL="your email address"
• source ./vars (load those variables into your shell environment)
• ./clean-all (initialize the key and certificate generation process)
• ./build-ca (build the CA) (Please read the following description before executing this script.)
The script build-ca builds the certificate authority (CA)'s certificate and key by invoking the
interactive openssl command. Executing this script will ask you a sequence of questions so that
you can confirm or enter basic information about the CA. Most queried parameters default to
the values in the vars file. The only parameter that must be explicitly entered is the Common
Name. You can use a name of your choice. For example, I used "SAT4812_Lab06_CA" as the
common name. It is good practice to choose a meaningful common name.
Question 3: What name did you use for the common name of the CA certificate?
2.2.2 The certificate and key for the server
Next, we will need to generate a certificate and private key for the server. Please run the
following program to do this:
• ./build-key-server server (Please read the following description before executing this
program.)
As in the previous subsection, most default parameters can be used. When the Common Name
is queried, enter server. Two other queries require positive responses as shown below:
2.2.3 The certificates and keys for two clients
The process of generating client certificates is similar to the previous subsection. Please run the
following programs:
./build-key client1
./build-key client2
Please note that for each client, make sure to type the appropriate Common Name when
prompted, such as client1 and client2. Always use a unique common name for each client. In
addition, provide positive responses to the two queries shown below:
This will generate certificates and private keys for the two clients.
2.2.4 Diffie-Hellman parameters
Diffie-Hellman parameters must be generated for the OpenVPN server. Please do the following:
./build-dh
This will generate the D-H parameters for the OpenVPN server.
2.2.5. Key files
All of the newly-generated keys and certificates are located in the keys subdirectory by default.
An explanation of the relevant files is given in Table 1
Table 1 Keys and certificates generated for running OpenVPN
Filename      Needed By                        Purpose                     Secret
ca.crt        server + all clients             Root CA certificate         NO
ca.key        key signing machine only (CA)    Root CA key                 YES
dh{n}.pem     server only                      Diffie-Hellman parameters   NO
server.crt    server only                      Server Certificate          NO
server.key    server only                      Server Key                  YES
client1.crt   client1 only                     Client1 Certificate         NO
client1.key   client1 only                     Client1 Key                 YES
client2.crt   client2 only                     Client2 Certificate         NO
client2.key   client2 only                     Client2 Key                 YES
The .pem files include the certificate information in plain text. Please study those files and gain a
better understanding of public key certificates.
Question 4: What is the signature algorithm that is used to generate the SSL certificates (X.509
standard) using easy-rsa?
Question 5: Are there any extension fields included in the certificates that were generated in the
previous subsections? Please explain your answer.
Question 6: Suppose a public-key is represented as {e, n}. What are the values of e included in
those three certificates?
01.pem
02.pem
03.pem
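The following script is an added example for Sections 2.2.1 to 2.2.5; it is not code from the lab handout or from the easy-rsa project. It reproduces, with direct openssl calls, what build-ca, build-key-server, build-key and build-dh do (CA, server certificate with the serverAuth extension, two client certificates, D-H parameters), keeps the private keys at mode 600 as Table 1's "Secret" column requires, and adds helpers that extract from any certificate the fields Questions 4 to 6 ask about (signature algorithm, public exponent e, extension names). The helpers work on the files your own easy-rsa run produced under keys/ as well. Assumptions: OpenSSL 1.1.1 or newer is on PATH; every name below (Lab06_CA, the file names, the 2048-bit sizes) is constructed for the demo.

```shell
#!/bin/sh
# Added example: not code from the lab handout or from the easy-rsa project. It reproduces
# what build-ca, build-key-server, build-key and build-dh do by calling openssl directly,
# and adds helpers that pull out the certificate fields Questions 4 to 6 ask about.
# Assumptions: OpenSSL 1.1.1 or newer on PATH; every name below is constructed.

# build_pki DIR : populate DIR/keys with ca.crt/ca.key, server.crt/.key, client1/client2 .crt/.key, dh2048.pem
build_pki() {
    keys="$1/keys"
    mkdir -p "$keys" || return 1

    # Minimal openssl config so the demo does not depend on the system openssl.cnf; the v3_ca
    # section marks the root as a CA, which "openssl verify" (and OpenVPN) insist on.
    cat > "$keys/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = US
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Root CA (what build-ca does): a self-signed certificate. ca.key signs everything else
    #    (Table 1: "key signing machine only") and must stay mode 600.
    openssl req -config "$keys/req.cnf" -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=US/ST=MI/L=Houghton/O=Michigan Tech/CN=Lab06_CA" \
        -keyout "$keys/ca.key" -out "$keys/ca.crt" 2>/dev/null || return 1
    chmod 600 "$keys/ca.key"

    # 2. Server certificate (build-key-server): extendedKeyUsage=serverAuth is the extension a
    #    client checks with "remote-cert-tls server", so a stolen client cert cannot pose as the server.
    issue_cert "$keys" server serverAuth || return 1

    # 3. Client certificates (build-key client1 / build-key client2): one unique CN per client.
    issue_cert "$keys" client1 clientAuth || return 1
    issue_cert "$keys" client2 clientAuth || return 1

    # 4. Diffie-Hellman parameters (build-dh). -dsaparam keeps the demo fast; build-dh produces
    #    safe-prime parameters, which is slower but what you want outside a demo.
    openssl dhparam -dsaparam -out "$keys/dh2048.pem" 2048 2>/dev/null
}

# issue_cert KEYSDIR NAME EKU : new key + CSR for NAME, signed by the CA with the given extendedKeyUsage
issue_cert() {
    keys="$1"; name="$2"; eku="$3"
    openssl req -config "$keys/req.cnf" -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$keys/$name.key" -out "$keys/$name.csr" 2>/dev/null || return 1
    chmod 600 "$keys/$name.key"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$keys/$name.ext"
    openssl x509 -req -sha256 -in "$keys/$name.csr" -CA "$keys/ca.crt" -CAkey "$keys/ca.key" \
        -CAcreateserial -days 3650 -extfile "$keys/$name.ext" -out "$keys/$name.crt" 2>/dev/null
}

# verify_cert DIR NAME : succeeds only if DIR/keys/NAME.crt chains to DIR/keys/ca.crt
verify_cert() {
    openssl verify -CAfile "$1/keys/ca.crt" "$1/keys/$2.crt" >/dev/null 2>&1
}

# cert_sig_alg FILE : the signature algorithm named in the certificate
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | sed 's/.*: *//'
}

# cert_exponent FILE : the RSA public exponent e of the certificate's public key
cert_exponent() {
    openssl x509 -in "$1" -noout -text | grep -m1 'Exponent:' | sed 's/.*Exponent: *//'
}

# cert_extensions FILE : names of the X.509v3 extensions present, one per line
cert_extensions() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 extensions:/,/Signature Algorithm/p' \
        | grep 'X509v3 ' | grep -v 'X509v3 extensions:' \
        | sed 's/^ *//; s/: *critical *$//; s/: *$//'
}

# Stand-alone run: sh this_script.sh run   (builds a PKI in a temp dir and summarizes server.crt)
if [ "${1:-}" = run ]; then
    dir=$(mktemp -d)
    build_pki "$dir" && verify_cert "$dir" server && echo "chain OK"
    echo "Signature algorithm: $(cert_sig_alg "$dir/keys/server.crt")"
    echo "Exponent e: $(cert_exponent "$dir/keys/server.crt")"
    cert_extensions "$dir/keys/server.crt"
fi
```

To study your own easy-rsa output, point the helpers at keys/01.pem, keys/02.pem and keys/03.pem (or keys/server.crt and keys/client1.crt); what this demo's own certificates show for the signature algorithm and extensions reflects the options chosen here, not necessarily easy-rsa's defaults, so answer the questions from your files.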
2.2.6 Transferring the files
The final step in the key generation process is to transfer all the necessary files in the keys
subdirectory to the computers that need them. These files contain the certificates and private
keys. In practice, this should be done in a secure way. You don’t want to expose these files to
anyone else.
How to transfer those files? You can use a method of your choice (e.g., scp).
Note: In order to use scp, you may need to start sshd on the server: systemctl start
sshd.service, and configure the firewall to allow port 22.
scp student@10.11.1.0:/home/student/easy-rsa/keys/client1.* ./
Where do you install those files on the clients? Technically, you can put those files wherever
you like. For this lab, I put them in the same subdirectory as they are on the server
(/home/student/easy-rsa/keys/). This is just so that I can remember them easily, since the path
will be needed in the following configurations.
Question 7: What are the certificate(s) and key(s) that are necessary for client1 to set up a VPN
connection with bidirectional authentication?
2.3 The Server and Client Configuration
Now, the certificates and keys have been generated and properly located. Next, we need to tell
OpenVPN where the certificates and keys are located and how you want to operate the VPN
connection. This is done by including the relevant information in a configuration file.
2.3.1 The server configuration
The easiest way to configure the server is to edit the sample server configuration file. By default,
the sample configuration files are located in the following folder:
/usr/share/doc/openvpn-2.3.2/sample/sample-config-files
It is a good practice to locate the server configuration file in a proper folder, such as
/etc/openvpn/. To do this, simply copy the sample configuration file to that folder and edit
it from there.
Please log on to the server and edit the server.conf file as follows:
• Set the ca, cert, key and dh parameters to point to the files you generated in Section 2.2.
• Modify the server directive using the subnet assigned to you that is given in Table 2.
This directive defines the subnet as well as the IPs that you can use to conduct secure
communication over the VPN connection. (Note: If all computers/VMs are on the same
LAN, a subnet should be assigned to each user/student. If each one works on a separate
LAN, there is no need to assign a subnet to each one.)
• Use the default settings for the rest of the configuration for now.
Do not forget to save your edits.
Question 8: Which protocol and what port number does OpenVPN server listen on by default?
(Hint: study the server.conf file carefully)
Table 2 Subnet assignments
Student Name   User ID   Subnet
Student 1      user1     10.8.10.0/24
Student 2      user2     10.8.12.0/24
Student 3      user3     10.8.14.0/24
Student 4      user4     10.8.16.0/24
Student 5      user5     10.8.18.0/24
Student 6      user6     10.8.20.0/24
Student 7      user7     10.8.22.0/24
Student 8      user8     10.8.24.0/24
Student 9      user9     10.8.26.0/24
Student 10     user10    10.8.28.0/24
Student 11     user11    10.8.30.0/24
Student 12     user12    10.8.32.0/24
2.3.2 The client configuration
A sample client configuration file is located in the same subdirectory as the sample server
configuration file.
It is also good practice to place the client configuration file in a proper folder, such as
/etc/openvpn/. To do this, simply copy the sample configuration file to that folder and edit
it from there.
Please log on to the clients as the Linux root user and edit the client.conf file as follows:
• Edit the remote directive to point to the IP address and port number of the OpenVPN
server. Note that this IP is the host IP of the server, not the VPN IP.
• Like the server configuration file, edit the ca, cert and key parameters to point to the files
you generated in Section 2.2. Note that each client should have its own cert/key pair and
share the same ca.
• Accept the defaults for the rest of the configuration. Save your edits.
Note that you need to perform the above edits on both clients.
2.4. Starting the VPN connection
OpenVPN can run in the background or be configured to start automatically on an operational
network. However, for this lab, we simply use the command line to set up a VPN connection for
testing purposes.
2.4.1. Starting the server
For this lab, you need to configure the firewall to allow traffic through the ports the OpenVPN
server listens on. This means that
• Connections should be allowed through the VPN port.
• ICMP echo requests should be allowed for testing purposes.
• In reality (not needed for this lab), you also need to make the VPN server accessible
from the Internet. That means that
o A rule should be configured to forward the connection from the
firewall/gateway to the OpenVPN server.
Please log on to the server as a Linux root and run the following command to start the OpenVPN
server:
openvpn --config <server configuration file>
Replace the <server configuration file> with the file name of the server configuration file.
2.4.2. Starting the client
Similar to the process of starting the server, please log on to the client computer as the Linux
root user and run the following command to start the OpenVPN client:
openvpn --config <client configuration file>
Replace the <client configuration file> with the file name of the client configuration file.
Question 9: Summarize the major steps you need to take to set up a VPN network using
OpenVPN.
Section 3 Testing the VPN Connection
By default, network traffic through the VPN connection (the VPN subnet, 10.8.xx.0/24) is
secured (encrypted and authenticated). However, network traffic over the network of the hosts
(on 10.11.1.0/16 for our lab) is not secured. In order for the latter to be secured, we need to add
rules to the gateway to forward the traffic. This is beyond the scope of this lab.
The first thing you want to know is whether the VPN has been set up correctly and is operating.
You can use ping to learn the status of the VPN.
Question 10: What IP address would you use with the ping command to test the VPN
connection between client 1 and the server? (Hint: use ifconfig to study the IPs)
Please ping the OpenVPN server from the clients.
If the ping succeeded between the server and the client, congratulations! You have a functioning
VPN. Otherwise, you need to debug your installation and configurations.
Question 11: Are you able to connect client1 to client2 through the VPN connection in current
configuration? Please test your solution with ping.
Section 4 Bonus (2%)
With the default configuration, the clients cannot communicate with each other through the VPN
connection. This was verified in the test.
Bonus Scenario
For the bonus part, please configure the OpenVPN so that client 1 can communicate with client 2
and vice versa over the secured VPN connection. (Hint: Study the server configuration.)
Question B1: What would you do to achieve the goal specified in the Bonus Scenario?
Survey Questions
Questions in this section will not be graded, but will make your suggestions and voice heard by
your instructor.
GQ 1. What changes would you like to make to this lab?
GQ 2. How much time did you spend to finish this lab?
GQ 3. Did you learn anything new or gain a better understanding of the class lecture by finishing
this lab?
Well, you have completed another lab for this class. Hope you enjoyed doing this lab. Please let
me know if you have any comments.
Answer Sheet
========================== Required Questions ===========================
Question 1: Choose one of the Kerberos policy settings. Explain why it is critical and how you
would change the default setting in certain cases.
Question 2: What industry standard is used by OpenVPN for secure communication over the
Internet? (Hint: refer to the above link if you don’t know)
Question 3: What name did you use for the common name of the CA certificate?
Question 4: What is the signature algorithm that is used to generate the SSL certificates (X.509
standard) using easy-rsa?
Question 5: Are there any extension fields included in the certificates that were generated in the
previous subsections? Please explain your answer.
Question 6: Suppose a public-key is represented as {e, n}. What are the values of e included in
those three certificates?
01.pem
02.pem
03.pem
Question 7: What are the certificate(s) and key(s) that are necessary for client1 to set up a VPN
connection with bidirectional authentication?
Question 8: Which protocol and what port number does OpenVPN server listen on by default?
(Hint: study the server.conf file carefully)
Question 9: Summarize the major steps you need to take to set up a VPN network using
OpenVPN.
Question 10: What IP address would you use with the ping command to test the VPN
connection between client 1 and the server? (Hint: use ifconfig to study the IPs)
Question 11: Are you able to connect client1 to client2 through the VPN connection in current
configuration? Please test your solution with ping.
========================= Bonus Questions (2%) ==========================
Question B1: What would you do to achieve the goal specified in the Bonus Scenario?
============================ Survey Questions ===========================
GQ1. Would you like to make any changes to this lab?
GQ2. How long did it take you to complete this lab?
GQ3. Did you learn anything new or gain a better understanding of the class lecture by finishing
this lab?