VPN and Kerberos Policy in ADS
Date Assigned: mm/dd/yyyy
Time Due: mm/dd/yyyy by hh:mm

Educational Objectives
This lab is designed for students to gain hands-on experience with configuring Kerberos Policy in an enterprise Windows Active Directory network and with setting up VPN connections between Linux computers using open-source software.

Lab Environment
The following machines are needed to complete this lab (instructions may vary for other Linux distributions/versions if you use your own VMs):
- Three Fedora 18 Linux systems, which will be used for the VPN setup. These three Linux machines must be networked and able to reach each other.
- One Windows Server 2008 system, which will be used for the Kerberos configuration.

Lab Overview
There are two components in this lab.
- Get familiar with the Kerberos Policy settings of a Microsoft Active Directory domain.
- Establish a VPN connection between Linux computers using the OpenVPN package and test it:
  o Install the package on the Linux machines
  o Generate certificates for the server and clients
  o Configure the server and clients
  o Test the VPN connection

Section 1 Kerberos policy settings for a domain
Please promote the Windows Server 2008 system to a Domain Controller so that you can inspect the Kerberos settings in the domain policy.

The Kerberos authentication protocol is used by Microsoft Active Directory Domain Services for mutual authentication between clients and services. The configurable parameters of the protocol (ticket lifetimes, the renewal period, the tolerated clock skew and whether logon restrictions are enforced) are set through a collection of security policy settings. Kerberos Policy is applied at the domain level through a domain-wide GPO: the domain controllers' KDC reads it from the policy linked to the domain, so setting it in a GPO linked to an OU has no effect. By default the settings live in the Default Domain Policy GPO under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Kerberos Policy, as shown in the handout's screenshot.
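Because Kerberos Policy is stored in the Default Domain Policy's security template, it can also be audited straight from SYSVOL, without opening the Group Policy editor. The script below is an added example written for this page, not part of the handout: it parses the [Kerberos Policy] section of a GptTmpl.inf and reports every value that is weaker than the Microsoft default (10-hour user tickets, 7-day renewal, 600-minute service tickets, 5 minutes of clock skew, logon restrictions enforced). On a domain controller the file is \\<domain>\SYSVOL\<domain>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf and is UTF-16 on disk, so convert it with iconv first; the two template files the script reads are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the handout): audit the [Kerberos Policy] section of a
# Default Domain Policy security template against the Microsoft defaults.
# The GptTmpl.inf on SYSVOL is UTF-16; convert it before parsing:
#   iconv -f UTF-16 -t UTF-8 GptTmpl.inf > kerberos.inf
set -eu

# Read one key from the [Kerberos Policy] section of template $1.
# Accepts "Key = Value" and "Key=Value" and CRLF line endings; prints nothing if absent.
policy_value() {
  awk -v key="$2" '
    /^\[/ { insec = ($0 ~ /^\[Kerberos Policy\]/); next }
    insec && $0 ~ ("^" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
    }' "$1"
}

# One finding if key $2 in template $1 is missing or larger than default $3 ($4 = unit,
# $5 = why a larger value matters). Returns 1 on a finding, 0 otherwise.
check_max() {
  local v
  v=$(policy_value "$1" "$2")
  if [ -z "$v" ]; then echo "$2 not set (default $3 $4)"; return 1; fi
  if [ "$v" -gt "$3" ]; then echo "$2=$v $4 exceeds default $3: $5"; return 1; fi
  return 0
}

# Prints one finding per line; returns 0 when the template matches the defaults, 1 otherwise.
audit_kerberos_policy() {
  local f=$1 rc=0 v
  v=$(policy_value "$f" TicketValidateClient)
  if [ "$v" != "1" ]; then
    echo "TicketValidateClient=${v:-unset}: logon hours and workstation restrictions are not checked by the KDC"
    rc=1
  fi
  check_max "$f" MaxTicketAge  10  hours   "a stolen TGT stays usable longer"            || rc=1
  check_max "$f" MaxRenewAge   7   days    "a stolen TGT can be renewed for longer"      || rc=1
  check_max "$f" MaxServiceAge 600 minutes "a stolen service ticket stays usable longer" || rc=1
  check_max "$f" MaxClockSkew  5   minutes "widens the replay window for captured authenticators" || rc=1
  return $rc
}

# Constructed sample templates (UTF-8 with CRLF, as the converted file looks): one with
# the defaults, one weakened the way a "convenient" change to the domain policy often is.
DEFAULT_INF=$(mktemp); WEAK_INF=$(mktemp)
printf '[Unicode]\r\nUnicode=yes\r\n[Kerberos Policy]\r\nMaxTicketAge = 10\r\nMaxRenewAge = 7\r\nMaxServiceAge = 600\r\nMaxClockSkew = 5\r\nTicketValidateClient = 1\r\n[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n' > "$DEFAULT_INF"
printf '[Kerberos Policy]\r\nMaxTicketAge=24\r\nMaxRenewAge=7\r\nMaxServiceAge=600\r\nMaxClockSkew=30\r\nTicketValidateClient=0\r\n' > "$WEAK_INF"

audit_kerberos_policy "$DEFAULT_INF" && echo "default template: no findings"
audit_kerberos_policy "$WEAK_INF" || echo "weak template: see findings above"
```

Run it against the converted template of your own domain; a clean domain prints no findings. Remember that a larger MaxClockSkew is usually introduced to paper over time-synchronisation problems, and the right fix is to repair NTP, not to widen the window in which a captured authenticator is replayable.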
Please log on to your domain controller and study the Kerberos policy settings to understand what each one controls and why it matters that they are enforced in an Active Directory domain.

Question 1: Choose one of the Kerberos policy settings. Explain why it is critical and how you would change the default setting in certain cases.

Section 2 VPN
A VPN connection between computers is a widely used way to communicate securely, with confidentiality, integrity and authenticity, over the publicly accessible Internet. There are many commercial products that can be used to set up VPN connections. In this lab we will use the community version of OpenVPN for this purpose. More details about OpenVPN can be found at the following link: http://openvpn.net/

In this lab, we will build VPN connections among three Linux computers. The network is shown in Figure 1.

Figure 1 Layout of the VPN settings: one VPN Server, with Client 1 and Client 2 connecting to it

On the network, there is one server and there are two clients. We will build a VPN connection between each client and the server. In practice, you can add more clients to the network when needed. You can also configure multiple servers for load balancing and failover. For this lab, it is your choice which computer becomes the server; the other two are the clients.

The OpenVPN project has a HOWTO Web page covering its installation and configuration. For more information, please refer to the following link: http://openvpn.net/index.php/open-source/documentation/howto.html#quick

Question 2: What industry standard is used by OpenVPN for secure communication over the Internet? (Hint: refer to the above link if you don't know)

2.1 OpenVPN installation
The easy-rsa package is used to manage certificates and the PKI in the OpenVPN environment.
The following command will install OpenVPN and easy-rsa on Fedora 18 systems:

yum install openvpn.$HOSTTYPE easy-rsa

Now, please install OpenVPN and easy-rsa on your Linux computers, including the server and the two clients.

By default, all key/certificate generation scripts are located in the following folder:

/usr/share/easy-rsa/2.0/

It is more convenient, and good practice, to copy those scripts to a different place and work on the certificates from there, so that a package update cannot overwrite your vars file or your keys directory. The following command copies the scripts to ~/easy-rsa/:

cp -ai /usr/share/easy-rsa/2.0 ~/easy-rsa

2.2 Certificate authority, certificates and keys
The first step in building an OpenVPN network is to purchase or generate public-key certificates for the VPN server and clients. In this lab, we will set up our own certificate authority (CA) first, and then issue certificates to the server and clients. OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate to the server and the server must authenticate to the client before mutual trust is established; each side checks that the other's certificate was signed by the CA whose certificate (ca.crt) it holds.

2.2.1 Establishing a CA
Please perform the following tasks to generate the master CA certificate and key on the server:
- cd ~/easy-rsa (go to the right directory)
- Edit the file vars and set the following variables in the file with proper values:
  o KEY_COUNTRY="US"
  o KEY_PROVINCE="MI"
  o KEY_CITY="Houghton"
  o KEY_ORG="Michigan Tech"
  o KEY_EMAIL="your email address"
- source ./vars (load the variables into the environment; this has to be repeated in every new shell before the other scripts are run)
- ./clean-all (initialize the key and certificate generation process; this deletes everything in the keys directory, so never run it again once certificates have been issued)
- ./build-ca (build the CA) (Please read the following description before executing this script.)

The script build-ca builds the certificate authority (CA)'s certificate and key by invoking the interactive openssl command. Execution of this script will ask you a sequence of questions to confirm or enter basic information about the CA. Most queried parameters default to the values in the vars file.
The only parameter which must be explicitly entered is the Common Name. You can use a name of your choice. For example, I used "SAT4812_Lab06_CA" as the common name. It is good practice to choose a meaningful common name.

Question 3: What name did you use for the common name of the CA certificate?

2.2.2 The certificate and key for the server
Next, we need to generate a certificate and private key for the server. Please run the following program to do this:

./build-key-server server

(Please read the following description before executing this program.)

As in the previous subsection, most default parameters can be used. When the Common Name is queried, enter server. Two other queries, issued by openssl when it signs the request with the CA key, require positive responses:

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

2.2.3 The certificates and keys for two clients
The process of generating client certificates is similar to the previous subsection. Please run the following programs:

./build-key client1
./build-key client2

For each client, make sure to type the appropriate Common Name when prompted, client1 and client2 respectively. Always use a unique common name for each client: the OpenVPN server identifies connected clients by their common name and by default does not allow two simultaneous connections that present the same one. In addition, answer the two signing queries shown above with y. This generates certificates and private keys for the two clients.

2.2.4 Diffie-Hellman parameters
Diffie-Hellman parameters must be generated for the OpenVPN server. Please do the following:

./build-dh

This generates the D-H parameters for the OpenVPN server; it can take several minutes.

2.2.5 Key files
All of the newly generated keys and certificates are located in the keys subdirectory by default.
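What build-ca, build-key-server and build-key actually do is drive openssl with the values from vars and the extension sections of easy-rsa's own openssl.cnf. The script below is an added example written for this page, not easy-rsa's code: it builds an equivalent CA, server certificate and two client certificates with the openssl command line and then defines the checks a practitioner runs on the files in keys/ (who issued each certificate, whether it verifies against ca.crt, the signature algorithm, the RSA public exponent, and which extensions mark the server certificate as a server). The directory, the names, the 2048-bit keys, the SHA-256 signatures and the two extension profiles are choices made for the example and need not match what your easy-rsa version picked; the Diffie-Hellman step of build-dh is omitted because openssl dhparam takes minutes. The same three inspection commands, run on your own 01.pem, 02.pem and 03.pem, answer Questions 4 to 6.

```shell
#!/bin/bash
# Added example (not easy-rsa's code): the CA, server and client certificates that
# build-ca, build-key-server and build-key produce, built directly with openssl,
# plus the checks to run on the results. Directory, names and the two extension
# profiles are assumptions made for this example.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
KEYS="$PKI_DIR/keys"                        # easy-rsa's keys/ subdirectory
DN="/C=US/ST=MI/L=Houghton/O=Michigan Tech" # the KEY_* values set in vars
mkdir -p "$KEYS"

# Extension profiles modelled on easy-rsa's "server" and "usr_cert" sections. The
# server profile is what lets a client configured with "remote-cert-tls server"
# (or the older "ns-cert-type server") reject a stolen client certificate that
# someone presents as the server.
cat > "$KEYS/ext.cnf" <<'EOF'
[server]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash

[client]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# build-ca: self-signed CA certificate and key. ca.key never leaves this machine.
build_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$DN/CN=SAT4812_Lab06_CA" \
    -keyout "$KEYS/ca.key" -out "$KEYS/ca.crt" 2>/dev/null
}

# build-key-server / build-key: private key and CSR for $1, signed by the CA with
# extension profile $2 ("server" or "client"). The key stays readable by root only.
issue_cert() {
  local name=$1 profile=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$DN/CN=$name" \
    -keyout "$KEYS/$name.key" -out "$KEYS/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$KEYS/$name.csr" \
    -CA "$KEYS/ca.crt" -CAkey "$KEYS/ca.key" -CAcreateserial \
    -extfile "$KEYS/ext.cnf" -extensions "$profile" \
    -out "$KEYS/$name.crt" 2>/dev/null
  chmod 600 "$KEYS/$name.key"
}

# Checks on the generated files (Table 1, Questions 4 to 7).
sig_alg()      { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
rsa_exponent() { openssl x509 -in "$1" -noout -text | awk '/Exponent:/ {print $2; exit}'; }
issuer_cn()    { openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'; }
has_ext()      { openssl x509 -in "$1" -noout -text | grep -q "$2"; }    # e.g. "TLS Web Server Authentication"
chain_ok()     { openssl verify -CAfile "$KEYS/ca.crt" "$1" >/dev/null 2>&1; }  # what a peer does with ca.crt

build_ca
issue_cert server  server
issue_cert client1 client
issue_cert client2 client
# build-dh would add:  openssl dhparam -out "$KEYS/dh2048.pem" 2048   (slow, omitted here)

for f in ca server client1 client2; do
  printf '%-8s issuer=%s sig=%s e=%s chain=%s\n' "$f" "$(issuer_cn "$KEYS/$f.crt")" \
    "$(sig_alg "$KEYS/$f.crt")" "$(rsa_exponent "$KEYS/$f.crt")" \
    "$(chain_ok "$KEYS/$f.crt" && echo ok || echo FAIL)"
done
```

The chain_ok check is exactly the verification a client performs with nothing but ca.crt in hand, which is why the CA certificate, and not the server certificate, is the file every peer needs. The has_ext check shows the difference between a server and a client certificate that a plain "does it verify?" test misses.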
An explanation of the relevant files is given in Table 1.

Table 1 Keys and certificates generated for running OpenVPN
Filename      Needed By                       Purpose                     Secret
ca.crt        server + all clients            Root CA certificate         NO
ca.key        key signing machine only (CA)   Root CA key                 YES
dh{n}.pem     server only                     Diffie-Hellman parameters   NO
server.crt    server only                     Server certificate          NO
server.key    server only                     Server key                  YES
client1.crt   client1 only                    Client1 certificate         NO
client1.key   client1 only                    Client1 key                 YES
client2.crt   client2 only                    Client2 certificate         NO
client2.key   client2 only                    Client2 key                 YES

The keys directory also holds 01.pem, 02.pem and 03.pem, the CA's own copies of the three issued certificates, named by serial number. Like the .crt files, they contain a human-readable dump of the certificate ahead of the base64-encoded PEM block. Please study those files and gain a better understanding of public-key certificates.

Question 4: What signature algorithm is used to sign the certificates (X.509 standard) generated with easy-rsa?

Question 5: Are there any extension fields included in the certificates that were generated in the previous subsections? Please explain your answer.

Question 6: Suppose a public key is represented as {e, n}. What are the values of e included in those three certificates?
01.pem
02.pem
03.pem

2.2.6 Transferring the files
The final step in the key generation process is to transfer the necessary files from the keys subdirectory to the computers that need them (see the Needed By column of Table 1). These files contain the certificates and private keys. In practice, this must be done over an encrypted channel, and the private keys must not be exposed to anyone else; ca.key in particular never leaves the CA machine, because whoever holds it can issue certificates that every VPN peer will trust.

How do you transfer those files? You can use a method of your choice (e.g., scp, which encrypts the copy). Note: in order to use scp, you may need to start sshd on the server (systemctl start sshd.service) and configure the firewall to allow port 22. For example, on client1:

scp student@10.11.1.0:/home/student/easy-rsa/keys/client1.* ./

Where do you install those files on the clients? Technically, you can put those files wherever you like, but keep the .key files readable by root only. For this lab, I put them in the same subdirectory as on the server (/home/student/easy-rsa/keys/).
This is just for me to remember them easily, since the path will be needed for the following configurations.

Question 7: What certificate(s) and key(s) are necessary for client1 to set up a VPN connection with bidirectional authentication?

2.3 The server and client configuration
Now the certificates and keys have been generated and put in place. Next, we need to tell OpenVPN where the certificates and keys are located and how the VPN connection should operate. This is done by putting the relevant information in a configuration file.

2.3.1 The server configuration
The easiest way to configure the server is to edit the sample server configuration file. By default, the sample configuration files are located in the following folder:

/usr/share/doc/openvpn-2.3.2/sample/sample-config-files

It is good practice to keep the server configuration file in a proper folder, such as /etc/openvpn/. To do this, simply copy the sample configuration file to that folder and edit it there. Please log on to the server and edit the server.conf file as follows:
- Set the ca, cert, key and dh parameters to point to the files you generated in Section 2.2 (use absolute paths).
- Modify the server directive using the subnet assigned to you in Table 2. This directive defines the subnet, and therefore the IP addresses, used for secure communication over the VPN connection. (Note: if all computers/VMs are on the same LAN, a different subnet must be assigned to each user/student so that the tunnels do not collide. If each one works on a separate LAN, there is no need to assign subnets.)
- Use the default settings for the rest of the configuration for now.
- Do not forget to save your edits.

Question 8: Which protocol and what port number does the OpenVPN server listen on by default?
(Hint: study the server.conf file carefully)

Table 2 Subnet assignments
Student Name   User ID   Subnet
Student 1      user1     10.8.10.0/24
Student 2      user2     10.8.12.0/24
Student 3      user3     10.8.14.0/24
Student 4      user4     10.8.16.0/24
Student 5      user5     10.8.18.0/24
Student 6      user6     10.8.20.0/24
Student 7      user7     10.8.22.0/24
Student 8      user8     10.8.24.0/24
Student 9      user9     10.8.26.0/24
Student 10     user10    10.8.28.0/24
Student 11     user11    10.8.30.0/24
Student 12     user12    10.8.32.0/24

2.3.2 The client configuration
A sample client configuration file is located in the same subdirectory as the sample server configuration file. It is likewise good practice to keep the client configuration file in a proper folder, such as /etc/openvpn/. To do this, simply copy the sample configuration file to that folder and edit it there. Please log on to the clients as Linux root and edit the client.conf file as follows:
- Edit the remote directive to point to the IP address and port number of the OpenVPN server. Note that this is the host IP of the server on the LAN, not its VPN IP.
- Like the server configuration file, edit the ca, cert and key parameters to point to the files you generated in Section 2.2. Each client has its own cert/key pair; all of them share the same ca.
- Accept the defaults for the rest of the configuration.
- Save your edits.
Note that you need to perform the above edits on both clients.

2.4 Starting the VPN connection
OpenVPN can run in the background as a service and be configured to start automatically on a production network. For this lab, we simply start it from the command line to test the connection.

2.4.1 Starting the server
For this lab, you need to configure the firewall on the server to allow the traffic the OpenVPN server listens for. This means that
- connections must be allowed through the VPN port (see Question 8), and
- ICMP echo requests should be allowed for test purposes.
In reality (not needed for this lab), you also need to make the VPN server reachable from the Internet. That means that
- a rule must be configured on the firewall/gateway to forward incoming connections on the VPN port to the OpenVPN server.

Please log on to the server as Linux root and run the following command to start the OpenVPN server:

openvpn --config <server configuration file>

Replace <server configuration file> with the file name of the server configuration file.

2.4.2 Starting the client
Similar to starting the server, please log on to the client computer as Linux root and run the following command to start the OpenVPN client:

openvpn --config <client configuration file>

Replace <client configuration file> with the file name of the client configuration file.

Question 9: Summarize the major steps you need to take to set up a VPN network using OpenVPN.

Section 3 Testing the VPN connection
By default, only traffic sent through the VPN connection (to addresses on the VPN subnet, 10.8.xx.0/24) is secured (encrypted and authenticated). Traffic sent between the hosts' LAN addresses (on 10.11.0.0/16 in our lab) is not secured, even while the tunnel is up. Securing the latter would require routing rules on the gateway that forward that traffic into the tunnel, which is beyond the scope of this lab.

The first thing you want to know is whether the VPN has been set up correctly and is operating. You can use ping to learn the status of the VPN.

Question 10: What IP address would you use with the ping command to test the VPN connection between client 1 and the server? (Hint: use ifconfig to study the IPs)

Please ping the OpenVPN server from the clients. If the ping succeeds between the server and a client, congratulations! You have a functioning VPN. Otherwise, you need to debug your installation and configuration, starting with the openvpn log output on both ends.

Question 11: Are you able to connect client1 to client2 through the VPN connection in the current configuration? Please test your answer with ping.
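The edits of Sections 2.3 and 2.4, the firewall step and the test of Section 3, collected into one script as an added example for this page (not OpenVPN's sample files): it writes a complete server.conf and client.conf for the Student 1 subnet of Table 2, checks that every ca/cert/key/dh file a configuration names actually exists before openvpn is started (the most common reason a first start fails), and computes the tunnel address to ping. The server's LAN address 10.11.1.5, the dh2048.pem file name and the key directory are assumptions. The client uses remote-cert-tls server, which relies on the server extensions build-key-server puts in the server certificate, so that a compromised client's certificate cannot be used to impersonate the server. The client-to-client directive, which the sample server.conf carries commented out and which Section 4 below is about, is exposed as a switch.

```shell
#!/bin/bash
# Added example (not OpenVPN's sample files): a complete server.conf and client.conf
# for this lab, a pre-flight check, and the test step. Assumptions: the keys live
# where Section 2.2 put them, the DH file is dh2048.pem, the server's LAN (not VPN)
# address is 10.11.1.5, and the VPN subnet is 10.8.10.0/24 (Student 1 in Table 2).
set -eu

KEYS="${KEYS:-$HOME/easy-rsa/keys}"

# Server configuration. $1 = VPN subnet as a.b.c.0/24 from Table 2;
# $2 = yes to let clients reach each other (Section 4); default: clients isolated.
server_conf() {
  local net=${1%/24} c2c=${2:-no}
  cat <<EOF
port 1194
proto udp
dev tun
ca $KEYS/ca.crt
cert $KEYS/server.crt
key $KEYS/server.key
dh $KEYS/dh2048.pem
# Address pool for the tunnel; the server itself takes ${net%.0}.1.
server $net 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Drop root once the tun device and the keys have been set up.
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
  # By default the server does not forward traffic between clients (Question 11).
  if [ "$c2c" = yes ]; then echo client-to-client; else echo ";client-to-client"; fi
}

# Client configuration. $1 = the server's LAN address (not its VPN address),
# $2 = this client's name, which selects its own cert/key pair.
client_conf() {
  cat <<EOF
client
dev tun
proto udp
remote $1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca $KEYS/ca.crt
cert $KEYS/$2.crt
key $KEYS/$2.key
# Only accept a peer whose certificate carries the server extensions, so a
# stolen client certificate cannot be used to impersonate the server.
remote-cert-tls server
verb 3
EOF
}

# Pre-flight: every ca/cert/key/dh file the configuration names must exist.
# Prints the missing ones and returns 1 if any; openvpn would refuse to start.
lint_conf() {
  local rc=0 directive path _rest
  while read -r directive path _rest; do
    case $directive in
      ca|cert|key|dh) [ -r "$path" ] || { echo "$1: $directive file missing: $path"; rc=1; } ;;
    esac
  done < "$1"
  return $rc
}

# The server's tunnel address for the ping test (Question 10): first host of the pool.
vpn_server_ip() { local net=${1%/24}; echo "${net%.0}.1"; }

# On the server (as root):
#   firewall-cmd --add-port=1194/udp            # Fedora 18 uses firewalld
#   server_conf 10.8.10.0/24 > /etc/openvpn/server.conf
#   lint_conf /etc/openvpn/server.conf && openvpn --config /etc/openvpn/server.conf
# On client1 (as root):
#   client_conf 10.11.1.5 client1 > /etc/openvpn/client.conf
#   lint_conf /etc/openvpn/client.conf && openvpn --config /etc/openvpn/client.conf
#   ping "$(vpn_server_ip 10.8.10.0/24)"        # 10.8.10.1
```

Note what lint_conf does not check: it cannot tell whether server.key matches server.crt or whether the CA that signed client1.crt is the one in ca.crt; those mistakes show up only in openvpn's TLS handshake errors, which is why the log output on both ends is the first place to look when the ping fails.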
Section 4 Bonus (2%)
In the default configuration, the clients cannot communicate with each other through the VPN connection. This was verified in the test.

Bonus Scenario
For the bonus part, please configure OpenVPN so that client 1 can communicate with client 2, and vice versa, over the secured VPN connection. (Hint: study the server configuration.)

Question B1: What would you do to achieve the goal specified in the Bonus Scenario?

Survey Questions
Questions in this section will not be graded, but they let your instructor hear your suggestions.
GQ 1. What changes would you like to make to this lab?
GQ 2. How much time did you spend finishing this lab?
GQ 3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?

Well, you have completed another lab for this class. I hope you enjoyed doing it. Please let me know if you have any comments.

Answer Sheet
========================== Required Questions ===========================
Question 1: Choose one of the Kerberos policy settings. Explain why it is critical and how you would change the default setting in certain cases.

Question 2: What industry standard is used by OpenVPN for secure communication over the Internet? (Hint: refer to the above link if you don't know)

Question 3: What name did you use for the common name of the CA certificate?

Question 4: What signature algorithm is used to sign the certificates (X.509 standard) generated with easy-rsa?

Question 5: Are there any extension fields included in the certificates that were generated in the previous subsections? Please explain your answer.

Question 6: Suppose a public key is represented as {e, n}. What are the values of e included in those three certificates?
01.pem
02.pem
03.pem

Question 7: What certificate(s) and key(s) are necessary for client1 to set up a VPN connection with bidirectional authentication?
Question 8: Which protocol and what port number does the OpenVPN server listen on by default? (Hint: study the server.conf file carefully)

Question 9: Summarize the major steps you need to take to set up a VPN network using OpenVPN.

Question 10: What IP address would you use with the ping command to test the VPN connection between client 1 and the server? (Hint: use ifconfig to study the IPs)

Question 11: Are you able to connect client1 to client2 through the VPN connection in the current configuration? Please test your answer with ping.

========================= Bonus Questions (2%) ==========================
Question B1: What would you do to achieve the goal specified in the Bonus Scenario?

============================ Survey Questions ===========================
GQ1. Would you like to make any changes to this lab?
GQ2. How long did it take you to complete this lab?
GQ3. Did you learn anything new or gain a better understanding of the class lecture by finishing this lab?