Chapter 14 Outline
Microsoft Windows 2000 Network Infrastructure Administration

Chapter 14 Implementing Enterprise-Wide Network Security

Chapter 14, Lesson 1
Implementing Network Security

1. Lesson 1 Topics
   A. Identifying security risks
   B. Creating a network security plan
   C. Microsoft Windows 2000 security features
   D. Internet connection security issues
   E. Lesson objectives
      1. To describe sections of a network security plan
      2. To identify network security risks
      3. To describe Windows 2000 security features
      4. To describe how to secure a connection between your network and the Internet

2. Planning for Network Security
   A. Review security considering Windows 2000 capabilities.
      1. Assess your network security risks.
      2. Determine your server size and placement requirements.
      3. Prepare your staff.
      4. Create and publish security policies and procedures.
      5. Use a formal methodology to create a deployment plan for your security technologies.
      6. Identify your user groups and their specific needs and security risks.
   B. Assessing network security risks
      1. Network security risks
         a. Identity interception
         b. Masquerade
         c. Replay attack
         d. Data interception
         e. Manipulation
         f. Repudiation
         g. Macro viruses
         h. Denial of service
         i. Malicious mobile code
         j. Misuse of privileges
         k. Trojan horse
         l. Social engineering attack
      2. Network authentication
         a. Identifies users who attempt to connect
         b. Establish user accounts for authentication.
            (1) To be sure that appropriate people have access
            (2) To track network resources
      3. Network security plan
   C. Preparing your staff
      1. Need capable and trustworthy people
      2. Must integrate network and security infrastructure to eliminate or minimize weaknesses
      3. Security is only as good as implementation.
      4. Must know features
         a. Security templates
         b. Kerberos authentication
         c. Microsoft Public Key Infrastructure (PKI)
         d. Smart card infrastructure
         e. IP Security Protocol (IPSec) management
         f. NT file system (NTFS) encryption

3. Planning Distributed Network Security
   A. Involves coordination of many security functions
      1. Access to information
      2. Limited access to update information
      3. Sensitive or private information is protected.
      4. Develop a plan or plans.
   B. Testing your security plans
      1. Test plan.
      2. Revise and update plan.

4. Internet Connection Issues
   A. Internet provides a valuable service to customers and staff.
      1. Staff uses e-mail to communicate.
      2. Customers use e-mail and Web sites for information and services.
   B. Implementing a firewall
      1. Provides connectivity
      2. Minimizes the risk
      3. IPSec defines traffic allowed to cross the firewall.
      4. Firewalls act as proxy servers or routers.

5. Microsoft Proxy Server
   A. Provides both proxy server and firewall functions
      1. Acts as an intermediary between your computer and the Internet
         a. It is most frequently used when there is a corporate intranet and users are connected to a local area network (LAN).
            (1) Application layer gateway
         b. It can also work with a firewall to provide a security barrier between your internal network and the Internet.
         c. It can reduce network traffic by caching content that is frequently requested by the browsers it serves.
      2. May need to be upgraded for compatibility with Windows 2000
   B. Multiple proxy servers may be needed.
      1. Automatically coordinated
      2. Click the Microsoft Security Advisor link for detailed information:
         http://windows.microsoft.com/windows2000/reskit/webresources

6. Summarize Lesson. Check for Questions.
Chapter 14, Lesson 2
Configuring Routing and Remote Access Security

1. Lesson 2 Topics
   A. Security and encryption protocols
   B. Managing policies
   C. Lesson objectives
      1. To create a remote access policy
      2. To configure remote access security
      3. To configure encryption protocols
      4. To configure authentication protocols
      5. To configure and troubleshoot network protocol security

2. Overview of Remote Access
   A. Connection to system by phone
      1. Opens access to intruders
      2. Windows 2000 provides multiple security features to prevent mischief; a connection is accepted only when
         a. The request matches one of the remote access policies defined for the server.
         b. The user's account is enabled for remote access.
         c. Client/server authentication succeeds.

3. Configuring Protocols for Security
   A. Challenge Handshake Authentication Protocol (CHAP)
      1. Passing passwords in plaintext
      2. Common protocol
      3. Passwords need to be longer and not in dictionary.
   B. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
      1. Does not need plaintext version of password
      2. Vulnerable to brute force and dictionary attacks
      3. Challenge response is calculated with Message Digest 4 (MD4)-hashed version of password and network access server (NAS) challenge.
   C. Password Authentication Protocol (PAP)
      1. PAP passes password as a string from computer to NAS.
      2. NAS encrypts password with Remote Authentication Dial-In User Service (RADIUS) and passes password on.
      3. Most flexible protocol
      4. Plaintext makes it vulnerable.
   D. Shiva Password Authentication Protocol (SPAP)
      1. Reversible encryption mechanism
      2. Authenticates itself to Shiva remote access server
      3. Remote access client running Windows 32-bit operating systems can use SPAP to authenticate itself to Windows 2000 remote access server.
      4. More secure than PAP, less secure than CHAP or MS-CHAP
      5. Vulnerable to remote server impersonation
   E. Extensible Authentication Protocol (EAP)
      1. Extension to Point-to-Point Protocol (PPP)
      2. Uses arbitrary authentication mechanisms for validation of PPP
         a. Method chosen during negotiation
         b. Validated at connection
      3. Fixed series of messages in a specific order
      4. Highest flexibility in uniqueness and variation

4. Creating Remote Access Policies
   A. Used by Windows 2000 Routing and Remote Access Service (RRAS) and Windows 2000 Internet Authentication Service (IAS)
      1. Stored locally
      2. Policy is dictated on a per-call basis.
      3. Grant or deny access by
         a. Time of day
         b. Day of week
         c. Windows 2000 group
         d. Type of connection
   B. Local vs. centralized
      1. Centralized management installation
         a. Install Windows 2000 IAS as a RADIUS server.
         b. Configure IAS with RADIUS clients that correspond to Windows 2000 remote access or virtual private network (VPN) servers.
         c. On IAS server, create a central set of policies.
         d. Configure each of the Windows 2000 remote servers as RADIUS client to IAS server.
         e. Will not use remote access policies stored on remote servers
   C. Use with Windows NT 4.0 with RRAS as a RADIUS client to an IAS server
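The per-call evaluation described under Creating Remote Access Policies (first matching policy decides, then the account must be enabled for remote access and authentication must succeed) as an added example; this is constructed illustration code, not the course's or Microsoft's, and the Policy fields, policy names and connection-type labels are my own assumptions.

```python
"""Remote access policy evaluation in the order the outline gives for RRAS/IAS:
the first policy whose conditions (day of week, time of day, Windows 2000 group,
connection type) match decides; a grant still requires the account to be enabled
for remote access and authentication to succeed. Constructed example; the
Policy fields and the policy/connection names are assumptions."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Policy:
    name: str
    grant: bool                              # grant or deny when the conditions match
    days: frozenset = frozenset()            # e.g. {"Mon", "Tue"}; empty = any day
    hours: tuple = ()                        # (start_hour, end_hour); empty = any time
    groups: frozenset = frozenset()          # Windows 2000 groups; empty = any group
    conn_types: frozenset = frozenset()      # e.g. {"Dial-up", "VPN"}; empty = any type

    def matches(self, when: datetime, groups: set, conn_type: str) -> bool:
        """Every configured condition must hold; unconfigured ones are wildcards."""
        if self.days and when.strftime("%a") not in self.days:
            return False
        if self.hours and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        if self.groups and not (self.groups & groups):
            return False
        if self.conn_types and conn_type not in self.conn_types:
            return False
        return True


def evaluate(policies, when, groups, conn_type, account_enabled, auth_ok):
    """Decide one call: ("grant" | "deny", reason). First matching policy wins;
    with no matching policy the call is denied."""
    for p in policies:
        if p.matches(when, groups, conn_type):
            if not p.grant:
                return ("deny", p.name)
            if not account_enabled:
                return ("deny", "account not enabled for remote access")
            if not auth_ok:
                return ("deny", "authentication failed")
            return ("grant", p.name)
    return ("deny", "no matching policy")
```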
5. Using Encryption Protocols
   A. Remote access server can be set to require encrypted communications.
   B. VPN data is encrypted between the ends.
   C. Dial-up networking encrypts on communications link.
      1. Microsoft Point-to-Point Encryption (MPPE)
         a. Can be used on all PPP connections except Layer Two Tunneling Protocol (L2TP)
         b. Uses Rivest-Shamir-Adleman (RSA) Rivest's Cipher 4 (RC4) stream cipher
         c. Used with EAP-Transport Layer Security (TLS) or MS-CHAP authentication
         d. Uses
            (1) 40-bit encryption key: Backward compatibility and international use
            (2) 56-bit encryption key: International use and complies with encryption export laws
            (3) 128-bit encryption key: North American use
         e. Highest key strength is negotiated.
      2. IPSec
         a. Demand-dial connections using L2TP
         b. Determined by establishment of IPSec security association (SA)
         c. Encryption includes
            (1) Data Encryption Standard (DES) with 56-bit key
            (2) Triple DES (3DES) with three 56-bit keys for high-security environments

6. Summarize Lesson. Check for Questions.
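To make the challenge/response authentication from section 3 of this lesson concrete, here is an added example (not from the course material) of standard CHAP as specified in RFC 1994, not the MS-CHAP variant: the NAS issues a fresh challenge, the client answers with MD5 over identifier, shared secret and challenge, and the server recomputes the same value from its stored copy of the secret, which is why the server side must keep that secret in recoverable form. Usernames and secrets are constructed; class and function names are my own.

```python
"""CHAP (RFC 1994) challenge/response. Constructed example: the user database,
the secret and the helper names are assumptions, not course material."""
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over the 1-byte identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Network access server side. It stores the secret itself, not a one-way
    hash, because it must recompute the client's response to check it."""

    def __init__(self, secrets_db: dict):
        self.secrets_db = secrets_db      # username -> secret bytes (constructed)
        self.identifier = 0
        self.challenge = None

    def new_challenge(self):
        """Issue a fresh random challenge with a new identifier for this attempt."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = secrets.token_bytes(16)
        return self.identifier, self.challenge

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        """Check a response against the outstanding challenge, then discard that
        challenge so the same response can never be accepted twice."""
        secret = self.secrets_db.get(user)
        challenge, self.challenge = self.challenge, None
        if secret is None or challenge is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapServer, user: str, client_secret: bytes) -> bool:
    """One full exchange: server challenges, client answers, server verifies."""
    ident, chal = server.new_challenge()
    return server.verify(user, ident, chap_response(ident, client_secret, chal))


def replay_is_rejected(server: ChapServer, user: str, client_secret: bytes) -> bool:
    """A response captured from a valid exchange is useless against a later challenge."""
    ident, chal = server.new_challenge()
    captured = chap_response(ident, client_secret, chal)
    accepted_once = server.verify(user, ident, captured)
    new_ident, _ = server.new_challenge()
    return accepted_once and not server.verify(user, new_ident, captured)
```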
Chapter 14, Lesson 3
Monitoring Security Events

1. Lesson 3 Topics
   A. How to monitor security events in Windows 2000
   B. How to prevent attacks and intrusion on network
   C. Lesson objectives
      1. To manage and monitor network traffic
      2. To manage and monitor remote access

2. Monitoring Your Network Security
   A. Network security technologies can meet security goals if you plan and configure them carefully.
   B. Review security strategies to meet and anticipate changing environment and needs.
   C. Watch security network activity to spot weaknesses.
      1. Several tools available
      2. Several ways to deploy tools

3. Using Event Viewer to Monitor Security
   A. Event Viewer monitors events.
      1. Maintains logs on program, security, and system events
      2. Can view and manage event logs
      3. Can collect data on hardware and software problems
      4. Can monitor Windows 2000 security
   B. Viewing the security event log
      1. Can specify that an audit entry be written to a log when certain actions are performed to show
         a. Action
         b. User who performed action
         c. Date and time of action
      2. Recording security events is a form of intrusion detection through auditing.
         a. Tracks changes to security
         b. Identifies possible breaches
         c. Can serve as legal evidence
   C. Practice: Recording Failed Logon Attempts
   D. Practice: Viewing the Security Log

4. System Monitor
   A. Tracks system resources usage
      1. Tests application's usage of system resources
         a. Memory
         b. CPU activity
         c. Network activity
         d. Disk activity
      2. Counters
         a. Server\Errors Access Permissions
         b. Server\Errors Granted Access
         c. Server\Errors Logon
         d. IIS Security
      3. Monitors events

5. Monitoring Security Overhead
   A. Monitoring affects performance of system.
   B. Compare performance with and without security features, measuring
      1. Processor activity and process queue
      2. Physical memory used
      3. Network traffic
      4. Latency and delays

6. The IPSec Monitor Utility
   A. Confirms successful security by displaying active SAs
   B. Run IPSec Monitor
   C. IPSec Monitor provides statistics for performance tuning and troubleshooting, including
      1. Number and type of active SAs
      2. Total number of master and session keys
      3. Total number of confidential or authenticated bytes sent or received

7. Summarize Lesson. Check for Questions.
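The "Recording Failed Logon Attempts" practice and the intrusion-detection-through-auditing point in this lesson, as an added example (not from the course): a small detector that reads exported security-log rows and flags accounts with a burst of failed logons. The rows are constructed in a flattened form; the column layout is my own assumption, while event ID 529 (logon failure, unknown user name or bad password) and 528 (successful logon) are the Windows 2000 security audit IDs.

```python
"""Failed-logon burst detection over constructed Windows 2000 security-log rows.
Added example; the row format below is an assumption, not an Event Viewer export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: timestamp, event ID, account, workstation
SAMPLE_LOG = """\
2001-03-12 08:59:50,528,jsmith,WS14
2001-03-12 09:00:01,529,administrator,WS07
2001-03-12 09:00:03,529,administrator,WS07
2001-03-12 09:00:05,529,administrator,WS07
2001-03-12 09:00:08,529,administrator,WS07
2001-03-12 09:00:12,529,administrator,WS07
2001-03-12 09:15:00,529,jsmith,WS14
2001-03-12 09:15:40,528,jsmith,WS14
"""

LOGON_FAILURE = 529   # Windows 2000: unknown user name or bad password


def parse_log(text: str):
    """Turn exported rows into (time, event_id, account, workstation) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, account, ws = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, ws))
    return events


def failed_logon_bursts(events, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Return {(account, workstation): count} for pairs that reach `threshold`
    failures inside any sliding time window of length `window`."""
    failures = defaultdict(list)
    for when, eid, account, ws in events:
        if eid == LOGON_FAILURE:
            failures[(account, ws)].append(when)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = end - start + 1
                break
    return alerts
```

The successful logon at 09:15:40 after a single failure is normal behaviour and produces no alert; only the five failures against administrator from WS07 within eleven seconds do.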