1 / 88

Securing Access for Remote Users and Networks

Securing Access for Remote Users and Networks. Planning Remote Access Security Designing Remote Access Security for Users Designing Remote Access Security for Networks Designing Remote Access Policy Planning RADIUS Security. Planning Remote Access Security.

trent
Télécharger la présentation

Securing Access for Remote Users and Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Access for Remote Users and Networks • Planning Remote Access Security • Designing Remote Access Security for Users • Designing Remote Access Security for Networks • Designing Remote Access Policy • Planning RADIUS Security

  2. Planning Remote Access Security • Choosing between dial-up and virtual private network (VPN) solutions • Planning remote access authentication • Planning dial-up protocols • Planning VPN protocols • Planning integration with Microsoft Windows NT 4.0 Remote Access Service (RAS) servers

  3. Dial-Up Access

  4. VPN Access

  5. Making the Decision: Choosing Between Dial-Up and VPN Remote Access • Use dial-up access if • The organization maintains an existing modem pool • Most remote connections to the network are through local access numbers and do not require long distance or toll-free charges • The organization requires an alternative connection method between offices if a dedicated network link fails • Use VPN access if • The organization wants to outsource modem support to an ISP • Users have existing Internet access • The organization wants to reduce the costs associated with long-distance and toll-free numbers • The organization requires faster access speeds than are possible with dial-up networking solutions

  6. Applying the Decision: Hanson Brothers Requires Both Dial-Up and VPN Remote Access • Dial-up access • The stock application from Adventure Works requires a dial-up connection. • Hanson Brothers will restrict the connection to a specific phone number. • VPN access • Connect Montreal to the corporate office in Warroad. • Create a demand-dial connection as a backup. • Packets will initiate the dial-up connection if the VPN is unavailable.

  7. Authentication Protocols Supported by Windows 2000 RRAS • Routing and Remote Access Service (RRAS) supports • Password Authentication Protocol (PAP) • Shiva Password Authentication Protocol (SPAP) • Challenge Handshake Authentication Protocol (CHAP) • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) • Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2) • Extensible Authentication Protocol (EAP)

  8. The Advantage of Two-Factor Authentication • Adds security to the authentication process • Requires two forms of identification when users are authenticating with the network

  9. Making the Decision: Choosing a Remote Access Authentication Protocol • Low level of protection • PAP • SPAP • Medium level of protection • CHAP • MS-CHAP • High level of protection • MS-CHAPv2 • EAP-TLS

  10. Applying the Decision: Hanson Brothers Must Implement MS-CHAP and MS-CHAPv2 • These protocols provide the strongest form of authentication acceptable to both the remote client and the RRAS server. • Implement strong encryption on the remote access connection from Adventure Works. • Internet Protocol Security (IPSec) tunnel mode is the only choice for connecting the Montreal office securely to the Warroad office over the Internet.

  11. Remote Access Protocols Supported by Microsoft Windows 2000 • Point-to-Point Protocol (PPP) • Serial Line Internet Protocol (SLIP) • Asynchronous NetBEUI (AsyBEUI)

  12. Making the Decision: Choosing a Remote Access Protocol • PPP • SLIP • AsyBEUI

  13. Applying the Decision: Hanson Brothers Implements PPP Remote Access Protocol • Windows 2000 RRAS will provide remote user and office connectivity. • PPP meets all needs for connectivity. • SLIP is supported only for remote access clients. • There is no need to configure the remote access clients to support SLIP connections. • There is no need to support AsyBEUI remote access connections.

  14. Planning VPN Protocols

  15. VPN Protocol Introduction • Windows 2000 supports • VPN solutions for both client-to-server and network-to-network connectivity • Both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP)/IPSec solutions • IPSec tunnel solutions for providing network-to-network connectivity • The design decisions do not vary for client-to-network and network-to-network solutions. • Network-to-network solutions can include IPSec tunnel mode.

  16. Point-to-Point Tunneling Protocol (PPTP) • PPTP requires an IP connection to exist before the VPN can be established. • PPTP uses Microsoft Point-to-Point Encryption (MPPE) to provide encryption of the transmitted data. • MPPE can use 40-bit, 56-bit, or 128-bit encryption keys. • If a firewall is used, it should be configured to allow the PPTP packets to pass through the firewall. • Use the destination port of TCP port 1723 and protocol ID 47 (Generic Routing Encapsulation (GRE))

  17. Use PPTP to Meet the Following Requirements • If support for down-level clients is needed • If the VPN must cross a firewall or perimeter network that performs Network Address Translation (NAT) • If the organization requires the authentication of the user account only, not the machine account

  18. PPTP Security Weakness • The original implementation of PPTP used MS-CHAP as the authentication protocol. • The latest update to PPTP has added support for MS-CHAPv2 and EAP authentication. • With PPTP deployed, it is possible to determine the password by using a dictionary attack if weak passwords have been used. • If weak passwords are a major concern, ensure that all remote access clients use Windows 2000, and issue smart cards to use EAP authentication.

  19. Differences between L2TP and PPTP • L2TP does not include an encryption mechanism. • L2TP provides two forms of authentication. • L2TP cannot pass through a firewall or perimeter server performing NAT.

  20. L2TP/IPSec Firewall Considerations • Configure the firewall to allow IPSec packets destined for the tunnel server to pass through the firewall. • The IPSec packets are destined for UDP port 500 on the tunnel server using the IPSec ESP protocol identified by protocol ID 50. • Do not configure the firewall to pass L2TP packets (destined for UDP port 1701) because the packets are still encrypted when they pass through the firewall.

  21. IPSec Tunnel Mode • IPSec Tunnel Mode uses Encapsulating Security Payloads (ESPs) to encrypt all traffic passing between the tunnel endpoints. • Original IP packets are encrypted within the IPSec tunnel mode packet as they are transmitted across the unsecured network. • Data is decrypted when it reaches the endpoint nearest the destination computer.

  22. IPSec Tunnel Mode Considerations • IPSec tunnel mode is a highly interoperable solution. • IPSec does not provide user authentication of the two endpoints involved in the IPSec tunnel. • IPSec tunnel mode does not support client-to-network VPN access. • IPSec tunnel mode does not provide end-to-end encryption of data. • IPSec supports certificate-based authentication, Kerberos, and preshared key authentication for IPSec connections. • Tunnel server placement can prevent IPSec tunnel mode communications.

  23. Making the Decision: Selecting a VPN Protocol • PPTP • L2TP • IPSec Tunnel Mode

  24. Applying the Decision: VPN Solutions for Connecting the Montreal and Warroad Offices

  25. Planning Integration with Windows NT 4.0 RAS Servers • NULL sessions • NULL sessions allow anyone connected to the network to query the Active Directory directory service without the default security mechanisms in place. • Windows NT 4.0 RAS servers determine whether a connecting user has dial-in permissions by connecting to a domain controller (DC) with a NULL session.

  26. Implications of Disallowing NULL Sessions • With a Windows NT 4.0 RAS server that connects to a Windows NT 4.0 backup domain controller (BDC) in a mixed mode network • Authentication will succeed because the Windows NT 4.0 BDC supports NULL sessions • With a Windows NT 4.0 RAS server that is a Windows NT 4.0 BDC in a mixed mode network • Authentication will succeed because the BDC can determine dial-in permissions by looking at its versions of the domain database • With a Windows NT 4.0 RAS server that connects to a Windows 2000 DC • The authentication will fail or succeed depending on the membership of the Pre–Windows Compatible Access security group

  27. Membership of the Pre–Windows 2000 Compatible Access Security Group • Members of this group can query the DC with a NULL session. • Membership is determined by the user who creates a new domain in the forest. • The Everyone group can be added to the Pre–Windows 2000 Compatible Access security group. • There are security implications due to unsecured queries to Active Directory.

  28. Making the Decision: Designing Remote Access when Windows NT RAS Servers Exist on the Network • If the Windows NT 4.0 remote access server is not a BDC, ensure that the membership of the Pre– Windows 2000 Compatible Access group contains the Everyone group. • Upgrade or decommission the Windows NT 4.0 remote access servers as soon as possible. • Remove the Everyone group from the Pre–Windows 2000 Compatible Access group after all servers are upgraded or decommissioned.

  29. Applying the Decision: Windows NT RAS Server Considerations for Hanson Brothers • There are no Windows NT 4.0 servers running remote access services in the network. • To prevent excess rights from being granted to the network, inspect the membership and ensure that the Everyone group is not a member of the Pre–Windows 2000 Compatible Access security group.

  30. Designing Remote Access Security for Users • Planning user settings for dial-up networking security • Authorizing dial-up connections • Securing client configuration

  31. Remote Access Settings for User Accounts • Set remote access permissions. • Verify caller-ID. • Configure callback options. • Assign a static IP address. • Apply static routes.

  32. Making the Decision: Planning User Properties for Remote Access Security • Prevent remote access to the network. • Use remote access policy settings to determine remote access permissions. • Restrict dial-up connections to a specific phone number. • Assign a specific IP address for all connection attempts by the user. • Restrict remote access clients to specific network segments.

  33. Making the Decision: Enabling the Remote Access Account Lockout Feature • Use this feature to deny remote access to a user account if a preconfigured number of failed authentication attempts occur. • This helps prevent an attacker from attempting dictionary attacks. • The attacked account is disabled for remote access once the number of failed attempts exceeds the configured threshold. • Remote access account lockout is not related to user account lockout. • Enabling remote access lockout leaves the network susceptible to an attacker who could lock out user accounts.

  34. Making the Decision: Registry Settings to Enable Remote Access Account Lockout • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \RemoteAccess\Parameters\AccountLockout\MaxDenials • Sets the value for the failed attempts counter. • If the counter exceeds the configured value, remote access is locked out for the account. • A successful authentication resets the failed attempts counter. • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \RemoteAccess\Parameters\AccountLockout\ResetTime • Sets the interval, in minutes, to reset the failed attempts counter to a value of 0. • The default value is 2880 minutes, or 48 hours. • RADIUS authentication • Make the registry modifications at the server running Internet Authentication Services (IAS).

  35. Applying the Decision: Deploying User Properties for Remote Access Security for Hanson Brothers • Hanson Brothers • The default option of Control Access Through Remote Access Policy is appropriate for all user accounts. • Configure Deny Access for the Guest account. • Adventure Works • Define a dedicated user account for connecting to the Hanson Brothers network. • Configure the dial-in settings for the account to Verify Caller-ID and set the predefined phone number at Adventure Works. • Hanson Brothers can cover the long-distance phone charges by using callback security to return the call to the specified phone number.

  36. Authorizing Dial-Up Connections • Windows 2000 remote access authorization techniques can be implemented in addition to authenticating remote access connections. • Authorization techniques examine the attributes of the connection attempt, not the user account. • The entire phone system must support the authorization method. • If any part of the connection does not support the authorization method, authorization will fail.

  37. Remote Access Authorization Methods

  38. ANI/CLI and Caller ID Differences • Automatic Number Identification/Calling Line Identification (ANI/CLI) does not require the remote access connection to provide user credentials. • The remote access connection is authorized based on the originating phone number when ANI/CLI is used. • ANI/CLI does not send user credentials in the connection request. • The Caller-ID attribute is not verified until after the credentials are presented for a remote access connection. • Caller ID can be used to secure access to other resources on the network.

  39. Making the Decision: Authorization Methods for Remote Access • ANI/CLI • Dialed Number Identification Service (DNIS) • Third-party security hosts

  40. Applying the Decision: Authorization Methods for Remote Access at Hanson Brothers • Hanson Brothers should consider using a combination of ANI/CLI and DNIS for the connection from Adventure Works. • Adventure Works should use a different phone number when connecting to the Hanson Brothers network to query stock levels. • DNIS can identify connection attempts to the network and apply the most restrictive remote access policy to the connection. • Hanson Brothers can use ANI/CLI to provide Adventure Works with unauthenticated, but authorized, access to the network. • ANI/CLI cannot be used for requests to the stocking application, since user credentials will not be provided.

  41. Securing Client Configuration • The Configuration Manager Administration Kit (CMAK) allows an administrator to create a dial-up connection that works with Microsoft Windows 95, Microsoft Windows 98, Windows NT 4.0, and Windows 2000. • CMAK allows control of the security settings of remote access connections by • Enforcing the settings the organization requires • Restricting access to key configuration screens for remote access connection objects • CMAK reduces administrative overhead by deploying preset security configuration. • CMAK is included with Microsoft Windows 2000 Server.

  42. CMAK Advantages over User-Defined Dial-Up Network Connection Objects • Defines a highly secure connection object • Defines a package that launches a dial-up and VPN connection • Creates a package that can be deployed to most Microsoft Windows operating systems. • Removes saved password vulnerabilities • Deploys preset security configurations • Uses a standard phone book

  43. Making the Decision: Designing CMAK Packages to Secure Remote Access • Provide local access numbers. • Simplify the dial-up process when VPNs are deployed. • Prevent the modification of security configuration parameters set in a dial-up connection. • Prevent remote access connections by unauthorized personnel. • Meet multiple dial-up configuration requirements.

  44. Applying the Decision: Designing CMAK Packages to Secure Remote Access for Hanson Brothers • CMAK package for dial-up clients • Configure the phone book to provide local access numbers for the Calgary, Boise, and Warroad offices. • Configure the dial-up connections to use only MS-CHAPv2 to ensure mutual authentication of remote access client and remote access server. • Configure the dial-up connections to require the strongest encryption settings. • Restrict access to the Security tab to prevent users from modifying data encryption or authentication settings.

  45. Applying the Decision: Designing CMAK Packages to Secure Remote Access for Hanson Brothers (Cont.) • CMAK package for VPN clients • Configure the phone book to provide host names for the remote access servers at the Calgary, Boise, and Warroad offices, or configure separate CMAK packages for each office. • Configure the VPN connections to only use MS-CHAPv2 to ensure mutual authentication of remote access client and remote access server. • Configure the VPN connections to require the strongest encryption settings. • Configure the VPN connection to use only PPTP. • Deploy computer certificates to all remote access client computers before implementing L2TP/IPSec connections. • Prevent access to the Security tab so users cannot modify data encryption or authentication settings.

  46. Designing Remote Access Security for Networks • Choosing remote office connectivity solutions • Securing dedicated WAN connections • Designing VPN solutions

  47. Private WAN Links

  48. VPN Over a Public Network

  49. Making the Decision: Choosing a Remote Office Connectivity Solution • Reasons to choose a dedicated WAN Link • Restricts network traffic over the WAN link exclusively to traffic between the two offices • Guarantees bandwidth between the two sites • Cost of a dedicated link is not prohibitive • International boundaries or local laws do not prevent the establishment of a dedicated network link

  50. Making the Decision: Choosing a Remote Office Connectivity Solution (Cont.) • Reasons to choose a VPN over a public network • Leverages existing Internet links to provide network connectivity between sites • Provides connectivity between hardware from different network vendors over public networks • Reduces the costs associated with connecting offices across international boundaries

More Related