272 Chapter 5 Designing a Network Access Strategy

■ Which type of 802.1x enforcement, access control list (ACL) or virtual local area network (VLAN), will you use?
■ Must you support PXE boot?

Using the inventory list from the documentation of your switches, you can begin assessing the switches involved in the 802.1x enforcement. Contact the vendor’s Web site to find out about any known issues with employing NAP and about any necessary updates.

Access Point Considerations

As 802.1x authentication proliferates, more and more vendors are adding NAP support. There are even blogs devoted to listing security vendors supporting NAP. Finding hardware is not the problem; discerning whether the hardware currently in use is or can be made compliant is the issue. Purchasing new hardware is always an easy way to attain compliance but is also the most expensive.

MORE INFO 802.1x enforcement
The Microsoft NAP team has provided a specific blog that lists switches tested for 802.1x enforcement. This list is not meant to be exhaustive; in fact, it appears rather to be a list about a single device from the major network infrastructure vendors that was tested for 802.1x enforcement abilities. The assumption is that there is support from each of these vendors in their product line because most of the vendors use a similar operating system across much of the same line of hardware. You can see this blog at http://blogs.technet.com/nap/archive/2007/07/10/nap-802-1x-enforcement-switches-we-ve-tested-w-nap.aspx.

When examining compliance, look for specific RADIUS support. Microsoft NAP supports the following vendor-specific attributes (VSAs) and RADIUS attributes for defining the restricted network with 802.1x enforcement:
■ Filter-ID for identifying the ACL
■ Tunnel-Medium-Type
■ Tunnel-Pvt-Group-ID
■ Tunnel-Type
■ Tunnel-Tag

For setting the periodic re-authentication interval, the standard Session-Timeout RADIUS attribute has broad support from most of the hardware vendors.
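As an added example (not from the book), the following Python encodes the attributes listed above the way a RADIUS server would return them for a restricted VLAN or a restricting ACL, and decodes them the way an access point does. Tunnel-Pvt-Group-ID is Tunnel-Private-Group-ID in RFC 2868, and the "Tunnel-Tag" is the leading tag octet that ties the three Tunnel attributes together; the VLAN id, ACL name and the four-hour Session-Timeout are constructed values.

```python
import struct

# RADIUS attribute type numbers (RFC 2865 and RFC 2868).
FILTER_ID = 11
SESSION_TIMEOUT = 27
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81       # the book's "Tunnel-Pvt-Group-ID"

TUNNEL_TYPE_VLAN = 13              # RFC 3580 value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6         # RFC 2868 value for IEEE 802 media
FOUR_HOURS = 4 * 60 * 60           # the reauthentication interval the chapter recommends


def _attr(atype, value):
    """Type-Length-Value; Length counts the two header bytes as well."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([atype, len(value) + 2]) + value


def _tagged_int(atype, tag, value):
    # Tagged integer attributes carry a 1-byte tag (the "Tunnel-Tag") and a 3-byte value.
    return _attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def restricted_vlan_attributes(vlan_id, session_timeout=FOUR_HOURS, tag=1):
    """Attributes that place a noncompliant supplicant into the remediation VLAN."""
    return (
        _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
        + _attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    )


def restricted_acl_attributes(acl_name, session_timeout=FOUR_HOURS):
    """ACL-style restriction: Filter-Id names the switch ACL that limits the port."""
    return _attr(FILTER_ID, acl_name.encode("ascii")) + _attr(
        SESSION_TIMEOUT, struct.pack("!I", session_timeout)
    )


def parse_attributes(data):
    """Decode the attribute stream the way an access point would."""
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        pos += length
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x01..0x1F is a tag; anything else starts the string.
            if 0 < value[0] <= 0x1F:
                out[atype] = (value[0], value[1:].decode("ascii"))
            else:
                out[atype] = (None, value.decode("ascii"))
        elif atype == SESSION_TIMEOUT:
            out[atype] = struct.unpack("!I", value)[0]
        elif atype == FILTER_ID:
            out[atype] = value.decode("ascii")
        else:
            out[atype] = value
    return out


def assigned_vlan(data):
    """VLAN an IEEE 802 access point would apply, or None when the three Tunnel
    attributes are missing, inconsistent, or carry different tags."""
    attrs = parse_attributes(data)
    ttype = attrs.get(TUNNEL_TYPE)
    tmed = attrs.get(TUNNEL_MEDIUM_TYPE)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and tmed and group):
        return None
    if ttype[1] != TUNNEL_TYPE_VLAN or tmed[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not (ttype[0] == tmed[0] == group[0]):
        return None
    return int(group[1])
```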
ACLs vs. VLANs

802.1x enforcement can implement ACLs or VLANs for restricted access. Which enforcement method you use depends on your access point’s or switches’ support and which type provides the restriction desired within your environment.

Using ACLs, an administrator can define a specific set of packet filters that enable a noncompliant NAP client to communicate only with a specific subset of servers. Because the 802.1x enforcement process occurs over layer 2, the noncompliant NAP client still attempts automatic configuration for its IPv4 configuration or autoconfiguration for IPv6. It attains an address for its usual subnet but now is confined to limited access to specific servers for remediation. The big advantage here is that the ACL also prevents a rogue noncompliant NAP client from attempting to infect other noncompliant NAP clients. Because all the remediation servers should be up to date with their security software and configuration settings, the remediation servers should be fairly impervious to attack as well. This creates an isolated network on a per-port basis because the noncompliant client sees only the remediation network servers until fully compliant.

Using VLANs, an administrator can define a VLAN for remediation. Noncompliant NAP clients and 802.1x NAP clients failing a health check are forced into this VLAN by the wireless access point or a wired switch port on the switch. The VLAN is composed of remediation servers along with other noncompliant NAP clients. This restriction prevents communication outside the VLAN until the NAP client passes its health check. Ensure that this restricted VLAN is used solely for noncompliant NAP clients. Do not configure non-NAP-capable or unauthenticated NAP clients to use this VLAN.
Normally, if an EAPHost NAP enforcement client fails authentication, the computer will not be allowed to communicate through the access point, so these unauthenticated computers will not be placed in the VLAN designated as the restricted network either.

Planning Authentication Protocols for 802.1x Enforcement

The only two supported authentication protocols for 802.1x enforcement included in Windows XP SP3, Windows Vista, and Windows Server 2008 are the PEAP types, PEAP-TLS and PEAP-MSCHAP v2. If implementing third-party vendor add-ons for 802.1x enforcement, you need to test their solutions because Microsoft NAP supports only PEAP-based solutions.

When implementing an 802.1x enforcement solution, you must consider the PKI when choosing between PEAP-TLS and PEAP-MSCHAP v2. If you’re using PEAP-TLS, it will probably be more cost effective to implement an internal Microsoft-based PKI. You need computer certificates for the NPS servers performing RADIUS authentication and the NAP clients using 802.1x enforcement. You can acquire certificates for computer accounts through autoenrollment using Group Policy, by importing a certificate file using either a group certificate (considered less secure) or an individual certificate per computer, or, finally, by using Web enrollment.

The RADIUS servers require a certificate for PEAP-MSCHAP v2. You must install the root CA certificate on all computers employing 802.1x enforcement. For managed computers, it is fairly easy to have clients trust the root CA by using Group Policy. For unmanaged computers, you need to import the root CA certificate into the local computer’s Trusted Root Certification Authorities store.

Using 802.1x enforcement also requires you to consider the reauthentication interval. If health policy changes, there is no standard way to enforce client remediation after an 802.1x enforcement client is considered compliant.
Setting a time interval that requires clients to reauthenticate provides a reliable means of forcing clients to seek compliance when the health policy is modified. As mentioned earlier, shorter intervals place greater stress on NAP infrastructure components such as RADIUS. Microsoft best practices recommend a four-hour interval. You can enforce a reauthentication interval by the following techniques:
■ Direct manipulation of the access point’s 802.1x configuration
■ A VSA configured on the RADIUS server and supported by the 802.1x access point
■ The Session-Timeout RADIUS attribute

Real World
Paul Mancuso

When using PEAP-MSCHAP v2, two PKI considerations come to mind. First, using an internal PKI gives you far greater control over which computer will trust the root CA. Managed computers can easily be configured to trust the root CA through Group Policy. This also establishes a nice baseline so that only managed computers have this trust. However, this creates a lot of work for an IT department when all that is really necessary to make 802.1x function in relation to a PKI is to purchase a certificate from a PKI vendor whose root CA is already trusted. This eliminates much work on the back end of an 802.1x authentication configuration. The dollar cost is pennies when compared to the time, effort, and additional troubleshooting necessary to set up your own internal PKI and configure Group Policy for managed computers (the easy part), or using one of the manual methods (Web enrollment or importing a certificate file) for unmanaged computers.

Other 802.1x Enforcement Considerations

802.1x enforcement is not without some issues. One of them is the problem of not allowing the use of PXE boot on switch ports where 802.1x enforcement is configured. Also, there might be certain non-802.1x-capable clients within your environment, such as print servers, fax servers, or computers installed with an operating system that is noncompliant for 802.1x enforcement.
You must exempt them from 802.1x enforcement. Configuring exemptions can be as easy as configuring the specific ports used by these network clients to be exempt from 802.1x authentication and 802.1x enforcement, or from just 802.1x enforcement if they support 802.1x authentication but not 802.1x enforcement.

Using 802.1x is not the security panacea that will solve all your concerns with keeping out attackers. As stated earlier, NAP is not designed to stop attackers; it is mainly designed to prevent malware outbreaks. In fact, 802.1x authentication has one known flaw regarding man-in-the-middle attacks, but this requires some physical access to your access ports. In addition, 802.1x does not provide the end-to-end security that IPsec enforcement can provide. 802.1x provides the assurance that compliant computers on the network, if attacked by invading malware, are better equipped to ward off the attack. It helps maintain a stable and secure environment.

Configuring Additional NAP Components on Clients and NAP Health Policy Servers

The same considerations enumerated in the “Configuring Additional NAP Components on Clients” and “Configuring NAP Health Policy Servers” sections, discussed earlier in this chapter under IPsec enforcement, apply to 802.1x enforcement.

Planning NAP DHCP Enforcement

DHCP enforcement provides for NAP enforcement before an IPv4 client receives its automatic configuration information from a DHCP server. DHCP enforcement uses a limited IPv4 configuration to restrict a DHCP client to a restricted network to perform remediation.
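The limited IPv4 configuration that DHCP enforcement hands a noncompliant client (router 0.0.0.0, a 255.255.255.255 mask, and Classless Static Routes host routes to the remediation servers, which Microsoft's option 249 encodes in the same layout as RFC 3442), modelled in Python as an added example that is not the book's or NPS's code. Addresses, the gateway used as next hop, and the remediation servers are constructed values; the model only answers whether the client's routing table, built from the lease alone, has a route to a destination.

```python
import ipaddress

# Microsoft's Classless Static Route option code; its payload uses the same
# route-descriptor layout as the IETF option 121 (RFC 3442).
OPTION_CLASSLESS_STATIC_ROUTE_MS = 249
RESTRICTED_ROUTER = "0.0.0.0"           # no default gateway for a noncompliant client
RESTRICTED_MASK = "255.255.255.255"     # /32: nothing is on-link except the client itself


def encode_classless_routes(routes):
    """routes: iterable of (destination CIDR string, next-hop string).
    Each descriptor is: prefix length, the significant destination octets, 4-byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)              # strict: host bits must be zero
        sig = (net.prefixlen + 7) // 8                 # octets needed to carry the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; rejects malformed or truncated data."""
    routes, pos = [], 0
    while pos < len(payload):
        plen = payload[pos]
        if plen > 32:
            raise ValueError("prefix length > 32")
        sig = (plen + 7) // 8
        if pos + 1 + sig + 4 > len(payload):
            raise ValueError("truncated route descriptor")
        dest = payload[pos + 1:pos + 1 + sig] + b"\x00" * (4 - sig)
        router = ipaddress.IPv4Address(payload[pos + 1 + sig:pos + 5 + sig])
        routes.append((ipaddress.IPv4Network((dest, plen)), router))
        pos += 5 + sig
    return routes


def restricted_lease(client_ip, remediation_servers, gateway):
    """The lease DHCP enforcement hands a noncompliant client (a model, not NPS code).
    Assumption: the host routes use the subnet's real gateway as their next hop."""
    routes = [(f"{srv}/32", gateway) for srv in remediation_servers]
    return {
        "ip": client_ip,
        "mask": RESTRICTED_MASK,
        "router": RESTRICTED_ROUTER,
        "options": {OPTION_CLASSLESS_STATIC_ROUTE_MS: encode_classless_routes(routes)},
    }


def compliant_lease(client_ip, mask, gateway):
    """A normal lease for comparison: real mask, real default gateway, no static routes."""
    return {"ip": client_ip, "mask": mask, "router": gateway, "options": {}}


def can_reach(lease, destination):
    """Does a routing table built only from the lease have a route to destination?"""
    dest = ipaddress.IPv4Address(destination)
    iface = ipaddress.IPv4Interface(f"{lease['ip']}/{lease['mask']}")
    if dest in iface.network:
        return True                                    # on-link (only the client itself under /32)
    payload = lease["options"].get(OPTION_CLASSLESS_STATIC_ROUTE_MS, b"")
    if any(dest in net for net, _ in decode_classless_routes(payload)):
        return True                                    # explicit host route to a remediation server
    return lease["router"] != RESTRICTED_ROUTER        # a default route exists only if a gateway was given


if __name__ == "__main__":
    # Constructed sample: client on 10.0.5.0/24, remediation servers on 10.0.9.0/24.
    lease = restricted_lease("10.0.5.77", ["10.0.9.10", "10.0.9.11"], gateway="10.0.5.1")
    for target in ("10.0.9.10", "10.0.5.80", "192.0.2.1"):
        print(target, "reachable" if can_reach(lease, target) else "blocked")
```

The model also shows why the book calls this the weakest enforcement: nothing in the lease is enforced by the network, so a manually configured mask and gateway remove the restriction entirely.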
DHCP enforcement combines the use of Windows Server 2008 running the DHCP Server service, the NPS service for RADIUS client capabilities, and the supported Windows clients:
■ Windows XP SP3
■ Windows Vista
■ Windows Server 2008

DHCP enforcement uses the following configurations of IPv4 to restrict a noncompliant client:
■ Sets the router option to 0.0.0.0 for noncompliant clients
■ Sets the subnet mask for the IPv4 address to 255.255.255.255
■ Uses the Classless Static Routes DHCP option to set host routes to specified computers on the restricted network

DHCP enforcement is simple to set up but has some considerable disadvantages when compared to other forms of NAP enforcement:
■ It is relatively the weakest form of NAP enforcement.
■ A local administrator can override the settings by setting an appropriate manual IPv4 configuration to access the network.
■ It does not provide support for IPv6 environments. Currently, DHCP enforcement is an IPv4-only solution.

Design Considerations for DHCP Enforcement

Several items need to be in place for a successful DHCP enforcement solution:
■ All DHCP servers need to be upgraded to Windows Server 2008.
■ All DHCP servers need to add the NPS role and configure a Remote Servers group containing the NAP health policy servers.
■ Installation of RADIUS infrastructure is necessary if one is not already deployed.
■ Consideration is necessary for how to implement exemptions for non-NAP-capable computers.

The network infrastructure, switches, routers, and Active Directory domain controllers require no updates or upgrades. Only the DHCP servers need to be upgraded to Windows Server 2008; install the NPS service and configure the service to function as a RADIUS proxy for the back-end NAP health policy servers.

■ The DHCP scopes need to be appropriately configured:
  ❑ NAP needs to be enabled for the specified scopes where DHCP enforcement is to function.
  ❑ DHCP scopes need to be configured with the options for noncompliant NAP clients.
■ Using either specific Vendor classes or the Default Network Access Protection Class User class, configure the Classless Static Routes option (Option 249) for clients that are noncompliant.

Configuring Additional NAP Components on Clients and NAP Health Policy Servers

The same considerations enumerated in the “Configuring Additional NAP Components on Clients” and “Configuring NAP Health Policy Servers” sections, discussed earlier in this chapter under IPsec enforcement, apply to DHCP enforcement as well.

Final Say on DHCP Enforcement

Despite all the disadvantages of DHCP enforcement, it can provide a fine solution for a small company intent on enhancing its malware protection services. For larger environments, DHCP enforcement can provide an inexpensive reporting solution, assuming the necessary Windows Server 2008 components can be installed. For a small environment, as well as for branch offices in larger enterprises, one server can be used to deploy all the necessary components: DHCP, NPS, and NAP health policy server. This is an inexpensive solution to provide at least a fine reporting tool by which to monitor your noncompliant clients’ health in your environment and provide a step toward a more secure environment.

Domain and Server Isolation

Domain isolation and server isolation, introduced initially with Windows Server 2003, are effective means of improving secure communications within an enterprise. By ensuring which computers may communicate with other computers, you provide secure end-to-end authenticated communication. Securing end-to-end communication is not addressed through VPN enforcement, DHCP enforcement, or 802.1x enforcement.
NAP IPsec enforcement does provide the same end-to-end authenticated communication service as isolation and, thus, can implement a similar style of security while adding support for health policies.

With domain and server isolation, IPsec authenticated communication defends a computer against network attacks, protection that application-layer user authentication security services do not offer. User authentication does prevent users from attacking specific files and applications, but it is not true security at the lower layers. IPsec authentication helps prevent attacks against services running at the network layer.

Domain vs. Server Isolation

Domain isolation is a way of ensuring that computers that need to communicate are members of the domain and have received the necessary IPsec policies through Group Policy. This isolates trusted computers from untrusted computers. All incoming requests and subsequently transferred data must be authenticated and protected by IPsec. Using Windows Firewall with Advanced Security policy settings, you can define IPsec and connection security rules that either require or request all inbound traffic to be authenticated with IPsec.

Server isolation is a more selective isolation method than domain isolation. Server isolation enables the enterprise administrator to designate specific hosts within the environment that require all client connection requests to them to be authenticated by IPsec, much like domain isolation. In addition, you can designate select servers to allow communication with specific clients and servers through:
■ Selective certificates used for IPsec authentication.
■ Specific IP addresses, using Windows Firewall with Advanced Security policy settings.
■ Windows Server 2008, creating firewall rules that permit traffic from computers or users who are members of a select Active Directory security group.
■ Windows Server 2003, using the local Group Policy Access This Computer From The Network user right to specify users and computer accounts.

Using either domain or server isolation, exemptions can be made for computers that are not capable of performing IPsec authentication or are not members of AD DS.

Comparing Server and Domain Isolation to IPsec Enforcement

From a high-level perspective, these technologies are more similar than different. Both technologies use IPsec to provide logical network segmentation. Both server isolation and domain isolation attempt to make the network safer through ensuring that only trusted computers can communicate. IPsec enforcement ensures that computers trusted by health validation are allowed to communicate. Both use IPsec authentication to assure communicating computers mutually of their ability to trust and be trusted. Both technologies can use the default Kerberos authentication or deploy certificates for computer authentication prior to establishing IPsec security associations (SAs). Server isolation enables an administrator to segment high-value servers further for granular control within the trusted environment. IPsec NAP can define specific zones of security to tighten access even further to high-value servers. Figure 5-9 displays the logical network segmentation that both forms of IPsec isolation can provide.
Figure 5-9 IPsec providing the logical network segmentation
[Figure 5-9 zones, from innermost to outermost: Server Isolation (high-value servers with trusted client access); Domain Isolation (trusted Active Directory clients and servers, NAP compliant); Restricted Network (remediation servers, noncompliant NAP clients); Untrusted (Internet)]

Adding NAP technology to your IPsec isolation solution now provides the following additional security aspects:
■ Formalizes policy validation for healthy computers
■ Further restricts computer trust to computers that are managed and healthy
■ Uses remediation to enable updating for unhealthy managed computers
■ Creates a system of ongoing enforced compliance that offers flexible management for defining trust

Moving from Server and Domain Isolation to IPsec NAP

If your environment is using Windows 2000 Server or later, you can use IPsec NAP to provide a trusted environment and enforce logical network segmentation for the creation of trusted zones. For networks that have already upgraded to Windows XP SP3 and Windows Vista on the desktop and have begun the upgrade to Windows Server 2008, a steady migration toward NAP can begin. You can begin introducing health validation in network locations that have already upgraded their operating systems to NAP-capable clients by implementing a pilot program. This pilot program should initially use reporting and quickly move toward the implementation of restriction. After a predominant portion of each network location—branch offices or the main office—has upgraded to NAP-capable clients, you can introduce a NAP solution using reporting. Finally, each office in the network can eventually turn on restriction after a careful review of logs gathered during the implementation of reporting only. Proper planning is essential to a NAP implementation.
It is conceivable that if IPsec NAP is your choice of NAP enforcement, then first instituting server and domain isolation in phases throughout your environment would be a good starting place.

Lesson Summary

■ Gathering the design requirements for a NAP solution involves collecting a list of items necessary to perform each of the desired NAP enforcement types.
■ For all NAP enforcement types, ensure that your RADIUS servers are all upgraded to Windows Server 2008. Upgrade only the necessary components of your RADIUS solution, the RADIUS clients and proxies, when called for in your design.
■ You can implement NAP enforcement through a VPN, 802.1x, DHCP, or IPsec.
■ For all NAP enforcement types, determine non-NAP-capable clients. Segment each type of non-NAP-capable client into respective groups so you can create policies for each type. Determine a NAP solution for the security policies prescribed for each group.
■ Maintain adequate supervision for the servers providing remediation in your restricted network.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, “Network Access Policy and Server and Domain Isolation.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.

1. Choose the appropriate decision points when deciding to implement NAP. (Choose all that apply.)
A. Provides a safer environment for trusted computers
B. Enforces a policy on the health level of the computers in the trusted environment
C. Provides a firewall block against would-be attackers
D. Ensures that internal computers are more likely to be protected from an attack

2. Choose the correct statement when determining which NAP enforcement method meets a stated policy goal of that NAP enforcement type.
A. 802.1x enforcement provides end-to-end secure communications of NAP-compliant clients.
B. DHCP enforcement enables an administrator to mandate the use of a VLAN ID in the restricted network upon failure of a NAP client for compliance.
C. VPN enforcement provides for confidentiality of each packet’s data along its entire path.
D. IPsec prevents the replay of any portion of a session between two trusted clients.

Chapter Review

To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:
■ Review the chapter summary.
■ Complete the case scenario. This scenario sets up a real-world situation involving the topics of this chapter and asks you to create a solution.
■ Complete the suggested practices.
■ Take a practice test.

Chapter Summary

■ Design a perimeter network with servers that receive access requests from clients in the border network. Servers on the perimeter network include VPN servers, servers providing Web services, Web application servers, proxy servers servicing Web applications serving as RADIUS clients, and the firewall and network infrastructure devices.
■ If you need a PKI to support a remote access solution, determine whether you can scale an existing PKI to support those needs.
■ Review the load on your RADIUS servers to determine high availability and load balancing needs, especially if you intend to expand the VPN to support more remote users.
■ Determine the security requirements for your choice of VPN protocols. If the highest level of security is required for the VPN due to security policy, and mutual authentication is required for the user and the computer, consider using an EAP-based type of authentication with L2TP to provide the highest level of security for the tunnel, the data, and the VPN client.
■ NAP is not designed to lock attackers out of your environment. NAP is designed to ensure that, if attacked, your computers have a well-managed security policy that enhances their ability to fend off an attack.
■ You can implement NAP enforcement through IPsec, DHCP, VPN, or 802.1x. IPsec NAP enforcement is the strongest form of NAP enforcement. DHCP enforcement is the weakest form of NAP enforcement.
■ Be sure to test a well-documented pilot deployment extensively prior to implementing an enterprise deployment of any NAP solution.

[...] Policies in Windows Server 2008” white paper from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyID=8e47649e-962c-42f8-9e6f-21c5ccdcf490&displaylang=en
■ Practice 2 Read the “The Security Risk Management Guide” white paper from Microsoft at http://www.microsoft.com/downloads/details.aspx?familyid=C782B6D3-28C5-4DDA-A168-3E4422645459&displaylang=en

Practice 1 ... practice implementing each of the NAP enforcement types:
NAP DHCP: http://go.microsoft.com/fwlink/?Linkid=85897
Practice NAP VPN enforcement: http://go.microsoft.com/fwlink/?Linkid=85896
Practice NAP IPsec enforcement: http://go.microsoft.com/fwlink/?Linkid=85894
Practice NAP 802.1x enforcement: http://go.microsoft.com/fwlink/?Linkid=86036

Watch a Webcast
For these practices, watch two webcasts about Active ... GPO within Active Directory. The benefit to the user of the system is single sign-on to access resources enterprise-wide. The impact of joining the domain for a computer is giving up administrative control of the computer. The administrators in the enterprise now own the control of the system. For the administrator in the enterprise, almost the only circumstances in which it might be desirable to have ...
office administrator. The branch office administrator is generally less skilled and less trusted than the administrators in the corporate HQ. Branch office administrators are responsible for lower-level administrative functions related to application installation, performing operating system and application updates, and restarting servers and domain controllers (DCs). However, the branch office administrator ... and a limited GUI, local administration and administration through a Remote Desktop (Terminal Services) connection must be performed using commands at a command prompt. Figure 6-1 shows the Server Core console.

Figure 6-1 The Server 2008 Server Core console

Many Control Panel items are available in Server Core. Type the name of the cpl item at the command ... The RODC was largely designed for the branch office implementation. It can be installed on the full installation or the Server Core installation of Windows Server 2008—Server Core, of course, being the more secure of the two. The option to install the DC as a RODC is a new setting in the DCPromo utility, as shown in Figure 6-3.

Figure 6-3 Selecting the read-only ... grants the delegated user or group local administrator privilege on the server, with the ability to log on to the server, update drivers, and restart the server, but disallows them from being able to manage Active Directory or the Directory Services. This is called Administrator Role Separation. You must perform Administrator Role Separation delegation on a server-by-server basis. The delegated user or group ...
■ A lab environment with a Windows Server 2008 Active Directory domain
■ Internet access
■ Access to Microsoft TechNet

Real World
David R. Miller

In my experience as an enterprise administrator, branch offices are a natural point of vulnerability for an enterprise. They often connect to the organization’s most critical information assets, but they are ... Directory–related administrative functions. Because branch office administrators are not as skilled or as trusted as the HQ administrators and because they typically are responsible only for their local branch office systems, it is generally not desirable to add the branch office administrators to the Domain Admins group or to other domain-related built-in groups. This is usually too much privilege. As in Windows ... domain. Delegation at the domain level would require a skilled and trusted branch office administrator. If the branch office administrator is up to this level of challenge, responsibility, and authority in the enterprise, in which the branch office is its own domain, making the branch office administrator a domain administrator in his or her home domain could be a viable option. It is generally better ...