In short, network access
refers to any method an external or internal user will need to
implement in order to securely or insecurely access a resource from a
remote or internal location across a WAN or LAN. More simply put, network access
refers to any user trying to access the network from any given location
at any given time. Within Windows Server 2008, there are a myriad of
ways for this to occur, such as VPNs, dial-up connections, RADIUS
servers, or other such remote technologies.
Within the limits of
network access, you also have to consider the concept of NAT pools,
routing, and network policies (formerly referred to as remote access policies
in previous versions of Windows Server). On the enterprise level, you
combine these technologies into a very broad scope. In fact, there's a
strong possibility that some advanced enterprises may require almost
every single, if not all, of the technologies available for network
access to be in use at the same time. The days of an individual user
working only from the office and then going home for the day are gone.
Now, an employee can sit at home, log into the corporate network, and
conduct business without ever having to leave the house.
1. Password-Based Policy Authentication Protocols
When in the
"authentication" portion of network policies, you are most likely using
some form of password protocol on your WAN or LAN link as information is
transmitted across your link. If this wasn't done, then passwords could
be seen in plain-text format and could be easily compromised. Now,
although this is an option (particularly with PAP), it's normally not
recommended. Within Windows Server 2008 there are typically four
password authentication protocols used:
MS-CHAP
Microsoft Challenge
Handshake Authentication Protocol (MS-CHAP) is an earlier, now mostly
outdated, one-way authentication protocol that is used to support legacy
clients such as Windows 98. If, on the certification exam, you
encounter a question that asks you about this particular protocol, pay
careful attention because it is usually necessary only if you need to
support legacy equipment.
MS-CHAPv2
Microsoft
Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) is a
newer, improved two-way authentication method that requires both
the server and the client to authenticate. If certificates are not
available, this is the protocol Microsoft recommends for protecting the policy.
CHAP
Challenge Handshake
Authentication Protocol (CHAP) is an authentication protocol similar to MS-CHAP
that is designed for clients that do not run Windows. If you are
utilizing a realm trust or Unix-based machines, this may be an excellent
choice for your infrastructure.
PAP
Password Authentication
Protocol (PAP) is a plain-text, unencrypted password system that
authenticates password strings and verifies them for accuracy. If the
password doesn't match, authentication is denied. Both Microsoft and I
strongly recommend against this method.
Microsoft does not
recommend password-based systems and instead suggests using
certificate-based systems for all access systems that support their use.
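The difference between PAP and CHAP described above, shown as a protocol exchange. This is an added example, not code from the book or from Microsoft: the credential store and user name are constructed, CHAP is modelled on the RFC 1994 digest (MS-CHAP and MS-CHAPv2 use different response computations, but the principle that the password itself never crosses the link is the same).

```python
import hashlib
import hmac
import os

# Constructed credential store: the NPS/RADIUS side keeps the shared secret so it
# can recompute the expected CHAP response. Not Microsoft code.
SECRETS = {"alice": b"correct horse battery staple"}


def pap_exchange(username, password):
    """PAP: the client sends the password itself; returns (accepted, bytes seen on the link)."""
    wire = username.encode() + b":" + password
    accepted = hmac.compare_digest(SECRETS.get(username, b""), password)
    return accepted, wire


def chap_challenge():
    """Server side: a fresh identifier and a 16-byte random challenge for every attempt."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, challenge, secret):
    """Client side (RFC 1994): MD5(Identifier || secret || Challenge); the secret stays local."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username, identifier, challenge, response):
    """Server side: recompute with the stored secret and compare in constant time."""
    expected = chap_response(identifier, challenge, SECRETS.get(username, b""))
    return hmac.compare_digest(expected, response)


def chap_exchange(username, client_secret):
    """Whole CHAP handshake; returns (accepted, bytes seen on the link)."""
    identifier, challenge = chap_challenge()
    response = chap_response(identifier, challenge, client_secret)
    wire = bytes([identifier]) + challenge + response
    return chap_verify(username, identifier, challenge, response), wire


def replayed_response_is_rejected(username, client_secret):
    """A response captured for one challenge is useless against the next one."""
    ident, chal = chap_challenge()
    old_response = chap_response(ident, chal, client_secret)
    ident2, chal2 = chap_challenge()
    return not chap_verify(username, ident2, chal2, old_response)
```

A sniffer on the link captures the password from the PAP exchange but only a one-time challenge and digest from the CHAP exchange, which is why the plain-text option is discouraged.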
2. Certificate-Based Authentication
The far more
recommended and secure method of authenticating user identities for
network policies is using certificates. Certificates, as you know, are
individualized methods for ensuring user identity with a combination of
public and private keys, normally utilizing 128-bit encryption. These
certificates are assigned by a certificate authority, such as VeriSign,
or any machine running Active Directory Certificate Services (AD CS).
In Windows Server 2008,
remote network users authenticated by certificates using remote
protocols such as VPN utilize powerful authentication protocols, such as
Extensible Authentication Protocol-Transport Level Security (EAP-TLS),
Protected Extensible Authentication Protocol (PEAP), or Internet
Protocol Security (IPsec) to protect against unauthorized access:
EAP-TLS and PEAP
EAP-TLS and PEAP are
two-way, certificate-based authentication methods that always authenticate
the server end and can be configured to require both client and server
authentication. To implement one of these methods, the certificates used
must have a purpose configured in the extended key
usage (EKU) that matches the certificate's use. Additionally, they must
meet the X.509 certificate requirements and the requirements of
Secure Sockets Layer (SSL).
IPsec
IPsec is a very
secure, network layer authentication protocol that can support
certificates. Its most common use is for VPN access, but it can be used
for various network authentication purposes throughout the enterprise.
However, IPsec is limited in that it is designed to work only over IP,
so it is highly specialized. It is available on the Windows Server 2008,
Windows Server 2003, and Windows 2000 operating systems.
Additionally, IPsec has
the ability to be configured within Group Policy at the domain, site, or
OU level. This allows an administrator to create powerful
authentication policies for individuals at a very granular level.
3. Network Access Policies and the Network Policy Server
With the release of
Windows Server 2008, Microsoft has included a new server role called the
network policy server (NPS). The network policy server is responsible
for (as the name implies) the maintenance and enforcement of network
access policies for services such as VPN, Routing and Remote Access
(RRAS), and other features. NPS is a replacement for the Windows
Internet Authentication Service (IAS) available on Windows 2000 and
Windows Server 2003. In total, NPS is responsible for the following:
Routing of LAN/WAN traffic
Resource access via VPN and dial-up
Network access policies
VPN connection services
Dial-up connection services
RRAS
802.1X switch authentication
In effect, NPS
is the Microsoft implementation of a RADIUS server and proxy. It's
incredibly powerful in that it allows a lot more utilization than
previous incarnations of Windows Server and doesn't require much setup
or configuration. In addition, NPS is a prerequisite for NAP, which is
responsible for maintaining the health of your network.
RADIUS
RADIUS stands for
Remote Authentication Dial-In User Service and provides authentication
for dial-up, VPN, and even wireless client authentication. Within
Windows Server 2008, this is managed by the network policy server. The
advantage of it is that you can configure RADIUS policies in each RADIUS
server. Additionally, it supports auditing and logging in a centralized
users database that is easily accessed by administrators. Specifically,
RADIUS supports the following:
VPN
A virtual private network
(VPN) is a remote authentication technology that allows a computer that
exists outside the LAN to act as part of that network via the WAN
connection. VPNs are low-cost, low-upkeep solutions that utilize
encryption in order to maintain security within the organization. From a
broad perspective, you should be concerned with the type of encryption
used on the links established from the Internet to the internal network. You
need to pay attention to two of these protocols:
PPTP
The Point-to-Point Tunneling
Protocol (PPTP) is an extension of the Point-to-Point Protocol (PPP)
that encapsulates PPP packets over the IP layer in TCP/IP networks. It
is defined in RFC 1171, has been in existence for a very long time, and
is somewhat antiquated. The advantage of PPTP in VPNs is that it is
relatively secure and fairly easy to set up.
L2TP
The Layer 2 Tunneling Protocol
(L2TP) is a standard established by the Internet Engineering Task
Force. It combines Cisco's Layer 2 Forwarding and Microsoft's PPTP.
Technically, L2TP is an extension of PPP; it allows for vendor
independence and multiple hops, and it can be combined with
IPsec to form a very secure connection. Recently, L2TP has gained
popularity over the seemingly obsolete PPTP, and it has the added bonus
of tunneling the already accepted PPP standard.
3.1. Network Access Policies
Network access policies
are policies given to remote users that determine where, when, who, and
how a network is remotely accessed. The way these particular policies
are determined is by examining the number of users, type of environment,
and overall feel of the organization in order to accommodate the exact
needs of the users involved. Each of these policies is set in the
network policy server under a certain set of conditions:
Groups
This can be Windows groups, machine groups, or user groups.
HCAP
Host Control Authorization
Protocol (HCAP) location groups and user groups. HCAP is used to communicate
between the network policy server and the network access server.
Day and time
This specifies when a policy can be active (specified by date and time).
Network access
This is a condition that occurs based on NAP policies.
Connection
This specifies conditions based on IP address type, authentication type, protocol type, and tunnel type (PPTP/L2TP).
RADIUS client
This specifies what type of role the client is playing in the RADIUS setup.
Gateway
This defines conditions based on the network access server role.
These conditions are further refined by certain constraints:
Authentication methods
This defines clients by authentication type.
Idle timeout
This defines the maximum idle time.
Session timeout
This defines how long a session can last.
Called station ID
This specifies the phone number of the network access server.
Day and time restrictions
These are date and time restrictions.
NAS port type
This defines the media type allowed to connect.
Lastly, these conditions and constraints are refined by settings, based on the type of connection being used:
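How the conditions and constraints listed above fit together when a connection request reaches the network policy server, as an added example that is not from the book or from Microsoft. It is a simplified model: policies are tried in order, the first policy whose conditions all match is used, and that policy's constraints then decide accept or reject; the policy set, user names, group names and time windows are constructed, and the real NPS evaluates more conditions (HCAP, RADIUS client, gateway) and applies settings afterwards.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed, simplified model of NPS network policy processing (not Microsoft's code).

@dataclass
class Request:
    user: str
    groups: set          # Windows groups the user belongs to
    nas_port_type: str   # media type, e.g. "Virtual (VPN)"
    tunnel_type: str     # "PPTP" or "L2TP"
    auth_method: str     # "PAP", "CHAP", "MS-CHAPv2", "EAP-TLS"
    when: datetime

@dataclass
class Policy:
    name: str
    groups: set           # condition: user is in any of these groups
    tunnel_types: set     # condition: connection tunnel type
    weekdays: set         # condition: 0 = Monday ... 6 = Sunday
    hours: tuple          # condition: (first hour, last hour exclusive)
    auth_methods: set     # constraint: permitted authentication methods
    nas_port_types: set   # constraint: permitted media types
    session_timeout: int  # constraint: minutes

def conditions_match(p, r):
    return (bool(p.groups & r.groups) and r.tunnel_type in p.tunnel_types
            and r.when.weekday() in p.weekdays and p.hours[0] <= r.when.hour < p.hours[1])

def constraints_ok(p, r):
    return r.auth_method in p.auth_methods and r.nas_port_type in p.nas_port_types

def evaluate(policies, r):
    """Return ('Accept', policy name, session timeout) or ('Reject', reason, None)."""
    for p in policies:  # first policy whose conditions match is the one that decides
        if conditions_match(p, r):
            if constraints_ok(p, r):
                return ("Accept", p.name, p.session_timeout)
            return ("Reject", p.name + ": constraint failed", None)  # no fall-through
    return ("Reject", "no matching policy", None)

def vpn_request(user, groups, when_iso, auth_method="MS-CHAPv2", tunnel_type="L2TP"):
    """Build a VPN connection request; when_iso is an ISO timestamp such as '2008-03-03T10:00'."""
    return Request(user, set(groups), "Virtual (VPN)", tunnel_type, auth_method,
                   datetime.fromisoformat(when_iso))

def sample_policies():
    """Constructed policy: Staff may use L2TP over VPN on weekdays 07:00-19:00, not with PAP or CHAP."""
    return [Policy("VPN Staff", {"Staff"}, {"L2TP"}, {0, 1, 2, 3, 4}, (7, 19),
                   {"MS-CHAPv2", "EAP-TLS"}, {"Virtual (VPN)"}, 480)]
```

Note the two distinct rejection paths: a request outside the policy's conditions (wrong group, PPTP, a Saturday) matches no policy at all, whereas a request that matches the conditions but fails a constraint (PAP) is rejected by that policy and is not tried against later ones.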
4. Perimeter Networks
A perimeter network
is a network that exists internally but is completely exposed to the
outside world and devoid of security. Outside the Windows Server world, a
perimeter network is also called a demilitarized zone
(DMZ). The purpose of a DMZ is to serve as a place set apart from the
rest of the network that first exposes itself to any potential attack.
More often than not, a DMZ will also be backed up by a honey pot,
which is a machine designed to appear as if it has vital information to
an organization that may be of interest to a malicious hacker but in
reality is merely a trap to isolate the malicious user and identify them
in order to prevent access or aid in prosecution. However, there are
now certain legal issues in place that have made these less popular.
Almost always, a DMZ is separated from the internal network by a firewall,
which is a hardware or software device that filters packets and
determines where they will and will not be allowed to forward based on
their origin, destination, protocol, and other such information. When
designing a perimeter network, you have to take into account the
available budget for your network, number of users, redundancy
requirements, availability, and scalability. Each of these factors will
determine what type of firewall you can use and how many of them you can
use.
4.1. Possible Perimeter Intrusion Attacks
Although it may not be a
complete list, Microsoft's recommendations for perimeter network design
list the possible attacks you will need to plan against
in case of network intrusion:
Packet sniffers
These are applications or hardware devices that monitor the network at the packet level for the purpose of exploitation.
IP spoofing
This is falsifying an IP address for the purpose of gaining false authorization.
Denial-of-service attacks
These are attacks that
attempt to stop a service from running by compromising it
through a sustained software attack or a hardware attack.
Application layer attacks
These are exploitations of software at the application level.
Network reconnaissance
This is using detailed information gained by extensive study to find weak points in the network.
Viruses
These are malicious programs designed to penetrate a network and cause adverse effects.
4.2. Firewall Classes
Firewalls can be either
hardware or software and come in many different shapes, sizes, and
capabilities. Microsoft has defined five classes of firewalls, as
outlined in Table 1.
Table 1. Microsoft Firewall Classes
Class | Type | Design Purpose |
---|---|---|
1 | Personal (software) firewall | Small, individual users requiring little to no extensive firewall protection |
2 | Router firewall | Small to medium businesses requiring packet-level routing, inspection, and NAT |
3 | Low-end hardware firewall | Dedicated firewalls that require little configuration and can incorporate switch and VPN capabilities |
4 | High-end hardware firewall | High-performance, dedicated firewalls that require setup and firewall specifications |
5 | High-end server firewall | Dedicated server-based firewall using both hardware and software procedures to ensure an incredibly fast and secure network |
Active Directory Federation proxy servers should be placed within the perimeter network!
4.3. Firewall Options
Whenever you are setting up
your firewall initially, you have a choice of three design options to
use, each of which has advantages and disadvantages based on your
overall network design. Usually, the firewall option will be one of the
following: bastion host, three-homed firewall, or back-to-back
firewalls.
4.3.1. Bastion Host
A bastion host
is a single firewall that is placed up front and is the only existing
firewall on the network. The advantage of this design is that it is cheap,
easy, and usually pretty effective. However, it is also a single point
of failure and, if bypassed, can cause serious concerns throughout the
rest of the network.
4.3.2. Three-Homed Firewall
A three-homed
firewall is connected to three different locations on the network. This
sounds a bit more complicated than it actually is. In reality, a
three-homed firewall is connected to the following three networks:
The internal network, where all the internal user computers are located
The perimeter network, where the honey pot or AD FS proxy may be located
The Internet, from where the external requests and most of the filtering originate
4.3.3. Back-to-Back Firewalls
The inherent design of back-to-back firewalls
is to have one firewall connected to another, which requires double
authentication when crossing beyond the second firewall. Usually, this
type of design is either implemented to reduce hardware/software load on
a firewall or implemented in order to have a perimeter network.
5. Server Placement
Within Windows Server 2008
infrastructures you're going to have a lot of options in complex
environments regarding where to place your network components.
Accordingly, you should follow a few general guidelines when considering
VPN, RADIUS, and DHCP server locations.
5.1. VPN Server Placement
VPN servers can be placed
either in front of or behind a firewall. In truth, there are advantages
to both. On one hand, VPN servers that are placed in front of a
firewall ease the load on the overall infrastructure and can directly
pass data received from Internet requests onto the rest of the network;
on the other hand, VPN servers placed in front of the firewall are
exposed to malicious users. When servers are placed behind the firewall,
however, the VPN server is more protected, but it requires more load to
be placed on the firewall and additional overhead from an administrator
during setup to ensure traffic can be easily sent across the perimeter
network.
5.2. NPS Placement
The easy rule of thumb when
placing a network policy server is as follows: place it near or on a
domain controller and near the user population that will be taking
advantage of it. By placing the NPS near or on a domain controller, it
enables the server to easily authenticate user accounts it will be
using, and by placing it near the user accounts that may be using it for
a feature such as RADIUS, you will ensure that they have the shortest
link requirements possible.
5.3. DHCP Server Placement
When opting to use DHCP in your infrastructure, two options are available:
Ideally, DHCP servers will be
placed within the subnet. This is because by default DHCP servers can
assign dynamic addresses only to the subnet to which they have been
assigned without using a DHCP relay. Thus, if you require only one DHCP
server in one particular subnet, the placing becomes simple: the DHCP
server goes in the subnet.
However, if this isn't an
option, the best place to place a DHCP server is in a secure location
within your infrastructure that can be handed packets from all subnets.
The exception to this is if you have multiple DHCP servers, in which
case you would want each DHCP server to be placed in a location where it
can easily access the subnets to which it needs access via router
links. In either case, a DHCP server will need to be forwarded
DHCP/BOOTP packets via a DHCP relay agent, which can be installed on any
given Windows Server machine. All this requires is for you to ensure
that communication can be established with the appropriate server and
that each relay agent points to the appropriate DHCP server for that
subnet.