In the Windows Firewall with Advanced Security MMC snap-in, which of the following involve IPsec?

Securing Network Access

Derrick Rountree, in Windows 2012 Server Network Security, 2013

IPSec Monitoring in Windows Firewall with Advanced Security

IPSec monitoring can be done in the Monitoring section of Windows Firewall with Advanced Security. There are two nodes that will provide you the information you need: Connection Security Rules and Security Associations.

Connection Security Rules

The Connection Security Rules node will list all the active IPSec configuration rules on the system. Here you can view information such as the rule name, the endpoints involved, and the authentication methods configured. You can also view the properties for the rule, to see more detailed information.

Security Associations

Security associations are stored secure connection information. There are two types of security associations: main mode and quick mode. Main mode negotiation is a negotiation between two computers which want to establish a secure connection. The negotiation includes establishing the secure cryptographic protection suite, determining the key method, and authentication.

URL: https://www.sciencedirect.com/science/article/pii/B9781597499583000030

Mitigating Network Vulnerabilities

Thomas W. Shinder, ... Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

Configuring IPsec Rules on Windows Firewall with Advanced Security

In order to use connection security rules, both of the computers involved in the communications must have IPsec policies configured. Authentication for connection security rules can be based on Kerberos in an Active Directory domain, or on certificates or preshared keys. There are five different types of connection security rules that you can create:

Isolation—allows you to restrict communication to only those hosts that can authenticate using specific credentials. For example, you can allow communications only to computers that are joined to an Active Directory domain.

Authentication exemption—allows you to configure exemptions to the isolation rules, such as an exemption to our previous example that would allow connections to a DNS server without the requirement to authenticate.

Server-to-server—allows you to secure the connections between two specific computers, such as a connection between a database and an application server.

Tunnel—allows you to create rules that work in the same way as server-to-server rules but are implemented through tunnels (site-to-site connections).

Custom—allows you to create rules with special settings based on your specific needs.

The first step in securing communications with IPsec is to create a rule. In the WFAS console, right-click Connection Security Rules in the left pane and select New Rule… or select it in the Action menu or the right Action pane. The New Connection Security Rule Wizard opens by asking you to select the rule type from the list discussed above, as shown in Figure 11.30.

Figure 11.30. You can create one of the five types of connection security rules.

When you create an isolation rule, the next step is to select when you want authentication to take place. You have three choices here, as shown in Figure 11.31:

Figure 11.31. You must select when you want authentication to occur.

You select Request authentication for inbound and outbound connections to have the communications authenticated whenever possible, but authentication is not required so communication can still be established if the computer on the other end does not support it.

You can select Require authentication for inbound connections and request authentication for outbound connections if you want to ensure that only authenticated incoming communications will be allowed. If the computer sending the request is unable to authenticate, the connection will be rejected. Outbound communications will be treated in the same way as above—authenticated when possible but allowed without authentication.

For the highest level of security, you can select Require authentication for inbound and outbound connections. With this choice, only authenticated connections are allowed.

On the next page of the wizard, shown in Figure 11.32, you specify what authentication method you want to use for this rule.

Figure 11.32. You must select an authentication method to use for the connections.

You have four choices here:

You can choose Default and use the authentication methods that are defined in the IPsec settings.

You can choose Computer and User to use Kerberos v5 and restrict communications to connections from domain-joined users and computers only.

You can choose Computer to use Kerberos v5 and restrict communications to connections from domain-joined computers only.

You can choose the Advanced option and specify custom settings for first and second authentication methods.

When you choose to customize the authentication methods, you can list multiple methods to be tried, and they will be tried in the order in which you place them in the list. You do this for both first and second authentication, and you can also choose whether to make first or second authentication optional. You will not be able to specify a second authentication if a preshared key is listed in the first authentication methods list.

The next step is to select the network type(s) to which the rule applies, just as you do with firewall rules (domain, private, or public).

Then you give the rule a name (and description if you want) and it will appear in your list of Connection Security Rules in the middle pane of the WFAS console, as shown in Figure 11.33.

Figure 11.33. Your new rule appears in the middle pane of the WFAS console.

To disable or delete it, right-click it and choose the appropriate option. To modify it, choose Properties. This opens its Properties sheet with tabs for General info, Remote Computers, Protocols and Ports, Authentication, and Advanced, as shown in Figure 11.34. Here, you can make changes to the selections you made in the wizard and also configure some settings that did not appear in the wizard.

Figure 11.34. You can modify the rule through its Properties sheet.

On the Remote Computers tab, you can specify the IP addresses of the endpoints to which you want the rule to apply. On the Protocols and Ports tab, you can apply the rule only to specific protocol types (for example, IPv6 or L2TP) or specific ports on each of the endpoints. On the Authentication tab, you can change the authentication mode (Request/require on inbound/outbound) and/or the authentication method that you set in the wizard. On the Advanced tab, you can not only change the network type(s) to which the rule applies but also specify that it applies only to certain interface types (local area network, remote access, and/or wi-fi), and you can specify whether IPsec tunneling should be used. When tunneling is used, you need to set the authentication mode to “Require inbound and outbound.”

You can also create IPsec policies through the IP Security Policies snap-in in the Microsoft Management Console, via the command-line netsh tool or PowerShell, but that is beyond the scope of this chapter.
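The wizard steps above, and the Monitoring nodes described in the first excerpt, can be reproduced with the NetSecurity PowerShell module that ships with Windows 8 / Windows Server 2012 and later. This is an added example, not code from any of the books quoted here; the function name, parameter names, and every "Example - ..." display name are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: the isolation-rule wizard expressed as NetSecurity cmdlets.
# The function, its parameters and the 'Example - ...' names are hypothetical.
Import-Module NetSecurity

function New-ExampleIsolationRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The three choices on the wizard's authentication-requirements page.
        [ValidateSet('RequestBoth', 'RequireInboundRequestOutbound', 'RequireBoth')]
        [string]$Requirement = 'RequestBoth',

        # Network types the rule applies to (domain, private, public).
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]]$NetworkProfile = @('Domain'),

        [string]$DisplayName = 'Example - Domain isolation'
    )

    # Map each wizard choice to the inbound/outbound security settings.
    $choices = @{
        RequestBoth                   = @{ Inbound = 'Request'; Outbound = 'Request' }
        RequireInboundRequestOutbound = @{ Inbound = 'Require'; Outbound = 'Request' }
        RequireBoth                   = @{ Inbound = 'Require'; Outbound = 'Require' }
    }
    $security = $choices[$Requirement]

    if (-not $PSCmdlet.ShouldProcess($DisplayName, "Create IPsec rule ($Requirement)")) {
        return
    }

    # Authentication method "Computer (Kerberos V5)": a first-authentication
    # set that contains a single computer-Kerberos proposal.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName "$DisplayName - auth" -Proposal $proposal

    New-NetIPsecRule -DisplayName $DisplayName `
        -InboundSecurity  $security.Inbound `
        -OutboundSecurity $security.Outbound `
        -Phase1AuthSet    $authSet.Name `
        -Profile          ($NetworkProfile -join ', ') `
        -Enabled          True
}

# "Request" in both directions still allows traffic from peers that cannot authenticate.
New-ExampleIsolationRule -Requirement RequestBoth -NetworkProfile Domain

# Monitoring > Connection Security Rules: the rules in effect on this computer.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Format-Table DisplayName, Enabled, InboundSecurity, OutboundSecurity, Profile -AutoSize

# Monitoring > Security Associations: main mode and quick mode.
Get-NetIPsecMainModeSA  | Format-List *
Get-NetIPsecQuickModeSA | Format-List *

# Remove the example objects again.
Remove-NetIPsecRule -DisplayName 'Example - Domain isolation'
Remove-NetIPsecPhase1AuthSet -DisplayName 'Example - Domain isolation - auth'
```

Running the function with -WhatIf shows what would be created without changing the policy.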

URL: https://www.sciencedirect.com/science/article/pii/B978159749980400011X

Microsoft Vista: Networking Essentials

In Microsoft Vista for IT Security Professionals, 2007

Configuring an Isolation Rule

To configure an isolation connection security rule, select Isolation from the screen shown in Figure 6.29 and then click Next. You will then be prompted to select one of the following three authentication requirements for the new isolation rule:

Request authentication for inbound and outbound connections

Require authentication for inbound connections and request authentication for outbound connections

Require authentication for inbound and outbound connections

Once you have made your choice, click Next. You will then be prompted to select the authentication method that this rule should use. Choose among the following:

Default.

Computer and User (Kerberos V5).

Computer (Kerberos V5).

Computer Certificate. If you select this option, you will be prompted to enter the name of a CA on your network. You will also have the option to accept only NAP health certificates.

Advanced. If you select this option, you will be prompted to configure a custom authentication method as described in the “Authentication Method” section, earlier in this chapter.

Once you have made your choice, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles.

Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click on the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard.

URL: https://www.sciencedirect.com/science/article/pii/B9781597491396500108

Securing Windows 7

Jorge Orchilles, in Microsoft Windows 7 Administrator's Reference, 2010

Advanced Firewall Settings

The basic firewall settings are limited to only allowing certain applications through the Windows Firewall. Microsoft included in Windows 7 an MMC console called Windows Firewall with Advanced Security for this reason. This console may be accessed from the Local Group Policy Editor, Local Security Policy, or Windows Firewall Control Panel console and is illustrated in Figure 8.27. This MMC allows much more granular configuration of the Windows Firewall, Inbound Rules, Outbound Rules, Connection Security Rules, and Monitoring.

FIGURE 8.27. Windows Firewall with Advanced Security

The main window of Windows Firewall with Advanced Security provides an overview of the firewall profiles. As shown in Figure 8.27, there are three different profiles: domain profile for the domain network location, private profile for the home and work network location, and public profile for the public network location. Under each profile is the Windows Firewall Properties associated with the profile. On the left panel, there are the different rule sets including Inbound Rules, Outbound Rules, Connection Security Rules, and Monitoring, which is a simple view of each rule type. The Action menu in the main view allows administrators to import or export firewall policy. This is very important for backing up Windows Firewall Policy and distributing a policy among other computers. The Action menu also can restore the policy to default.

To configure the Windows Firewall Properties:

1. Click Windows Firewall Properties from the Overview window or from the Action menu.

2. Select the profile to edit from the tabs: Domain Profile, Private Profile, or Public Profile (Figure 8.28). Note that the options are the same for each tab.

3. State:

   a. Firewall state – This option sets the firewall on or off for the selected profile.

   b. Inbound connections – This option can be set to block all inbound connections, allow all inbound connections, or block (default). Block will block all inbound connections except the ones specifically allowed through a rule.

   c. Outbound connections – This option can be set to block or allow outbound connections except the ones specifically allowed or denied through a rule.

   d. Protected network connections – This option chooses what network connections may use the selected profile.

4. Settings – Clicking the Customize button will allow you to configure:

   a. Display a notification – This will show a notification in the Action Center when an inbound connection is blocked as shown in Figure 8.28.

   b. Allow unicast response – This allows the sending of unicast responses to multicast or broadcast network traffic as shown in Figure 8.28.

   c. Rule merging – This can merge local policy rules with Group Policy rules as shown in Figure 8.28.

5. Logging – Clicking the Customize button will allow you to configure:

   a. Name – The location to store firewall logs. Default is %SystemRoot%\system32\logfiles\firewall\pfirewall.log.

   b. Size limit – The maximum size of the log file. When the log is full, it will begin overwriting the oldest data first.

   c. Log dropped packets – This will log when packets are dropped. This may be useful to troubleshoot network issues.

   d. Log successful connections – This will log every successful connection to the local computer.

6. IPsec settings – This configures the settings for connection security rules. IPsec settings include Key exchange (main mode), data protection (quick mode), and authentication method.

7. Click OK.

FIGURE 8.28. Windows Firewall Properties
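Once "Log dropped packets" is enabled, the log named in step 5 can be summarized with a short script. This is an added example, not code from the book: the function name is an assumption, the sample lines are constructed (documentation-range addresses), and the column names are taken from the log's own #Fields header line rather than hard-coded.

```powershell
# Added example: parse pfirewall.log and count dropped inbound packets per source and port.
# $sampleLog is constructed for illustration; it follows the layout of a real pfirewall.log.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 09:12:01 DROP TCP 203.0.113.7 192.0.2.10 51514 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-01-15 09:12:02 DROP TCP 203.0.113.7 192.0.2.10 51515 3389 52 S 1234999 0 8192 - - - RECEIVE
2024-01-15 09:12:05 ALLOW UDP 192.0.2.10 192.0.2.53 53211 53 0 - - - - - - - SEND
2024-01-15 09:12:09 DROP TCP 198.51.100.23 192.0.2.10 40022 445 52 S 7654321 0 8192 - - - RECEIVE
2024-01-15 09:12:11 DROP UDP 203.0.113.7 192.0.2.10 137 137 78 - - - - - - - RECEIVE
2024-01-15 09:12:12 DROP TCP 203.0.113.7 192.0.2.10 51516
'@

function ConvertFrom-FirewallLog {
    # Hypothetical helper: turns log lines into objects keyed by the #Fields column names.
    param([string[]]$Line)

    $fields = $null
    foreach ($entry in $Line) {
        if ($entry -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and anything before the header.
        if ($entry -match '^\s*(#|$)' -or -not $fields) { continue }

        $values = $entry.Trim() -split '\s+'
        # A line cut off by log rollover has too few columns; ignore it.
        if ($values.Count -lt $fields.Count) { continue }

        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-DroppedInboundSummary {
    # Groups DROP entries received by this computer by source address and destination port.
    param([string[]]$Line)

    ConvertFrom-FirewallLog -Line $Line |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Against the constructed sample:
Get-DroppedInboundSummary -Line ($sampleLog -split "`r?`n")

# Against the live log (elevated prompt, default location from step 5a):
# Get-DroppedInboundSummary -Line (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```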

The Windows Firewall Properties are important because the Inbound and Outbound Rules depend on the configuration. To view any of these rules, one must expand the Windows Firewall with Advanced Security node in the MMC and select the desired rules to view. Each rule has a number of tabs and configurations. Understanding these properties will make creating Inbound and Outbound Rules much easier. To view the properties of a rule:

Double-click the rule

Right-click the rule and select Properties

Select Properties from the Action menu

The Properties for an Inbound or Outbound Rule are:

General – The General rule information and action.

- General – The name and description of the rule. A check box to enable or disable the rule.
- Action – The options are to allow the connection, allow the connection only if secure, or block the connection. If allowing the connection only if it is secure, the administrator must choose to:
  - Allow the connection if it is authenticated and integrity-protected – This uses IPsec.
  - Require the connections to be encrypted – This requires encryption as well as IPsec.
  - Allow the connection to use null encapsulation – This only requires authentication.
  - Override block rules

Programs and Services – This can configure the rule to a certain program or service or both.

- Programs – This option is to allow all programs that meet the conditions or specify a program in particular.
- Services – This specifies a particular service for the rule.

Computers – This can set the rule to only allow connections from certain computers or to skip the rule for certain computers. To only allow connections from certain computers, allow only if secure must be used in the General tab.

Protocols and ports – This is the basic network firewall configuration to select the following:

- Protocol Type – Any or from a list of protocol types including: HOPOPT, ICMPv4, IGMP, TCP, UDP, IPv6, IPv6-Route, IPv6-Frag, GRE, ICMPv6, IPv6-No Nxt, IPv6-Opts, VRRP, PGM, L2TP.
- Protocol Number – This is set if the Custom protocol type is selected.
- Local Port – This sets all ports, specific ports (allows ranges), RPC Dynamic Ports, RPC Endpoint Mapper, or IPHTTPS.
- Remote Port – This sets for all ports or specific ports (allows ranges).
- ICMP Settings – This can be set to apply to all ICMP types or specific ICMP types.

Scope – This sets the scope to any or specific local or remote IPs.

Advanced – This sets profiles, interface types, and edge traversal.

- Profiles – This specifies which profiles the rule applies to.
- Interface types – This applies the rule to all network interfaces or only selected interfaces.
- Edge traversal – Setting for accepting unsolicited inbound packets through an edge device. One may block, allow, or defer to user or application.

Users – Setting to only allow connections from certain users or exceptions for certain users.

As one can see, the advanced settings for Inbound Rules and Outbound Rules contain many settings that can be tweaked to a very granular level. This flexibility proves the advances that Windows 7 has made with Windows Firewall from its introduction in Windows XP.

Creating an Inbound Rule or Outbound Rule is very similar and uses the New Rule wizard. Right-click Inbound Rules or Outbound Rules on the left panel depending on which will be created and select New Rule…. The New Rule wizard will ask a number of questions in reference to the rule that will be created. The first screen will ask you to select a Program, Port, Predefined connection, or Custom rule type. Custom will allow you to create a more specific rule as referenced in this section.

The Connection Security Rules configure IPsec, which is a newer, more secure Internet Protocol (IP). It uses authentication and encryption for each IP packet at the beginning and during the session. IPsec may be enabled between two hosts such as a client and a server or between a security gateway and a host. Configuring IPsec is more complex than an Inbound or Outbound Rule. To create an IPsec rule, right-click Connection Security Rules on the left pane and select New Rule…. The first screen of the Rule wizard will ask for the rule type to be used. The options are:

Isolation – This bases authentication on domain membership or health status.

Authentication exemption – This does not authenticate from certain computers.

Server-to-server – This authenticates between two hosts.

Tunnel – This authenticates between security gateways.

Custom – This uses any of the above options or a combination of the above options.

The monitoring console displays a more detailed view of the current firewall profile and the properties associated with it. Expanding the monitoring node will display Firewall, Connection Security Rules, and Security Associations where each of these may be viewed in a single location.

Finally, Microsoft has changed the command line command for configuring the firewall. The new command is netsh advfirewall. For a list of commands use netsh advfirewall /? as shown in Figure 8.29 or netsh advfirewall firewall /? in an elevated command prompt. These commands configure the firewall policy through the command line for scripts or remote management.

FIGURE 8.29. Firewall Policy Command Line Options

URL: https://www.sciencedirect.com/science/article/pii/B9781597495615000085

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

802.1x Wired and Wireless Access

IEEE 802.1x standards define an effective framework for controlling and authenticating clients to a wired or wireless protected network—in this case a NAP infrastructure. These standards define port-based authentication on supported devices. These devices could be switches or wireless access points that support the IEEE 802.1x standard. The IEEE standard is significant because it has been accepted by hardware and software vendors—their products will be designed with the standards in mind. What does this mean for you and me? All hardware that is 802.1x based should work with RADIUS and NAP.

An 802.1x deployment consists of three major components that allow for the authentication process to work correctly (see Figure 4.6).

Figure 4.6. Components of 802.1x

Supplicant: a device that requests access to our network and is connected via a pass-through authenticator.

Pass-through authenticator: a switch or access point that is 802.1x compliant.

Authentication server: when the supplicant connects to the pass-through authenticator, the request is passed to the authentication server by the pass-through authenticator. The authentication server decides whether the client is granted access or denied.

Authentication is handled using the Extensible Authentication Protocol (EAP). EAP messages used in the authentication process are transmitted between the supplicant and pass-through authenticator using EAP over LAN (EAPoL). The pass-through authenticator talks to the RADIUS server using RADIUS messages and EAP.

When NAP uses IEEE 802.1x, the authenticating pass-through authenticator uses the RADIUS protocol. NPS instructs the pass-through authenticator (wireless access-point or switch) to place supplicants that are not in compliance with NPS into a restricted network. The restricted network could be a separate VLAN or a network with IP filters in place to isolate it from the secured network.

WLAN Authentication Using 802.1x and 802.3

NPS is responsible for network security and is used to provide secure wireless access. Windows Server 2008 also provides features that enable you to deploy 802.1x authenticated wired service for IEEE 802.3 Ethernet network clients. In conjunction with 802.1x capable switches and other Windows Server 2008 features, you can control network access through Wired Network Policies in Windows Server 2008 Group Policies. Recall that NPS is used to configure remote connections. The 802.3 wired network specification allows you to use the 802.1x specification to provide wired networking access. This is configured via NPS and uses Protected Extensible Authentication Protocol (PEAP) authentication. It is outside the scope of this book to discuss how to plan, configure, and deploy a WLAN authentication method, but we will discuss these concepts to the extent you need to understand the changes in the Windows Server 2008 environment.

Let's start with some definitions as a review. The 802.11 standard defined the shared key authentication method for authentication and Wired Equivalent Privacy (WEP) for encryption for wireless communications. 802.11 ultimately ended up being a relatively weak standard and newer security standards are available and recommended for use. The 802.1x standard that existed for Ethernet switches was adapted to the 802.11 wireless LANs to provide stronger authentication than the original standard. 802.1x is designed for medium to large wireless LANs that have an authentication infrastructure, such as AD and RADIUS in the Windows environment. With such an infrastructure in place, the 802.1x standard supports dynamic WEP, which uses mutually determined keys negotiated by the wireless client and the RADIUS server. However, the 802.1x standard also supports the stronger Wi-Fi Protected Access (WPA) encryption method. The 802.11i standard formally replaces WEP with WPA2, an enhancement to the original WPA method.

Wireless and Wired Authentication Technologies

Windows Server 2008 supports several authentication methods for authenticating that a computer or user is attempting to connect via a protected wireless connection. These same technologies support 802.1x authenticated wired networks as well. These Extensible Authentication Protocol (EAP) methods are:

EAP–TLS

PEAP–TLS

PEAP–MS–CHAPv2

Extensible Authentication Protocol–Transport Layer Security (EAP–TLS) and Protected Extensible Authentication Protocol–Transport Layer Security (PEAP–TLS) are used in conjunction with Public Key Infrastructure (PKI) and computer certificates, user certificates, or smart cards. Using EAP–TLS, a wireless client sends its certificate (computer, user, or smart card) for authentication and the RADIUS server sends its computer certificate for authentication. By default, the wireless client authenticates the server's certificate. With PEAP–TLS, the server and client create an encrypted session before certificates are exchanged. Clearly, PEAP–TLS is a stronger authentication method because the authentication session data is encrypted.

If there are no computer, user, or smart card certificates available, you can use PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2). This is a password-based authentication method in which the exchange of the authentication traffic is encrypted (using TLS), making it difficult for hackers to intercept and use an offline dictionary attack to access authentication exchange data. That said, it's the weakest of these three options for authentication because it relies on the use of a password.

A Windows-based client running Windows Vista or Windows Server 2008 can be configured in the following ways:

Group Policy

Command line

Wired XML profiles

Using Group Policy, you can configure the Wired Network (IEEE 802.3) Policies Group Policy extension, which is part of Computer configuration Group Policy that can specify wired network settings in the AD environment. The Group Policy extension applies only to Windows Server 2008 and Windows Vista computers. The command line can be used within the netsh context using the lan command (netsh lan). You can explore the available commands by typing netsh lan /? at the command line prompt. Wired XML profiles are XML files that contain wired network settings. These can be imported and exported to Windows Server 2008 and Windows Vista clients using the netsh context as well. You can use netsh lan export profile or netsh lan add profile to export or import a wired profile using the command line.

For Windows XP SP2 or Windows Server 2003-based computers, you can manually configure wired clients by configuring 802.1x authentication settings from the Authentication tab of the properties dialog box of a LAN connection in the Network Connections folder, as shown in Figure 4.7, which shows the Network Connections Properties dialog box from a Windows XP Pro SP2 computer.

Figure 4.7. 802.1x Settings on Wired Windows XP SP2 Client

Implementing Secure Network Access Authentication

Although it's outside the scope of this chapter to go into the details of PKI, it is useful to look at some of the ways PKI can be used as part of a Windows-based authentication infrastructure for secure network access using the protocols discussed in this section.

When using PEAP–MS-CHAPv2 for network access authentication, configure Group Policy for autoenrollment of computer certificates to install computer certificates on the NPS servers.

When using certificates for computer-level network access authentication, you should configure Group Policy for autoenrollment of computer certificates. This applies if you're using EAP–TLS or PEAP–TLS for computer-level wireless authentication.

When you are using certificates for user-level network access authentication, configure a certificate template for user certificates and also configure Group Policy for autoenrollment of user certificates. As with computer-level certificates, this is needed when using EAP–TLS and PEAP–TLS.

Group Policy is also an important part of securing network access and authenticating computers and users. You can use Group Policy to deploy settings to install a root certificate on a domain member computer to validate computer certificates of the NPS servers. It can also be used to autoenroll user and computer certificates on domain member computers for user- and computer-level certificate-based authentication.

In addition to being useful in the deployment of certificate-based authentication, Group Policy is also useful in deploying configuration settings for:

802.11 wireless network profiles

802.1x wired network profiles

Windows Firewall with Advanced Security connection security rules to protect traffic

NAP client configuration

Notes from the Underground…

Changes to Authentication Protocols

PPP-based connections no longer support the SPAP, EAP-MD5-CHAP and MS-CHAPv1 authentication protocols. Remote access PPP-based connections now support the use of Protected EAP (PEAP) with PEAP-MS-CHAP v2 and PEAP-TLS. Keep this in mind as you plan out your new Windows Server 2008 remote access options.

EAPHost architecture in Windows Server 2008 and Windows Vista includes new features not supported in Windows Server 2003 and Windows XP including:

Support for additional EAP methods

Network discovery (as defined in RFC 4284)

RFC 3748 compliance and support for expanded EAP types including vendor-specific EAP types

Coexistence of multiple EAP types (Microsoft and Cisco, for example)

Configuring 802.1x Settings in Windows Server 2008

You can configure wired policies from the Computer Configuration | Policies | Windows Settings | Security Settings | Wired Network (IEEE 802.3) Policies node in the Group Policy Management Editor snap-in via the MMC. By default, there are no wired policies in place. To create a new policy, use the following steps:

1. Right-click the Wired Network (IEEE 802.3) Policies in the console tree of the GP Editor snap-in.

2. Click Create A New Windows Vista Wired Policy.

3. The New Windows Vista Wired Policy Properties dialog is displayed, shown in Figure 4.8. It has two tabs: General and Security. The General tab is selected by default. Enter the policy name and description and ensure the checkbox for “Use Windows Wired Auto Config service for clients” is checked.

Figure 4.8. New Vista Wired Network Policy Properties Security Tab

4. Click the Security tab to set security options. On this tab, click the checkbox next to “Enable use for IEEE 802.1X authentication for network access” then click the dropdown box to select a network authentication method (EAP, PEAP, MS-CHAPv2). Also select the “Authentication Mode” from the second dropdown box. The options are User re-authentication, computer only, user authentication, or guest authentication. Also select the number of times the authentication can fail before it is abandoned (1 is the default). The last setting in the Security tab is a checkbox whether to “Cache user information for subsequent connections to this network.” If this checkbox is cleared, the credential data is removed when the user logs off. If the checkbox is checked, the credential data will be cached after user log off.

5. To access advanced settings, click the Advanced button on the Security tab. There are two Advanced segments: IEEE 802.1X and Single Sign On, shown in Figure 4.9.

Figure 4.9. Advanced Settings for New Vista Wired Network Policy Properties

6. In the IEEE 802.1X section, click the checkbox to the left of “Enforce advanced 802.1X settings” to enable these options: Max Eapol-Start Msgs:, Held Period (seconds), Start Period (seconds), Auth Period (seconds), Eapol-Start Message. In most cases, the default settings are fine; if you believe you need these advanced settings, check the Microsoft documentation for details on how to set these.

7. In the Single Sign On section, click the checkbox next to “Enable Single Sign On for this network” to enable the following options: Perform immediately before User Logon, Perform immediately after User Logon, Set Max. delay for connectivity (seconds), Allow additional dialogs to be displayed during Single Sign On, and This network uses different VLAN for authentication with machine and user credentials. Again, as with the IEEE 802.1X Advanced settings, these can be modified if you have a specific need to do so. Check Microsoft documentation for details on using these options within your network environment. A good starting place is www.microsoft.com/technet/technetmag/issues/2008/02/CableGuy/default.aspx.

8. Click OK to accept configuration; click Cancel to exit without saving changes.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492805000043

What does Windows Firewall with Advanced security do?

The Windows Defender Firewall with Advanced Security is a tool which gives you detailed control over the rules that are applied by the Windows Defender Firewall. You can view all the rules that are used by the Windows Defender Firewall, change their properties, create new rules or disable existing ones.

What is firewall with Advanced security?

Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network.

What type of firewall is Windows Defender Firewall?

Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).

What advanced security features can be incorporated into a firewall?

This will mean that more important traffic can be set to go over your higher quality links when quality really matters.

Web filtering
Logging
Internet aggregation and SD WAN
Sandboxing
Integrated wireless controller
Deep Packet Inspection
Virtual Private Networks
Malware and virus filtering