VPN Service: Quarantine VPN

Presentation on the theme "VPN Service: Quarantine VPN". Presentation transcript:

1 VPN Service: Quarantine VPN
Code: HOL-ISA02. VPN Service: Quarantine VPN. Juan Luis García Rambla

2 Agenda: Introduction. VPN services. RRAS.
VPN solutions with ISA Server 2004. Quarantine VPN.

3 Introduction

4 Introduction. VPN stands for "Virtual Private Network". Basically, a VPN establishes a secure connection across an insecure medium such as the Internet. Any network that uses IP connections can be considered a VPN.

5 Classification. By termination point:
CE-based (overlay); PE-based (peer-to-peer). By the customer traffic carried: Layer 3 VPN; Layer 2 VPN. By the provider's network type: IP, IP/MPLS, ATM, Frame Relay, SONET/SDH, telephone network, etc. By tunnelling technology: IPSec, L2TP, PPTP, MPLS-LSP and ATM-VP/VC tunnels; Frame Relay VC, SONET/SDH VT, PPP/Dial-up. By number of connected sites: point-to-point: 2 sites; multipoint: more than two sites. CE = Customer Edge, PE = Provider Edge.

6 Evolution. 1st generation: terminated at the CE and based on dedicated lines leased from the provider. 2nd generation: terminated at the CE using ATM/Frame Relay virtual circuits over the provider's packet-switched network. 3rd generation: providers offer services to manage the customer routers used at the CE terminations. 4th generation: Layer 3 VPNs terminated at the PE and based on IP/MPLS. 5th generation: Layer 2 VPNs terminated at the PE and based on IP/MPLS. CE = Customer Edge, PE = Provider Edge.

7 Layer 2 topologies: FR and ATM. Layer 2 VPNs over IP, Frame Relay and ATM.
Static definition of virtual circuits (PVCs). Forwarding based on DLCI. They provide neither authentication nor encryption. Limited scalability and flexibility. (Diagram: IP, X.25, ATM, Frame Relay.)

8 Layer 2 tunnel-based topologies
Establishment and validation take place before the tunnel is set up. Several encapsulation processes appear that introduce more overhead into the network. There is no QoS. (Diagram: PPP, IP, Layer 2 Tunneling Protocol (L2TP), Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP).)

9 Layer 3 tunnel-based topologies
Layer 3 VPN. GRE tunnels and, above all, IPSec. Authentication and encryption of the data on the Internet. Routing based on the tunnel's IP address. Hardware and software encryption acceleration. (Diagram: Generic Routing Encapsulation (GRE), IP Security (IPSec), IP.)

10 VPN Service

11 VPN characteristics
An encapsulation is required that provides: authentication (of user, machine and data); data compression; data encryption; dynamic addressing; name resolution; key management; multiprotocol support (IP, IPX, etc.).

12 Encapsulation: putting one packet inside another.
The data is encapsulated, or wrapped, with another header carrying routing information so that it can cross a public network to its destination. Traffic can be encapsulated at two levels of the OSI model. Layer 2: frames are encapsulated at the link level: PPTP, L2F, L2TP. Layer 3: packets are encapsulated at the network level: IPSEC.

13 Layer 2 encapsulation protocols
Point to Point Tunneling Protocol (PPTP): Microsoft, Ascend, others. Layer Two Forwarding (L2F): proposed by Cisco. Layer Two Tunneling Protocol (L2TP): unifies PPTP and L2F into a single VPN standard. PPTP is a Microsoft-developed protocol that has become the de facto industry standard due to its wide deployment in Windows; PPTP clients ship with all versions of Windows since Microsoft® Windows® 95, with Mac OS X, and with most Linux distributions. PPTP supports a variety of authentication methods, which we'll discuss later, and it encrypts connections in both directions using a randomly generated, and periodically changed, symmetric key. You may have heard from customers that PPTP is insecure; in fact, there were some vulnerabilities discovered in the NT 4.0 timeframe, but Microsoft moved quickly to fix them. A few non-Microsoft PPTP implementations on Linux still have a number of implementation flaws. Unlike PPTP, the Layer 2 Tunneling Protocol (L2TP) is a pure tunneling protocol. It doesn't incorporate any authentication or encryption, which makes it unsuitable for use on its own. L2TP is almost always combined with the IPsec extensions for VPN functionality: this combination provides strong encryption and authentication, plus tunneling that can be used either to link two remote networks or a single remote client to a network (we'll discuss these two modes in the IPsec module). For the remainder of this course, we'll treat the L2TP+IPsec combination as though it were a single protocol.

14 Tunnel protocols: PPTP. L2TP.
PPTP: developed by Microsoft, it is a de facto standard. It is widely implemented and several compatible implementations exist. Secure enough for almost all applications. L2TP: an "Internet Engineering Task Force" (IETF) standard. A union of PPTP and L2F. Some interoperability problems. Both PPTP and L2TP use PPP underneath, which gives them much of the required functionality.

15 PPP: designed to send data over on-demand or point-to-point connections. Encapsulates IP packets. Four phases in the connection negotiation: link establishment (LCP); user authentication (PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP); callback control (CBCP); network layer protocols (IPCP, CCP, MPPC, MPPE). Data transfer phase: the data is encapsulated with a PPP header and compressed and encrypted as agreed in phase 1 and negotiated in phase 4.

Point-to-Point Protocol (PPP). Because PPTP and L2TP depend heavily on the features originally specified for PPP, it is worth examining this protocol more closely. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames, and then transmits the PPP-encapsulated packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a NAS. There are four distinct phases of negotiation in a PPP connection. Each of these four phases must complete successfully before the PPP connection is ready to transfer user data.

Phase 1: PPP Link Establishment. PPP uses the Link Control Protocol (LCP) to establish, maintain, and terminate the logical point-to-point connection. During Phase 1, basic communication options are selected. For example, authentication protocols are selected, but they are not actually implemented until the connection authentication phase (Phase 2). Similarly, during Phase 1, a decision is made as to whether the two peers will negotiate the use of compression and/or encryption. The actual choice of compression and encryption algorithms and other details occurs during Phase 4.

Phase 2: User Authentication. In the second phase, the client computer sends the user's credentials to the remote access server. A secure authentication scheme provides protection against replay attacks and remote client impersonation. A replay attack occurs when a third party monitors a successful connection and uses captured packets to play back the remote client's response so that it can gain an authenticated connection. Remote client impersonation occurs when a third party takes over an authenticated connection. The intruder waits until the connection has been authenticated and then traps the communication parameters, disconnects the authenticated user, and takes control of the authenticated connection.

Phase 3: PPP Callback Control. The Microsoft implementation of PPP includes an optional callback control phase. This phase uses the Callback Control Protocol (CBCP) immediately after the authentication phase. If configured for callback, both the remote client and NAS disconnect after authentication. The NAS then calls the remote client back at a specified phone number. This provides an additional level of security to dial-up connections. The NAS allows connections from remote clients physically residing at specific phone numbers only. Callback is only used for dial-up connections, not for VPN connections.

Phase 4: Invoking Network Layer Protocol(s). Once the previous phases have been completed, PPP invokes the various network control protocols (NCPs) that were selected during the link establishment phase (Phase 1) to configure protocols used by the remote client. For example, during this phase, IPCP is used to assign a dynamic address to the PPP client. In the Microsoft implementation of PPP, the Compression Control Protocol (CCP) is used to negotiate both data compression (using MPPC) and data encryption (using MPPE).

Data-Transfer Phase. Once the four phases of PPP negotiation have been completed, PPP begins to forward data to and from the two peers. Each transmitted data packet is wrapped in a PPP header that is removed by the receiving system. If data compression was selected in phase 1 and negotiated in phase 4, data is compressed before transmission. If data encryption is selected and negotiated, data is encrypted before transmission. If both encryption and compression are negotiated, the data is compressed first, and then encrypted.

16 PPTP: provides tunnelling for PPP frames.
Uses PPP security to secure communication over the tunnel. PPP user authentication (PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP). PPP confidentiality and encryption (MPPE): RC4 with 40- or 128-bit keys.

17 PPTP frame types: control and data
Creating the PPTP control connection: a logical connection representing the PPTP tunnel. The server uses TCP port 1723 and the client a dynamic port. It determines the GRE header IDs between client and server that identify the specific PPTP tunnel. Maintaining the PPTP control connection. Terminating the PPTP control connection. Data: encapsulation and transmission of PPP data via Generic Routing Encapsulation (GRE). PPTP encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet. PPTP can be used for remote access and router-to-router VPN connections. PPTP is documented in RFC 2637. The Point-to-Point Tunneling Protocol (PPTP) uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The payloads of the encapsulated PPP frames can be encrypted and/or compressed. Figure 6 shows the structure of a PPTP packet containing an IP datagram. A PPTP control connection: a logical connection representing the PPTP tunnel that must be created, maintained, and terminated through a series of PPTP messages. PPTP control connection traffic uses a dynamically allocated TCP port on the PPTP client, and the IANA-reserved TCP port of 1723 on the PPTP server. GRE encapsulation for data: when data is sent across the PPTP connection, PPP frames are encapsulated with a Generic Routing Encapsulation (GRE) header, which includes information that identifies the specific PPTP tunnel for the data packet.

18 PPTP connections (diagram: remote PC, Internet, PPTP RAS server; data connection over IP protocol ID GRE; control connection over TCP port 1723)

19 L2TP: combines PPTP and L2F into a single VPN standard proposed by the IETF. Encapsulates PPP frames that can be sent over IP, X.25, Frame Relay or ATM. The standard allows PPP security to be used to secure communication over the tunnel: PPP authentication; PPP confidentiality and encryption (MPPE). Microsoft's implementation does not use PPP to secure communications; it uses IPSEC, giving rise to L2TP/IPSec.

20 L2TP/IPSec: L2TP encapsulation of the PPP frame.
IPSec encapsulation of the L2TP message. IPSec encryption of the contents of the L2TP packets. Of the IPSec protocols (AH and ESP), ESP (Encapsulating Security Payload) is used.

21 L2TP/IPSec encapsulation over IP
Diagram of the encapsulation stack, innermost packet first:
TCP/IP packet: IP Header | TCP Header | Payload Data
PPP encapsulation: PPP Header | IP Header | TCP Header | Payload Data
L2TP interface: L2TP Header | PPP Header | IP Header | TCP Header | Payload Data
UDP interface: UDP Header | L2TP Header | PPP Header | IP Header | TCP Header | Payload Data
IPSec interface: IPSec ESP Header | UDP Header | L2TP Header | PPP Header | IP Header | TCP Header | Payload Data | IPSec ESP Trailer | IPSec AUTH Trailer
IP interface: IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | IP Header | TCP Header | Payload Data | IPSec ESP Trailer | IPSec AUTH Trailer
Ethernet frame carrying the resulting TCP/IP packet.

Encapsulation for L2TP/IPSec packets consists of two layers: 1. L2TP encapsulation: a PPP frame (an IP datagram or an IPX datagram) is wrapped with an L2TP header and a UDP header. 2. IPSec encapsulation: the resulting L2TP message is then wrapped with an IPSec Encapsulating Security Payload (ESP) header and trailer, an IPSec Authentication trailer that provides message integrity and authentication, and a final IP header. In the IP header is the source and destination IP address that corresponds to the VPN client and VPN server. The following illustration shows L2TP and IPSec encapsulation for a PPP datagram.

22 L2TP/IPSec phases: negotiation of the IPSec SAs for the L2TP traffic.
Main mode SA: IPSec authentication. Quick mode SA: the level and mode of data encryption are established. L2TP connection negotiation: the control connection and the L2TP session are established. PPP connection negotiation: link establishment (LCP); user authentication (PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP); network layer protocols (IPCP, CCP, MPPC, MPPE).

23 Authentication: PPTP and L2TP/IPSec
PPTP: user-level authentication provided by PPP. L2TP/IPSec: machine-level authentication provided by IPSec, using preshared keys or machine digital certificates.

24 Authentication methods
Password Authentication Protocol (PAP): sends the password in clear text. Shiva Password Authentication Protocol (SPAP): uses reversible encryption. Challenge Handshake Authentication Protocol (CHAP): uses MD5 to provide challenge-response authentication; requires storing passwords with reversible encryption on the server (DC). MS-CHAP: known weaknesses exist. For backward compatibility, the Windows 2000 and Windows 2003 RRAS services include support for a number of authentication methods that nonetheless shouldn't be used in production networks. While these protocols may sometimes be turned on to support legacy systems, you should be careful to point out the security implications of doing so to your customers. PAP sends the user name and password in cleartext. CHAP uses MD5 to provide challenge-response authentication. It is broadly supported, but it requires you to configure AD to allow storage of reversibly encrypted passwords. Doing so means that an attacker who can compromise a domain controller can obtain passwords for all users, so this is a really, really bad idea, especially since you normally have to force a password change so that users get their passwords changed. MS-CHAP is a Microsoft-developed variant of CHAP that provides a similar MD5-based challenge-response protocol but that doesn't depend on reversible encryption of users' passwords. This makes it a better choice than CHAP; however, the original protocol has a number of design weaknesses that have been known for several years. Accordingly, its use is not recommended. By default, the Windows Server 2003 family implementation of MS-CHAP v1 does not support LAN Manager authentication. If you want to allow the use of LAN Manager authentication with MS-CHAP v1 for older operating systems such as Microsoft® Windows NT® 3.5 and Windows 95, you must set the HKLM\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication value to 1 on the authenticating server. Microsoft® Windows® 2000 Server supports LAN Manager authentication by default. Upgrading a computer running Windows 2000 Server to a member of the Windows Server 2003 family preserves the existing Allow LM Authentication setting.

25 Authentication methods
MS-CHAP v2: improved version of MS-CHAP. Frequently used. Cryptographically stronger than PAP, CHAP and MS-CHAP. Recommended when EAP-TLS cannot be deployed. MS-CHAP version 2 (v2) addresses several weaknesses in the original MS-CHAP protocol: MS-CHAP allows LAN Manager encoding for responses, and that's cryptographically weak. MS-CHAPv2 doesn't use LAN Manager encoding for anything, including password changes. MS-CHAP provides one-way authentication: the server can authenticate the client, but there's no way for the client to authenticate the server's identity. MS-CHAPv2 provides two-way mutual authentication. MS-CHAP uses a key generation process that results in using the same key each time a user with the same password connects. MS-CHAPv2 adds random data to the key generation process so that cryptographic keys aren't ever reused. MS-CHAP uses a single key for transmitting and receiving data. MS-CHAPv2 uses two separate cryptographic keys.

26 Authentication methods
EAP, Extensible Authentication Protocol: supports several authentication types. EAP-MD5: challenge/response; not very secure. EAP-TLS: certificate-based; requires domain membership; designed for use with smart cards. EAP-RADIUS: proxy mechanism that forwards data in a specific EAP format to a RADIUS server. The type to use can be specified on the server or through policies for a specific group of users. With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a remote access connection. The exact authentication scheme to be used is negotiated by the remote access client and the authenticator (either the remote access server or the RADIUS server). Routing and Remote Access includes support for EAP-TLS and MD5-Challenge by default. You can plug in other EAP modules to the server running Routing and Remote Access to provide other EAP methods. EAP allows for an open-ended conversation between the remote access client and the authenticator. The conversation consists of authenticator requests for authentication information and the responses by the remote access client. For example, when EAP is used with security token cards, the authenticator can separately query the remote access client for a name, PIN, and card token value. As each query is asked and answered, the remote access client passes through another level of authentication. When all questions have been answered satisfactorily, the remote access client is authenticated. A specific EAP authentication scheme is known as an EAP type. Both the remote access client and the authenticator must support the same EAP type for successful authentication to occur. Windows 2000 and 2003 support several EAP types: EAP-MD5 is used for challenge-response authentication between servers; it shouldn't be used for user authentication, and Windows RRAS doesn't let you choose it for such. However, third-party products that request EAP-MD5 challenges for RADIUS traffic will work. EAP-TLS uses digital certificates to exchange keys that are then used to establish a secure connection for authentication. This is the most secure EAP type supported by Windows 2000 (Windows 2003 supports PEAP, covered in the next slide). However, it requires clients to have client certificates, so it is mostly used with deployments that include smartcards or tokens that can hold the necessary certificates. EAP-RADIUS is a proxy pass-through mechanism that allows an RRAS server to accept data in a specified EAP type and pass it to a RADIUS proxy. It can't be used for direct authentication. The specific EAP types used on a server can be set on a per-server basis; in addition, you can use remote access policies to determine which types may or must be used for specific groups of users.

27 Authentication methods
PEAP, Protected EAP: protects EAP negotiations by wrapping them in TLS. Used only for wireless connections. Supports fast reconnects for large environments with roaming. Can use PEAP plus EAP-MS-CHAPv2: adds mutual authentication; requires the client to trust the server's certificates; easy to deploy. EAP-TLS: very secure; requires a PKI infrastructure. Protected Extensible Authentication Protocol (PEAP) is a new member of the family of EAP types. PEAP uses Transport Level Security (TLS) to create an encrypted link between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, usually an IAS server. PEAP itself does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MSCHAPv2, that can operate through the TLS-protected channel provided by PEAP. PEAP is used as an authentication method for wireless client computers, but is not currently supported for VPNs or other remote access clients. To enhance both the EAP protocols and network security, PEAP provides: Protection for the EAP method negotiation that occurs between client and server through a TLS channel. This helps prevent an attacker from injecting packets between the client and the RRAS server to cause the negotiation of a less secure EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the IAS server. Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this. A way for wireless clients to authenticate the IAS or RADIUS server. Because the server also authenticates the client, mutual authentication occurs. Protection against the deployment of an unauthorized wireless access point (WAP) when the EAP client authenticates the certificate provided by the IAS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP. PEAP fast reconnect, which reduces the delay in time between an authentication request by a client and the response by the IAS or RADIUS server, and allows wireless clients to move between access points without repeated requests for authentication. This reduces resource requirements for both client and server. You can deploy PEAP for wireless access in two methods: PEAP with EAP-MS-CHAPv2 (PEAP-EAP-MS-CHAPv2) is easier to deploy than EAP-TLS because user authentication is accomplished with password-based credentials (user name and password) instead of certificates or smart cards; only the IAS or RADIUS server is required to have a certificate. PEAP-EAP-MS-CHAPv2 provides improved security over MS-CHAPv2 by using mutual authentication, preventing an unauthorized server from negotiating the least secure authentication method, and providing key generation with TLS. PEAP-EAP-MS-CHAPv2 requires that the client trust certificates provided by the server. Additionally, the server certificate can be issued by a public CA that is trusted by the client computer (that is, the public CA certificate already exists in the Trusted Root Certification Authority folder of the client computer's certificate store). In this case, the server certificate is not downloaded and added to the client trusted root certificate store, and the user is not prompted to make a decision about whether to trust the server. PEAP with EAP-TLS provides a much stronger authentication method than those that use password-based credentials. PEAP with EAP-TLS (PEAP-EAP-TLS) uses certificates for server authentication and either certificates or smart cards for user and client computer authentication. To use PEAP-EAP-TLS, you must deploy a PKI because the client has to have a certificate issued by the same CA that the server uses.

28 Routing and Remote Access

29 Microsoft VPN solutions.
Microsoft offers Layer 2 VPN technology and implements it in software through the following products: the Windows Server family. NT 4.0 with SP3 and the Option Pack installed. Windows with RRAS + IAS (RADIUS). Windows with RRAS + IAS (RADIUS). ISA Server 2000/2004.

30 RRAS: this multipurpose service offers different communications solutions: dial-up remote access; VPN solutions; routing; NAT.

31 Routing and Remote Access
Routing and Remote Access combines IP routing and virtual private network (VPN) services. IP routing: static, Routing Information Protocol (RIP) v1, RIP v2, Open Shortest Path First (OSPF). IP assignment to VPN clients via DHCP. Demand-dial connections to remote sites. VPN: Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP). The RRAS server in Microsoft® Windows® 2000 and Microsoft® Windows Server™ 2003 was originally built for Microsoft® Windows NT® 4.0 as part of the Windows NT 4.0 Option Pack. It has gained significant functionality since then, but its core functionality remains unchanged. RRAS incorporates two primary services: routing and remote access. Its routing functionality allows Routing and Remote Access to act as a gateway/border router, exchanging routing and link state information with peers using the Routing Information Protocol (RIP) or the Open Shortest Path First (OSPF) protocol, both of which are in wide use on the Internet. When used as a router, Routing and Remote Access can work with dedicated or demand-dial connections, and the demand-dial connections may be made using VPNs, ISDN, modems, or any other mechanism that supports initiating and terminating a link through the standard Windows remote access interfaces. Routing and Remote Access can also function as a VPN server, either alone or in conjunction with routing functionality. In this mode, Routing and Remote Access accepts connections using two protocols: the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP).

32 Client solutions
Windows 98. Windows Millennium. Windows NT 4.0. Windows 2000. Windows XP. Windows 98, NT and Millennium need a client for VPN with L2TP/IPSec.

33 Authentication and connection
The RRAS service allows clients to connect through a policy system. The default policy denies any type of connection to all users. The system allows authentication through the RADIUS service.

34 RADIUS: RADIUS is defined in IETF RFCs 2865 and 2866.
Simple protocol. The client sends a logon request to the RRAS server. The RRAS server sends a RADIUS access request to the IAS server. IAS can act as a proxy and forward the request. IAS can use the credentials to request authentication locally or against a domain controller. IAS returns an Access-Accept or Access-Reject message to the RRAS server. The RRAS server accepts or denies the client connection. The RADIUS protocol is defined by two IETF RFCs: RFC 2865 describes the protocol itself, and RFC 2866 describes extensions to RADIUS for performing accounting (chargebacks, usage tracking, etc.). The RADIUS protocol itself is fairly simple (see for an extended explanation): The client (e.g. a user on a laptop, handheld, or other mobile or wireless device) establishes a connection to the RAS server. The client provides credentials to the RAS server. The RAS server creates a RADIUS Access-Request packet. This packet contains the user credentials supplied in step 2 plus some attributes specified by the RAS server. The RAS server sends the Access-Request packet to its RADIUS server. The receiving server inspects the attributes; it may be configured to use the provided credentials itself, or to pass the Access-Request on to another RADIUS server. Eventually, the request reaches the final server in the proxy chain, which unpacks the attributes and extracts the credentials. The IAS evaluates the credentials, either against its local SAM or its domain AD. It then fabricates either an Access-Accept or Access-Reject message, which is returned to the RAS device. The RAS device accepts or terminates the connection. Each RADIUS packet may contain zero or more attributes; each RADIUS attribute specifies a piece of information about the connection attempt. For example, there are RADIUS attributes for the user name, the user password, the type of service requested by the user, and the IP address of the access server. RADIUS attributes are used to convey information between RADIUS clients, RADIUS proxies, and RADIUS servers. For example, the list of attributes in the Access-Request message includes information about the user credentials and the parameters of the connection attempt. In contrast, the list of attributes in the Access-Accept message includes information about the type of connection that can be made, connection constraints, and any vendor-specific attributes (VSAs).

35 Introduction to IAS. Internet Authentication Service (IAS) is Microsoft's RADIUS server implementation. Main features: RADIUS interoperability with Juniper, Cisco, Linux, etc. Integration with Active Directory® for authentication and authorization. Supports EAP (Extensible Authentication Protocol). Supports remote access policies. Depends on a shared secret. A RADIUS server and proxy, named Internet Authentication Service (IAS), is included in Microsoft® Windows Server™ 2003, Standard Edition; Microsoft® Windows Server™ 2003, Enterprise Edition; and Microsoft® Windows Server™ 2003, Datacenter Edition. When a remote client tries to connect to an access server configured to use the RADIUS protocol, the access server sends the connection request to the IAS server by using the RADIUS protocol. IAS offers four major areas of value for securing Windows deployments: IAS provides RADIUS-based interoperability with remote access hardware and VPN concentrators from most major manufacturers. By having other RADIUS-capable devices act as proxies, their authentication traffic can be directed to an IAS server and thus centrally authenticated. When the IAS server is a member of an Active Directory® domain, IAS uses the directory service as its user account database, effectively providing single sign-on for remote access (including wireless) service; the same set of credentials is used for network access control and to log on to an Active Directory domain. The Extensible Authentication Protocol (EAP) specifies a set of authentication types that may be used for various purposes; it also specifies a mechanism by which a client and server agree on an authentication method. EAP provides certificate/smartcard-based authentication in conjunction with conventional password-based systems. IAS allows you to specify remote access policies that instruct the IAS server to accept or reject the request based on conditions that you specify. These policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting. Access to the network resources can be controlled by applying policies to users or groups of users. Note: When using IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range. However, when using Windows Server 2003, Standard Edition, you can configure IAS with a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. RADIUS is a client/server protocol that requires a RADIUS client and a RADIUS server to provide network access. An access server or a RADIUS proxy is a RADIUS client, and the computer making the determination of authentication and authorization is a RADIUS server.

36 VPN solutions in ISA Server 2004

37 VPN Provides a security layer that protects communication across an insecure medium. ISA Server integrates remote connections with the firewall solution. VPN connections are subject to the network rules.

38 VPN administration console

39 VPN connections VPN tunnels. VPN client connections.
VPN tunnels: connecting networks over a VPN. Managed as an integrated network. VPN client connections: multi-protocol support. Extended authentication support. Quarantine network support. Integrated with ISA Server 2004. Integrated with IAS through policies.

40 VPN features Connection control and security.
Definition of rules and clients. VPN load balancing in ISA 2004. Quarantining of VPN connections until the configured conditions are met.

41 VPN clients Any operating system in the Windows family can act as a client. The PPTP and L2TP communication protocols are supported. Different authentication methods can be configured for remote clients: PAP, CHAP, MS-CHAP, MS-CHAP v2, SPAP and EAP.

42 Site-to-site VPN connections
Establishes a connection between two sites over a VPN. The connection can be established using: PPTP. L2TP/IPsec. IPsec tunnel. Credentials that allow logon must be configured for each corresponding site.

43 Quarantine VPN

44 Introduction Lets administrators restrict VPN network access until a script or command has run on the client machine. The system distinguishes the VPN clients network from the quarantine clients network. Network Access Quarantine Control, a new feature in the Windows Server 2003 family, delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-provided script. When a remote access computer initiates a connection to a remote access server, the user is authenticated and the remote access computer is assigned an IP address. However, the connection is placed in quarantine mode, in which network access is limited. The administrator-provided script is run on the remote access computer. When the script notifies the remote access server that it has successfully run and the remote access computer complies with current network policies, quarantine mode is removed and the remote access computer is granted normal remote access. The quarantine restrictions placed on individual remote access connections consist of the following: A set of quarantine packet filters that restrict the traffic that can be sent to and from a quarantined remote access client. A quarantine session timer that restricts the amount of time the client can remain connected in quarantine mode before being disconnected. You can use either restriction, or both, as needed.

45 Quarantine - Step by step
Client: connects.
Server: new client added to the quarantine network.
Client: runs scripts to check that the machine is secure.
Client: secured?
YES: Client sends "Clear Quarantine" to the server. Server: moves the client to the "VPN clients" network.
NO: Client notifies the user of the actions to take.

46 Quarantine - Objectives
Hardened client machines. Every machine must be secure before accessing the corporate network, e.g. having an up-to-date antivirus. Not hardened: make them secure. If the client machine is not secure, can it access the corporate network? YES, but only the resources needed to make it secure (antivirus server, etc.).

47 Quarantine - Requirements
Server. Windows Server 2003 Routing and Remote Access. Listener that receives script messages: Rqs.exe from the Windows Server 2003 Resource Kit, or included directly with SP1. Custom scripts can be written. ISA Server 2004. Client. Microsoft® Windows® 98 Second Edition or later. Connection Manager Administration Kit (CMAK) profile. Script with the policy requirements.
A quarantine-compatible remote access server requires the following: A computer running a member of the Windows Server 2003 family and RRAS; the Windows 2003 RRAS supports the use of a listener component and the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout RADIUS vendor-specific attributes (VSAs) to enforce quarantine settings. A listener component, which listens for messages from quarantine-compatible remote access clients. These messages indicate that their scripts have been run successfully. You can create your own custom listener component (matched with your own custom notifier component), or you can install the Remote Access Quarantine Agent service (Rqs.exe) from the Windows Server 2003 Resource Kit. If you create your own listener component, it must be designed to listen for a message from the notifier component and use the MprAdminConnectionRemoveQuarantine() application programming interface (API) to remove the quarantine restrictions from the remote access connection. For more information, see MSDN. With these components installed, the remote access server computer can use quarantine mode for connecting remote access clients and listen for notifier messages, indicating that they have satisfied network policy requirements and can be taken out of quarantine mode.
If you are using Rqc.exe and Rqs.exe, the notification message sent by Rqc.exe contains a text string that indicates the version of the quarantine script being run. This string is configured for Rqc.exe as part of its command-line parameters, as run from the quarantine script. Rqs.exe compares this text string to a set of text strings stored in the registry of the remote access server. If there is a match, the quarantine conditions are removed from the connection. Routing and Remote Access can be configured with either the Windows or RADIUS authentication provider. If Routing and Remote Access is configured with the Windows authentication provider, then quarantine-compatible RADIUS servers are not required and you configure the quarantine attributes for a remote access policy that is stored on the remote access server.
Clients require some related pieces: A post-connect action that runs a network policy requirements script. This is configured when the CM profile is created with CMAK. A network policy requirements script. This script performs validation checks on the remote access client computer to verify that it conforms to network policies. It can be a custom executable file or as simple as a command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters. If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance. A notifier component, which sends a message that indicates a successful execution of the script to the quarantine-compatible remote access server. You can use your own notifier component or you can use Rqc.exe, which is provided with the Windows Server 2003 Resource Kit.
(For a custom script and notifier component, it is possible to combine them into a single component.) With these components installed, the remote access client computer uses the CM profile to perform network policy requirements tests and indicate its success to the remote access server as part of the connection setup. It is possible to use a third-party dialer program instead of a CM profile, as long as there is a way to configure a post-connect action to run the quarantine script and to embed the script and notifier component with the dialer or otherwise install the script and notifier component on the remote access client.

48 Quarantine - Client and server modules
FW / VPN gateway. Quarantine clients network. Waits for the client to signal that it has been secured. Client. Checks that the client is secured. Signals to the server whether the client is secure or not. Notifies the user when the client is not secured. Does not protect against malicious users.

49 ISA Server 2004 server Controls access:
RADIUS policies. ISA policies. Sets the maximum connection time. Defines exceptions.

50 Quarantine - Client package
Based on Windows Server 2003 CMAK. Examples in the ISA Server 2004 SDK: Client package. During the connection, download new scripts from the server. Run the scripts on the client. Send the "clear quarantine" notification to the server. Scripts: check AV, configure ICF.
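As an added example (not code from the presentation or the ISA Server 2004 SDK), a minimal network policy requirements script for the client package described on this slide and in the requirements slide (47): it runs the checks, sends the user to the remediation page on failure, and on success runs Rqc.exe with the version string that Rqs.exe compares against its allowed list. Assumed: a Windows 2000/XP cmd.exe client, Rqc.exe in the same folder as the script, the default Rqs.exe listener port 7250, a CMAK post-connect action that passes the dial entry, tunnel entry, domain and user name as quoted arguments, and placeholder values for the antivirus service name, the version string and the remediation URL.

```batch
@echo off
rem quarantine.cmd: added example network policy requirements script (not from the
rem presentation or the ISA Server 2004 SDK). Assumed CMAK post-connect action:
rem   quarantine.cmd "%DialRasEntry%" "%TunnelRasEntry%" "%Domain%" "%UserName%"
setlocal
set DIALENTRY=%~1
set TUNNELENTRY=%~2
set DOMAINNAME=%~3
set RASUSER=%~4
rem TCP port of the Rqs.exe listener on the RRAS/ISA server (assumed default).
set RQCPORT=7250
rem Version string that Rqs.exe compares with its allowed list. Constructed value;
rem it must match the server-side entry exactly, so change it whenever the checks change.
set SCRIPTVER=QPolicy-1.0
rem Remediation page that the quarantine packet filters must still allow (placeholder host).
set HELPURL=http://remediation.example.internal/quarantine.htm

rem Check 1: Windows Firewall / ICF service (SharedAccess) must be running.
sc query SharedAccess | find "RUNNING" >nul
if errorlevel 1 goto FAIL

rem Check 2: antivirus real-time protection service must be running
rem (ExampleAVService is a placeholder for the product's real service name).
sc query ExampleAVService | find "RUNNING" >nul
if errorlevel 1 goto FAIL

rem Check 3: Automatic Updates set to download and install (AUOptions = 4).
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions | find "0x4" >nul
if errorlevel 1 goto FAIL

rem All checks passed: ask the listener on the server to clear the quarantine.
rem Rqc.exe parameters: ConnName TunnelConnName TCPPort Domain Username ScriptVersion
"%~dp0rqc.exe" "%DIALENTRY%" "%TUNNELENTRY%" %RQCPORT% "%DOMAINNAME%" "%RASUSER%" %SCRIPTVER%
endlocal
exit /b 0

:FAIL
rem A check failed: no notification is sent, so the connection stays in quarantine
rem (packet filters plus session timer) and the user is pointed at the remediation page.
echo This computer does not meet the network access policy. Opening the remediation page...
start "" "%HELPURL%"
endlocal
exit /b 1
```

The script never decides on its own to lift the quarantine; only the server does, after Rqs.exe has matched the version string, and a client that skips the checks is exactly the "malicious user" case slide 48 says this mechanism does not protect against.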

51 Fortnightly TechNews bulletin

52 Contacts Informática 64 Instructor http://www.informatica64.com
