![Page 1: Seguridad en redes 802.1x y NAP Alberto Camina Alvarez EMEA GTSC Spain Platform Support Specialist Microsoft Product Support Services.](https://reader035.fdocuments.us/reader035/viewer/2022062620/5519a8e4550346c4608b47df/html5/thumbnails/1.jpg)
Security in 802.1x networks and NAP
Alberto Camina Alvarez, EMEA GTSC Spain Platform Support Specialist, Microsoft Product Support Services

The defense-in-depth model
Each layer carries its own controls:
- Policies, procedures, and awareness
- Physical security: guards, locks, tracking devices
- Perimeter: firewalls, Network Access Quarantine Control
- Internal network: network segments, IPSec, NIDS
- Host: antivirus, OS hardening, authentication, patch management, HIDS
- Application: application hardening
- Data: ACLs, encryption, EFS

Perimeter defenses
Well-configured firewalls and border routers form the main boundary and defensive point of network security.
The Internet and the new trends in mobility increase the security problems.
VPNs have blurred the perimeter, and together with wireless networks they have made the classic network perimeter disappear.

Client defenses
Client defenses are responsible for blocking attacks that have passed the external network perimeter or that originated on the internal network. Client defenses include:
- Security improvements in the operating system
- Antivirus
- Personal firewalls
In unmanaged environments, users can bypass and disable client defenses.

Goals of network security
Goals: perimeter defense, client defense, intrusion detection, network access control, confidentiality, secure remote access.
Technologies named on the slide: ISA Server (perimeter defense), ICF, the Internet Connection Firewall (client defense), 802.1x / WPA (network access control), IPSec (confidentiality).

Using perimeter defenses

A view of today's networks
Diagram: a main office LAN connected through the Internet to a branch office LAN, a business partner LAN, a wireless network and remote users.
Network perimeters include connections to:
- the Internet
- branch offices
- business partners
- remote users
- wireless networks
- Internet applications

Firewall design
Diagram 1: a single firewall between the Internet and the LAN, with the screened subnet attached to a third interface of that firewall.
Diagram 2: an external firewall facing the Internet and an internal firewall facing the LAN, with the screened subnet between the two.

What firewalls do not protect against
- Malicious traffic that passes through open ports and is not inspected by the firewall.
- Any traffic that passes inside an encrypted tunnel or session.
- Attacks carried out after the network has been penetrated.
- Users and administrators who intentionally or accidentally install viruses.
- Administrators who use weak passwords.

Software vs. hardware firewalls
| Decision factor | Description |
| --- | --- |
| Flexibility | Updating for the latest vulnerabilities and patches is often easier with software-based firewalls. |
| Extensibility | Many hardware firewalls allow only limited customization. |
| Choice of vendors | Software firewalls let you choose hardware for a wide variety of needs, with no reliance on a single vendor for additional hardware. |
| Cost | The initial purchase price of a hardware firewall may be lower. Software firewalls take advantage of low CPU costs; the hardware can be upgraded easily and old hardware can be repurposed. |
| Complexity | Hardware firewalls are often less complex. |
| Overall suitability | The most important decision factor is whether a firewall can perform the required tasks. The line between hardware and software firewalls is often blurred. |

Firewall types
- Packet filtering
- Application-level inspection
- Multi-layer inspection (including application-layer filtering)

GOAL: stop 95% of attacks at the perimeter of our network.

Denial-of-service attacks
They send unexpected or malformed traffic, and they usually target a known but unpatched vulnerability. DoS can:
- cause large business losses
- damage the reputation of the business

DDoS
Diagram of a distributed denial of service: the controller wakes the compromised hosts ("Wake up!"), each of them sends traffic to the target ("Ping!"), and the target has to answer every one of them ("Reply!").

Securing wireless networks

Wireless security problems
Limitations of Wired Equivalent Privacy (WEP):
- Static WEP keys are not changed dynamically and are therefore vulnerable to attack.
- There is no standard method for provisioning static WEP keys to clients.
- Scalability: compromise of a static WEP key by anyone exposes everyone.
Limitations of MAC address filtering:
- An attacker can spoof an allowed MAC address.

Possible solutions
- Password-based layer 2 authentication: IEEE 802.1x with PEAP/MS-CHAP v2.
- Certificate-based layer 2 authentication: IEEE 802.1x with EAP-TLS.
Other options:
- VPN connectivity, L2TP/IPsec (preferred) or PPTP: does not allow roaming; useful on public wireless hotspots; no computer authentication and no processing of computer settings from Group Policy.
- IPSec: interoperability issues.

WLAN security comparison
| WLAN security type | Security level | Ease of deployment | Usability and integration |
| --- | --- | --- | --- |
| Static WEP | Low | High | High |
| IEEE 802.1X PEAP | High | Medium | High |
| IEEE 802.1X TLS | High | Low | High |
| VPN | High (L2TP/IPSec) | Medium | Low |
| IPSec | High | Low | Low |

802.1x
- Defines a port-based access control mechanism.
- Works on anything, wired or wireless; no special encryption key requirements.
- Allows a choice of authentication methods through the Extensible Authentication Protocol (EAP): the method is chosen by the peers at authentication time, and the access point does not care which EAP method is used.
- Manages keys automatically: no need to preprogram wireless encryption keys.

802.1x on 802.11
Message flow between the laptop (supplicant), the access point (authenticator) and the RADIUS server. The port stays blocked until the last step:
1. 802.11 Associate: the laptop associates with the access point. Access is still blocked.
2. EAPOL-Start (laptop to access point).
3. EAP-Request/Identity (access point to laptop).
4. EAP-Response/Identity (laptop to access point), forwarded to the RADIUS server as RADIUS Access-Request.
5. RADIUS Access-Challenge back to the access point, delivered to the laptop as an EAP-Request.
6. EAP-Response (credentials) from the laptop, forwarded as a second RADIUS Access-Request.
7. RADIUS Access-Accept to the access point, which sends EAP-Success to the laptop followed by EAPOL-Key (the key) over the wireless link. Access is now allowed.

Requirements for 802.1x
- Client: Windows XP.
- Server: Windows Server 2003 with IAS (Internet Authentication Service, the Microsoft RADIUS server), with a certificate installed on the IAS computer.
- 802.1x on Windows 2000: client and IAS must have SP3 (see KB article 313664); no zero-configuration support in the client; supports only EAP-TLS and MS-CHAPv2. Future EAP methods in Windows XP and Windows Server 2003 might not be backported.

802.1x setup
1. Configure Windows Server 2003 with IAS.
2. Join a domain.
3. Enroll a computer certificate.
4. Register IAS in Active Directory.
5. Configure RADIUS logging.
6. Add the access point as a RADIUS client.
7. Configure the access point for RADIUS and 802.1x.
8. Create the wireless client access policy.
9. Configure the clients; don't forget to import the root certificate.

Access policies: conditions
- NAS-Port-Type matches "Wireless - IEEE 802.11" OR "Wireless - Other".
- Windows-Groups = <some group in AD>. Optional; allows administrative control. The group should contain both user and computer accounts.

Access policies: profile
- Session time-out: 60 min (802.11b) or 10 min (802.11a/g).
- No regular (non-EAP) authentication methods.
- EAP type: Protected EAP; use the computer certificate.
- Encryption: only the strongest (MPPE 128-bit).
- Attributes: Ignore-User-Dialin-Properties = True.

Wi-Fi Protected Access (WPA)
A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems. WPA requires 802.1x authentication for network access. Goals:
- Enhanced data encryption
- User authentication
- Forward compatibility with 802.11i
- A non-RADIUS solution for small and home offices

Recommended practices
- Use 802.1x authentication.
- Organize wireless users and computers into groups.
- Apply wireless access policies using Group Policy.
- Use EAP-TLS for certificate-based authentication and PEAP for password-based authentication.
- Configure your remote access policy to support user authentication as well as machine authentication.
- Develop a method to deal with rogue access points, such as LAN-based 802.1x authentication, site surveys, network monitoring, and user education.

Securing communications with IPsec

IPSec
What is IP Security (IPSec)? A method to secure IP traffic; a framework of open standards developed by the Internet Engineering Task Force (IETF).
Why use IPSec? To ensure encrypted and authenticated communications at the IP layer, and to provide transport security that is independent of applications and application-layer protocols.

IPSec scenarios
- Basic permit/block packet filtering
- Securing internal LAN communications
- Domain replication through firewalls
- VPN across untrusted media

Implementing IPSec packet filtering
- Filters for allowed and blocked traffic; no actual negotiation of IPSec security associations.
- Overlapping filters: the most specific match determines the action.
- Does not provide stateful filtering.
- Must set "NoDefaultExempt = 1" to be secure.
| From IP | To IP | Protocol | Src port | Dest port | Action |
| --- | --- | --- | --- | --- | --- |
| Any | My Internet IP | Any | N/A | N/A | Block |
| Any | My Internet IP | TCP | Any | 80 | Permit |

Traffic not filtered by IPSec
- IP broadcast addresses: cannot secure traffic to multiple receivers.
- Multicast addresses: from 224.0.0.0 through 239.255.255.255.
- Kerberos: UDP source or destination port 88. Kerberos is a secure protocol, which the Internet Key Exchange (IKE) negotiation service may use to authenticate other computers in a domain.
- IKE: UDP destination port 500. Required so that IKE can negotiate the parameters for IPSec security.
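To make the filter semantics of the previous slide and the NoDefaultExempt caveat concrete, here is an added Python model (not code from the presentation): the two filters of the table, most-specific-match selection, and the default exemptions listed above. The address standing in for "My Internet IP", the sample packets and the simplified specificity ordering are constructed for the example.

```python
"""Added example (not from the presentation): a model of Windows 2000/XP
IPsec packet filtering as the slides describe it: static permit/block
filters, most-specific match wins, no state, and traffic types that the
IPsec driver exempts by default unless NoDefaultExempt is set.
The "My Internet IP" placeholder and the sample packets are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address

MY_INTERNET_IP = "203.0.113.10"   # constructed stand-in for "My Internet IP"
ANY = "any"


@dataclass(frozen=True)
class Filter:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or ANY
    sport: object   # int or ANY
    dport: object   # int or ANY
    action: str     # "permit" or "block"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# The two rows of the slide's filter table.
SLIDE_FILTERS = [
    Filter(ANY, MY_INTERNET_IP, ANY, ANY, ANY, "block"),
    Filter(ANY, MY_INTERNET_IP, "tcp", ANY, 80, "permit"),
]


def _matches(f: Filter, p: Packet) -> bool:
    pairs = ((f.src, p.src), (f.dst, p.dst), (f.proto, p.proto),
             (f.sport, p.sport), (f.dport, p.dport))
    return all(spec == ANY or spec == val for spec, val in pairs)


def _specificity(f: Filter) -> int:
    # Simplified ordering: the more fields a filter pins down, the more
    # specific it is.  Windows breaks ties by a fixed field order; the
    # count is enough for a non-conflicting set like the slide's.
    return sum(spec != ANY for spec in (f.src, f.dst, f.proto, f.sport, f.dport))


def default_exempt(p: Packet, no_default_exempt: int) -> str | None:
    """Traffic the IPsec driver passes before any filter is consulted.

    Value 0 (the Windows 2000/XP default) exempts broadcast, multicast,
    Kerberos and IKE.  Value 1, the setting the slide calls for, removes
    the Kerberos exemption; broadcast, multicast and IKE stay exempt.
    """
    if p.proto == "udp" and p.dport == 500:
        return "IKE"
    if p.dst == "255.255.255.255" or ip_address(p.dst).is_multicast:
        return "broadcast/multicast"
    if no_default_exempt == 0 and p.proto == "udp" and 88 in (p.sport, p.dport):
        return "Kerberos"
    return None


def evaluate(filters: list[Filter], p: Packet, no_default_exempt: int = 0) -> tuple[str, str]:
    """Return (action, reason) for one packet.

    A packet matching no filter is not touched by IPsec at all, hence
    permitted: the block-all row is what turns the table into default-deny.
    """
    exempt = default_exempt(p, no_default_exempt)
    if exempt:
        return "permit", f"default exemption: {exempt}"
    candidates = [f for f in filters if _matches(f, p)]
    if not candidates:
        return "permit", "no matching filter (traffic not covered by IPsec policy)"
    best = max(candidates, key=_specificity)
    return best.action, f"most specific filter: {best}"


if __name__ == "__main__":
    web = Packet("198.51.100.7", MY_INTERNET_IP, "tcp", 51000, 80)
    smb = Packet("198.51.100.7", MY_INTERNET_IP, "tcp", 51001, 445)
    # Probe sourced from UDP port 88 so that it rides the Kerberos exemption.
    krb_sourced = Packet("198.51.100.7", MY_INTERNET_IP, "udp", 88, 445)
    for ndx in (0, 1):
        for p in (web, smb, krb_sourced):
            print(f"NoDefaultExempt={ndx} {p.proto} {p.sport}->{p.dport}:",
                  evaluate(SLIDE_FILTERS, p, ndx))
```

With NoDefaultExempt left at 0, a packet sourced from UDP port 88 reaches any port on the host despite the block-all filter; with the value at 1 it is blocked. IKE on UDP 500 stays exempt in both cases, since IKE itself has to get through for IPsec to work. The other point the model shows is the default when nothing matches: IPsec leaves that traffic alone, so without the block-all row the table is default-permit.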

IPSec performance
IPSec processing has some performance impact:
- IKE negotiation time: about 2–5 seconds initially, 5 round trips. Authentication (Kerberos or certificates), cryptographic key generation and encrypted messages. Done once per 8 hours by default, settable.
- Session rekey is fast: under 1–2 seconds, 2 round trips, once per hour, settable.
- Encryption of packets.
How to improve?
- Offloading NICs do IPSec almost at wire speed.
- Use faster CPUs.

Recommended practices
- Plan your IPSec implementation carefully.
- Choose between AH and ESP.
- Use Group Policy to implement IPSec policies.
- Consider the use of IPSec NICs.
- Never use shared key authentication outside your test lab.
- Choose between certificates and Kerberos authentication.
- Use care when requiring IPSec for communications with domain controllers and other infrastructure servers.

The problems with 802.1X

What is 802.1X?
- A port-based access control method defined by the IEEE: http://standards.ieee.org/getieee802/download/802.1X-2001.pdf
- EAP provides mutual authentication between devices: ftp://ftp.rfc-editor.org/in-notes/rfc3748.txt
- Works over anything, wired or wireless: ftp://ftp.rfc-editor.org/in-notes/rfc2549.txt (the IP over Avian Carriers RFC, the speaker's joke) and http://eagle.auc.ca/~dreid

What do you need for 802.1X?
- Network infrastructure that supports it: switches, mostly.
- Clients and servers that support it: supplicants are included in Windows XP, Windows Server 2003 and Vista, and available as a download for Windows 2000.

Why is it perfect for wireless environments?
- The supplicant (client) and the authentication server (RADIUS) generate the session keys.
- Keys are never sent over the air, so there is nothing for an attacker to use to conduct impersonation or man-in-the-middle attacks.
- Can be managed centrally with GPOs.

Why is it not so perfect for wired environments?
- No GPOs, and we can't retrofit them.
- Worse, a fundamental protocol design flaw: 802.1X authenticates only at the start of traffic between client and switch. After the switch port opens, everything that follows is assumed to be valid.
- These kinds of assumptions allow MITM attacks. The attack does require physical access to the network.

Attacks against 802.1x
Diagram: the victim and the attacker are both connected to the same switch port, and both present IP 1.2.3.4 and MAC aa:bb:cc:dd:ee:ff. The victim authenticates to the switch ("...authenticate..."); the attacker configures itself to "drop all inbound not for me" and rides on the opened port.

How it works
- 802.1X lacks per-packet authentication: it assumes that post-authentication traffic is valid, based on MAC and IP address only. The switch has no idea what has happened.
- The attacker can communicate only over UDP: the victim would reset any TCP reply it received but did not send (the victim sees the reply to the shadow connection).

Attacks against 802.1x (TCP)
Diagram, both hosts again presenting 1.2.3.4 / aa:bb:cc:dd:ee:ff:
1. The attacker sends SYN.
2. The server's SYN-ACK arrives on the shared segment and is seen by both the attacker and the victim.
3. The victim, which never sent the SYN, answers with RST.
4. The RST is seen by the server (and the attacker), and the connection is torn down.

It can be improved!
If the victim computer happens to run a personal firewall which drops unsolicited SYN-ACKs, it gets better (for the attacker).

The attack, improved
Diagram, both hosts presenting 1.2.3.4 / aa:bb:cc:dd:ee:ff:
1. The attacker sends SYN.
2. The server's SYN-ACK is seen by both hosts; the victim's personal firewall silently drops it instead of answering with RST.
3. The attacker completes the handshake with ACK and now has a working TCP connection through the victim's authenticated port.
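The three diagrams describe a race between the victim's TCP stack and the attacker's shadow connection. The Python simulation below is an added example, not code from the presentation: it models the switch port, the shared segment, a victim with and without a personal firewall, and an attacker using the diagram's 1.2.3.4 / aa:bb:cc:dd:ee:ff pair. The upstream server's address and the port numbers are constructed.

```python
"""Added example (not from the presentation): model of the wired 802.1X
weakness on the slides.  A victim authenticates its switch port; an attacker
on the same segment clones the victim's MAC/IP (1.2.3.4 / aa:bb:cc:dd:ee:ff
from the diagram).  The switch checks identity once and afterwards trusts any
frame carrying that pair.  Server address and ports are constructed."""
from __future__ import annotations
from dataclasses import dataclass

VICTIM_MAC, VICTIM_IP = "aa:bb:cc:dd:ee:ff", "1.2.3.4"
SERVER_IP = "10.0.0.10"  # constructed upstream host


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    flags: str = ""  # tcp only: "SYN", "SYN-ACK", "ACK", "RST"
    payload: str = ""


class Server:
    """Upstream host with just enough TCP state to show the handshake."""
    def __init__(self):
        self.half_open, self.established, self.udp_received = set(), set(), []

    def receive(self, f: Frame) -> Frame | None:
        key = (f.src_ip, f.sport, f.dport)
        if f.proto == "udp":
            self.udp_received.append(f.payload)
        elif f.flags == "SYN":
            self.half_open.add(key)
            return Frame("srv", SERVER_IP, f.src_ip, "tcp", f.dport, f.sport, "SYN-ACK")
        elif f.flags == "ACK" and key in self.half_open:
            self.half_open.discard(key)
            self.established.add(key)
        elif f.flags == "RST":
            self.half_open.discard(key)
            self.established.discard(key)
        return None


class Victim:
    """Legitimate supplicant; it opened no TCP connections of its own here."""
    def __init__(self, personal_firewall: bool):
        self.personal_firewall = personal_firewall

    def receive(self, f: Frame) -> Frame | None:
        if f.proto != "tcp" or f.flags != "SYN-ACK" or self.personal_firewall:
            return None  # a personal firewall drops the unsolicited SYN-ACK silently
        # a normal stack resets a reply to a connection it never opened
        return Frame(VICTIM_MAC, VICTIM_IP, f.src_ip, "tcp", f.dport, f.sport, "RST")


class Attacker:
    """Clones the victim's addresses and answers only its own shadow flow."""
    SPORT = 40000  # constructed

    def receive(self, f: Frame) -> Frame | None:
        if f.proto == "tcp" and f.flags == "SYN-ACK" and f.dport == self.SPORT:
            return Frame(VICTIM_MAC, VICTIM_IP, f.src_ip, "tcp", self.SPORT, f.sport, "ACK")
        return None  # "drop all inbound not for me"

    def udp(self, payload: str) -> Frame:
        return Frame(VICTIM_MAC, VICTIM_IP, SERVER_IP, "udp", self.SPORT, 53, payload=payload)

    def syn(self) -> Frame:
        return Frame(VICTIM_MAC, VICTIM_IP, SERVER_IP, "tcp", self.SPORT, 80, "SYN")


class Switch:
    """802.1X authenticator: authenticates once, then matches MAC/IP only."""
    def __init__(self, server: Server, segment: list):
        self.server, self.segment = server, segment  # hosts sharing the port
        self.authenticated, self.dropped = None, 0

    def authenticate(self, mac: str, ip: str, credentials_ok: bool) -> None:
        if credentials_ok:  # the EAP/RADIUS exchange is abstracted away
            self.authenticated = (mac, ip)

    def inbound(self, f: Frame) -> None:
        if self.authenticated != (f.src_mac, f.src_ip):
            self.dropped += 1  # port closed, or identity mismatch
            return
        reply = self.server.receive(f)
        if reply is None:
            return
        for host in self.segment:  # shared medium: every host sees the reply
            response = host.receive(reply)
            if response is not None:
                self.inbound(response)


def run_attack(victim_has_firewall: bool) -> dict:
    """Port closed, victim authenticates, attacker sends UDP and then a TCP SYN."""
    server, attacker = Server(), Attacker()
    switch = Switch(server, segment=[Victim(victim_has_firewall), attacker])
    switch.inbound(attacker.udp("probe"))  # before authentication: dropped
    switch.authenticate(VICTIM_MAC, VICTIM_IP, credentials_ok=True)
    switch.inbound(attacker.udp("hello via shadow"))
    switch.inbound(attacker.syn())
    return {"dropped_before_auth": switch.dropped,
            "udp_delivered": "hello via shadow" in server.udp_received,
            "tcp_established": (VICTIM_IP, Attacker.SPORT, 80) in server.established}
```

`run_attack(False)` reports UDP delivered but the TCP handshake torn down by the victim's RST; `run_attack(True)` reports the handshake completing. Nothing in the switch model changes between the two runs, which is the slide's point: once the port is open the authenticator has no further information to act on.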

Solutions
- Despite what the networking vendors claim, 802.1X is inappropriate for preventing rogue access to the network.
- Good security mechanisms never assume that computers are playing nicely. 802.1X makes this incorrect assumption; IPsec does not.
- If you're worried about bad guys flooding your network, then 802.1X + IPsec is the way to go.

- Trusted users disclosing high-value data
- Compromise of trusted credentials
- Untrusted computers compromising other untrusted computers
- Loss of physical security of trusted computers
- Lack of compliance mechanisms for trusted computers

Preparing for Network Access Protection (NAP)
- Deploy domain isolation to become familiar with IPsec concepts.
- NAP will provide a richer enforcement mechanism, while adding to server and domain isolation.
- Plan and model to add health authentication and the other compliance enforcement mechanisms that Network Access Protection provides.
- More guidance available during the Longhorn beta.

The future of IPsec
Windows Server 2003 and Windows XP:
- Isolation by domain or server: authentication of the machine, but no health check.
- Windows Firewall integration: authenticated bypass capability.
- Overhead offload: 10/100 Mb NICs, lower CPU.
"Longhorn" and beyond:
- Extensible isolation: user and machine credentials; health certificates.
- Firewall integration: Windows Filtering Platform.
- Improved administration: one-size-fits-all policy.
- Extensible performance: Gig-E offload for lower CPU.

Protecting networks with NAP

A connected world
Diagram: an intranet with infrastructure servers behind a perimeter, a remote access gateway for remote employees, web and extranet servers for customers, all reached across the Internet.
- Interconnected networks
- Distributed data
- Mobile workers
- Business extranets
- Remote access
- Web services
- Wireless
- Mobile smart devices

NAP architecture overview
Client side:
- System Health Agents (SHA), from Microsoft and third parties: the health agents check the client state.
- Quarantine Agent (QA, the NAP Agent): coordinates the SHAs and the enforcement client.
- Enforcement Client (EC): the method of enforcement (DHCP, IPsec, 802.1X, VPN).
Network side:
- Network access devices and servers: receive the network access requests.
- Microsoft Network Policy Server: the Quarantine Server (QS) coordinates the System Health Validators (SHV), and each SHV validates client health.
- System Health Servers: provide the client compliance policies and the health policy updates.
- Remediation Servers: serve up patches, AV signatures, etc.
The client sends health statements along with its network access requests and, once compliant, receives a health certificate.

Network Access Protection enforcement methods
- Internet Protocol security (IPsec)-protected communications
- IEEE 802.1X-authenticated network connections
- Remote access virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) configuration

Protection with NAP
Flow between the client, an 802.1x switch, the Microsoft NPS, the system health servers and the remediation servers:
1. Client to switch: "May I have access? Here's my current health status."
2. Switch to NPS: "Should this client be restricted based on its health?" (The system health servers send ongoing policy updates to the Network Policy Server.)
3. NPS: "According to policy, the client is not up to date. Quarantine client, request it to update." To the client: "You are given restricted access until fix-up."
4. Client to the remediation servers, from the restricted network: "Can I have updates?" Remediation servers: "Here you go."
5. Client: "Requesting access. Here's my new health status."
6. NPS: "According to policy, the client is up to date. Grant access." The client is granted access to the full intranet.
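The exchange above, carried through in code as an added example (not code from the presentation): a statement of health produced by the client's health agents, validated by an SHV against the health policy, with remediation from the restricted network and a re-evaluation. The requirement names, the patch identifiers KB-A/KB-B/KB-C and the remediation server's inventory are constructed.

```python
"""Added example (not from the presentation): the NAP decision loop from
the slide, modelled end to end.  The client's SHAs produce a statement of
health, the NPS-side SHV checks it against policy, a non-compliant client
is placed on the restricted network, fetches fixes from a remediation
server and is re-evaluated.  Thresholds, patch names and the remediation
inventory are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class StatementOfHealth:
    """What the client's health agents report (constructed attributes)."""
    firewall_enabled: bool
    av_signature_age_days: int
    installed_patches: frozenset[str]


@dataclass(frozen=True)
class HealthPolicy:
    """What the system health servers push to the NPS (constructed values)."""
    require_firewall: bool = True
    max_signature_age_days: int = 7
    required_patches: frozenset[str] = frozenset({"KB-A", "KB-B"})


def validate(soh: StatementOfHealth, policy: HealthPolicy) -> list[str]:
    """System Health Validator: the failed requirements (empty list = compliant)."""
    failures = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall disabled")
    if soh.av_signature_age_days > policy.max_signature_age_days:
        failures.append(f"AV signatures {soh.av_signature_age_days} days old")
    for kb in sorted(policy.required_patches - soh.installed_patches):
        failures.append(f"missing patch {kb}")
    return failures


@dataclass
class RemediationServer:
    """Reachable from the restricted network; can only hand out what it stocks."""
    patches_available: frozenset[str] = frozenset({"KB-A", "KB-B"})
    signature_age_days: int = 0

    def remediate(self, soh: StatementOfHealth, failures: list[str]) -> StatementOfHealth:
        fixed = soh
        if "firewall disabled" in failures:
            fixed = replace(fixed, firewall_enabled=True)  # the SHA turns the firewall back on
        if any(f.startswith("AV signatures") for f in failures):
            fixed = replace(fixed, av_signature_age_days=self.signature_age_days)
        wanted = {f.split()[-1] for f in failures if f.startswith("missing patch")}
        obtained = wanted & self.patches_available  # anything not stocked stays missing
        return replace(fixed, installed_patches=fixed.installed_patches | obtained)


def nap_decision(soh: StatementOfHealth, policy: HealthPolicy,
                 remediation: RemediationServer, max_rounds: int = 2) -> tuple[str, int, list[str]]:
    """Enforcement logic: returns (access, rounds_used, remaining_failures).

    Each round is one "May I have access?" request; between rounds the client
    sits on the restricted network and talks only to the remediation server.
    """
    for rounds in range(1, max_rounds + 1):
        failures = validate(soh, policy)
        if not failures:
            return "full", rounds, []
        soh = remediation.remediate(soh, failures)  # quarantine, then fix-up
    return "restricted", max_rounds, validate(soh, policy)


if __name__ == "__main__":
    policy, fixer = HealthPolicy(), RemediationServer()
    healthy = StatementOfHealth(True, 1, frozenset({"KB-A", "KB-B"}))
    stale = StatementOfHealth(False, 30, frozenset({"KB-A"}))
    print("healthy client:", nap_decision(healthy, policy, fixer))
    print("stale client:  ", nap_decision(stale, policy, fixer))
    strict = HealthPolicy(required_patches=frozenset({"KB-A", "KB-B", "KB-C"}))
    print("unfixable:     ", nap_decision(healthy, strict, fixer))
```

The third case is the one to keep in mind when operating this: a requirement the remediation server cannot satisfy leaves the client on the restricted network for good, so the remediation inventory has to be maintained together with the policy. The statement of health is also produced by software on the client, so NAP enforces the compliance of cooperating hosts; it is not a defence against a host that lies about its state.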

NAP components
Diagram: a NAP client with limited access sits on the restricted network; the DHCP server, VPN server, IEEE 802.1X devices and Health Certificate Server (HCS) act as enforcement points; the Network Policy Server (NPS), Active Directory and the policy servers sit on the intranet; the remediation servers are reachable from the restricted network; a perimeter network faces the Internet.

Interaction of the NAP components
- NAP client to DHCP server: DHCP messages.
- NAP client to HCS: Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) messages.
- DHCP server and HCS to NPS: Remote Authentication Dial-In User Service (RADIUS) messages.
- Remediation server to NAP client: system health updates.

Interaction of the NAP components (2)
- NAP client to VPN server: Protected Extensible Authentication Protocol (PEAP) messages over the Point-to-Point Protocol (PPP).
- NAP client to IEEE 802.1X devices: PEAP messages over EAP over LAN (EAPOL).
- VPN server and IEEE 802.1X devices to NPS: RADIUS messages.
- NPS to policy server: system health requirement queries.

NAP client architecture components
- System Health Agent (SHA)
- NAP Agent
- NAP Enforcement Client (EC): IPsec NAP EC, EAPHost NAP EC, VPN NAP EC, DHCP NAP EC

QUESTIONS?