SVR402: DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Post on 12-Nov-2014
DirectAccess Technical Drilldown Part 2: Putting it all together
John Craddock
Infrastructure & Security Architect
XTSeminars Ltd
Session Code: SVR402
Part 1: Internet to Intranet
(Diagram: Internet-side components 6to4 relay, 6to4 host/router, IPHTTPS host and IPHTTPS server, Teredo host, Teredo server & relay, with NAT devices between the Internet and the corporate intranet.)
Part 1: IPv6/IPv4 Intranet
(Diagram: IPv4-only, IPv6-only and IPv6/IPv4 segments of the intranet joined by an ISATAP router, with NAT-PT or NAT64 bridging to native IPv6.)
What’s Left?
(Diagram: corporate intranet and Internet)
Tunnelling technologies for the Internet and Intranet to support IPv6 over IPv4
Internet tunnelling selection based on client location – Internet, NAT, firewall
Encryption/authentication of Internet traffic (end-to-edge/end-to-end): PKI required
Client location detection: Internet or corporate intranet
Don’t Give Up Now
Part 1: IPv6 intro, transition technologies, end-to-end connectivity
Part 2: IPsec, configuring DirectAccess, network location and name resolution policies, it all works – just like that!
Demo Environment
(Diagram: corporate intranet and Internet with hosts DC1, APP1, NAT1, DA1 and EX1 plus three WIN7 clients; roles shown: DC, DNS, CA; IIS for CRL distribution; DNS.)
All servers Windows 2008 R2
Securing the Tunnel
DirectAccess uses IPsec to secure network traffic
Traffic over the Internet is encrypted and authenticated
Access via IPHTTPS is double encrypted: encrypted IPv6 within HTTPS
(Diagram: corporate intranet and Internet)
IPsec to the Rescue
IPsec is managed through Windows Firewall with Advanced Security
Best deployed through group policy
Connection rules create:
IPsec tunnels (authenticated and encrypted)
Authenticated connections (computer and user authentication)
Inbound / outbound rules set requirements for encryption
Traffic Profile
Rules are based on a traffic profile
Connection Security Rule: authenticate all TCP traffic between A & B on ports W & X
Inbound/Outbound Rule: encrypt authenticated TCP traffic between A & B on ports W & X
Traffic profile: <Protocol> <source IP> <destination IP> <source port> <destination port>
IPsec Primer
Main Mode Association (AuthIP):
Create shared secret between hosts using Diffie-Hellman
Authenticate over the secure channel: Kerberos / certificates, computer and/or user authentication
Main mode security association key life configurable, default 8 hours
Quick Mode Association (AuthIP):
Establish IPsec session keys and create the IPsec Security Association for the session
Key life configurable, default 1 hour / 100 MB; drops after 3 minutes of inactivity
Data Exchange (IPsec SA):
Integrity, or integrity + encryption
Authentication Header (AH), protocol ID 51: [IP header][AH][IP payload]
Signed, ignoring the ICV field and fields that change in transit
AH contains: protocol ID of payload (TCP/UDP/ICMP…); sequence number – prevents replay; Security Parameters Index – identifies the IPsec SA; Integrity Check Value (ICV) calculated with SHA1 or MD5
Encapsulating Security Payload (ESP), protocol ID 50: [IP header][ESP header][IP payload][ESP trailer], payload encrypted and signed
ESP headers contain: protocol ID of payload (TCP/UDP/ICMP…); sequence number – prevents replay; Security Parameters Index – identifies the IPsec SA; Integrity Check Value (ICV)
When you just want integrity through NAT use ESP-Null
Negotiated Security Options
Do not authenticate
Request inbound and outbound: a host responds to both IPsec and unauthenticated (non-IPsec) requests; it initiates communications with IPsec, and if that fails, falls back to unauthenticated communications
Require inbound and request outbound: a host responds to inbound traffic secured by IPsec, and ignores unauthenticated requests; it initiates communications with IPsec, and if that fails, falls back to unauthenticated communications
Require inbound and require outbound: a host requires IPsec-secured communications for both inbound and outgoing requests
Require inbound and clear outbound
(Diagram: IPsec tunnel providing integrity / encryption / authentication between the Internet host and the gateway, then onward to the intranet)
IPsec Tunnel
End points can be a single host or act as a gateway
The gateway acts as the end-point for integrity, encryption and authentication
Traffic on the intranet is not protected by IPsec
IPsec gateway includes IPsec DoS Prevention
Reduces DoS attacks from the key management protocols IKE & AuthIP
IPsec Access Options
(Diagram: client on the Internet, integrity / encryption / authentication to the DA gateway, then intranet servers)
Tunnel 1: machine auth
Tunnel 2: machine & user auth
ESP NULL (transport mode): machine and user auth to intranet server
ESP (transport mode): encryption and authentication to intranet server
Selective authentication onto end-point servers
Client Location
To resolve names on the Internet, the DirectAccess host queries DNS 1 (the DNS address configured in the client IP settings)
To resolve names on the intranet, the DirectAccess host queries DNS 2 (the corp.example.com zone on the corporate intranet)
How Does It Do that?
Name Resolution Policy Table (NRPT) to the rescue
NRPT allows the definition of which DNS servers to query based on the namespace to be resolved
The NRPT can point DNS queries for corp.example.com to the intranet DNS server
All other DNS queries are sent to the DNS server address configured in the client IP settings
NRPT
There is a special entry in the table to direct DNS queries for an internal HTTPS website to the DNS servers configured in the client IP settings
For example: queries for nls.corp.example.com always go to the IP-configured DNS address, and this name is not resolvable on the Internet
(Diagram: DNS 1 is the IP-configured DNS address on the Internet; DNS 2 on the corporate intranet hosts the corp.example.com zone including nls.corp.example.com. With the NRPT, corp.example.com queries go to DNS 2 and all other namespaces query the DNS server configured in the client IP settings; with no NRPT, all queries go to the IP-configured DNS.)
Viewing the NRPT
NRPT Inside/Outside
NRPT enabled by default
If the client can access an internal HTTPS website (https://nls.corp.example.com): considered to be on the intranet, NRPT disabled
No access to the secure website: considered to be on the Internet, NRPT remains enabled
(Diagram: corporate intranet and Internet)
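As an added example (not from the slides or from Microsoft's DirectAccess code), a small Python simulation of the NRPT rules on this and the preceding slide together with the inside/outside probe: the DNS addresses, the Nrpt class and detect_location are constructed for illustration, and a boolean stands in for the HTTPS probe of https://nls.corp.example.com.

```python
# Added example (not from the slides): simulate the DirectAccess NRPT and the
# inside/outside probe. Namespace rules send corp.example.com queries to the
# intranet DNS (DNS 2), the NLS exemption always uses the IP-configured DNS
# (DNS 1), and a reachable NLS site disables the table. Addresses are constructed.
from dataclasses import dataclass

IP_CONFIGURED_DNS = "203.0.113.53"  # DNS 1: from the client's IP settings (constructed)
INTRANET_DNS = "2001:db8:1::53"     # DNS 2: intranet DNS reached via the tunnel (constructed)


@dataclass
class Nrpt:
    rules: dict       # namespace suffix -> DNS server to query for that namespace
    exemptions: set   # names that always use the IP-configured DNS (the NLS URL)
    enabled: bool = True

    def lookup(self, name: str) -> str:
        """Return the DNS server a query for `name` is sent to."""
        if not self.enabled:            # on the intranet the table is switched off
            return IP_CONFIGURED_DNS
        name = name.lower().rstrip(".")
        if name in self.exemptions:     # special entry, e.g. nls.corp.example.com
            return IP_CONFIGURED_DNS
        best = None                     # longest matching namespace suffix wins
        for suffix, server in self.rules.items():
            s = suffix.lower().strip(".")
            if name == s or name.endswith("." + s):
                if best is None or len(s) > len(best[0]):
                    best = (s, server)
        return best[1] if best else IP_CONFIGURED_DNS  # all other namespaces


def detect_location(nrpt: Nrpt, nls_reachable: bool) -> str:
    """Inside/outside probe: HTTPS access to the NLS site means intranet.
    `nls_reachable` stands in for the real HTTPS probe so this runs offline."""
    nrpt.enabled = not nls_reachable
    return "intranet" if nls_reachable else "internet"


def build_demo_table() -> Nrpt:
    """The table from the slides: corp.example.com -> DNS 2, NLS name exempt."""
    return Nrpt(rules={".corp.example.com": INTRANET_DNS},
                exemptions={"nls.corp.example.com"})


if __name__ == "__main__":
    t = build_demo_table()
    for host in ("app1.corp.example.com", "nls.corp.example.com", "www.microsoft.com"):
        print(f"{host:24} -> {t.lookup(host)}")
```

Once the probe reports the intranet, every name, corp.example.com included, goes to the IP-configured DNS, which on the intranet is the internal server anyway.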
Putting it All Together
(Diagram: 6to4 relay, 6to4 host/router, IPHTTPS host and HTTPS server, Teredo host, Teredo server & relay, NAT devices, ISATAP router and DirectAccess server.)
DirectAccess Management Console
Before Running Setup
DNS server requires the isatap entry to be removed from the global query block list
Computer certificates must be issued to computers
Server certificates must be issued to:
DA server, with the external DNS name in the certificate
NLS web server, with the nls URL address in the certificate
CRL distribution should be configured in the certificate
CRL distribution location must be available on both the Internet and intranet
Authentication to Servers
IPsec ESP NULL can be used for authentication to end-point servers
Provides another layer of protection
Can control which servers are available from the DA host
Requires 2008 end-point servers: IPsec does not work over IPv6 for Windows 2003
Two factor authentication can be enabled for end-to-end authentication
Requires 2008 domain functional level
DirectAccess Setup
Configures on the DA server: 6to4 relay, Teredo server and relay, IPHTTPS server, ISATAP
Creates group policy for IPsec rules for: DA server IPsec tunnel; DA client IPsec tunnel; DA clients and servers requiring end-point authentication
DirectAccess Setup (continued)
Creates group policy for client configuration:
Enable and supply addresses for 6to4 relay, Teredo server and relay, IPHTTPS server
Enable and configure NRPT
Enable inside/outside probe
DA server and DA clients must be members of the domain
Windows DirectAccess
The DA server represents a single point of failure
Functionality can be split across multiple servers for performance
For HA, run the DA server as a VM in a Hyper-V cluster (Live Migration available in Windows 2008 R2); this does not guarantee DA service availability
Load balancing option available with UAG
All Done
(Diagram: corporate intranet and Internet)
Tunnelling technologies for the Internet and Intranet to support IPv6 over IPv4
Internet tunnelling selection based on client location – Internet, NAT, firewall
Encryption/authentication of Internet traffic (end-to-edge/end-to-end): PKI required
Client location detection: Internet or corporate intranet
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources
Related Content
Breakout Sessions:
SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
SIA306 Microsoft Forefront Unified Access Gateway: DirectAccess and Beyond
SVR315 IPv6 for the Reluctant: What to Know Before You Turn It Off
Interactive Theater Sessions:
SVR08-IS End-to-End Remote Connectivity with DirectAccess
My Sessions at TechEd
Breakout Sessions:
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Interactive Theater Sessions:
SVR08-IS End-to-End Remote Connectivity with DirectAccess
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.