Inbound/Outbound Filters
Windows Server 2008 offers a variety of inbound and outbound filtering features that you will need to be able to implement for your exam. The old version of Windows Firewall has been upgraded and is now called Windows Firewall with Advanced Security (WFAS).
This new version of WFAS has a number of advanced components that will help with your security needs:
New GUI Interface: An MMC snap-in is available to help configure the advanced firewall.
Bi-directional Filters: Unlike past versions of Windows Firewall, WFAS filters outbound traffic as well as inbound traffic.
Better IPSec Compatibility: WFAS rules and IPSec encryption configurations are integrated into the same single interface.
Enhanced Rules Generation: Using WFAS, you can create firewall rules for Windows Active Directory service accounts and groups. Rules can also match source/destination IP addresses, protocol numbers, source and destination TCP/User Datagram Protocol (UDP) ports, Internet Control Message Protocol (ICMP), IPv6 traffic, and interface, all on the Windows server.
In addition to inbound and outbound filters, WFAS offers advanced rule configuration.
The first concern of any server administrator in using a host-based firewall is “What if it prevents critical server infrastructure applications from functioning?” While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic.
By using the advanced Windows firewall, you can better secure your servers from attack, keep your servers from attacking others, and really nail down what traffic is going in and out of your servers.
Configuring Remote Authentication Dial-In User Service (RADIUS) Server
RADIUS is a protocol used for controlling access to network resources by authenticating, authorizing, and accounting for access, and is referred to as an AAA protocol. RADIUS is the unofficial industry standard for this type of access. It is more common today than ever before, being employed by ISPs, by large corporations that need to manage access to the Internet, and by internal networks that operate across a large variety of access technologies such as modems, DSL, wireless and VPNs. To better understand what RADIUS does, let’s look at each of its required functions as an AAA protocol.
Authentication
The user seeking access sends a request to the NAS. The NAS then creates and sends a RADIUS Access-Request to the RADIUS server, asking it to authorize access. Typically, a user name and password or some other means of establishing identity is requested for this process, which must then be provided by the user seeking access. The request will also contain other means of verification that the NAS collected, such as the physical location of the user and/or the phone number or network address of the user.
Authorization
Upon receipt of the request, the RADIUS server processes the new request for access. Usually, the RADIUS server will have access to a list of accounts or be able to query an external database to cross-reference the provided information on the user. RADIUS will verify the user information and, if configured to do so, other information such as the user’s network address or phone number against the information it has stored. Based on the result of the check, the RADIUS server will respond with one of three responses to the NAS, which is responsible for enforcing the access decision of the RADIUS server:
Access Accept
This result indicates that the user is granted access. The terms of access are based on the information the RADIUS server has on file and are conveyed to the NAS, which allows conditional access based on these terms. A variety of terms could be stipulated, such as time restrictions, bandwidth restrictions, security access control restrictions, and others.
Access Challenge
This requests further verification from the user before access will be granted. These types of verification can include a secondary password, PIN, or token card challenge response.
Access Reject
This indicates that there has been a failure to prove the user’s identity or that their account is inactive or unusable. The user has been completely denied access to all network resources requested.
Accounting
If network access is granted to the user by the NAS based on the authentication and authorization phases, the NAS then sends an Accounting Start request to the RADIUS server to indicate that the user has begun accessing the network. These records contain a variety of information concerning the identity, point of attachment, and unique session ID of the user. Active sessions may have periodic updates sent out, called Interim Accounting records. These records may update the session duration and information on current data usage. When the user exits the network and the access point (AP) is again closed, the NAS will send a final Accounting Stop record to the RADIUS server. This informs it of the final information related to the user’s network access.
NAS devices communicate with the user over a link-layer protocol, PPP for example, and with the RADIUS server using the RADIUS protocol. The RADIUS server authenticates using security schemes such as PAP, CHAP or EAP.
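The Access-Request, Access-Accept/Reject/Challenge and Accounting exchange described above, as an added Python example that is not part of the book: it builds the packets a NAS and a RADIUS server send each other (RFC 2865/2866 framing), hides the User-Password with the shared secret, and shows the NAS-side check that a reply’s Response Authenticator matches the outstanding request. The shared secret, user name and addresses are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"constructed-shared-secret"      # constructed sample NAS/server shared secret
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 11: "Access-Challenge"}

def attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts all three."""
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding for passwords up to 16 bytes: pad with NULs,
    then XOR with MD5(secret + Request Authenticator). XOR is symmetric, so the
    server recovers the padded password by calling this again on the hidden value."""
    padded = password.ljust(16, b"\x00")
    key = hashlib.md5(secret + authenticator).digest()
    return bytes(p ^ k for p, k in zip(padded, key))

def access_request(ident, username, password, nas_ip, secret):
    """The NAS builds code 1 with a random 16-byte Request Authenticator and
    User-Name (1), User-Password (2) and NAS-IP-Address (4) attributes."""
    ra = os.urandom(16)
    attrs = (attr(1, username) + attr(2, hide_password(password, secret, ra))
             + attr(4, nas_ip))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs

def server_reply(request, code, secret, attrs=b""):
    """Accept (2), Reject (3) or Challenge (11): the Response Authenticator is
    MD5(Code + ID + Length + Request Authenticator + attributes + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(request, reply, secret):
    """NAS-side check: the ID must match the outstanding request and the Response
    Authenticator must recompute, otherwise a forged or altered reply is discarded."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def accounting_request(ident, username, status, secret):
    """Accounting-Request (code 4, RFC 2866) with Acct-Status-Type (40):
    1 = Start, 2 = Stop, 3 = Interim-Update. Its Request Authenticator is
    MD5 over the packet with a zeroed authenticator field plus the secret."""
    attrs = attr(1, username) + attr(40, struct.pack("!I", status))
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs
```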
Remember that just because the user is authenticated, it does not give him or her total access to all resources the network has to offer, so the RADIUS server will often check that the user is authorized to use the network service requested. There are a number of specifications that access can be based on once the user is authenticated. These include:
The specific IP address that will be assigned to the user.
The total amount of time that the user is permitted to remain connected.
Limited access or priority-based access to certain resources.
L2TP parameters.
Virtual Local Area Network (VLAN) parameters.
Other Quality of Service (QoS) parameters.
In Windows Server 2003, Internet Authentication Service (IAS) was Microsoft’s implementation of a RADIUS server and proxy. IAS performed centralized connection AAA for many types of network access, including wireless and VPN connections.
For Windows Server 2008, Microsoft has replaced IAS with a new feature called NPS. NPS is the Microsoft implementation of a RADIUS server and proxy in Windows Server 2008, and promises to be even simpler to use than IAS. You will need to know how to set up a RADIUS server using NPS. Begin by installing NPS and setting up your RADIUS server.
1. Open Server Manager and click on Add Roles.
2. Choose Network Policy and Access Services, shown in Figure 8, and review the overview screen (see Figure 9).
3. Select the Network Policy Service role. You may notice that the Network Policy Service is actually the RADIUS server that you are used to seeing as IAS in previous versions of Windows Server.
4. Click Next. You will see a final confirmation screen, as seen in Figure 11.10.
5. Click Install.
6. Once the software has been loaded, click on Network Policy Server under Administrative Tools. You will see that the RADIUS Client and Server tabs are available and can be configured according to your needs by right-clicking on them and selecting Properties.
NPS can be used as a RADIUS proxy to route RADIUS messages between RADIUS clients (access servers) and the RADIUS servers that perform user AAA for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information about forwarded messages in an accounting log.