Perimeter Networks and Remote Access Strategies

25 Aug

Providing secure remote connectivity involves designing access through a perimeter network.
Therefore, design a secure perimeter network and decide which services will reside within it
first. Services to consider deploying within the perimeter network will most likely include various
RADIUS components, VPN servers, publicly accessible application servers, wireless
devices, and supporting network infrastructure devices.
Due to the current security-minded environment, your network undoubtedly contains a firewall
along with one or more supporting infrastructure devices such as switches and routers as
well as application servers such as Web and File Transfer Protocol (FTP) servers that are publicly
accessible. In addition, the network might also have a RADIUS service to authenticate virtual
private network (VPN) connections or partner access to existing extranets, or possibly to
provide secure authentication for a preexisting wireless infrastructure. These network devices
and application servers will comprise the current perimeter network that you inherit or are
currently administering.
As the enterprise administrator, you are responsible for upgrading the current environment to
provide support for:
■ An updated RADIUS solution to provide support for an eventual NAP solution.
■ A remediation network for the NAP solution.
This lesson provides the background to build a remote access solution and help lay the
groundwork for designing a NAP solution.
After this lesson, you will be able to:
■ Understand the technical requirements when designing perimeter networks.
■ Understand which services to provide in a perimeter network.
■ Determine appropriate firewall services to provide for various types of perimeter
networks.
■ Design VPN solutions.
■ Design a RADIUS solution for a small enterprise.
■ Design a RADIUS solution to support branch offices within the same forest.
■ Design a RADIUS solution to support a multi-forest environment.
Estimated lesson time: 45 minutes
Lesson 1: Perimeter Networks and Remote Access Strategies 231
Designing the Perimeter Network
Most perimeter network designs involve one or two firewall devices to protect the edge network.
Traffic from the outside passes through one or more inspection points before it is
allowed into the perimeter network to access services deployed there or into the secure environment.
Typical designs involve a single perimeter device with two or more network interfaces
or two inspection points with two security devices, one inspecting traffic into the
perimeter network from an untrusted external environment and another inspecting traffic as
it enters the secure environment from the perimeter network.
As the enterprise administrator, you must assess the type of traffic you allow into your perimeter
network and what traffic is permitted into the secure network. You need to determine how
and at what layer you inspect this traffic to fulfill your security requirements successfully. You
must assess the services to be deployed in the perimeter network for public accessibility as
well as for a secure remote access solution.
Types of Perimeter Network Architectures
There are many types of perimeter network layouts. The design guides here provide descriptions
for the basic security feature sets included in most designs. Network architectures will
generally include three distinct regions or zones:
■ Border network
■ Perimeter network
■ Internal network
The border network provides the direct connection to the external environment, which is usually
a connection to an ISP, often through a router. The border router can offer some protective
features, such as access lists that drop specific unwanted traffic, for example the Internet
Control Message Protocol (ICMP) echo requests associated with pinging. A perimeter firewall,
along with associated security devices and services, provides the bulk of the protection for the
border network. Other than a switch used to provide connectivity to the perimeter security
services, there are usually no other network application services of significance within this zone.
The perimeter network is a semi-protected area secured by a perimeter firewall and, possibly,
an internal firewall. Services located in this area include Web servers for public access that connect
to internal SQL servers along with many other application servers. Most of the discussion
in this lesson focuses on other services located within this area.
The internal network is the location of the secure environment. It houses the corporate user
and server environment. Some security designs include another firewall service separating the
internal user network from the server farms.
Figure 5-1 displays the typical architecture of the three-zone network environment, using two
firewall services.
Figure 5-1 Perimeter network design employing two firewall devices
If the perimeter firewall is composed of three or more network interfaces, an internal firewall
is more of a logical association with the same physical device providing the services for the
perimeter firewall than of a physical association with its network interfaces. Figure 5-2 displays
an alternative architecture of the network environment employing three or more zones,
using a single physical firewall service dividing up separate logical security domains.
Figure 5-2 Perimeter network design employing a single firewall device
[Figure 5-1 zones, top to bottom: Internet, Border Network, Perimeter Firewall, Perimeter Network, Internal Firewall, Internal Network]
[Figure 5-2 zones, top to bottom: Internet, Border Network, Perimeter Firewall, Perimeter Network, Internal Network]
These logical designs display a basis for targeting services and security features when designing
the perimeter network. As the enterprise administrator, you are responsible for the security
of the services that are deployed in the perimeter network. Consider questions such as:
■ Which services should be deployed in the perimeter network to provide secure VPN
connections?
■ Which supporting services are necessary to provide secure VPN connections?
■ Do internal users require a secured wireless connection?
■ Should the access points for wireless users be deployed as part of the perimeter network
design?
■ If RADIUS is to be used to centralize management of authentication for remote access
and wireless users, which RADIUS components, if any, should be deployed in the perimeter
network?
Securing the Perimeter Network
What is not shown in either design is the type of security services offered by the firewall
devices at the perimeter or the internal location in the two firewall device designs. Knowing
the types of security devices used to secure access into the perimeter network as well as into
the internal environment offers you, the enterprise administrator, a better idea of how services
deployed in the perimeter network can be protected. Different types of security devices provide
varying levels of security. This lesson focuses only on enterprise-class devices. These
devices typically provide one or more of the following:
■ Network Address Translation (NAT)
■ Stateful inspection
■ Circuit-level inspection
■ Proxy services
■ Application-layer firewalls
NAT uses private IP addresses, which have meaning only within your organization. When
traffic is sent out to the Internet, these addresses must be translated to an acceptable public
IP address. NAT was originally devised to overcome the eventual shortage of public IP addresses.
One benefit of using NAT in your firewall design is that your internal addressing structure is
hidden from outside attackers; this is not a major source of security, but it is a significant fact.
A possible detriment of NAT is that certain services have problems when run through it and
require support such as a NAT editor for Point-to-Point Tunneling Protocol (PPTP) tunnels or
NAT Traversal (NAT-T) for IPsec tunnels and Layer 2 Tunneling Protocol (L2TP) tunnels.
Stateful inspection firewalls record every connection that originates on an interface in a state
table. When return traffic for that connection arrives, the state table is consulted to confirm
that the traffic belongs to a connection that originated on that interface.
Circuit-level firewalls provide a more in-depth inspection of traffic than a stateful firewall does.
Circuit-level firewalls maintain session state and enable the use of protocols that require
secondary connections, such as FTP. Circuit-level inspection is usually the way stateful
inspection services are carried out in today’s retail firewalls.
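To make the NAT and state-table behaviour described above concrete, here is an added simulation (not code from the lesson or from any Microsoft product). It models an edge device that rewrites a private source address to a single public address, records the flow in a state table, and admits inbound packets only when they are the return half of a recorded flow; all addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatStatefulFirewall:
    """Hides a private network behind one public address and admits inbound
    traffic only when it matches a connection already in the state table."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # state table: (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.state: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network and record its flow."""
        key = self._find_flow(pkt)
        if key is None:
            key = (pkt.proto, self.next_port)   # allocate a fresh public port
            self.next_port += 1
            self.state[key] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.public_ip, key[1], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Admit a packet from the Internet only if it is the reply to a flow that
        originated inside; otherwise drop it (return None)."""
        entry = self.state.get((pkt.proto, pkt.dst_port))
        if entry is None or pkt.dst_ip != self.public_ip:
            return None                       # no matching flow: unsolicited
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                       # not the peer this flow talks to
        # reverse translation back to the private host that opened the flow
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def _find_flow(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        wanted = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for key, entry in self.state.items():
            if key[0] == pkt.proto and entry == wanted:
                return key
        return None


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Constructed scenario: an internal client opens HTTPS to an Internet host."""
    fw = NatStatefulFirewall("203.0.113.10")
    out = fw.outbound(Packet("tcp", "10.0.0.5", 51000, "198.51.100.20", 443))
    reply = fw.inbound(Packet("tcp", "198.51.100.20", 443, "203.0.113.10", out.src_port))
    # an unrelated Internet host probing the same public port is dropped
    probe = fw.inbound(Packet("tcp", "198.51.100.99", 4444, "203.0.113.10", out.src_port))
    return out, reply, probe


if __name__ == "__main__":
    print(demo())
```

The probe in `demo()` is dropped even though it targets a port that is open in the state table, because the state entry also pins the remote peer; a plain stateless filter that only looked at the destination port would have let it through.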
Proxy servers are intermediaries that provide security by requesting a service on behalf of a client;
the client is not directly connected to the service. The proxy service can inspect all headers
involved in the transaction, providing an extra layer of protection. Frequently requested content
can be cached and reused to reduce bandwidth. Proxy servers can also provide authenticated
requests, NAT, and authentication request forwarding.
The ultimate in protection is an application-layer firewall. Not only are all incoming and
outgoing packet headers inspected and state tables maintained, but the data streams can also be
inspected to provide security against attacks hidden in the data payloads of ordinary Web traffic
such as HTTP, other Web-related request and data packets, and many other application-specific
request and response packets.
MORE INFO Types of firewall services
The information presented here on types of firewall services is just an overview to provide a
basis for discussion on perimeter network design and services deployed within the perimeter
network. There is much additional information about firewall types that you can view at
http://www.microsoft.com/technet/security/guidance/networksecurity/firewall.mspx.
Planning for ISA Server
Protecting the perimeter network has been a primary focus of Microsoft Internet Security and
Acceleration (ISA) Server. ISA Server 2006 is the current version and provides an integrated
edge security gateway for remote access, branch office connectivity, and Internet access
protection. ISA Server figures prominently in any Microsoft solution because it integrates
well with Microsoft remote access services as well as provides secure tunneling for
site-to-site VPNs.
NOTE Forefront Edge Security and Access
ISA Server 2006 is now part of the new Microsoft Forefront Edge Security and Access product line.
The Microsoft Forefront line of products provides a comprehensive set of security products from
the edge of the network starting with Internet Security and Acceleration (ISA) Server all the way to
the desktop, providing firewall services, protection from malware and spyware, network edge security
services, and much more.
A common use of ISA Server in the perimeter network is in a back-to-back design. The perimeter
network is protected by ISA Server operating as a firewall against the outside while providing
filtering and reverse proxying of services offered in the perimeter network. A second
server running ISA Server stationed between the perimeter network and the internal network
acts as an application-layer firewall and proxy server, inspecting and securing all requests as
they move inbound to the internal network. The servers running ISA Server at the perimeter
firewall or at the internal edge can be deployed in a variety of fashions to provide high availability
and load balancing.
Figure 5-3 displays some of the roles that ISA Server can play when deployed in the perimeter
network.
Figure 5-3 ISA Server deployed in a back-to-back design
ISA Server 2004 and ISA Server 2006 support Network Access Quarantine Control as a complementary
service to Microsoft Windows Server 2003. ISA Server 2004 or ISA Server 2006,
when installed on Windows Server 2003 SP1 or later, can use Quarantine Control, which is
provided by the Routing and Remote Access service of Windows Server 2003 and is limited to
providing access control to VPN and remote access clients only. The service requires custom
connection profiles on the clients, along with server-side scripts to check for compliance by
remote access clients. The Quarantine Control service does not at this time have any components
that allow for integration with the newer NAP service and Network Policy Server (NPS)
services in Windows Server 2008 other than NPS providing RADIUS services to VPN clients
using ISA Server as the VPN server.
[Figure 5-3 zones, top to bottom: Internet, Border Network, External ISA Server Firewall, Perimeter Network, Internal ISA Server Firewall, Internal Network]
MORE INFO ISA Server help
A site often helpful with ideas that involve ISA Server is http://www.isaserver.org. This site is well
maintained and well organized and offers a wealth of ideas about design, add-ons, and configuration
in ISA Server.
NOTE ISA Server 2006 and Windows Server 2008
ISA Server 2006, at the time of this writing, is not available for installation on Windows Server 2008
and is available as a 32-bit application server only. Plans for the next version of ISA Server and the
Forefront Security products are tailored for Windows Server 2008 and will be available for 64-bit
platforms.
Third-Party Firewall Products
With the security field growing at an increasing pace, third-party firewall products are
plentiful. Many of these products fit a paradigm similar to ISA Server. Many of the major
firewall product vendors have also included multiple feature sets in their firewall product
offerings. This makes it even more attractive to pair a firewall product from one of these
top-selling vendors with ISA Server. A common scenario is to use a firewall appliance for the
perimeter firewall and an ISA Server cluster for the internal firewall. Many of these
third-party products provide an integrated assortment of security services such as:
■ Stateful firewall services
■ Intrusion prevention services
■ Anti-malware services
■ Application-layer firewall services
At a minimum, the firewall appliance should provide circuit-level services along with an inline
intrusion prevention service module to ensure inspection at the application layer for inbound
requests from the border network. ISA Server or an ISA Server cluster installed as the internal
firewall can provide proxy, packet filtering, circuit-level firewall services, and application-layer
inspection of packets originating from either the border network or the perimeter network for
access to internal hosts or responses returned to internal clients.
Deploying Strategic Services in the Perimeter Network
The perimeter network was originally designed to contain Web services for public use. Over
time, the decision to deploy specific applications and services there has undergone much
change. The perimeter network might contain not only Web services but also many of the following
suggested services:
■ Application servers for extranets
■ VPN servers for remote access
■ Wireless access points to provide public wireless access in your enterprise as well as
wireless local area networks (WLANs) for internal corporate use
■ Terminal Services (TS) Gateway server role
■ Components of RADIUS to provide authentication for wireless access, VPNs, and application
servers
■ Online Certificate Status Protocol (OCSP) servers to provide timely information regarding
the revocation status of a certificate in use
This list is not exhaustive but does describe the more commonly deployed services in the
perimeter network. This lesson focuses on the Microsoft best practices for perimeter network
design and server placement of these services.
Planning Web Services Deployment in the Perimeter Network
Web server services commonly deployed in the perimeter network consist of the following:
■ Web servers for Internet and extranet access
■ FTP servers
■ Publicly accessible Domain Name System (DNS) servers
Web servers offer access over HTTP and HTTPS. Even custom applications built for delivery
through a Web server use the same ports, minimizing the number of ports to be opened up
through the perimeter firewall. This is the strength of using application servers running Internet
Information Services (IIS) 7.0 as the application platform for delivery.
Extranet application servers using Secure Sockets Layer (SSL) connections might require the
services of an OCSP responder, a server that answers requests for the revocation status of a
certificate. This is similar to a lookup on a certificate revocation list, but an OCSP request and
response is less resource intensive and returns more current information. An OCSP responder
can be deployed in the perimeter network because there is usually little concern over its
security: the OCSP responder signs each response, and the party waiting for the response can
check its validity by using the public key of the OCSP responder.
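The reason a signed response can be served from a semi-trusted zone is that its integrity rests on the responder's signature, not on the network path. The following added example (not code from the lesson, and not a real OCSP implementation) shows that property with a deliberately small textbook RSA key pair built from two Mersenne primes: the responder signs a digest of the status fields, the relying party verifies with only the public key, and a response whose status was altered in transit fails verification.

```python
import hashlib
from typing import Dict, Tuple

# Toy RSA parameters (constructed for illustration; far too small for real use).
P = 2 ** 61 - 1            # Mersenne prime
Q = 2 ** 89 - 1            # Mersenne prime
N = P * Q                  # about 150 bits
E = 65537


def _egcd(a: int, b: int) -> Tuple[int, int, int]:
    if b == 0:
        return a, 1, 0
    g, x, y = _egcd(b, a % b)
    return g, y, x - (a // b) * y


def _modinv(a: int, m: int) -> int:
    g, x, _ = _egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


D = _modinv(E, (P - 1) * (Q - 1))   # responder's private exponent
RESPONDER_PUBLIC_KEY = (N, E)       # what every relying party is given


def _digest(serial: str, status: str, produced_at: str) -> int:
    """Digest of the fields a relying party cares about, truncated to 128 bits so it is < N."""
    data = f"{serial}|{status}|{produced_at}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def responder_sign(serial: str, status: str, produced_at: str) -> Dict[str, object]:
    """OCSP responder side: produce a status response signed with the private key."""
    sig = pow(_digest(serial, status, produced_at), D, N)
    return {"serial": serial, "status": status, "produced_at": produced_at, "sig": sig}


def relying_party_verify(resp: Dict[str, object],
                         public_key: Tuple[int, int] = RESPONDER_PUBLIC_KEY) -> bool:
    """Relying party side: check the signature using only the responder's public key."""
    n, e = public_key
    expected = _digest(str(resp["serial"]), str(resp["status"]), str(resp["produced_at"]))
    return pow(int(resp["sig"]), e, n) == expected


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a revoked certificate, and the same response with the
    status flipped to 'good' by someone on the path between responder and client."""
    genuine = responder_sign("1A2B", "revoked", "2008-08-25T12:00:00Z")
    tampered = dict(genuine, status="good")
    return relying_party_verify(genuine), relying_party_verify(tampered)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The relying party never needs the responder's private key or a protected path to it; an attacker who can read or rewrite traffic in the perimeter network can at most deny service, not forge a "good" status. Real OCSP (RFC 2560) signs a DER-encoded structure with a proper padding scheme and includes the responder's certificate, which is what the `cryptography` or Windows CAPI libraries handle for you.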
DNS servers deployed in the perimeter network provide name resolution for publicly accessible
Web services and should be restricted to providing responses only to DNS requests for
those services. A host-based firewall that includes anti-malware services along with the
removal of all unnecessary services is part of the preliminary setup of a secured host in the
perimeter zone.
These Web server services should be deployed at the corporate site and can be duplicated at an
alternate site for site redundancy as part of a disaster recovery plan. Services at the alternate
site should be given the same security considerations.
Planning IPv6 Access for Web Services
Windows Server 2008 provides complete support for all related Web services over IPv6,
although no special consideration is required yet because, for the immediate future, all
Internet-related services still require an IPv4 address for appropriate access. Options for
migrating to IPv6 are already available in Windows Server 2008 for networks employing IPv6
alongside IPv4 for all Web services.
Designing a Remote Access Strategy
In designing remote access, an enterprise administrator must consider all required avenues of
access. The traditional methods of access have given way to various types of VPN connections
and Remote Desktop connections. These two general categories involve many considerations.
This portion of the lesson concentrates on deploying VPN servers and providing access for
Terminal Server clients.
Planning for VPN Remote Access Connections
As the enterprise administrator, you must make decisions concerning the following:
■ Which VPN protocols for remote access are available?
■ Which authentication methods should be supported, considering an eventual NAP
deployment?
■ How should VPN servers deployed for Internet and extranet access be secured?
■ What public key infrastructure (PKI) support is needed for VPN access methods?
■ How should NAP be integrated with VPN enforcement?
Each of these items has its own unique set of requirements and dependencies. A decision for
one can affect the decisions about others. For instance, choosing to use authentication involving
certificates can require a supporting PKI. You must then decide how this choice affects
your deployment of a NAP solution. In addition, you might require multiple encryption or
authentication protocols and services if you are supporting guest access, extranets with partner
firms, and your own remote access clients. Each of these groups of users can have different
requirements.
You might want to enforce a stringent security policy, but other factors always come into play.
These factors, not listed in any order, include:
■ Cost
■ Compatibility with existing operating systems
■ Compatibility with existing application services
■ The inevitable politics involved with enforcing security features on guests and extranets
Designing a VPN Protocol Solution
Deciding which VPN protocols to use for your remote access policies depends upon several
issues such as:
■ Which operating systems your VPN clients use.
■ Which security requirements exist regarding encrypted communications.
■ Which security policies exist to secure communication through your corporate firewall.
■ Which authentication mechanisms are acceptable.
■ Whether a need exists to deploy a PKI to support the VPN infrastructure.
VPN Tunneling Protocols
Windows Server 2008 provides support for three tunneling protocols when configuring remote
access connections:
■ Point-to-Point Tunneling Protocol (PPTP)
■ Layer 2 Tunneling Protocol (L2TP)
■ Secure Socket Tunneling Protocol (SSTP)
Point-to-Point Tunneling Protocol
PPTP still provides a high level of security as a VPN tunneling protocol. Many of the past
arguments concerning vulnerabilities were addressed long ago. Its simplicity of deployment is
one of its greatest assets. It is well supported by Windows 2000 Professional, Windows 2000
Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. PPTP
has garnered broad support from the IT industry as well as from many vendors, who support
its use within their products.
PPTP, when used in a perimeter network, engenders some concerns when a NAT service is
between a PPTP client and a server connection. The NAT service must include a NAT editor
such as the one found in the Routing and Remote Access service of Windows Server 2003 and
Windows Server 2008. Because ISA Server 2004 and ISA Server 2006 both run on Windows
Server 2003 and use the services of the Routing and Remote Access service of Windows Server
2003, a NAT editor is also available for use through ISA Server.
To secure the connections to the VPN server, establish inbound and outbound filters for all
communication to ensure that only VPN traffic is allowed. Table 5-1 displays filters you should
configure to ensure the security of the VPN server.
Table 5-1 PPTP Filters on Firewall for VPN Server Deployed in the Perimeter Network

Filter Direction | Source Port and IP Address | Destination Port and IP Address | Filter Action
---------------- | -------------------------- | ------------------------------- | -------------
Inbound | Greater than TCP 1023 and source IP address (any) of client | TCP 1723 and IP address of perimeter interface of VPN server | Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server
Inbound | IP 47 and source IP address (any) of client | IP 47 and IP address of perimeter interface of VPN server | Defines the PPTP data tunnel from the PPTP client to the PPTP server
Outbound | TCP port 1723 and IP address of perimeter interface | TCP port of client request (any) and IP address of client (any) | Allows PPTP tunnel maintenance traffic from the PPTP server to the PPTP client
Outbound | IP 47 and IP address of perimeter interface | IP 47 and IP address of client (any) | Defines the PPTP data tunnel from the PPTP server to the PPTP client

Layer 2 Tunneling Protocol
L2TP provides a more secure connection than PPTP due to several aspects. L2TP provides the
same user authentication that PPTP provides as well as computer authentication using IPsec
authentication. L2TP with IPsec uses 168-bit triple DES (3DES) encryption for the data and
provides per-packet data origin authentication, proving the identity of the user and providing
data integrity and replay protection while providing a high level of confidentiality.
L2TP has some constraints, however. Every computer must have a computer certificate. The
certificate used by the VPN server and the VPN client computer must come from the same
trusted root certification authority (CA). If both the VPN server and the VPN client computer
are members of a domain, both computers can use autoenrollment to acquire the necessary
computer certificate. If one or both computers are not domain members, an administrator
must request certificates on their behalf, using the CA Web enrollment tool. The administrator
then needs to install the certificate on the computers by using a flash drive or some other
external but secure access method. Computer certificates at the time of this writing cannot be
issued to smart cards for use with L2TP certificate authentication of the tunnel.
NOTE Preshared key vs. a computer certificate
Although you can use a preshared key instead of a computer certificate for L2TP/IPsec computer
authentication, it is considered to be a test lab feature only. This is because using a preshared key
is significantly less secure.
L2TP has an issue as well with firewall services using NAT. L2TP requires NAT Traversal (NAT-T)
to pass through a NAT. This means that an extra UDP port, UDP 4500, must be open on the
firewall. The clients connecting to a VPN server behind a firewall using L2TP must also support
NAT-T. L2TP requires the filters in Table 5-2 for the perimeter firewall’s Internet interface.
Table 5-2 L2TP Filters on Firewall for VPN Server Deployed in the Perimeter Network

Filter Direction | Source Port and IP Address | Destination Port and IP Address | Filter Action
---------------- | -------------------------- | ------------------------------- | -------------
Inbound | Source IP address (any IP address) of client | UDP port 500 and IP address of perimeter interface of VPN server | Allows Internet Key Exchange (IKE) traffic to the VPN server
Inbound | Source IP address (any IP address) of client | UDP port 4500 and IP address of perimeter interface of VPN server | Allows IPsec NAT-T traffic to the VPN server
Inbound | Source IP address (any IP address) of client | IP 50 and IP address of perimeter interface of VPN server | Allows IPsec Encapsulating Security Payload (ESP) traffic to the VPN server
Outbound | UDP port 500 and IP address of perimeter interface of VPN server | IP address (any IP address) of client | Allows IKE traffic from the VPN server
Outbound | UDP port 4500 and IP address of perimeter interface of VPN server | IP address (any IP address) of client | Allows IPsec NAT-T traffic from the VPN server
Outbound | IP 50 and IP address of perimeter interface of VPN server | IP address (any IP address) of client | Allows IPsec ESP traffic from the VPN server

Secure Socket Tunneling Protocol
SSTP is a new VPN tunnel supported by Windows Vista SP1 and Windows Server 2008. It uses
SSL-encrypted HTTP connections for the VPN connection. More specifically, Point-to-Point
Protocol (PPP) sessions are encrypted by SSL and transferred over an HTTP connection. This
makes using SSTP a great benefit because most companies and organizations such as hotels,
Internet cafes, and other Internet hotspots allow TCP port 443 for outbound access. Thus,
changes to the firewall are not a great concern when implementing SSTP and deploying the
VPN server in the perimeter network.
Another advantage is that SSTP is quite secure. An SSL tunnel is formed before any user
credentials are transferred. SSTP also supports the Extensible Authentication Protocol (EAP)
types Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected
Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) for user
authentication as well as the Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP) v2 authentication methods.
There are some drawbacks to using SSTP. It is supported on Windows Vista SP1 as a VPN client
only and on Windows Server 2008 as a VPN client or server. SSTP support will not be
added to Windows XP. In addition, users must trust the root certification authority that issued
the certificate to the VPN server. VPN clients must have the root CA certificate installed as one
of their trusted root CAs to validate this certificate.
Allowing access to a VPN server offering SSTP is fairly simple. More than likely, your firewall
is already set to allow access through TCP port 443 for HTTPS. An additional rule is needed
only to ensure the passage of TCP port 443 from the border network into the perimeter network
to the VPN server perimeter interface.
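The PPTP filters of Table 5-1, the L2TP/IPsec filters of Table 5-2 and the single HTTPS rule that SSTP needs can be expressed as one default-deny rule set and checked against sample packets. The following is an added example, not code from the lesson or from any firewall product: it encodes the three filter sets for a VPN server whose perimeter interface address is the constructed value 203.0.113.5, with the inbound NAT-T rule on UDP 4500 as the lesson text states, and evaluates constructed packets against them, including a PPTP control packet from a source port below 1024 and an RDP attempt against the VPN server, both of which are correctly denied.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "in": border -> perimeter, "out": perimeter -> border
    proto: str                # "tcp", "udp", or an IP protocol number: "47" = GRE, "50" = ESP
    src_ip: str
    src_port: Optional[int]   # None for protocols that carry no port (GRE, ESP)
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Filter:
    direction: str
    proto: str
    src_ip: Optional[str]                 # None = any address
    src_ports: Optional[Tuple[int, int]]  # inclusive range; None = any port (or portless protocol)
    dst_ip: Optional[str]
    dst_ports: Optional[Tuple[int, int]]
    action: str                           # what the filter allows, as in the tables' last column

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and _ip_ok(self.src_ip, p.src_ip) and _ip_ok(self.dst_ip, p.dst_ip)
                and _port_ok(self.src_ports, p.src_port)
                and _port_ok(self.dst_ports, p.dst_port))


def _ip_ok(rule: Optional[str], value: str) -> bool:
    return rule is None or rule == value


def _port_ok(rule: Optional[Tuple[int, int]], value: Optional[int]) -> bool:
    if rule is None:
        return True
    return value is not None and rule[0] <= value <= rule[1]


def vpn_filters(vpn_ip: str) -> List[Filter]:
    """Filters for the VPN server's perimeter interface: Table 5-1, Table 5-2, plus SSTP."""
    return [
        # Table 5-1: PPTP (TCP 1723 control channel, GRE data tunnel)
        Filter("in", "tcp", None, (1024, 65535), vpn_ip, (1723, 1723), "PPTP maintenance, client to server"),
        Filter("in", "47", None, None, vpn_ip, None, "PPTP data tunnel (GRE), client to server"),
        Filter("out", "tcp", vpn_ip, (1723, 1723), None, None, "PPTP maintenance, server to client"),
        Filter("out", "47", vpn_ip, None, None, None, "PPTP data tunnel (GRE), server to client"),
        # Table 5-2: L2TP/IPsec (IKE, NAT-T, ESP)
        Filter("in", "udp", None, None, vpn_ip, (500, 500), "IKE, client to server"),
        Filter("in", "udp", None, None, vpn_ip, (4500, 4500), "IPsec NAT-T, client to server"),
        Filter("in", "50", None, None, vpn_ip, None, "IPsec ESP, client to server"),
        Filter("out", "udp", vpn_ip, (500, 500), None, None, "IKE, server to client"),
        Filter("out", "udp", vpn_ip, (4500, 4500), None, None, "IPsec NAT-T, server to client"),
        Filter("out", "50", vpn_ip, None, None, None, "IPsec ESP, server to client"),
        # SSTP: the one HTTPS rule from border network to the VPN server
        Filter("in", "tcp", None, None, vpn_ip, (443, 443), "SSTP over HTTPS, client to server"),
        Filter("out", "tcp", vpn_ip, (443, 443), None, None, "SSTP over HTTPS, server to client"),
    ]


def evaluate(filters: List[Filter], pkt: Packet) -> Optional[str]:
    """First-match evaluation; None means no filter matched, i.e. default deny."""
    for f in filters:
        if f.matches(pkt):
            return f.action
    return None


VPN_IP = "203.0.113.5"     # constructed: VPN server perimeter interface
CLIENT = "198.51.100.7"    # constructed: a remote access client on the Internet


def demo() -> Dict[str, Optional[str]]:
    fl = vpn_filters(VPN_IP)
    samples = {
        "pptp control":      Packet("in", "tcp", CLIENT, 50123, VPN_IP, 1723),
        "pptp low src port": Packet("in", "tcp", CLIENT, 80, VPN_IP, 1723),      # denied: src <= 1023
        "pptp gre data":     Packet("in", "47", CLIENT, None, VPN_IP, None),
        "ike":               Packet("in", "udp", CLIENT, 500, VPN_IP, 500),
        "nat-t":             Packet("in", "udp", CLIENT, 4500, VPN_IP, 4500),
        "esp":               Packet("in", "50", CLIENT, None, VPN_IP, None),
        "sstp":              Packet("in", "tcp", CLIENT, 50124, VPN_IP, 443),
        "rdp to vpn server": Packet("in", "tcp", CLIENT, 50125, VPN_IP, 3389),   # denied: no rule
        "esp reply out":     Packet("out", "50", VPN_IP, None, CLIENT, None),
    }
    return {name: evaluate(fl, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20s} -> {action or 'DENY'}")
```

Because the rule set is scoped to the VPN server's own address, traffic to any other perimeter host falls through to the default deny; Web and DNS servers in the perimeter need their own, separately justified rules rather than a widening of these.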
Authentication Protocols
Windows Server 2008 provides support for quite a few authentication protocols. The list now
includes:
■ PAP
■ MS-CHAP
■ MS-CHAP v2
■ PEAP-MSCHAP v2/EAP-MSCHAP v2
■ EAP-TLS
■ PEAP-TLS
