
Mendel University of Agriculture and Forestry in Brno
Faculty of Business and Economics

Design of the hotel Savannah computer network using IPsec protocol
Bachelor thesis

Josef Málek
Thesis supervisor: Ing. Martin Pokorný Ph.D.

Znojmo 2009
I would like to hereby thank my thesis supervisor Ing. Martin Pokorný Ph.D.
for all the assistance, guidance, valuable advice and comments during the writing of
this bachelor thesis.
I declare that I have written this thesis independently, using the materials presented
in the bibliography.

Znojmo, 20 May 2009



Abstract
Málek, J., Design of the hotel Savannah computer network using the IPsec protocol
(Czech title: Návrh počítačové sítě hotelu Savannah s využitím protokolu IPsec),
Bachelor thesis. Znojmo, 2009
This bachelor thesis describes the design of the hotel Savannah network, its security
and the creation of a secure VPN connection using the IPsec protocol and Microsoft's
NAP technology.

Keywords
IPsec, NAP, Domain isolation, VPN, Windows Server 2008

Abstract
Málek, J., Design of the hotel Savannah computer network using IPsec protocol,
Bachelor thesis. Znojmo, 2009
This bachelor thesis describes the computer network design of hotel Savannah,
its security and the creation of a secure VPN connection using the IPsec protocol
and Microsoft NAP technology.

Keywords
IPsec, NAP, Domain isolation, VPN, Windows Server 2008
Contents
1 Introduction, thesis objectives
1.1 Introduction
1.2 Thesis objectives

2 Present state analysis
2.1 Company
2.2 Technology
Virtual LANs
Wi–Fi
Servers
Network
Workstations
Analysis summary

3 Utilized technology
3.1 Active Directory
3.2 Group policy object (GPO)
3.3 Windows Firewall
3.4 Network Access Protection
Aspects of NAP
Scenarios for NAP
Components of NAP
How IPsec Enforcement Works
3.5 Domain isolation
Components of Domain Isolation
Communication Processes
Communication with an isolated host initiated by another isolated host
Communication with a non-isolated host initiated by an isolated host
Communication with an isolated host initiated by a non-isolated host
3.6 IPsec protocol
IPsec Modes
AH
ESP
IKE
3.7 Kerberos

4 Implementation
4.1 Antivirus
4.2 Removable media access control
4.3 Network Access Protection
Methodology
Creating Active Directory groups
Configuration of Enterprise Root CA on SVN-DC1
Creating a certificate for NAP exceptions group
Publishing and Distributing the Certificate
Installation of the NPS server – certificate
Installation of the NPS server – roles
Installation of subordinate certification authority
Changing permission for Health Registration Authority (HRA)
Configuration of the HRA to issue Health Certificates
NAP IPsec Enforcement Policy configuration
Windows Security Health Validator configuration
NAP client configuration in Group Policy
Windows Firewall policies configuration
NAP settings verification
4.4 Domain Isolation
Introduction
4.5 VPN
Introduction
Implementation

5 Conclusions and economical evaluation

6 References

Attachments
A Hotel Savannah's networks topological diagram



1 Introduction, thesis objectives


1.1 Introduction
Before IP Security (IPsec), there was no security mechanism for Internet Protocol (IP)
transmissions carrying data over anonymous, untrusted networks. A number of methods
evolved over the years to address the need for security, but most of them are focused
on the higher layers of the OSI protocol stack, e.g. Secure Sockets Layer (SSL) for
applications such as WWW or FTP. What was really needed was a solution providing
security at the IP layer, so that all higher-layer protocols in TCP/IP could take
advantage of it.
When the decision was made to develop a new version of IP (IPv6), there was an
opportunity to resolve not only the addressing problem of IPv4 but also the security
problem of the IP layer. The new security standards developed for IPv6 included the
IPsec standards, which are compatible with both IPv6 and the older IPv4.
IPsec is not a single protocol but rather a set of services and protocols that
together provide a complete security solution for an IP network. Moreover, it is able
to provide security for the upper layers without those layers knowing that IPsec is
running. This is one of the biggest advantages of IPsec.

1.2 Thesis objectives

The objective of this bachelor thesis is to analyse the current design of the internal
computer network that forms part of hotel Savannah's IT infrastructure, to locate the
weak points in its security and to eliminate them. The existing network is fully
operational, but it does not provide any protection against viruses, hacker attacks or
undesirable user activity. Taking advantage of the new or enhanced features of Microsoft
Windows Server 2008, all of these problems can be addressed: the network security issues
are eliminated by implementing the IPsec protocol in the network, IPsec domain isolation
prevents rogue machines from connecting to the network, Network Access Protection
technology ensures that all connected PCs comply with the computer health policy, and
user activity can be restricted by domain policy.
The company's e-mails containing sensitive information traverse the Internet between
the unit and headquarters; an IPsec tunnel can guarantee secured communication between
the two distant networks.
An integral part of the thesis is also the technological and economic evaluation.

2 Present state analysis


2.1 Company
TRANS WORLD CORPORATION (TWC) is a publicly traded, small-capitalization
company (OTC Bulletin Board: TWOC.OB) that owns and operates casinos in
the Czech Republic along the German and Austrian borders, and manages one casino
near Split, Croatia. TWC's strength lies in the operation of small-to-medium-sized
casinos and hotels. The company emphasizes strong marketing programs, superior
customer service, and solid operational policies and procedures for its properties.
For the casino division, TWC created the brand name American Chance Casinos
(ACC) and currently operates four casinos in the Czech Republic: Ceska Kubice,
Dolni Dvoriste, Znojmo-Hate and Rozvadov. As a complement to its casino gaming
operations, TWC is pursuing a strategy of expansion into the hospitality industry.
TWC's objective is to become one of the premier owner/operators of small to mid-size
hotels in Europe through the development of a division of TWC-branded, four-star
hotel properties. The first of TWC's hotels, the Hotel Savannah, opened in January
2009 adjacent to the Znojmo-Hate casino, located just across the Austrian-Czech
border between Vienna and Znojmo, and offers a new standard of luxury for the region.
Hotel Savannah's goal is to provide the highest level of customer satisfaction in a
sleek and stylish environment. The hotel offers 70 double rooms and 6 luxury suites,
which provide each guest with the highest level of comfort.

2.2 Technology
The hotel has 6 floor levels: a basement with the building's technical facilities and
garage; a ground floor with the main entrance, which leads to the lobby with reception,
restaurant, bar, five conference rooms and the back-office area with offices, kitchen
and laundry; one floor up, a mezzanine with 2 offices and 3 conference rooms; and
then 3 floors of guest rooms. On each of these floors there are 24 guest rooms, divided
according to size and furnishing into 3 groups: comfort, business and apartments.
The main server room is in the basement. On each floor there is a small air-conditioned
server room with a rack for IT equipment and an electricity distribution board, which
is the central termination point for all data wall sockets on the floor, using CAT5E
cabling. Each floor server room has eight CAT5e links and four 50/125 multimode
optical links to the central server room in the basement.
The hotel was built next to the existing casino building, which was built ten years
ago. Because the hotel and the casino are operated by the same company, they share
common facilities, including the connections to the data and telephone providers. The
two buildings are connected by an eight-pair 50/125 optical cable between the casino's
server room and the server room in the hotel's basement, which ensures enough capacity
for current and future needs.

Virtual LANs
From the beginning it was decided to segment the networks at the hotel and casino into
independent LANs, which allows each network to be available throughout both buildings
as required. This solution has many advantages:
• Higher security. The networks are independent and separated according to purpose.
• Higher performance. With smaller networks there are fewer broadcasts.
• Lower cost. VLANs enable multiple networks to be transferred over a single line.
There are 9 computer networks at the hotel and casino, which are divided into
two groups that are routed to the Internet independently.
Table 1: Overview of casino and hotel networks
Group     VLAN ID   Name          IP range
company   1         Admin         10.0.10.0/24
company   100       Casino        192.168.3.0/24
company   200       Hotel         10.0.2.0/24
company   300       Fidelio       10.0.3.0/24
company   400       Infopanels    10.0.4.0/24
public    500       Internet      public IP
public    501       public 1024   10.0.6.0/24
public    502       public 512    10.0.5.0/24
public    503       public 256    10.1.0.0/21

Company networks
The first group contains the networks belonging to the company, i.e. the hotel and
casino networks. These networks are routed by Kerio firewall software running on a
Windows Server 2008 machine (HT–FWL), which is located in the casino. All users in the
network are authenticated on the firewall before the connection to the Internet is
established, and traffic statistics and visited pages are then logged.
This router is also used for inter-VLAN routing at layer 3; the following rules are
applied between the VLANs:
Table 2: Overview of L3 inter-VLAN routing
Source   Destination   Open ports
Casino   Hotel         TCP: 53, 88, 135, 445, 636, 3268, 3269, 1024–65535; UDP: 53, 88, 389
Hotel    Casino        TCP: 53, 88, 135, 445, 636, 3268, 3269, 1024–65535; UDP: 53, 88, 389
Hotel    Fidelio       TCP: 1521, 1522 (Oracle)
Hotel    Infopanels    RDP and VNC

VLAN 1 is for switch administration purposes. Any access to the web console of
the switches can be done from this network only. This is strengthened by password
protection, and together they protect against unauthorized changes to the settings.

VLAN 100 is the casino's internal network; it contains all casino servers, computers
and network devices and should be accessed by casino employees only.
VLAN 200 is the hotel's internal network; it contains all network-connected IT
equipment at the hotel and is to be accessed by hotel employees.
VLAN 300 is for the Micros Fidelio system, which provides the restaurants with an
enterprise information system comprising point-of-sale systems and operational
applications, and also provides information technology for the hotel, including sales
and catering systems, central reservation systems, customer information systems and
revenue management systems. The system consists of the Micros Fidelio server, an
Oracle-based database running on MS Windows Server 2003, and four point-of-sale
systems, two at the casino and two at the hotel.
VLAN 400 is for Infopanels, the information and navigation system inside the hotel.
The system uses 8 small wall-mounted screens (every conference room has its own
display) plus one big 42-inch panel next to the reception desk. The service provider
is an MS Windows Server 2003 based server with SQL Express, broadcasting presentations
about current events to the screens.
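As an added illustration (not part of the thesis), the following Python script encodes Table 1 and Table 2 as data and answers whether HT-FWL's inter-VLAN rules permit a given flow, treating any VLAN pair without a rule as denied; the port numbers 3389 and 5900 for RDP and VNC are assumptions, since the table names only the services.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Company VLANs and their IP ranges, as listed in Table 1.
VLANS: Dict[str, ipaddress.IPv4Network] = {
    "Admin": ipaddress.ip_network("10.0.10.0/24"),
    "Casino": ipaddress.ip_network("192.168.3.0/24"),
    "Hotel": ipaddress.ip_network("10.0.2.0/24"),
    "Fidelio": ipaddress.ip_network("10.0.3.0/24"),
    "Infopanels": ipaddress.ip_network("10.0.4.0/24"),
}

# Ports opened between the Casino and Hotel VLANs (Table 2): DNS, Kerberos,
# RPC endpoint mapper, SMB, LDAPS, Global Catalog and the ephemeral range over
# TCP, plus DNS, Kerberos and LDAP over UDP.
AD_PORTS = "TCP:53,88,135,445,636,3268,3269,1024-65535 UDP:53,88,389"

# Inter-VLAN rules keyed by (source VLAN, destination VLAN), as in Table 2.
# The table names RDP and VNC without port numbers; 3389 and 5900 are assumed.
RULES: Dict[Tuple[str, str], str] = {
    ("Casino", "Hotel"): AD_PORTS,
    ("Hotel", "Casino"): AD_PORTS,
    ("Hotel", "Fidelio"): "TCP:1521,1522",
    ("Hotel", "Infopanels"): "TCP:3389,5900",
}


def parse_ports(spec: str) -> Dict[str, List[Tuple[int, int]]]:
    """Turn 'TCP:53,1024-65535 UDP:53' into {'TCP': [(53, 53), (1024, 65535)], 'UDP': [(53, 53)]}."""
    allowed: Dict[str, List[Tuple[int, int]]] = {}
    for group in spec.split():
        proto, _, ports = group.partition(":")
        ranges: List[Tuple[int, int]] = []
        for item in ports.split(","):
            lo, _, hi = item.partition("-")
            ranges.append((int(lo), int(hi or lo)))
        allowed[proto.upper()] = ranges
    return allowed


def vlan_of(ip: str) -> Optional[str]:
    """Map an address to the company VLAN containing it, or None (e.g. guest networks)."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide whether HT-FWL's inter-VLAN rules permit a new flow to dport."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False          # not a company VLAN: HT-FWL routes nothing for it
    if src == dst:
        return True           # same VLAN: switched at layer 2, router not involved
    spec = RULES.get((src, dst))
    if spec is None:
        return False          # no rule in that direction: implicit deny
    ranges = parse_ports(spec).get(proto.upper(), [])
    return any(lo <= dport <= hi for lo, hi in ranges)


def unrouted_pairs() -> Set[Tuple[str, str]]:
    """Ordered VLAN pairs for which Table 2 opens nothing at all."""
    names = sorted(VLANS)
    return {(s, d) for s in names for d in names if s != d and (s, d) not in RULES}


if __name__ == "__main__":
    # Constructed sample flows, not traffic captured at the hotel.
    checks = [
        ("10.0.2.20", "192.168.3.10", "tcp", 445),   # hotel PC -> casino file share
        ("10.0.2.20", "192.168.3.10", "tcp", 389),   # LDAP over TCP: absent from Table 2
        ("10.0.2.20", "10.0.3.5", "tcp", 1521),      # hotel POS -> Fidelio Oracle
        ("10.0.3.5", "10.0.2.20", "tcp", 1521),      # reverse direction: no rule
        ("10.0.6.5", "10.0.2.10", "tcp", 445),       # guest VLAN 501 -> hotel DC
    ]
    for flow in checks:
        print(flow, "allowed" if is_allowed(*flow) else "denied")
    print("VLAN pairs with no rule:", len(unrouted_pairs()))
```

Running it shows that Table 2 opens LDAP (389) only over UDP and that the Admin VLAN is reachable from no other company VLAN, both directly readable from the tables above.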
Public networks
The second group contains the networks used for the hotel guests' Internet access.
These networks are completely separate from the company networks to enhance
security. They use the same network infrastructure, but are routed to the Internet
by a FreeBSD-based server located in the hotel's basement server room. The FreeBSD
server (SVN–INET) acts as the router, DHCP server and DNS server for the connected
networks. No inter-VLAN routing is enabled. Network summary:
VLAN 500 transfers the Internet connection from the provider's endpoint at the casino
to the server in the hotel's server room.
VLAN 501, with IP network 10.0.6.0/24, has a speed limit of 1024 kb/s and is
available in business class rooms, business centres and apartments.
VLAN 502, with IP network 10.0.5.0/24, has a speed limit of 512 kb/s and is
available in comfort class rooms.
VLAN 503, with IP network 10.1.0.0/21, has a speed limit of 256 kb/s and is
available via Wi–Fi in public areas and at two public PC kiosks at the reception.

Wi–Fi
There are five Wi–Fi access points installed at the hotel: four on the ground floor
covering all public areas and conference rooms, and one AP installed in the mezzanine
covering the conference rooms, all hidden under the ceiling. The access points are
D-Link AirPremier DWL-3200, 802.11 b/g business-class APs with a metal body, 802.3af
PoE and excellent security support. VLAN and multi-SSID support is utilized: the APs
are connected to switch ports in trunk mode carrying the hotel and public Internet
VLANs, thus broadcasting both networks independently under separate SSID names. The
hotel network (VLAN 200) is protected by a WPA2 pre-shared password; the public network
(VLAN 503) is protected by a WEP password, which hotel guests receive upon request.
The rooms are not covered by Wi–Fi signal; there, Internet access is available only
with a cable connection.

Servers
In this thesis I will focus on the hotel's internal network. It interconnects all of the
hotel's IT equipment, such as servers, computers and printers on the ground floor and
mezzanine. There is just one physical server; all of the hotel's servers are virtualized
under the MS Windows Server 2008 hypervisor. This solution makes the best use of the
server hardware investment by consolidating multiple server roles as separate virtual
machines running on a single physical machine.

Figure 2.1. Hotel Savannah’s network (VLAN200)


The server configuration:
• Dell 2950 III
• Processor Quad-Core Xeon E5420 (2.5 GHz, 2x6 MB, 1333 FSB)
• 16 GB RAM, expandable to 64 GB
• 2x 450 GB SAS 15k 3.5” hot-swap disks in a RAID1 array
• 2x 146 GB SAS 15k 3.5” hot-swap disks in a RAID1 array
• DVD-ROM
• Dual gigabit network card
• 2x redundant power supply
In case of a power interruption, the server is connected to an APC UPS 1500i, which
covers the supply until the hotel's backup generator starts. Further expansion of the
server is possible: there is a slot for another processor, slots for a memory upgrade
and also connections for another two SAS hard drives. The server was bought with an OEM
Microsoft Windows Server 2008 x64 Enterprise licence, which covers the host server
installation plus four more virtual systems and includes 25 Windows client access
licences (CALs), which covers all current needs.
Currently three virtual servers are hosted:
• DNS name: CK-DC1
  – IP address: 10.0.2.10
  – OS: MS Windows 2008 x64 server
  – Provides the following services:
      – Domain controller for the Hotel.local domain
      – Domain certification authority
      – DNS server
      – File server
      – Print server
      – WINS server
• DNS name: CK-EX1
  – IP address: 10.0.2.15
  – OS: MS Windows 2008 x64 server
  – Provides e-mail service: Exchange 2007 server installed
• DNS name: Infopanels
  – IP address: 10.0.4.10
  – OS: MS Windows 2003 server
  – Provides the following services:
      – Domain controller for the Infopanels.local domain
      – Domain certification authority
      – DNS server
  – Does not belong to the hotel.local domain and is connected through a separate
    connection.

Network
The network core consists of switches and a router. In the casino, hotel basement,
hotel ground floor and hotel mezzanine the Dell PowerConnect 5448 is used; on the
first, second and third floors, where the guest rooms are, the Dell PowerConnect 2748
is used. Both types are 48-port switches with 4 SFP combo ports, working at layer 2
of the OSI model.
The 2748 is an entry-level switch with a switching capacity of 144 Gbps and a
forwarding rate of 71 Mbps. It supports up to 64 VLANs and is only web manageable.
The 5448 has only 95 Gbps switching capacity; on the other hand, it has built-in
iSCSI optimization and robust security and management features. It supports up to
4096 VLANs, various spanning tree protocols, multiple configuration files, enhanced
port aggregation and is L3 aware.
All inter-VLAN routing for the company networks is provided by HT-FWL. For
performance reasons the server has a separate network card for each VLAN; the
inter-VLAN traffic can be easily configured from the Kerio admin console.

The network provides the following services for users:

• Internet access
The casino firewall is used as the gateway for the Internet connection; currently the
connection speed is 8 Mb/s for download and 4 Mb/s for upload. The casino firewall is
connected by optical cable directly to the provider's point of presence, providing
excellent availability and enough transmission capacity.
• File sharing
Files to be shared between users are located on the domain controller, which acts
as a file server; every user's documents are also redirected by domain policy to
the central server location and shared with other users.
• E-mail service
Microsoft Exchange Server 2007 is installed on one of the virtual servers and
provides e-mail service for all users inside the company, acting as the primary mail
server for the hotel-savannah.com domain. Notebook users and users with Windows
Mobile based communicators can connect to their e-mail from any location using
the HTTPS protocol.
• Print server
There are four network printers, installed and managed centrally. Users can choose
a printer in Active Directory and install it on their own; no limitation on printer
access is set. Colour printing is not required very often; the only colour printer
is in the mezzanine. The HP M5035 has many functions: besides being a standard
printer and fax, it is an excellent copy machine and digital sender, so documents
can be scanned and sent to a given e-mail address in JPG or PDF format.

Table 3: Overview of hotel printers

Location         Reception      Reception     Ground fl. offices   Mezzanine offices
Type             HP M5035       Dell 2330dn   Dell 2330dn          Dell 3115cn
Format           A3             A4            A4                   A4
Colours          no             no            no                   yes
Other functions  scanner, fax   –             –                    scanner, fax
Resolution       1200x1200      600x600       600x600              600x600
Pages per min    35             33            33                   30

Workstations
All workstations were bought in the same configuration:
Dell Optiplex 760
• Processor Intel Core2Duo E7200 (2.5 GHz, 3 MB, 1066 FSB)
• 2 GB RAM
• 160 GB HDD
• DVD-RW
• 22” wide LCD
• MS Vista Business
• MS Office 2007 Basic
Notebook Dell Latitude D830
• Processor Intel Core2Duo T8300 (2.4 GHz, 3 MB, 800 FSB)
• 2 GB RAM
• 160 GB HDD
• DVD-RW
• 15.4” WSVGA TFT display
• MS Vista Business
• MS Office 2007 Small Business
On the ground floor there are three computers at the reception and six computers plus
one notebook in the offices. In the mezzanine there are 2 notebook users, connected via
cable, with access to the hotel Wi–Fi network if needed.

Analysis summary
The network is designed well; segmenting the network according to its purpose helps
to control the traffic between the networks and increases security. The problem
could be that there is no control of users' behaviour at the workstations. Limited users
have user rights only, but the notebook users, the company management, have
administrator-level access. Generally, there is no antivirus installed and no control of
firewall status or of access to removable media and flash discs, which together with the
enabled autorun function is currently the most popular way of spreading computer
viruses. Also, as Windows systems are installed, regular updating is vital to prevent
possible network attacks. Although it is very difficult for unauthorized persons to get
access to the hotel's internal network, since the network connection points are at
controlled places only, the network is not secured against unauthorized connections
from employees' private computers. Some of these problems can be addressed by
enforcing security settings through Active Directory domain policies, others by
implementing Network Access Protection (NAP) technology together with domain
isolation, protecting network communication with IPsec encryption: computers compliant
with the company security policy receive a health certificate, which is used for IPsec
communication with other computers, and computers without IPsec encryption are not
allowed to establish communication within the network.

3 Utilized technology
3.1 Active Directory
Microsoft Windows networks support two directory service models: the workgroup
and the domain. The domain model is characterized by a single directory of enterprise
resources, called Active Directory, that is trusted by all secure systems that belong to
the domain. Those systems can therefore use the security principals (user, group, and
computer accounts) in the directory to secure their resources. Active Directory thus
acts as an identity store, providing a single trusted list of objects in the domain.
(Mackin, 2003)
Active Directory itself is more than just a database. It is a collection of supporting
files, including transaction logs and the system volume, called Sysvol, which contains
logon scripts and group policy information. It is also the set of services that support
and use the database, including the Lightweight Directory Access Protocol (LDAP), the
Kerberos security protocol, replication processes, and the File Replication Service
(FRS). (Mackin, 2003) The database and its services are installed on one or more domain
controllers. A domain controller is a server that has been promoted; once a server has
become a domain controller, it hosts a copy of Active Directory, and changes to the
database on any domain controller are replicated to all domain controllers within the
domain. Active Directory cannot exist without at least one domain, and vice versa. A
domain is the core administrative unit of the Windows Server directory service. An
enterprise may have more than one domain in its Active Directory; in this case the
multiple domains create logical structures called trees when they share contiguous DNS
names.
If domains in an Active Directory do not share a common root domain, they create
multiple trees. This structure is called a forest, and it is the largest structure in an
Active Directory. An Active Directory forest includes all domains within that Active
Directory. A forest may contain multiple domains in multiple trees, or just one domain.
When more than one domain exists, a component of Active Directory called the Global
Catalog becomes important, because it provides information about objects that are
located in other domains in the forest.
Enterprise resources are represented in Active Directory as objects, or records in the
database. Each object has its own attributes that define it. For example, a user object
includes the user name and password; a group object includes the group name and a
list of its members.
Structure is the function of a specific object type called an organizational unit, or
OU. OUs are containers within a domain that allow objects sharing common
administration or configuration to be grouped together, and they also provide important
administrative capabilities, as they provide a point to which group policies can be
linked.

3.2 Group policy object (GPO)

OUs are used to collect objects, computers and users, that are configured similarly.
This configuration can be managed centrally through a feature of Active Directory
called Group Policy. Group Policy allows administrators to specify security settings,
deploy software, and configure operating system and application behaviour from a
central point. GPOs are collections of possible configuration settings, from user logon
rights and privileges to the software that is allowed to run on a system. (Mackin, 2003)
A GPO is linked to a container within Active Directory, typically an OU, but it can also
be a domain or a site, and all the users and computers beneath that container are
affected by the settings contained in the GPO.

3.3 Windows Firewall

Windows Firewall with Advanced Security is a stateful, host-based firewall that
blocks incoming and outgoing connections according to the rules configured by an
administrator. (Microsoft, 2009) Connected computers face the following challenges:
• Mobile workers and devices complicate a network's physical topology, making it
difficult to prevent unauthorized access to trusted network assets.
• Viruses, worms, and denial of service (DoS) attacks are increasing in complexity,
leaving computers more open to malware and other threats.
• Data is a critical asset for almost every employee in most organizations, making
it difficult to limit access to authorized users while still providing ease of access.
Windows Firewall with Advanced Security addresses these challenges through the
following functions:
• Reduces the risk of network security threats.
Windows Firewall with Advanced Security reduces the attack surface of a computer,
providing an additional layer to the defence model. Network Access Protection (NAP)
helps ensure client computers comply with policies that define the required software
and system configurations for computers that connect to the network. The integration
of NAP helps prevent communications between compliant and noncompliant computers.
• Safeguards sensitive data and intellectual property.
Through its integration with IPsec, Windows Firewall with Advanced Security
provides a simple way to enforce authenticated, end-to-end network communications.
It provides scalable access to trusted network resources, enforcing integrity of the
data and, optionally, confidentiality.
• Extends the value of existing investments.
Because Windows Firewall with Advanced Security is a host-based firewall that is
included with Windows Vista as well as Windows Server 2008, and because it is tightly
integrated with Active Directory Domain Services (AD DS) and Group Policy, no
additional hardware or software is required.
Windows Firewall with Advanced Security is an important part of a layered security
model. By providing host-based, two-way network traffic filtering for a computer,
Windows Firewall with Advanced Security blocks unauthorized network traffic flowing
into or out of the local computer.

3.4 Network Access Protection

Network Access Protection (NAP) for Windows Server 2008, Windows Vista, and
Windows XP Service Pack 3 provides components and an application programming
interface (API) that help administrators enforce compliance with health requirement
policies for network access or communication. (Microsoft, 2008) With NAP, network
administrators can create solutions for validating computers that connect to their
networks, provide needed updates or access to needed health update resources, and
limit the access or communication of noncompliant computers. The enforcement
features of NAP can be integrated with software from other vendors or with custom
programs.
NAP is not designed to protect a network from malicious users. It is designed
to help administrators automatically maintain the health of the computers on the
network, which in turn helps maintain the network's overall integrity. For example,
if a computer has all the software and configuration settings that the health policy
requires, the computer is compliant and will be allowed unlimited access to the
network. NAP does not prevent an authorized user with a compliant computer from
uploading a malicious program to the network.

Aspects of NAP
NAP has three important and distinct aspects:
• Health state validation.
When a computer attempts to connect to the network, the computer's health
state is validated against the health requirement policies as defined by the
administrator. Administrators can also define what to do if a computer is not
compliant. Computers that do not comply with health requirement policies can
have their access limited to a restricted network.
• Health policy compliance.
Administrators can help ensure compliance with health requirement policies by
choosing to automatically update noncompliant computers with missing software
updates or configuration changes through management software. In a monitoring-only
environment, computers will have access to the network before they are updated with
the required updates or configuration changes. In a limited-access environment,
noncompliant computers have limited access until the updates and configuration
changes are completed.
• Limited access.
Administrators can protect their networks by limiting the access of noncompliant
computers, as defined by the administrator. Limited network access can be based on a
specific amount of time or on what the noncompliant computer can access.
Administrators can define a restricted network containing health update resources, and
the limited access will last until the noncompliant computer is brought into
compliance. Administrators can also configure exceptions so that computers that are
not compatible with NAP do not have their network access limited.

Scenarios for NAP


NAP helps provide a solution for the following common scenarios:
• Verifying the health state of roaming laptops
Portability and flexibility are two primary advantages of laptops, but these
features also present a health threat. Company laptops frequently leave and
return to the company network. While laptops are away from the company, they
might not receive the most recent software updates or configuration changes.
Laptops might also become infected while they are exposed to unprotected
networks. By using NAP, network administrators can check the health state of
any laptop when it reconnects to the company network.
• Verifying the health state of desktop computers
Although desktop computers do not usually leave the company’s premises, they
still can present a threat to a network. To minimize this threat, administrators
must maintain these computers with the most recent updates and required
software. By using NAP, network administrators can automate health state
checks to verify each desktop computer's compliance with health requirement
policies. When administrators change health requirement policies, computers
can be automatically provisioned with the most recent updates.
Depending on their needs, administrators can configure a solution to address
any or all of these scenarios for their networks.

Components of NAP
NAP is an extensible platform that provides infrastructure components and an API
for adding components that verify and amend a computer's health and enforce various
types of network access or communication. (Microsoft, 2008)
• Components of the NAP infrastructure known as system health agents (SHAs)
and system health validators (SHVs) provide health state tracking and validation.
Windows Vista and Windows XP Service Pack 3 include a Windows Security Health
Validator SHA that monitors the settings of the Windows Security Center. Windows
Server 2008 includes a corresponding Windows Security Health Validator SHV.
Because NAP is designed to be extensible, it can interoperate with any vendor's
software that uses the NAP API.
• Components of the NAP infrastructure known as enforcement clients (ECs) and
enforcement servers (ESs) require health state validation and enforce limited
network access for noncompliant computers for specific types of network access
or communication. Windows Vista, Windows XP Service Pack 3, and Windows
Server 2008 include NAP support for the following types of network access or
communication:
– Internet Protocol security (IPsec) protected traffic
With IPsec enforcement, a computer must be compliant to initiate communications
with other compliant computers. Because IPsec enforcement uses IPsec, the
requirements for protected communication with compliant computers can be defined
per IP address or per TCP/UDP port number. IPsec enforcement confines
communication to compliant computers after they have successfully connected and
obtained a valid IP address configuration. IPsec enforcement is the strongest form
of limited network access or communication in NAP. The components of IPsec
enforcement are a Health Registration Authority (HRA) running Windows Server
2008 and an IPsec Relying Party EC in Windows Vista, Windows XP Service Pack 3,
and Windows Server 2008. The HRA obtains X.509 certificates for NAP clients when
they prove that they are compliant. These health certificates are then used to
authenticate NAP clients when they initiate IPsec protected communications with
other NAP clients. A health certificate only attests that the client was compliant
at the time it was issued; it therefore has a short validity period and must be
renewed, which is what turns a later loss of compliance into a loss of access.
– IEEE 802.1X authenticated network connections
With 802.1X enforcement, a computer must be compliant to obtain unlim-
ited network access through an 802.1X authenticated network connection,
such as to an authenticating Ethernet switch or an IEEE 802.11 wireless
access point (AP). For noncompliant computers, network access is limited
through a restricted access profile placed on the connection by the Eth-
ernet switch or wireless AP. The restricted access profile can specify IP
packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to
the restricted network. 802.1X enforcement enforces health policy require-
ments every time a computer attempts an 802.1X-authenticated network
connection. 802.1X enforcement also actively monitors the health status of
the connected NAP client and applies the restricted access profile to the
connection if the client becomes noncompliant.
The components of 802.1X enforcement are NPS in Windows Server 2008 and the
EAPHost enforcement client (EC) in Windows Vista and Windows Server 2008; the
client's statement of health is carried inside the PEAP authentication exchange.
802.1X enforcement provides strong limited network access for all computers
accessing the network through an 802.1X authenticated connection.
– Remote access VPN connections
With VPN enforcement, a computer must be compliant to obtain unlimited
network access through a remote access VPN connection. For noncompliant
computers, network access is limited through a set of IP packet filters that
are applied to the VPN connection by the VPN server. VPN enforcement
enforces health policy requirements every time a computer attempts to
also actively monitors the health status of the NAP client and applies the
IP packet filters for the restricted network to the VPN connection if the
client becomes noncompliant. The components of VPN enforcement consist
of NPS in Windows Server 2008 and a Remote Access Quarantine EC in
Windows Vista, Windows XP Service Pack 3, and Windows Server 2008.
VPN enforcement provides strong limited network access for all computers
accessing the network through a remote access VPN connection.
– Dynamic Host Configuration Protocol (DHCP) address configurations
With DHCP enforcement, a computer must be compliant to obtain an
unlimited access IPv4 address configuration from a DHCP server. For non-
compliant computers, network access is limited by an IPv4 address configu-
ration that allows access only to the restricted network. DHCP enforcement
enforces health policy requirements every time a DHCP client attempts to
lease or renew an IP address configuration. DHCP enforcement also ac-
tively monitors the health status of the NAP client and renews the IPv4
address configuration for access only to the restricted network if the client
becomes noncompliant. The components of DHCP enforcement consist of
a DHCP ES that is part of the DHCP Server service in Windows Server
2008 and a DHCP Quarantine EC in Windows Vista, Windows Server
2008, and Windows XP Service Pack 3. Because DHCP enforcement relies
on a limited IPv4 address configuration that can be overridden by a user
with administrator level access, it is the weakest form of limited network
access in NAP.
These types of network access or communication are known as NAP enforcement
methods. Network Policy Server (NPS) in Windows Server 2008 acts as a health
policy server for all of these NAP enforcement methods.
• NPS is a Remote Authentication Dial-In User Service (RADIUS) server and
proxy in Windows Server 2008. As a RADIUS server, NPS provides authentica-
tion, authorization, and accounting (AAA) services for various types of network
access. For authentication and authorization, NPS uses Active Directory to ver-
ify user or computer credentials and obtain user or computer account properties
when a computer attempts an 802.1X authenticated connection or a VPN
connection. NPS also acts as a NAP health policy server. Administrators define
system health requirements in the form of health policies on the NPS server.
NPS servers evaluate the health state information provided by NAP clients to
determine compliance and, for noncompliant clients, the set of remediation
actions the NAP client must take to become compliant. The role of NPS as
an AAA server is independent from its role as a NAP health policy server. These
roles can be used separately or combined as needed. For example:
– NPS can be an AAA server on an intranet that has not yet deployed NAP.
– NPS can be a combination of AAA server and NAP health policy server
for 802.1X-authenticated connections on an intranet that has deployed
NAP and 802.1X enforcement.
– NPS can be a NAP health policy server for DHCP configuration on an
intranet that has deployed NAP and DHCP enforcement.
• Remediation servers. Remediation servers consist of servers, services, or other
resources that a noncompliant computer placed on the restricted network can
reach. These resources might perform name resolution or store the most recent
software updates or components needed to make a noncompliant computer meet
system health requirements. For example, a Domain Name System (DNS) server, an
antivirus signature file server, and a software update server could all be
remediation servers. An SHA can communicate with a remediation server directly
or use the facilities of installed client software.

How IPsec Enforcement Works


The following process describes how IPsec enforcement works for a NAP client:
1. The IPsec Relying Party EC component sends its current health state to the
HRA.
2. The HRA sends the NAP client's health state information to the NAP health
policy server.
3. The NAP health policy server evaluates the health state information of the
NAP client, determines whether the NAP client is compliant, and sends the
results to the HRA. If the NAP client is not compliant, the results include
health remediation instructions. The HRA sends the NAP client the health
evaluation results.
4. If the health state is compliant, the HRA obtains a health certificate for the NAP
client. The NAP client can now initiate IPsec protected communication with
other compliant computers using its health certificate for IPsec authentication,
and respond to communications initiated from other compliant computers that
authenticate using their own health certificate.
5. If the health state is not compliant, the HRA does not issue a health certificate.
The NAP client cannot initiate communication with other computers that re-
quire a health certificate for IPsec authentication. However, the NAP client can
initiate communications with remediation servers to correct its health state.
6. The NAP client sends update requests to the appropriate remediation servers.
7. The remediation servers provision the NAP client with the required updates for
compliance with health requirements. The NAP client updates its health state
information.
8. The NAP client sends its updated health state information to the HRA and
the HRA sends the updated health state information to the NAP health policy
server.
9. Assuming that all the required updates were made, the NAP health policy
server determines that the NAP client is compliant and sends that result to the
HRA.
10. The HRA obtains a health certificate for the NAP client. The NAP client can
now initiate IPsec protected communication with other compliant computers.

3.5 Domain isolation

Domain isolation is an enforced network policy that allows domain member computers
to accept incoming communication requests only from computers that can
authenticate themselves with domain credentials. This policy isolates domain
member computers (managed computers) from nondomain computers (unmanaged
computers) and so adds a layer of protection for network traffic. (Microsoft, 2009)
Security technologies such as IEEE 802.1X require a computer to authenticate
itself before sending frames on a network, but 802.1X does not protect the
traffic an authenticated computer sends after it has been granted access to the
network. Secure Sockets Layer (SSL) provides computer authentication and data
confidentiality (encryption), but only for client and server applications that
support SSL. Whereas 802.1X works at the Data Link layer of the OSI model and SSL
at the Application layer, domain isolation works at the Network layer and
therefore protects all IP-based traffic regardless of the application. Domain
isolation provides the following benefits:
• Restricting incoming connections to managed computers.
In Windows, a managed computer is a computer that is a member of an Active
Directory domain. These computers can be managed centrally by configuring
network policies in Group Policy and applying them to all managed computers.
Managed computers use their domain credentials to authenticate communication
attempts with each other. Unmanaged computers (standalone, unknown and guest
computers) do not have domain credentials and therefore cannot authenticate
communication attempts with managed computers.
• Supplementing other security mechanisms designed to prevent unwanted
communications.
Domain isolation supplements the security mechanisms already deployed on the
network. For example, if the domain is isolated and the perimeter firewall is
later compromised, malicious users from the Internet still cannot initiate
communications with the managed computers. It does not, however, restrict what
an already compromised domain member can do to other members; that requires
server isolation or host firewall rules in addition.
• Protecting traffic between managed computers.
Traffic sent between managed computers is cryptographically protected so that
the receiving computer can verify that an authenticated computer sent the
packet and that the packet was not modified in transit. Optionally, the traffic
between managed computers can be encrypted, providing protection from
malicious network users who attempt to capture and interpret network traffic.
To deploy domain isolation, Group Policy settings are configured to require that all
incoming connection requests and the subsequent data be authenticated and protected
with Internet Protocol security (IPsec). IPsec protects traffic from tampering
such as address spoofing, data injection, session hijacking and replay attacks.
Optionally, packets can also be required to be encrypted. Exceptions can be
configured so that specific computers that are not domain members can still
initiate communications with managed computers.

Components of Domain Isolation


• An Active Directory domain. The domain includes domain controllers and the
appropriate trust relationships to establish trust with other domains or the
directory trees of an organization network.
• Member computers. These are computers that have joined the Active Directory
domain and received domain credentials.
• Group Policy settings. These computer and user settings are automatically
downloaded to member computers.
• Active IPsec policy settings. These Group Policy settings determine the domain
isolation behaviour of managed computers.
After the managed computers have downloaded and applied the Group Policy
settings, they have both the IPsec policy for domain isolation and the domain
credentials that allow them to communicate with IPsec protection among themselves
and without protection with unmanaged computers. Unmanaged computers, which have
neither the IPsec policy settings for domain isolation nor domain credentials,
cannot initiate communication with managed computers.

Communication Processes
When domain isolation is implemented, communication between hosts in the net-
work differs depending on which type of host (isolated or non-isolated) initiates
communication and which type of host the initiating host attempts to communicate
with. Possible scenarios are:
• When an isolated host initiates communication with another isolated host.
• When a non-isolated host initiates communication with an isolated host.
• When an isolated host initiates communication with a non-isolated host.
Figure 3.1 shows the types of communication that occur after deployment
of domain isolation.

Figure 3.1. Types of communication of domain isolation

Communication with an isolated host initiated by another isolated host


When an isolated host with both Active Directory credentials and domain isolation
Windows Firewall with Advanced Security policy settings (for example, COMPUTER1
(C1) in figure 3.1) initiates communication with another isolated host
(for example, COMPUTER2 (C2)), the following occurs:
1. The initial communication packet sent by C1, for example, a Transmission Con-
trol Protocol (TCP) Synchronize (SYN) segment matches the IPsec or connec-
tion security rule that specifies that the initiating host must attempt to secure
the traffic with IPsec.
2. C1 uses IPsec to perform mutual authentication with C2 and to negotiate the
use of IPsec protection.
3. Because C2 has domain credentials, the Windows Firewall with Advanced Se-
curity authentication process succeeds. Because C2 has IPsec policy settings
that match those on C1, negotiation of IPsec protection also succeeds.
4. C1 sends the initial communication packet to C2 with IPsec protection.
5. C2 sends the response to the initial communication packet, for example, a TCP
SYN-Acknowledgement (SYN-ACK) segment to C1 with IPsec protection.
6. Subsequent packets sent between C1 and C2 are also protected by IPsec.
Because they are domain members and have the Windows Firewall with Advanced
Security policy settings, isolated hosts authenticate, and protect with IPsec,
the communications they initiate with other isolated hosts.
Communication with a non-isolated host initiated by an isolated host


When an isolated host with both Active Directory credentials and domain isolation
Windows Firewall with Advanced Security policy settings (for example, C1 in the
figure 3.1) initiates communication with a non-isolated host (for example, C3), the
following occurs:
1. The initial communication packet being sent by C1, for example, a TCP SYN
segment matches the IPsec or connection security rule of the policy that specifies
that the initiating host must attempt to secure the traffic with IPsec.
2. C1 attempts to use IPsec to authenticate C3 and to negotiate the use of IPsec
protection.
3. Because C3 does not have domain credentials, the IPsec authentication attempt
fails.
4. Because the rule matched in Step 1 allows unsecured communication with com-
puters that fail the IPsec authentication, C1 sends the initial communication
packet without IPsec protection.
5. C3 sends the response to the initial communication packet sent by C1 without
IPsec protection.
6. C1 and C3 send subsequent packets without IPsec protection.
An isolated host tries to authenticate non-isolated hosts. If it cannot
authenticate a host, it sends packets without IPsec protection, so isolated hosts
can still initiate communications with non-isolated hosts. Because this fallback
is decided by the initiator alone, an attacker on the path who can drop the IPsec
negotiation traffic can make an isolated host fall back to cleartext for the
connections it initiates; where that is unacceptable, the outbound side of the
rule must require rather than request protection.

Communication with an isolated host initiated by a non-isolated host


When a non-isolated host (for example, C3 in the figure 3.1.) initiates communication
with an isolated host (for example, C2), the following occurs:
1. Because C3 does not have IPsec policy settings, it sends its initial communi-
cation packet, for example, a TCP SYN segment without IPsec protection to
C2.
2. On C2, the initial communications packet sent by C3 matches the IPsec or
connection security rule that requires incoming communication attempts to be
protected by IPsec.
3. Because the rule does not allow C2 to accept incoming communication attempts
that are not protected by IPsec, C2 discards the initial communications packet
sent by C3.
4. C2 also discards subsequent incoming communication attempts from C3.
5. C3 fails in its attempt to communicate with C2.

3.6 IPsec protocol


IPsec consists of three major protocols (Snader, 2005):
• AH A protocol that provides data origin authentication, data integrity, and
replay protection.
• ESP A protocol that provides the same services as AH but also offers data
privacy through the use of encryption.
• IKE A protocol that provides the all-important key-management function. The
alternative to IKE is manual keying, which IPsec also supports.
AH and ESP can operate in one of two modes. From an implementation point of
view, these modes determine what the encapsulation will look like. The two modes
are
• Transport mode A method of providing security to the upper-layer protocol of
an IP datagram
• Tunnel mode A method of providing security to an entire IP datagram

IPsec Modes
AH and ESP can operate in either transport mode or tunnel mode, the two modes
differ in how they encapsulate and protect the data. (Snader, 2005) They also differ
in whether they are protecting communications between two hosts or protecting
communications between two networks or between a host and a network.
Transport Mode

Figure 3.2. IPsec transport mode datagram


Transport mode is used between two fixed hosts, that is, when the VPN endpoints
are themselves the final destinations of the traffic; it cannot be used to connect
two networks or a network and a host. In transport mode IPsec protects the
transport-layer data in the datagram, the part after the IP header, so the AH or
ESP header is placed after the IP header. It provides end-to-end security when the
local network cannot be trusted.
Tunnel Mode

Figure 3.3. IPsec tunnel mode datagram


The other mode in which AH and ESP can operate is tunnel mode. It is more
flexible than transport mode but has higher bandwidth requirements, because a
second IP header is added. The typical use of tunnel mode is to connect two
networks, or a host and a network, for example when two distant company sites
need to interconnect their networks securely.
In that case the networks are connected through a tunnel mode VPN between two
network gateways. These gateways handle the encryption, decryption, anti-replay
and authentication functions, which are completely transparent to the hosts on
the two networks.
The name comes from the fact that ESP or AH is applied to a tunnel. The outer
IP header's source and destination addresses are those of the security gateways.
When VPN traffic is delivered to one of the endpoints, where decryption and/or
authentication is applied, the outer IP header, the IPsec header and the IPsec
trailer are removed. This leaves the inner IP datagram, whose IP header carries
the address of the final destination, and the packet is forwarded to that
destination inside the network.
Tunnel mode can also be used instead of transport mode between two fixed hosts.
In that case the source and destination addresses of the inner and outer IP
headers are the same; there is no advantage over transport mode and the extra
header costs bandwidth.

AH
An unprotected IP datagram is subject to arbitrary manipulation by an attacker.
(Snader, 2005) The header is covered by a checksum, but this protects only
against accidental corruption: an attacker can modify any header field undetected
merely by recalculating the checksum. The same applies to the data portion.
Datagrams carrying TCP segments or UDP datagrams have their data covered by
another checksum, but again the data is easily manipulated by an attacker who
needs only modify it and recalculate the checksum.
Some situations require that hosts or networks be able to verify that IP
datagrams come from whom they purport to and that their payloads have not been
tampered with in transit. ESP can provide these services together with
confidentiality through encryption. In some instances, however, confidentiality
is not required, and then it is better to omit the encryption step and use the
AH protocol, which provides endpoint authentication and data integrity without
the overhead of encryption. One practical restriction follows from the design
described below: because AH authenticates the IP source and destination
addresses, it cannot traverse network address translation (NAT); where NAT is on
the path, ESP with UDP encapsulation (NAT traversal) is used instead.
The AH protocol is specified in RFC 2402 (since superseded by RFC 4302, which
keeps the header layout described here) and provides its protection by
calculating a keyed MAC, called an integrity check value (ICV), over parts of the
IP header and the entire payload. The ICV is placed in the AH header, and the
header is added to the IP datagram. The exact placement of the AH header in the
datagram depends on whether it is used in transport or tunnel mode. AH cannot
authenticate the entire IP header, because some of its fields are changed by
intermediate routers. Figure 3.4 shows the fields of the IP header that AH does
and does not authenticate.
Figure 3.4. AH protocol


The shaded fields are mutable, are not covered by the authentication, and are
zeroed before calculating the ICV. In addition, the destination address is specified
as being mutable but predictable, meaning that it can be changed by intermediate
routers but that the final value is known. The destination address is mutable but
predictable when source routing is used. In this case, the predictable value is the
final destination address, which is what the end host will see, so that value is filled
in before the ICV is calculated. AH is an IP protocol and as such has its own IP
protocol number: 51. As we can see, the AH header always immediately follows an
IP header, and the protocol field of that header will contain a 51, indicating that
the datagram is carrying AH protocol data.
The AH Header
As mentioned earlier, its exact placement in an IP datagram depends on whether
transport or tunnel mode is used. The next header field holds the protocol number
of the AH payload. For example, if AH is protecting a TCP segment, the next header
field contains 6, the protocol number assigned to TCP. AH could also be followed
by an ESP header or even another AH header. The payload length field can be
confusing for two reasons. First, despite its name, it is the length of the AH
header, not the length of the payload that AH protects. Second, the length is
expressed as 2 less than the number of 32-bit words in the header. For example,
if the entire header is eight 32-bit words long, the payload length field
contains 6 (with the usual HMAC-MD5-96 or HMAC-SHA-1-96 ICV the header is six
words and the field contains 4). The "minus 2" is an artefact of AH being defined
as an IPv6 extension header: in IPv6, extension header lengths are always
expressed as the total length minus 64 bits, a convention specified in RFC 2460.
The security parameter index (SPI), together with the destination address and the
protocol (AH), identifies the SA to which this AH datagram applies. Values 1
through 255 are reserved for future use and are not currently assigned. The value
0 is reserved for local use and is never transmitted to a peer. Thus the legal
values for the SPI are 256 through 2^32 - 1. The SPI is always assigned by the
destination host, which is why the destination address is needed to identify the
proper SA uniquely.
Figure 3.5. AH header


The sequence number field is a counter that increases by 1 for each AH datagram
a host sends on a particular SA. The first datagram carries sequence number 1
and the counter is never allowed to wrap to 0: a sending host must check that
the sequence number has not wrapped and negotiate a new SA before it does. The
receiving host uses the sequence number to detect replayed datagrams. Checking
on the receiver's part is optional, and the receiver can inform the sender that
it will not check sequence numbers, but the sender is always required to
increment and send the sequence number. If its peer has said that it will not do
sequence number checking, the sender can omit the check for wrapping. The
authentication data field contains the result of the ICV calculation. The field
is always a multiple of 32-bit words (64-bit words for IPv6) and is padded with
arbitrary content if the length of the ICV in bytes is not divisible by 4.
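The following Python script is an added example, not part of the thesis or of any cited source. It builds and verifies a transport mode AH datagram with HMAC-SHA-1-96 and shows the points made above in working code: the mutable IPv4 fields are zeroed before the MAC is computed (so a router decrementing the TTL does not break the ICV, while a changed source address does), the payload length field uses the "minus 2" convention, the SPI range is checked, the ICV field itself is zero in the MAC input, and the receiver keeps a 64-packet anti-replay window that only advances after a valid ICV. The key, the addresses, the payload bytes and the IP identification value are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

AH_PROTOCOL = 51   # value of the IP header's protocol field when AH follows it
IPPROTO_TCP = 6    # AH next header value when AH protects a TCP segment
ICV_LEN = 12       # HMAC-SHA-1-96: the MAC is truncated to 96 bits (RFC 2404)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ip_checksum(hdr: bytes) -> int:
    """One's complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; identification 0x1234 and DF are constructed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields before computing the ICV (RFC 2402 Appendix A):
    TOS, flags/fragment offset, TTL, header checksum. The addresses stay covered
    (no source routing here), which is what lets AH detect address spoofing."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah(spi: int, seq: int, next_header: int, icv: bytes) -> bytes:
    """AH header: next header | payload len | reserved | SPI | sequence | authentication data.
    Payload length = AH header length in 32-bit words minus 2 (4 for HMAC-SHA-1-96)."""
    if not 256 <= spi <= 2**32 - 1:
        raise ValueError("SPI 0 is local-only and 1-255 are reserved")
    icv = icv + b"\x00" * (-len(icv) % 4)             # authentication data padded to 32 bits
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def ah_protect_transport(key: bytes, src: str, dst: str, payload: bytes,
                         spi: int, seq: int, next_header: int = IPPROTO_TCP) -> bytes:
    """Transport mode: IP header | AH | unchanged transport-layer payload."""
    ip_hdr = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(payload), AH_PROTOCOL)
    ah_zeroed = build_ah(spi, seq, next_header, b"\x00" * ICV_LEN)   # ICV field is 0 in the MAC input
    icv = hmac_sha1_96(key, zero_mutable_fields(ip_hdr) + ah_zeroed + payload)
    return ip_hdr + build_ah(spi, seq, next_header, icv) + payload


class AhReceiver:
    """Inbound SA for one SPI: the key plus a 64-packet anti-replay window."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set: sequence number highest-i was already accepted

    def _is_fresh(self, seq: int) -> bool:
        if seq == 0:                                    # the first datagram on an SA is number 1
            return False
        if seq > self.highest:
            return True
        offset = self.highest - seq
        return offset < self.window and not (self.bitmap >> offset) & 1

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def verify(self, datagram: bytes) -> Optional[Tuple[int, bytes]]:
        """Return (next_header, payload) for an authentic and fresh datagram, else None."""
        if len(datagram) < 32 or datagram[9] != AH_PROTOCOL:
            return None
        ip_hdr, rest = datagram[:20], datagram[20:]
        next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
        ah_len = (payload_len + 2) * 4
        ah_hdr, payload = rest[:ah_len], rest[ah_len:]
        if spi != self.spi or not self._is_fresh(seq):    # cheap replay test before the MAC
            return None
        expected = hmac_sha1_96(self.key, zero_mutable_fields(ip_hdr)
                                + ah_hdr[:12] + b"\x00" * (ah_len - 12) + payload)
        if not hmac.compare_digest(ah_hdr[12:12 + ICV_LEN], expected):
            return None
        self._mark(seq)                                   # window advances only after a valid ICV
        return next_header, payload
```

The receiver checks the window before the MAC, as RFC 2402 recommends, so replayed traffic is dropped cheaply, but it only records a sequence number once the ICV has verified; otherwise an attacker could poison the window with forged datagrams carrying high sequence numbers.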

ESP
The Encapsulating Security Payload (ESP) protocol provides the same authentication,
data integrity and anti-replay protection that AH provides and adds the IPsec
confidentiality function; it is specified in RFC 2406 (since superseded by RFC 4303).
In ESP the integrity check is optional and negotiated separately from the cipher,
but encryption-only ESP is known to be insecure and should never be configured;
ESP encryption must always be paired with an integrity algorithm.
The ESP Header
As with AH, the SPI, the destination address and the IPsec protocol uniquely
identify the SA that applies to the packet. Also as with AH, the sequence number
provides the anti-replay function. When the SA is established, the sequence number
is initialised to 0. Before each packet is sent, the sequence number is
incremented by 1 and placed in the ESP header. To ensure that no packet is
accepted more than once, the sequence number is not allowed to wrap to 0: once
the sequence number 2^32 - 1 has been used, a new SA with a new authentication
key is established.
Figure 3.6. ESP header


Block ciphers require that plain text be padded to a multiple of the block size.
Such padding, if needed, is placed immediately after the payload data in the padding
field. In any event, 0 to 255 bytes of padding are added to the payload data. Unless
the encryption algorithm specifies otherwise, the first padding byte must be 0x01,
the second 0x02, and so on. RFC 2406 says that the receiver should inspect the
padding bytes to verify that they have the prescribed values; this check serves to
verify that the decryption was successful. The length of the padding is in the pad
length field. It can take on any value between 0 and 255 inclusive. The pad length
field is always present, even if there is no padding. The next header field indicates
what type of data is in the payload data field. The authentication data field contains
an integrity check value for the ESP packet. The ICV is calculated over the entire
ESP packet except for the authentication data field itself. The ICV must start on a
4-byte boundary and must be a multiple of 32-bit words.
The two most common integrity algorithms are HMAC-MD5-96 and HMAC-SHA-1-96
(RFC 2403 and RFC 2404): a keyed HMAC built on MD5 or SHA-1 whose output is
truncated to its first 96 bits to form the ICV. It is the key, not the hash
function itself, that provides the authentication. An ESP packet can thus be
divided into four parts:
1. The ESP header, which contains the SPI and sequence number fields
2. The payload, which contains the IV and payload data fields
3. The ESP trailer, which contains the padding, pad length, and next header fields
4. The ESP authentication data, which contains the ICV.
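The following Python script is an added example, not code from the thesis or from any cited source. It encapsulates and decapsulates an ESP packet and shows the four parts listed above: the padding bytes 0x01, 0x02, ... sized so that payload, padding and the two trailer bytes fill whole cipher blocks and end on a 4-byte boundary; the pad length and next header fields; the ICV computed over the whole packet except the ICV itself; and the receiver's padding check that detects a wrong key or corrupt decryption. The cipher is ESP_NULL (RFC 2410) so the example runs with the standard library only; the block size of 16 is an assumption so that the padding behaves as a 128-bit block cipher in CBC mode would require. The key, SPI and payload are constructed; replay checking on the receiver, which works exactly as for AH, is left out here.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ESP_PROTOCOL = 50   # IP protocol number of ESP
IPPROTO_UDP = 17
ICV_LEN = 12        # HMAC-SHA-1-96 output (RFC 2404)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_padding(payload_len: int, block_size: int) -> bytes:
    """RFC 2406 padding 0x01, 0x02, ...: payload + padding + pad length + next header must be
    a multiple of the cipher block size, and the trailer must end on a 4-byte boundary."""
    pad_len = (-(payload_len + 2)) % max(block_size, 4)
    return bytes(range(1, pad_len + 1))


class EspSender:
    """Outbound ESP SA. The cipher is ESP_NULL (RFC 2410) so that the example needs only the
    standard library; block_size=16 still pads exactly as a 128-bit block cipher in CBC mode
    would require."""

    def __init__(self, key: bytes, spi: int, block_size: int = 16):
        if not 256 <= spi <= 2**32 - 1:
            raise ValueError("SPI 0 is local-only and 1-255 are reserved")
        self.key, self.spi, self.block_size = key, spi, block_size
        self.seq = 0   # set to 0 when the SA is established; incremented before each packet

    def needs_rekey(self) -> bool:
        return self.seq >= 2**32 - 1   # the counter must never wrap: a new SA and key instead

    def encapsulate(self, payload: bytes, next_header: int) -> bytes:
        if self.needs_rekey():
            raise RuntimeError("sequence number exhausted; negotiate a new SA")
        self.seq += 1
        header = struct.pack("!II", self.spi, self.seq)             # SPI | sequence number
        padding = esp_padding(len(payload), self.block_size)
        body = payload + padding + struct.pack("!BB", len(padding), next_header)
        # With a real cipher, body (payload + trailer) is encrypted here; NULL leaves it as is.
        return header + body + hmac_sha1_96(self.key, header + body)   # ICV covers all but itself


def split_esp(packet: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """The four parts of an ESP packet: header, payload, trailer, authentication data.
    (Readable without decrypting only because the cipher is NULL.)"""
    header, body, auth = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    cut = len(body) - 2 - body[-2]            # payload ends where the padding starts
    return header, body[:cut], body[cut:], auth


def esp_decapsulate(key: bytes, spi: int, packet: bytes) -> Optional[Tuple[int, bytes]]:
    """Verify the ICV, then 'decrypt', then check the trailer. Returns (next header, payload)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    pkt_spi, seq = struct.unpack("!II", header)
    if pkt_spi != spi or seq == 0:
        return None
    if not hmac.compare_digest(icv, hmac_sha1_96(key, header + body)):
        return None                            # forged or modified: rejected before any decryption
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        return None
    cut = len(body) - 2 - pad_len
    if body[cut:-2] != bytes(range(1, pad_len + 1)):
        return None                            # padding check: the "did decryption succeed" test
    return next_header, body[:cut]
```

Verifying the ICV before looking at the padding is the important ordering: a receiver that decrypts and reports padding errors before checking integrity gives an attacker a padding oracle, which is one of the reasons encryption-only ESP is unsafe.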

IKE
The Internet Key Exchange (IKE) protocol is an integral part of IPsec. It handles
the difficult problem of key management by negotiating security associations
between a set of peers. The IKE protocol specification is RFC 2409. (Snader, 2005)
RFC 2409 defines IKE version 1; IKEv2 (RFC 4306 and its successors) later
redesigned the exchange, but the AH and ESP SAs it produces are the same.
ISAKMP and IKE are the mechanism by which IPsec negotiates security associations
and exchanges keying material. Although these SAs can be configured by hand,
manual keying does not scale well and suffers from the security shortcomings
that long-lived keys always have. IKE is a hybrid of three other protocols:
ISAKMP, OAKLEY and SKEME. ISAKMP provides the infrastructure on which a variety
of key exchange protocols can be built; OAKLEY and SKEME contribute exchange
modes and authentication methods to IKE.
ISAKMP works in two phases. In the first phase, an ISAKMP SA is nego-
tiated. The SA provides an encrypted and authenticated channel over which the
second phase negotiates the IPsec SAs that are used by AH and ESP. In addition to
negotiating the SAs and handling the key exchange, IKE authenticates each peer to
the other. This ensures that each node can be sure of the identity of its peer. There
are four ways to do this authentication:
• shared secrets
• digital signatures
• public key encryption of nonces
• revised public key encryption of nonces
If the peers are acting as proxies and negotiating SAs for client hosts, they
can, in Main mode, hide the identity of those hosts. The fundamental method that
ISAKMP and IKE use to establish a secure channel is a Diffie-Hellman exchange:
each peer sends its public value (g^x or g^y) and keeps its private exponent, and
both derive the same shared secret g^xy. This shared secret is combined with a
nonce from each peer and other parameters from the exchange and run through an
HMAC calculation to generate keying material for the cryptographic algorithms.
Each algorithm uses this material in an algorithm-specific manner to generate its
keys. After phase 1 is completed, either peer can initiate a New Group exchange to
negotiate a different Diffie-Hellman group for future SAs. The new group can be
specified either by its identifier (in the case of the predefined groups) or by
the group attributes (for new groups).
Quick mode, the phase 2 exchange mode, can generate keys very quickly by
combining the Diffie-Hellman shared secret from phase 1 with nonces exchanged
in phase 2. This has the advantage of not requiring expensive big-number
exponentiations, but it cannot provide perfect forward secrecy: anyone who later
obtains the phase 1 secret and has recorded the exchange can derive the phase 2
keys. If Key Exchange payloads are included in the Quick mode exchange, perfect
forward secrecy is provided at the cost of the additional Diffie-Hellman
exponentiations.

3.7 Kerberos
Kerberos version 5 is an authentication protocol which provides a mechanism for authentication – and mutual authentication – between a client and a server, or between one server and another server. (Microsoft, 2003)
The Kerberos Key Distribution Center (KDC) uses the domain's Active Directory directory service database as its security account database. Active Directory is required for the default NTLM and Kerberos implementations.
The Kerberos V5 protocol assumes that initial transactions between clients and
servers take place on an open network in which packets transmitted along the net-
work can be monitored and modified, and where an attacker can easily pose as either
a client or a server, and can readily eavesdrop on or tamper with communications
between legitimate clients and servers.
The Kerberos protocol is a widely used, open standard. Microsoft's implementation of the Kerberos V5 protocol adheres to the defined RFC standards, and thus provides interoperability with other implementations.
The Kerberos architecture allows additional or alternate security methods to be specified, i.e. the default shared secret key process can be supplemented with private/public key pairs by using smart cards. Mutual authentication is supported: using the Kerberos protocol, a party at either end of a network connection can verify that the party on the other end is the entity it claims to be. This is one of the advantages over the previous NTLM protocol, which was designed for a network environment in which servers were assumed to be genuine.
4 Implementation
4.1 Antivirus
Viruses and trojan horses represent the biggest threat to the security of the network. Windows Vista is shipped with weak anti-spyware protection called MS Defender, which does not provide enough protection.
The only option is to install a professional anti-virus solution from another software producer. At hotel Savannah it was decided to install the Kaspersky antivirus, which provides the following functions (Kaspersky, 2009):
• Integrated protection from viruses, spyware, hacker attacks and spam
• Proactive protection from even the newest malicious programs
• Personal firewall
• Roll back of any malicious changes made to the system
• Protection from phishing and spam attacks
• Intelligent redistribution of resources during full system scans
and, most importantly, it can be managed centrally from the administration console.
The administration console also enables remote installation of the antivirus package and monitors the antivirus protection. In case of a virus outbreak in the network the network administrator is informed by email.
The product contains its own firewall, but it has to be disabled so that it does not collide with the Windows built-in firewall, which is an important part of the NAP solution.
Updates are downloaded every second hour; critical areas of the computer are scanned daily, together with start-up objects, and all local disks are scanned every 14 days. If a virus is found it is disinfected automatically and a report is sent to the network administrator.

4.2 Removable media access control


Removable media are nowadays the most popular way of spreading viruses, since email clients automatically block any possibly dangerous attachment. Autorun of removable media is enabled in Windows systems by default; if a USB disk is inserted into an infected computer, the virus copies itself onto the disk and modifies the autorun.inf file so that the virus spreads when the disk is inserted into another computer.
If the virus is recent enough, the antivirus might not recognise it, so it is always better to disable autorun. This solution is very easy, but can be surprisingly effective.
Autorun should be disabled in the default domain policy, so that all domain computers are affected by the policy.
Configuration steps:
On Domain controller (SVN–DC1) » Features » Group policy management » Forest name (hotel.local) » Domains » (hotel.local) » Default domain policy » right mouse click » Edit, then in Computer Configuration » Policies » Windows components » Autoplay policies

Figure 4.1. Autoplay settings

4.3 Network Access protection


Implementation of Network Access Protection will ensure that all company computers comply with company policy, which is:
• Firewall enabled
• Antivirus enabled and updated
• Automatic updates enabled and all critical updates installed
There are many ways to enforce a NAP policy. The simplest method is NAP with DHCP enforcement; on the other hand, this is the less secure method, since users can manually configure an IP address on a machine and bypass the policy enforcement. The method I chose to implement is the most secure one – IPsec policy. If the computer settings comply with the policy, it receives a certificate which is used by the IPsec protocol to establish communication with other computers in the network. If it does not comply, it can communicate only with computers which provide the required updates and cannot establish any communication with computers inside the secured network.

Methodology
For a successful implementation an Active Directory domain is needed, with a domain controller running Windows Server 2003 or higher and another Windows Server 2008 based system.
NAP will be implemented in the hotel's network 10.0.2.0/24.
NAP and Domain isolation divide computers into three zones – inside, boundary, outside. In Savannah's scenario all the company's client computers compliant with the health policy are inside the IPsec network.
In the boundary zone are the computers which need to communicate both with computers outside and inside the IPsec network, mostly infrastructure servers, i.e. DNS, DHCP; in our scenario:
• SVN-DC1 – Domain controller, DNS and DHCP server
• SVN–EX1 – Email server
• SVN–SEC – NPS server
Computers which do not comply with the policy are in the outside zone.
Creating Active directory groups


Two groups for distributing NAP rules have to be created:
• NAP clients
• NAP exemptions (boundary computers)
Members of the NAP clients group will be all computers which the health policy should be applied to – all domain computers. Members of NAP exemptions will be computers that do not have to comply with the health policy, but which receive a health certificate to be able to communicate with NAP enabled computers. For example, the NPS server has to be a member of the NAP exemptions group: we do not require antivirus software installed on this server, but it must have the certificate to establish communication and to issue certificates for other computers.
Both groups should have a global group scope and be of the security group type.
Configuration steps:
On SVN–DC1 » Roles » Active directory users and computers » right mouse click on Users » New » Group

Configuration of Enterprise Root CA on SVN-DC1


Every Active Directory domain must have its own certification authority; certificates signed by the domain authority are automatically trusted by all domain computers.
Before installing NAP technology the Enterprise Root CA must be configured to issue certificates automatically upon request, without the administrator's manual approval. This allows certificates to be issued to the NAP exemption group clients whenever any of the computers requests one (autoenrolment). If the administrator had to confirm each issue manually, autoenrolment would not work.
Figure 4.2. Certification authority configuration


Configuration steps:
On SVN–DC1 » Roles » Active directory certificate service » right click on CA
name » Policy Module tab » Properties » Automatically issue the certificate.

Creating a certificate for NAP exceptions group


Now that the group for NAP exemption computers exists, the group has to be linked with a rule that computers inside the group receive the certificate for IPsec communication automatically, without any check against the health policy.
The certificate is exactly the same type as the NAP health certificate, with the same purpose, and it is created by duplicating the workstation certificate template already stored in AD and adding a new extension policy to it – System Health Authentication.
The certificate must be created in advance, then distributed to all NAP exemptions group computers by certificate autoenrolment. Autoenrolment means that when the policy is applied on a computer, the selected certificate is requested, created and installed on the computer automatically.
Configuration steps:
On SVN–DC1 » Roles » Active directory certificate service » Certificate Tem-
plates » right mouse click on Workstation authentication template » Duplicate »
Windows 2003 server certificate » rename to System health certificate » enable to
publish certificate in Active Directory.
Figure 4.3. Health certificate extensions


In the Extensions tab » Application Policies » Add » System Health Authentication. In the Security tab the group Authenticated Users must be removed and instead NAP Exemptions added, with Read, Enroll and Autoenroll permissions.

Publishing and Distributing the Certificate


The certificate must become available through autoenrolment and be published through domain policy. A new domain policy does not have to be created, as autoenrolment is already limited to the NAP Exemptions group, so the change can be made in the Default domain policy, which covers all computers and users in the domain.
Figure 4.4. Autoenrolment settings


Configuration steps:
On SVN–DC1 » Server Manager » Roles » Active directory certificate services » Hotel-Savannah-CA » Certificate Templates » right mouse click » New » Certificate template to issue » template name from previous step (System health certificate) » OK.
On SVN–DC1 » Features » Group policy management » Forest:hotel.local » Domains » hotel.local » Default domain policy » right mouse click » Edit, then in Computer Configuration » Windows Settings » Security Settings » Public Key Policies » Certificate Services Client – Auto-Enrolment » Properties, where Configuration Model must be set to Enabled and the features Renew expired certificates and Update certificates enabled.
After this step, the computers are divided into two groups, added to and linked with the appropriate group in Active Directory. Computers in the NAP exemptions group automatically receive the certificate that enables them to communicate with IPsec enabled computers.
Installation of the NPS server – certificate


The NPS server is the core of the NAP solution. A new server with MS Windows Server 2008 must be installed (SVN-SEC), added to the domain and then also added to the NAP exemptions group through the administration console on the domain controller. Computer names are not searched by default; this must be activated by enabling the Computers item in Object types.
Just by adding the server to AD and the appropriate group, the autoenrolled health certificate is installed and already present in the certificate store.
Now a second certificate needs to be installed, the computer certificate, which is used for client/server authentication. The certificate is issued by SVN-DC1, the domain root authority; it is trusted by all domain computers and enables NAP clients to connect to the Health Registration Authority web server on the NPS server machine (SVN-SEC) with the SSL protocol.

Figure 4.5. Computer certificate request


On SVN–SEC » Management console (mmc command from the command line) » File » Add » Certificates » Computer account. There it can be checked that autoenrollment works correctly; in that case the health certificate is displayed in the Personal certificate store.

Figure 4.6. Computer certificates installed


By right clicking on Certificates » All tasks » Request new certificate, the available certificates are displayed. For computers only two certificates are available: the already installed health certificate and the computer certificate, which needs to be chosen and installed.

Installation of the NPS server – roles


In the next step the required roles must be installed:
• Active Directory Certificate Services
• Network Policy and Access Services
The Network Policy and Access Services (NPS) role contains various technologies for securing the network under Server 2008, including NAP.
Configuration steps:

On SVN–SEC » Server manager » Roles » Add roles

Figure 4.7. Server roles to install

Figure 4.8. NPS role details


In the next step the Network Policy and Access Services components must be chosen:
• Network Policy server
• Health Registration Authority
By choosing the HRA installation the setup also adds web server components (IIS); NAP uses an https connection, hence a computer certificate had to be installed in the previous step.
» Certification authority – Install a local CA to issue health certificates for this HRA server » Authentication requirements – Allow anonymous request for health certificate.
By this step the certificate can be issued to any computer which complies with the health policy, if it takes SVN-SEC as a trusted certification authority.
On the next page, where the certificate for the SSL connection is chosen » Server Authentication Certificate – Choose an existing certificate for SSL encryption » the previously installed SVN-SEC certificate must be chosen.

Installation of subordinate certification authority


The installed certification authority will be Standalone; it is not bound to Active Directory, unlike the Enterprise type, so certificates can be issued to non-domain members and it does not use any data stored in AD. By choosing Subordinate CA a hierarchical public key infrastructure is created – the subordinate CA is responsible for issuing certificates to the clients, while the root CA issues the certificate for the subordinate CA. It also helps to lower network traffic when both roles are installed on the same server, as the CA must issue a new certificate every four hours for every client in the network.
There are many options for the cryptography of the private key; the default is SHA1 with a 2048-bit key, which is secure enough.
Configuration steps:
Role services » the Certification Authority check box must be selected » Standalone » Subordinate CA » Create a new private key

Figure 4.9. Certificate name


» default RSA cryptography » CA Name – must be in the following format: domain-name-CA; in our case it is hotel–SVN–SEC–CA »

Figure 4.10. Parent certification authority


Request certificate from a parent CA – the domain Root CA, in our case hotel–SVN–DC1–CA » Install
After final confirmation of all settings the roles are installed. The Network Policy and Access Services installation ends successfully, but with an installation error that the attempt to configure HRA failed. This is not a serious problem and will be solved in the next steps.
The subordinate CA must be configured the same way as the root authority, to issue certificates automatically without manual administrator confirmation: On the NPS server (SVN-SEC) » Server management » Properties of Certification authority » Policy Module tab » Properties, where Automatically issue the certificate must be chosen. A restart of the service is required upon completion.

Changing permission for Health Registration Authority (HRA)


The HRA must be able to issue certificates on its own for any client which complies with the health policy. By default, the HRA role has no permission to access the locally installed certification authority, so this has to be changed. In the case that both HRA and the subordinate CA are on the same computer, the permission must be given to Network Service; if not, the permission must be given to the HRA server name.

Figure 4.11. NAP server security settings


Configuration steps:
On SVN–SEC » Roles » Active Directory Certificate service » right mouse click on hotel–SVN–SEC–CA » Properties » Security tab » Add » the user Network Service must be added with permission to
• Issue and Manage Certificates,
• Manage CA, and
• Request Certificates

Configuration of the HRA issue Health Certificates

Figure 4.12. Selecting CA Authority


At this point it must be configured which Certification authority will issue the certificates to the HRA server. In previous steps we set up a new subordinate CA on SVN–SEC and set the appropriate access rights; the next step is to associate it with HRA.
Configuration steps:
On SVN–SEC » Server manager » Roles » Network Policy and Access Services » Health Registration Authority » Certification Authority » right mouse click on Certification authority » Add certification authority » a new window pops up – Browse » Subordinate CA (SVN–SEC CA) must be chosen.

NAP IPSec Enforcement Policy configuration


After the previous steps the CA is set up and prepared to issue certificates upon HRA request; now NAP needs to be configured to determine which clients comply with the policy and also what the policy requirements are. The configuration wizard provides all required settings and automatically creates customized NAP policies. One of the NAP functions is auto-remediation. If enabled, the client computer tries to fix the non-compliant settings on its own, without user response. This is limited to Microsoft technologies only, i.e. the built-in firewall and Microsoft Defender.
In the final step the wizard produces 3 types of required policies:
• Health Policies
• Connection Request Policies
• Network Policies
– each both for NAP IPSec with HRA Compliant and NAP IPSec with HRA Noncompliant.
Configuration steps:
On SVN–SEC » Server manager » Roles » Network Policy and Access Services » NPS (local) » Network Access Protection wizard.
During the wizard » IPSec with Health Registration Authority (HRA) » Specify NAP Enforcement Servers running HRA can be omitted as the HRA server is installed locally » NAP health policy definition, where Windows security health validator and Enable auto-remediation should be enabled.

Windows Security Health Validator configuration


The health validator is the main configuration point, where it is defined which requirements a client computer must meet to receive a health certificate.
Figure 4.13. Windows Vista compliance settings


Possible options for Windows Vista are:
• Enabled Firewall
• Installed and running Antivirus Application
• Installed and running Spyware Application
• Enabled automatic updates
• Installed security updates with predefined importance
Configuration steps:
On SVN–SEC » Server manager » Roles » Network Policy and Access Services » NPS (local) » Network access protection » System health validator » Configure
The behaviour of the computers' NAP agents when they are unable to connect to the NAP server is also specified here; by default such clients are treated as noncompliant with the health policy.
NAP client configuration in Group policy


NAP technology is configured on the server and working; now the clients need to be configured. This is done through a defined domain group policy which is automatically distributed to all NAP clients, i.e. the computers in the NAP clients group.
The policy ensures that the services required by NAP are started automatically with Windows, without user interaction.
Security Center monitors the status of the computer's security settings and is a crucial part of the NAP solution. If the service is disabled, the computer is recognised as noncompliant with the policy.
The policy must be created and applied for all client computers in the domain, then limited by policy filtering to the NAP clients group only.
Configuration steps:

Figure 4.14. NAP service automatic start


On SVN–DC1 » Server manager » Features » Group policy management » domain name (hotel.local) » right mouse click » Create a GPO and link it here » NAP GPO
Inside the policy:
• Automatic start of NAP Agent service: Computer Configuration » Policies » Windows Settings » Security Settings » System Services » Network Access Protection Agent » Enable
• Enabled IPSec enforcement: Computer Configuration » Windows Settings » Security Settings » Network Access Protection » NAP Client Configuration » Enforcement Clients » IPSec Relying Party » Enable
• URL for HRA server added: Computer Configuration » Windows Settings » Security Settings » Network Access Protection » NAP Client Configuration » Health Registration Settings » Trusted Server Groups.

Figure 4.15. HRA server settings


A new trusted server group must be created with a URL in a strictly specified format: https://HRAservername.domain/domainhra/hcsrvext.dll, in our case https://SVN-SEC.hotel.local/domainhra/hcsrvext.dll. Then the settings must be activated by choosing Apply on the NAP Client configuration item.
• Enabled automatic start of Security Center service: Computer Configuration » Policies » Administrative Templates » Windows Components » Security Center.
After this step the IPSec Relying Party set in the previous step must be refreshed and enabled again.
After the policy is created and saved, in its Security filtering properties the Authenticated Users group must be removed and the NAP Clients group added instead.

Windows Firewall policies configuration


The server and client computers are configured and the health certificates are properly issued, but the clients do not yet use them for IPsec communication, authorization and encryption.
The computers must be divided into two groups according to the zone in which the computer is located, and appropriate domain policies created.
• Internal – computers inside the network request IPsec communication for outgoing traffic and require it for incoming traffic.
• Boundary – boundary computers must be able to communicate both inside and outside the network, so the firewall is configured to request IPsec communication for both incoming and outgoing communication.
These limitations are applied to the built-in Windows firewall by domain policy.

Figure 4.16. Active domain groups with assigned policies


Configuration steps:
Two organisational units are created: On SVN–DC1 » Roles » Active directory users and computers » right mouse click on Computers » New » Organization unit » IPSec Vista
On SVN–DC1 » Roles » Active directory users and computers » right mouse click on Computers » New » Organization unit » IPSec Boundary
A new policy for the IPSec Vista OU is created: On SVN–DC1 » Features » Group policy management » Forest:hotel.local » Domains » hotel.local » IPSec Vista OU » right mouse click » Create a GPO and link it here, then in Computer Configuration » Policies » Windows Settings » Security settings » Windows Firewall » Windows Firewall » Connection Security rules » New » Vista secure rule » Properties » Authentication tab » Require inbound and request outbound, with method: Use computer certificate from the certification authority, accept only health certificates.
A new policy for the IPSec Boundary OU is created: On SVN–DC1 » Features » Group policy management » Forest:hotel.local » Domains » hotel.local » IPSec Boundary OU » right mouse click » Create a GPO and link it here, then in Computer Configuration » Policies » Windows Settings » Security settings » Windows Firewall » Windows Firewall » Connection Security rules » New » Vista secure rule » Properties » on Authentication tab » Require inbound and outbound, with method: Use computer certificate from the certification authority, accept only health certificates.

Figure 4.17. Firewall settings for boundary zone

Figure 4.18. Firewall settings for boundary zone details

NAP settings verification


NAP configuration is complete; the client station needs to be moved to the appropriate group and OU, then the domain policy needs to be refreshed.
A typical NAP client running Windows Vista belongs to the NAP clients group and is located under the IPSec Vista OU; group policy takes care that it is running all required services and that the firewall is configured to accept incoming connections only if they are IPsec encrypted and signed by a health certificate.
The group policy settings on the stations must be updated either by restart or by the command: gpupdate /force /logoff
With the command gpresult /r it can be verified that the NAP client policy was applied.

Figure 4.19. NAP settings


The NAP settings can be verified by the command: netsh nap client show grouppolicy, and the status of NAP by the command: netsh nap client show state
After a successful check of compliance with the NAP policy the computer receives a health certificate, which can be verified in the Certificates console under the Personal folder.

Figure 4.20. Health certificate autoenrolled to computer


A short status of NAP can be displayed by the command: napstat

Figure 4.21. Client is compliant with NAP policy


Communication with other computers using the IPsec certificate is established; the statistics are available in the IP security monitor under the local management console.

Figure 4.22. IPSec communication statistics


Figure 4.23. IPSec open connections


If the client fails to comply with the policy, the NAP client tries to autoremedy the problem, for example by restarting the firewall or installing the required updates.

Figure 4.24. Client complies with NAP policy after autoremedy


In case the NAP agent is unable to autoremedy the problem, the health certificate is deleted and the computer is not able to communicate with other computers in the internal network.

Figure 4.25. Computer is not compliant with NAP policy

4.4 Domain Isolation


Introduction
Implementation of Domain Isolation is a logical step after the NAP implementation. Network Access Protection is rather prevention than protection: if an attacker's computer complies with the NAP settings, it can receive a health certificate and thereby get access to the network. When the NAP infrastructure exists, implementing DI is even easier; both technologies use the same infrastructure, and only by changing the firewall settings does the network become considerably more secure.
Both technologies use the same protection – Windows firewall configured so that IPsec communication is required in order to establish communication with a protected computer. NAP uses the health certificate for IPsec communication; domain isolation enhances this by a two-step authorisation. First, the computer is authenticated by Kerberos, the default Windows authentication protocol. The computer account credentials are verified against the domain controller, confirming Active Directory domain membership.
After successful authentication comes the next step, an authorisation against the health certificate. If both finish successfully, the incoming IPsec communication is allowed.
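The reachability that the two-step rule produces, as an added example that is not part of the thesis: a simplified model of the Windows Firewall connection security rules used for the inside and boundary zones (request, require, or no rule), with constructed hosts following the zones above. The rule semantics and host objects are assumptions made for the model; it shows why a visitor laptop that passes the NAP check reaches internal clients under NAP alone, but is blocked once domain isolation adds the Kerberos step.

```python
from dataclasses import dataclass
from enum import Enum


class Rule(Enum):
    NONE = "no rule"      # traffic is sent / accepted in clear text
    REQUEST = "request"   # try IPsec, fall back to clear text if the peer cannot
    REQUIRE = "require"   # drop traffic that is not IPsec-authenticated


@dataclass(frozen=True)
class Host:
    name: str
    inbound: Rule
    outbound: Rule
    health_cert: bool     # NAP health certificate present in the machine store
    domain_account: bool  # computer account in hotel.local usable for Kerberos


def ipsec_possible(src: Host, dst: Host, domain_isolation: bool) -> bool:
    """Both peers must hold every credential the rule asks for: the health
    certificate under NAP, plus Kerberos computer authentication once domain
    isolation is switched on (assumed model of the two-step authentication)."""
    if not (src.health_cert and dst.health_cert):
        return False
    if domain_isolation and not (src.domain_account and dst.domain_account):
        return False
    return True


def connect(src: Host, dst: Host, domain_isolation: bool = False) -> str:
    """Outcome of a connection src -> dst: 'ipsec', 'clear' or 'blocked'."""
    # IKE is only attempted when the initiator has an outbound rule and the
    # responder an inbound one; a host with no rule never negotiates.
    negotiates = src.outbound is not Rule.NONE and dst.inbound is not Rule.NONE
    if negotiates and ipsec_possible(src, dst, domain_isolation):
        return "ipsec"
    # Negotiation failed or never happened: 'require' on either side drops
    # the traffic, 'request' (or no rule) falls back to clear text.
    if src.outbound is Rule.REQUIRE or dst.inbound is Rule.REQUIRE:
        return "blocked"
    return "clear"


def reachability(hosts, domain_isolation: bool = False) -> dict:
    """Full matrix of outcomes keyed by (initiator name, responder name)."""
    return {(s.name, d.name): connect(s, d, domain_isolation)
            for s in hosts for d in hosts if s is not d}


# Constructed hosts, one per zone of the thesis design (not real machines).
VISTA = Host("vista-client", Rule.REQUIRE, Rule.REQUEST, True, True)        # IPSec Vista OU
DC1 = Host("SVN-DC1", Rule.REQUEST, Rule.REQUEST, True, True)               # boundary zone
UNHEALTHY = Host("vista-noncompliant", Rule.REQUIRE, Rule.REQUEST, False, True)  # cert removed
ROGUE = Host("visitor-laptop", Rule.NONE, Rule.REQUEST, True, False)        # passed NAP only


if __name__ == "__main__":
    for di in (False, True):
        print(f"domain isolation {'on' if di else 'off'}:")
        for pair, outcome in reachability([VISTA, DC1, UNHEALTHY, ROGUE], di).items():
            print(f"  {pair[0]:>20} -> {pair[1]:<20} {outcome}")
```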
Configuration steps:

The only configuration change needed is in the domain policies applied to the IPsec Boundary and IPsec Vista OUs created during the NAP configuration. Edit these policies in Computer Configuration » Policies » Windows Settings » Security settings » Windows Firewall » Windows Firewall » Connection Security rules » Vista secure rule » Properties » Authentication tab » Advanced authentication

Figure 4.26. First authentication method


In the second step, the presence of the health certificate is checked.
Figure 4.27. Second authentication method


During the communication, the existing secured connections can be displayed
in IPsec management console.

Figure 4.28. Authentication review

4.5 VPN
Introduction
The company headquarters is in the United States, using its own computer network and infrastructure. The only requirement was to interconnect both networks by an encrypted tunnel to ensure secured email delivery in both directions. One of the major advantages of the IPsec protocol is its broad compatibility with various network devices, so it was the preferred choice: on the Hotel Savannah side there is Kerio Firewall running on a Windows Server 2008 based system, on the headquarters side there is the hardware firewall SonicWall TZ180 running on the proprietary SonicWall operating system.
Implementation
The IPsec tunnel is established between the hotel's and the headquarters' email servers. The only step required in advance was to confirm the tunnel parameters over the phone. These are as follows:
• Phase 1
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800

• Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800
Shared Secret: password

To ease the tunnel setup it was decided to use a shared password as the authentication method; if it is long enough and changed regularly it provides satisfactory security.
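Added example, not from the thesis: the IKE key derivation of RFC 2409 that the IKE section above describes (phase 1 shared secret plus nonces through an HMAC, then Quick mode with or without perfect forward secrecy), carried through in Python with the parameters agreed for this tunnel: pre-shared key authentication, SHA1 (so the prf is HMAC-SHA1) and ESP with 3DES/SHA1. The nonces, cookies and Diffie-Hellman results are constructed placeholders; the Diffie-Hellman computation itself is left out.

```python
import hashlib
import hmac

PROTO_IPSEC_ESP = 3  # ISAKMP protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf for the agreed proposal (Authentication: SHA1) is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_skeyid_psk(preshared_key: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """Phase 1 with pre-shared key: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(preshared_key, ni_b + nr_b)


def phase1_derived_keys(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a and SKEYID_e (RFC 2409, section 5).
    g_xy is the Main mode Diffie-Hellman shared secret, cky_* the ISAKMP cookies."""
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")                # IPsec key source
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")     # ISAKMP auth
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")     # ISAKMP encryption
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni_b: bytes,
                      nr_b: bytes, needed: int, g_qm_xy: bytes = b"") -> bytes:
    """KEYMAT for one IPsec SA (RFC 2409, section 5.5).
    Without PFS the seed is protocol | SPI | Ni_b | Nr_b, so everything needed
    to rebuild the keys follows from SKEYID_d of phase 1.  With PFS a fresh
    Quick mode Diffie-Hellman result g(qm)^xy is prepended to the seed.
    Output is expanded by chaining: K1 = prf(seed), K2 = prf(K1 | seed), ..."""
    seed = g_qm_xy + bytes([protocol]) + spi + ni_b + nr_b
    keymat, block = b"", b""
    while len(keymat) < needed:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:needed]


def esp_3des_sha1_keys(skeyid_d: bytes, spi: bytes, ni_b: bytes, nr_b: bytes,
                       g_qm_xy: bytes = b"") -> dict:
    """Split KEYMAT into the 3DES key (24 bytes) and HMAC-SHA1 key (20 bytes)
    of the Phase 2 proposal used for the hotel tunnel; 44 bytes need three
    HMAC-SHA1 blocks."""
    keymat = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b,
                               24 + 20, g_qm_xy)
    return {"enc": keymat[:24], "auth": keymat[24:]}


def demo():
    """Derive the two ESP SAs of a tunnel (one SPI per direction) from one
    phase 1, with constructed values in place of random exchange data."""
    psk = b"long-random-preshared-secret"          # constructed, not the hotel's
    ni, nr = b"\x11" * 16, b"\x22" * 16            # Main mode nonces
    cky_i, cky_r = b"\xaa" * 8, b"\xbb" * 8        # ISAKMP cookies
    g_xy = b"\xcc" * 128                           # stands in for the DH group 2 result
    skeyid = phase1_skeyid_psk(psk, ni, nr)
    skeyid_d, _, _ = phase1_derived_keys(skeyid, g_xy, cky_i, cky_r)

    qm_ni, qm_nr = b"\x33" * 16, b"\x44" * 16      # Quick mode nonces
    spi_in, spi_out = b"\x00\x00\x10\x01", b"\x00\x00\x20\x02"
    inbound = esp_3des_sha1_keys(skeyid_d, spi_in, qm_ni, qm_nr)
    outbound = esp_3des_sha1_keys(skeyid_d, spi_out, qm_ni, qm_nr)
    # Same SA negotiated with PFS: a fresh Quick mode DH result changes every key.
    with_pfs = esp_3des_sha1_keys(skeyid_d, spi_in, qm_ni, qm_nr, g_qm_xy=b"\xdd" * 128)
    return inbound, outbound, with_pfs


if __name__ == "__main__":
    for label, keys in zip(("inbound", "outbound", "inbound+PFS"), demo()):
        print(f"{label:>12}: 3DES {keys['enc'].hex()}  HMAC-SHA1 {keys['auth'].hex()}")
```

Both peers run exactly this computation from the same inputs, which is why a captured SKEYID_d is enough to rebuild every non-PFS SA key and why the thesis notes the PFS trade-off.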
The configuration of Sonicwall is done through web interface:

Figure 4.29. VPN general settings


Figure 4.30. VPN proposal

Figure 4.31. VPN advanced settings


Configuration steps:
The configuration on the Hotel Savannah side is done by a domain policy applied to the firewall computer.
As the first step the required ports must be opened on Kerio Firewall, which is a software L3 router and firewall, so that IPsec communication from outside reaches the Windows operating system.

Figure 4.32. Kerio settings


The next step is to configure the domain policy for IPsec. On the domain controller a new Organisational unit (OU) must be created and the firewall's computer object moved inside.
On domain controller (SVN–DC1) » Features » Group policy management » Forest:hotel.local » Domains » hotel.local » Firewall OU » right mouse click » Create a GPO and link it here, then in Computer Configuration » Policies » Windows Settings » Security settings » IP Security policies on Active Directory » New policy » a new policy named IPSec tunnel has to be created.

Figure 4.33. VPN policy


In its Properties, under the Rules tab, both directions must be specified and configured. For each direction, a separate tab specifies the authentication method, the tunnel endpoint IP address and the security methods, and the IP Filter List tab the local IP address of the Exchange server inside the network.
After confirmation of all settings and association with the Organisational unit containing the firewall server, the policy settings on the firewall must be updated by the command: gpupdate /force /logoff
Figure 4.34. IPSec tunnel – Rules tab


Figure 4.35. IPSec tunnel – IP addresses

Figure 4.36. IPSec tunnel – Authentication settings


Figure 4.37. IPSec tunnel – Security tab

Figure 4.38. IPSec tunnel – IP addresses settings


The tunnel is successfully established between the firewalls, with the Exchange servers as the endpoints. The connection can be confirmed either by pinging the remote server or from the IPsec monitor console.

Figure 4.39. Security association on the firewall server


5 Conclusions and economical evaluation


Corporate data security is taken as a priority, and the IPsec protocol is ideal for its compatibility and acceptable difficulty of implementation.
In accordance with the work objective, I analysed the weak points of hotel Savannah's network security, suggested possible solutions and implemented them. With minimal costs and by using available technologies, the network security was increased significantly.
With the implementation of the IPsec version of Network Access Protection (NAP) the network administrator can be sure that all connected computers have both firewall and antivirus software enabled, which reduces the attack surface of a computer.
A further logical step was to apply Domain isolation; it uses the same IPsec policies as NAP and assures that no attacker outside the network can get access to protected computers.
One of the objectives of my work was to secure email communication between the units; this was solved by the IPsec tunnel with a Windows based server on one side and a hardware router on the other side.
The only investment needed was the purchase of the Kaspersky Antivirus package including a 2 year subscription for 1489 CZK per station. The company had one licence of Windows Server 2008 available; if not, a new licence would cost around 20 000 CZK. Due to the use of the Hyper-V technology of Windows Server 2008, where multiple virtual computers run on one physical server, no additional purchase of hardware was required. Further description of Hyper-V is beyond the scope of the thesis.
The successful implementation including testing takes no more than 14 days. There are no limitations for end-users during implementation.
In future, it is important to watch the licence expiration of the antivirus software: if the update failed and the virus database became obsolete, the client would lose its connection to the network.
Attachments

A Hotel Savannah’s networks topological diagram
