Thesis supervisor:
Josef Málek
Ing. Martin Pokorný Ph.D.
Znojmo 2009
I would like to hereby thank my thesis supervisor Ing. Martin Pokorný Ph.D. for all the assistance, guidance, valuable advice and comments during the writing of this bachelor thesis.
I declare that I have written this thesis independently, using the materials presented in the bibliography.
Abstract
Málek, J., Design of the hotel Savannah computer network using the IPsec protocol, Bachelor thesis. Znojmo, 2009
This bachelor thesis describes the network design of hotel Savannah, its security, and the creation of a secure VPN connection using the IPsec protocol and Microsoft's NAP technology.
Keywords
IPsec, NAP, Domain isolation, VPN, Windows Server 2008
Abstract
Málek, J., Design of the hotel Savannah computer network using the IPsec protocol, Bachelor thesis. Znojmo, 2009
This bachelor thesis describes the computer network design of hotel Savannah, its security, and the creation of a secure VPN connection using the IPsec protocol and Microsoft NAP technology.
Keywords
IPsec, NAP, Domain isolation, VPN, Windows Server 2008
Contents
1 Introduction, thesis objectives 7
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2 Thesis objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Utilized technology 15
3.1 Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 Group policy object (GPO) . . . . . . . . . . . . . . . . . . . . . . . 16
3.3 Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.4 Network Access Protection . . . . . . . . . . . . . . . . . . . . . . . . 17
Aspects of NAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Scenarios for NAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Components of NAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
How IPsec Enforcement Works . . . . . . . . . . . . . . . . . . . . . . 21
3.5 Domain isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Components of Domain Isolation . . . . . . . . . . . . . . . . . . . . 23
Communication Processes . . . . . . . . . . . . . . . . . . . . . . . . 23
Communication with an isolated host initiated by another isolated host 24
Communication with a non-isolated host initiated by an isolated host 25
Communication with an isolated host initiated by a non-isolated host 25
3.6 IPsec protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
IPsec Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
AH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
ESP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.7 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4 Implementation 33
4.1 Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4.2 Removable media access control . . . . . . . . . . . . . . . . . . . . . 33
4.3 Network Access protection . . . . . . . . . . . . . . . . . . . . . . . . 34
Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Creating Active directory groups . . . . . . . . . . . . . . . . . . . . 35
6 References 63
Attachments 64
2.2 Technology
The hotel has 6 floor levels: a basement with the building's technical facilities and garage; a ground floor with the main entrance, which leads to the lobby with reception, a restaurant, a bar, five conference rooms and the back-of-house area with offices, kitchen and laundry. One floor up is a mezzanine with 2 offices and 3 conference rooms, followed by 3 floors of guest rooms. On each floor there are 24 guest rooms, divided according to size and furnishing into 3 groups: comfort, business and apartments.
The main server room is in the basement. On each floor there is a small air-conditioned server room with a rack for IT equipment and the electricity distribution board, which is the central location for all data wall sockets on the floor, using CAT5E cabling. Each floor server room has eight CAT5E and four 50/125 multimode optical links to the central server room in the basement.
The hotel was built next to the existing casino building, built ten years ago. Because the hotel and the casino are operated by the same company, they share common facilities, including the connections to the data and telephone providers. Both buildings are connected by an eight-pair 50/125 optical cable between the casino's server room and the server room in the hotel's basement, which ensures enough capacity for current and future needs.
Virtual LANs
From the beginning it was decided to segment the networks at the hotel and casino into independent LANs, which allows the networks to be available in both buildings as required. This solution has many advantages:
• higher security. The networks are independent and separated according to purpose.
• higher performance. With a smaller network there are fewer broadcast requests.
• lower costs. VLANs make it possible to transfer multiple networks over a single line.
There are 9 computer networks at the hotel and casino, which are divided into two groups independently routed to the internet.
Table 1: Overview of casino and hotel networks
Group    VLAN ID   Name          IP range
company  1         Admin         10.0.10.0/24
company  100       Casino        192.168.3.0/24
company  200       Hotel         10.0.2.0/24
company  300       Fidelio       10.0.3.0/24
company  400       Infopanels    10.0.4.0/24
public   500       Internet      public IP
public   501       public 1024   10.0.6.0/24
public   502       public 512    10.0.5.0/24
public   503       public 256    10.1.0.0/21
Company networks
In the first group are the networks belonging to the company, i.e. the hotel and casino networks. These networks are routed by Kerio firewall software running on a Windows Server 2008 system (HT-FWL), which is located in the casino. All users in the network are authenticated on the firewall before the connection to the internet is established; traffic statistics and visited pages are then logged.
This router is also used for inter-VLAN routing at layer 3; the following rules are applied between the VLANs:
Table 2: Overview of L3 inter-VLAN routing
Source   Destination   Open ports
Casino   Hotel         TCP: 53, 88, 135, 445, 636, 3268, 3269, 1024–65535; UDP: 53, 88, 389
Hotel    Casino        TCP: 53, 88, 135, 445, 636, 3268, 3269, 1024–65535; UDP: 53, 88, 389
Hotel    Fidelio       TCP: 1521, 1522 (Oracle)
Hotel    Infopanels    RDP and VNC
VLAN 100 is the casino internal network; it contains all casino servers, computers and network devices and should be accessed by casino employees only.
VLAN 200 is the hotel internal network; it contains all network-connected IT equipment at the hotel and is to be accessed by hotel employees.
VLAN 300 is for the Micros Fidelio system, which provides the restaurants with an enterprise information system comprising point-of-sale systems and operational applications, and also provides information technology for the hotel, including sales and catering, central reservation, customer information and revenue management systems. The system includes the Micros Fidelio server, an Oracle-based database running on MS Windows Server 2003, and four point-of-sale systems, two at the casino and two at the hotel.
VLAN 400 is for Infopanels, the information and navigation system inside the hotel. The system uses 8 small wall-mounted screens (every conference room has its own display) plus one big 42-inch panel next to the reception desk. The service is provided by an MS Windows Server 2003 based server with SQL Express, which broadcasts presentations about current events to the screens.
Public networks
In the second group are the networks used for the hotel guests' internet access. These networks are completely separated from the company networks to enhance security. They use the same network infrastructure, but are routed to the internet by a FreeBSD-based server located in the hotel's basement server room. The FreeBSD server (SVN-INET) acts for the connected networks as router, DHCP server and DNS server. No inter-VLAN routing is enabled. Network summary:
VLAN 500 carries the internet connection from the provider's endpoint at the casino to the server in the hotel's server room.
VLAN 501, IP network 10.0.6.0/24, has a speed limit of 1024 kb/s and is available in the business class rooms, business centres and apartments.
VLAN 502, IP network 10.0.5.0/24, has a speed limit of 512 kb/s and is available in the comfort class rooms.
VLAN 503, IP network 10.1.0.0/21, has a speed limit of 256 kb/s and is available over Wi-Fi in public areas and at two public PC kiosks at the reception.
Wi-Fi
There are five Wi-Fi access points installed at the hotel: four on the ground floor covering all public areas and conference rooms, and one AP installed in the mezzanine covering the conference rooms, all hidden under the ceiling. The access points are D-Link AirPremier DWL-3200, 802.11b/g business-class APs with a metal body, 802.3af PoE and excellent security support. VLAN and multi-SSID support is utilized: the APs are connected to switch ports in trunk mode carrying the hotel and public internet VLANs, thus broadcasting both networks independently under separate SSID names. The hotel network (VLAN 200) is protected by a WPA2 pre-shared password; the public network (VLAN 503) is protected by a WEP password, which hotel guests receive upon request. The rooms are not covered by Wi-Fi signal; there internet access is available only over a cable connection.
Servers
In this thesis I will focus on the hotel's internal network. It interconnects all the hotel's IT equipment, such as servers, computers and printers, on the ground floor and mezzanine. There is just one physical server; all the hotel's servers are virtualized under the MS Server 2008 hypervisor. This solution makes the best use of the server hardware investment by consolidating multiple server roles as separate virtual machines running on a single physical machine.
The Microsoft Server 2008 x64 Enterprise license covers the host server installation plus four more virtual systems and includes 25 Windows client access licenses (CALs), which covers all current needs.
Currently three virtual servers are hosted:
• DNS name: CK-DC1
  – IP address: 10.0.2.10
  – OS: MS Windows Server 2008 x64
  – Provides the following services:
    – Domain controller for the Hotel.local domain
    – Domain certification authority
    – DNS server
    – File server
    – Print server
    – WINS server
• DNS name: CK-EX1
  – IP address: 10.0.2.15
  – OS: MS Windows Server 2008 x64
  – Provides email service: Exchange 2007 server installed
• DNS name: Infopanels
  – IP address: 10.0.4.10
  – OS: MS Windows Server 2003
  – Provides the following services:
    – Domain controller for the Infopanels.local domain
    – Domain certification authority
    – DNS server
  Does not belong to the hotel.local domain and is connected through a separate connection.
Network
The network core consists of switches and a router. In the casino, hotel basement, hotel ground floor and hotel mezzanine the Dell PowerConnect 5448 is used; on the first, second and third floors, where the guest rooms are, the Dell PowerConnect 2748 is used. Both types are 48-port switches with 4 SFP combo ports, working on layer 2 of the OSI model.
Type 2748 is an entry-level switch with a switching capacity of 144 Gbps and a forwarding rate of 71 Mbps. It supports up to 64 VLANs and is only web-manageable.
Type 5448 has only 95 Gbps switching capacity; on the other hand, it has built-in iSCSI optimization and robust security and management features. It supports up to 4096 VLANs, various spanning tree protocols, multiple configuration files, enhanced port aggregation and is L3 aware.
All inter-VLAN routing for the company networks is provided by HT-FWL. For performance reasons the server has a separate network card for each VLAN; the inter-VLAN traffic can be easily configured from the Kerio admin console.
Workstations
All workstations were bought in the same configuration:
Dell Optiplex 760
• Processor Intel Core2Duo E7200 (2.5 GHz, 3 MB, 1066 FSB)
• 2 GB RAM
• 160 GB HDD
• DVD-RW
• 22” wide LCD
• MS Vista Business
• MS Office 2007 Basic
Notebook Dell Latitude D830
• Processor Intel Core2Duo T8300 (2.4 GHz, 3 MB, 800 FSB)
• 2 GB RAM
• 160 GB HDD
• DVD-RW
• 15.4” WSVGA TFT display
• MS Vista Business
• MS Office 2007 Small Business
On the ground floor there are three computers at the reception and six computers plus one notebook PC in the offices. In the mezzanine there are 2 notebook users, connected via cable, with access to the hotel Wi-Fi network if needed.
Analysis summary
The network is designed well; segmenting the network according to its purpose helps to control the traffic between the networks and increases security. The problem could be that there is no control of users' behaviour at the stations. Limited users have user rights only, but notebook users (company management) have administrator-level access. In general, there is no antivirus installed and no control of firewall status or of access to removable media and flash discs, which, together with the enabled autorun function, is currently the most popular way of spreading computer viruses. Also, as Windows systems are installed, regular updating is vital for preventing possible network attacks. Although it is very difficult for unauthorized persons to get access to the hotel internal network (the network connection points are in controlled places only), the network is not secured against unauthorized connections from employees' private computers. Some of these problems can be addressed by enforcing security settings through Active Directory domain policies, others by implementing Network Access Protection (NAP) together with domain isolation, protecting the network communication with IPsec encryption: computers compliant with the company security policy receive a health certificate, which is used for IPsec communication with other computers, and computers without IPsec encryption are not allowed to establish communication within the network.
3 Utilized technology
3.1 Active Directory
Microsoft Windows networks support two directory service models: the workgroup and the domain. The domain model is characterized by a single directory of enterprise resources, called Active Directory, that is trusted by all secure systems that belong to the domain. Those systems can therefore use the security principals (user, group, and computer accounts) in the directory to secure their resources. Active Directory then acts as an identity store, providing a single trusted list of objects in the domain. (Mackin, 2003)
Active Directory itself is more than just a database. It is a collection of supporting files, including transaction logs and the system volume, called Sysvol, that contains logon scripts and group policy information. It is the services that support and use the database, including the Lightweight Directory Access Protocol (LDAP), the Kerberos security protocol, replication processes, and the File Replication Service (FRS). (Mackin, 2003) The database and its services are installed on one or more domain controllers. A domain controller is a server that has been promoted; once a server has become a domain controller, it hosts a copy of Active Directory, and changes to the database on any domain controller are replicated to all domain controllers within the domain. Active Directory cannot exist without at least one domain, and vice versa. A domain is the core administrative unit of the Windows Server directory service. An enterprise may have more than one domain in its Active Directory; in this case multiple domains create logical structures called trees when they share contiguous DNS names.
If domains in an Active Directory do not share a common root domain, they create multiple trees. This structure is called a forest; it is the largest structure in an Active Directory. An Active Directory forest includes all domains within that Active Directory. A forest may contain multiple domains in multiple trees, or just one domain. When more than one domain exists, a component of Active Directory called the Global Catalog becomes important, because it provides information about objects that are located in other domains in the forest.
Enterprise resources are represented in Active Directory as objects, or records in the database. Each object has its own attributes that define it. For example, a user object includes the user name and password; a group object includes the group name and a list of its members.
Structure is the function of a specific object type called an organizational unit, or OU. OUs are containers within a domain that allow objects sharing common administration or configuration to be grouped together; they also provide important administrative capabilities, as they provide a point to which group policies can be linked.
Aspects of NAP
NAP has three important and distinct aspects:
• Health state validation.
When a computer attempts to connect to the network, the computer's health state is validated against the health requirement policies defined by the administrator. Administrators can also define what to do if a computer is not compliant. Computers that do not comply with the health requirement policies can have their access limited to a restricted network.
• Health policy compliance.
Administrators can help ensure compliance with the health requirement policies by choosing to automatically update noncompliant computers with missing software updates or configuration changes through management software. In a monitoring-only environment, computers have access to the network before they are updated with the required updates or configuration changes. In a limited-access environment, noncompliant computers have limited access until the updates and configuration changes are completed.
• Limited access.
Components of NAP
NAP is an extensible platform that provides infrastructure components and an API for adding components that verify and amend a computer's health and enforce various types of network access or communication. (Microsoft, 2008)
• Components of the NAP infrastructure known as system health agents (SHAs) and system health validators (SHVs) provide health state tracking and validation. Windows Vista and Windows XP Service Pack 3 include a Windows Security Health Validator SHA that monitors the settings of the Windows Security Center. Windows Server 2008 includes a corresponding Windows Security Health Validator SHV. NAP is designed to be extensible; it can interoperate with any vendor's software that uses the NAP API.
– NPS can be a combination of AAA server and a NAP health policy server
for 802.1X-authenticated connections on an Intranet that has deployed
NAP and 802.1X enforcement.
– NPS can be a NAP health policy server for DHCP configuration on an
Intranet that has deployed NAP and DHCP enforcement.
• Remediation servers. Remediation servers consist of servers, services, or other resources that a noncompliant computer placed on the restricted network can access. These resources might perform name resolution or store the most recent software updates or components needed to make a noncompliant computer meet the system health requirements. For example, a Domain Name System (DNS) server, an antivirus signature file server, and a software update server could all be remediation servers. An SHA can communicate with a remediation server directly or use the facilities of installed client software.
9. Assuming that all the required updates were made, the NAP health policy
server determines that the NAP client is compliant and sends that result to the
HRA.
10. The HRA obtains a health certificate for the NAP client. The NAP client can
now initiate IPsec protected communication with other compliant computers.
Communication Processes
When domain isolation is implemented, communication between hosts in the network differs depending on which type of host (isolated or non-isolated) initiates the communication and which type of host the initiating host attempts to communicate with. The possible scenarios are:
• When an isolated host initiates communication with another isolated host.
• When a non-isolated host initiates communication with an isolated host.
• When an isolated host initiates communication with a non-isolated host.
Figure 3.1 shows the types of communication that occur after deployment of domain isolation.
IPsec Modes
AH and ESP can operate in either transport mode or tunnel mode; the two modes differ in how they encapsulate and protect the data. (Snader, 2005) They also differ in whether they protect communications between two hosts, or communications between two networks or between a host and a network.
Transport Mode
host and a network, for example, when two distant company units need to securely interconnect their networks.
In that case, the networks are connected through a tunnel mode VPN between two network gateways. These gateways handle the encryption, decryption, anti-replay, and authentication functions, which are completely transparent to the hosts on the two networks.
Its name comes from the fact that ESP or AH is applied to a tunnel. The outer IP header's source and destination addresses are those of the security gateways. When VPN traffic is delivered to one of the endpoints, where the decryption and/or authentication is applied, the outer IP header, the IPsec header and the IPsec trailer are removed. This leaves the inner IP datagram, whose IP header has the address of the final destination, and the packet is forwarded to its final destination inside the network.
Tunnel mode can also be used instead of transport mode between two fixed hosts. In this case, the source and destination addresses of the inner and outer IP headers would be the same, but the solution has no advantages and requires extra bandwidth.
AH
An unprotected IP datagram is subject to arbitrary manipulation by an attacker. (Snader, 2005) The header is covered by a checksum, but this provides protection only against corruption; an attacker can modify any of the header fields and remain undetected by merely recalculating the checksum. The same principle applies to the data portion. Datagrams carrying TCP segments or UDP datagrams have their data protected by another checksum, but again, the data is easily manipulated by an attacker, who needs only modify the data and recalculate the checksum.
Some situations require that hosts or networks be able to verify that IP datagrams are from whom they purport to be and that their payloads have not been tampered with in transit. ESP can provide these services along with confidentiality using encryption; in some instances, however, confidentiality is not required, and in those cases it is better to omit the encryption step and use the AH protocol, which provides endpoint authentication and data integrity without the overhead of encryption.
The AH protocol is specified in RFC 2402 and provides its protection by calculating a keyed MAC, called an integrity check value (ICV), over parts of the IP header and the entire payload data. The resulting ICV is placed in the AH header, and the header is added to the IP datagram. The exact placement of the AH header in the datagram depends on whether it is being used in transport or tunnel mode. AH cannot authenticate the entire IP header, because some of its fields are changed by intermediate routers. The picture shows the fields of the IP header that AH does and does not authenticate.
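As an added illustration of the ICV rule just described (example code written for this section, not from the thesis or from any IPsec implementation), the following Python builds a transport-mode AH packet, computes the ICV over the IPv4 header with the mutable fields zeroed, and shows that a router's TTL decrement still verifies while a rewritten destination address or payload does not. The key, SPI, addresses and payload are constructed, and HMAC-SHA1-96 (RFC 2404) is assumed as the MAC.

```python
"""Transport-mode AH integrity check with the mutable IPv4 fields zeroed.

Added illustration for this section, not code from the thesis or from any
IPsec implementation. Key, SPI, addresses and payload are constructed; the
MAC is HMAC-SHA1 truncated to 96 bits, as RFC 2404 specifies for AH.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51      # IP protocol number of AH
ICV_LEN = 12          # HMAC-SHA1-96 output
AH_FIXED_LEN = 12     # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum of a 20-byte header (checksum field treated as 0)."""
    h = bytearray(hdr)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!10H", h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4_header(src: str, dst: str, protocol: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                                ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def header_as_seen_by_ah(hdr: bytes) -> bytes:
    """RFC 2402: fields that routers rewrite in transit count as zero for the ICV.
    Everything else (version/IHL, length, ID, protocol, addresses) is covered."""
    h = bytearray(hdr[:20])
    h[1] = 0                  # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL, decremented at every hop
    h[10:12] = b"\x00\x00"    # header checksum, recomputed at every hop
    return bytes(h)


def ah_transport_packet(key: bytes, spi: int, seq: int, src: str, dst: str,
                        inner_proto: int, payload: bytes) -> bytes:
    """Build IP | AH | payload. The ICV covers the immutable IP fields, the AH
    header with a zeroed ICV field, and the whole payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = make_ipv4_header(src, dst, AH_PROTOCOL, 20 + ah_len + len(payload))
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402)
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    authenticated = header_as_seen_by_ah(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTOCOL or len(rest) < AH_FIXED_LEN:
        return False
    ah_len = (rest[1] + 2) * 4
    ah_hdr, payload = rest[:ah_len], rest[ah_len:]
    received_icv = ah_hdr[AH_FIXED_LEN:]
    authenticated = (header_as_seen_by_ah(ip_hdr) + ah_hdr[:AH_FIXED_LEN]
                     + bytes(len(received_icv)) + payload)
    expected = hmac.new(key, authenticated, hashlib.sha1).digest()[:len(received_icv)]
    return hmac.compare_digest(expected, received_icv)


def router_hop(packet: bytes) -> bytes:
    """What a router legitimately does: decrement TTL and fix the IP checksum."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def rewrite_destination(packet: bytes, new_dst: str) -> bytes:
    """An in-transit change to an immutable field, with the checksum fixed up."""
    hdr = bytearray(packet[:20])
    hdr[16:20] = socket.inet_aton(new_dst)
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


# Constructed sample: a "TCP segment" from CK-DC1 to CK-EX1 protected by AH
KEY = b"constructed-demo-key-not-a-real-secret"
PACKET = ah_transport_packet(KEY, spi=0x1000, seq=1, src="10.0.2.10", dst="10.0.2.15",
                             inner_proto=6, payload=b"constructed TCP segment")

if __name__ == "__main__":
    print("original verifies:    ", verify_ah(KEY, PACKET))                                   # True
    print("after router hop:     ", verify_ah(KEY, router_hop(PACKET)))                       # True
    print("destination rewritten:", verify_ah(KEY, rewrite_destination(PACKET, "10.0.2.99")))  # False
```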
ESP
The Encapsulating Security Payload (ESP) protocol, specified in RFC 2406, provides the same authentication, data integrity, and anti-replay protection that AH provides, but adds the IPsec confidentiality function.
The ESP Header
As with AH, the SPI, the destination address, and the IPsec protocol are used to uniquely identify the SA that applies to this packet. Also as with AH, the sequence number is used to provide the anti-replay function. When the SA is established, the sequence number is initialized to 0. Before each packet is sent, the sequence number is incremented by 1 and placed in the ESP header. To ensure that no packet will be accepted more than once, the sequence number is not allowed to wrap to 0. Once the sequence number 2^32 - 1 is used, a new SA and a new authentication key are established.
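The sender-side rule above (increment, never wrap) is only half of the mechanism; the receiver has to remember which sequence numbers it has already accepted. As an added example (not from the thesis or from any IPsec stack), the following Python models both sides: a per-SA transmit counter that reports exhaustion at 2^32 - 1, and the receiver's sliding anti-replay window of RFC 2406 (minimum 32, default 64). The arrival orders are constructed, and the window check is assumed to run after the ICV has verified.

```python
"""ESP sequence numbers: sender-side exhaustion and receiver-side anti-replay window.

Added illustration for this section, not code from the thesis or from any IPsec
stack. The window algorithm is the one RFC 2406 describes (minimum 32, default 64);
the receiver is assumed to run this check after the ICV has verified.
"""

MAX_SEQ = 2**32 - 1   # 32-bit ESP sequence number; never allowed to wrap to 0


class EspSender:
    """Per-SA transmit counter. When 2^32 - 1 has been used the SA is exhausted
    and the caller must negotiate a new SA (and key) rather than wrap."""

    def __init__(self) -> None:
        self.seq = 0          # initialized to 0 when the SA is established

    def next_sequence(self):
        if self.seq >= MAX_SEQ:
            return None       # signal to the caller: rekey required
        self.seq += 1         # incremented before each packet is sent
        return self.seq


class EspReplayWindow:
    """Per-SA receive state: the highest sequence number seen plus a bitmap of
    which of the `size` numbers below it have already been accepted."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 2406 requires a window of at least 32")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  top - i already received

    def accept(self, seq: int) -> bool:
        """Return True if `seq` is fresh and inside the window, and record it."""
        if seq == 0:
            return False                          # 0 is never sent on an SA
        if seq > self.top:                        # right of the window: advance it
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                   # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                          # too old: left of the window
        if (self.bitmap >> diff) & 1:
            return False                          # duplicate: replay
        self.bitmap |= 1 << diff                  # late but new: accept once
        return True


def replay_trace(seqs, size: int = 64):
    """Feed a constructed arrival order to one SA's window and return the verdicts."""
    window = EspReplayWindow(size)
    return [window.accept(s) for s in seqs]


def sender_exhaustion():
    """Show the rekey point: the last usable number is 2^32 - 1, then None."""
    tx = EspSender()
    tx.seq = MAX_SEQ - 1                          # constructed: jump near the end
    return tx.next_sequence(), tx.next_sequence()


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, a replay of 2, a jump to 70,
    # a stale packet (5), then a late-but-new packet (199) and its replay.
    print(replay_trace([1, 2, 3, 2, 70, 5, 200, 199, 199]))
    print(sender_exhaustion())
```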
IKE
The Internet Key Exchange (IKE) protocol is an integral part of IPsec. It handles the difficult problem of key management by negotiating security associations between a set of peers. The IKE protocol specification is RFC 2409. (Snader, 2005)
ISAKMP and IKE are the mechanism by which IPsec negotiates security associations and exchanges keying material. Although these SAs can be configured by hand, manual keying does not scale well and is subject to the security shortcomings that long-lived keys always suffer from. IKE is a hybrid of three other protocols: ISAKMP, OAKLEY, and SKEME. ISAKMP provides the infrastructure on which a variety of key exchange protocols can be built. OAKLEY and SKEME contribute exchange modes and authentication methods to IKE.
ISAKMP works in two phases. In the first phase, an ISAKMP SA is negotiated. This SA provides an encrypted and authenticated channel over which the second phase negotiates the IPsec SAs that are used by AH and ESP. In addition to negotiating the SAs and handling the key exchange, IKE authenticates each peer to the other. This ensures that each node can be sure of the identity of its peer. There are four ways to do this authentication:
• shared secrets
• digital signatures
• public key encryption of nonces
• revised public key encryption of nonces
In the event that the peers are acting as proxies and negotiating SAs for client hosts, they can, in Main mode, hide the identity of those hosts. The fundamental method that ISAKMP and IKE use to establish a secure channel is a Diffie-Hellman exchange from which they derive a shared secret. This shared secret, in turn, is combined with a nonce from each peer and other parameters from the exchange, and run through an HMAC calculation to generate keying material for the cryptographic algorithms. Each of the algorithms uses this material in an algorithm-specific manner to generate its keys. After phase 1 is completed, either peer can initiate a New Group exchange to negotiate a different Diffie-Hellman group for future SAs. The new group can be specified either by its identifier (in the case of the predefined groups) or by the group attributes (for new groups).
Quick mode, the phase 2 exchange mode, can generate keys very quickly by combining the Diffie-Hellman shared secret from phase 1 with nonces exchanged in phase 2. This method has the advantage of not requiring expensive big-number exponentiations, but it cannot provide perfect forward secrecy. If Key Exchange payloads are included in the Quick mode exchange, perfect forward secrecy is provided at the cost of the Diffie-Hellman exponentiations.
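The two derivations described above (the phase 1 HMAC over the Diffie-Hellman secret and nonces, and Quick mode with or without Key Exchange payloads) follow from the formulas in RFC 2409 sections 5 and 5.5. The following Python, added here as an example and not taken from the thesis or from any IKE implementation, runs both peers through phase 1 with pre-shared key authentication and one Quick mode, and shows that the PFS variant yields different keying material from the same phase 1 state. Cookies, nonces, exponents, the SPI and the pre-shared key are constructed, HMAC-SHA1 is assumed as the prf, and the Diffie-Hellman group is a small toy group rather than an IKE MODP group.

```python
"""IKEv1 keying material derivation: phase 1 SKEYID family and Quick mode KEYMAT.

Added illustration for this section, not code from the thesis or from any IKE
implementation. The formulas are those of RFC 2409 section 5 (pre-shared key
authentication) and section 5.5 (Quick mode), with HMAC-SHA1 as the prf.
The Diffie-Hellman group is a small constructed toy group, NOT an IKE group.
"""
import hashlib
import hmac

# Toy modulus/generator so the arithmetic stays readable; real IKE uses the
# 768-/1024-bit MODP groups of RFC 2409 (or larger).
P = (1 << 127) - 1
G = 5
PROTO_IPSEC_ESP = 3           # IPsec DOI protocol id for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf: HMAC keyed with `key` using the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(x: int) -> int:
    return pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy as a fixed-width big-endian octet string (16 bytes for the 127-bit toy P)."""
    return pow(peer_public, x, P).to_bytes(16, "big")


def phase1_keys_psk(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                    cky_i: bytes, cky_r: bytes) -> dict:
    """Phase 1 with pre-shared key authentication (RFC 2409 section 5):
       SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
       SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)             -> seeds IPsec SA keys
       SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)  -> ISAKMP integrity
       SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)  -> ISAKMP encryption
    The nonces bind freshness, the DH secret binds the exchange, the PSK binds identity."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: int,
                      ni: bytes, nr: bytes, gqm_xy: bytes = None) -> bytes:
    """Phase 2 (RFC 2409 section 5.5), first prf block of KEYMAT:
       without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
       with PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Without PFS the only secret input is SKEYID_d from phase 1; a fresh Quick mode
    DH value (Key Exchange payloads) is what makes each IPsec SA key independent of it."""
    body = bytes([protocol]) + spi.to_bytes(4, "big") + ni + nr
    if gqm_xy is not None:
        body = gqm_xy + body
    return prf(skeyid_d, body)     # longer KEYMAT is obtained by iterating the prf


def run_exchange(psk: bytes, pfs: bool) -> dict:
    """Drive both peers through phase 1 and one Quick mode with constructed values.
    Real IKE draws cookies, nonces and exponents at random for every exchange."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    ni, nr = b"initiator-nonce-p1", b"responder-nonce-p1"
    x_i, x_r = 0x2A7D9E3F1B5C, 0x5E41C09FD372          # phase 1 private exponents
    # each side combines its own exponent with the public value the peer sent
    keys_i = phase1_keys_psk(psk, ni, nr, dh_shared(x_i, dh_public(x_r)), cky_i, cky_r)
    keys_r = phase1_keys_psk(psk, ni, nr, dh_shared(x_r, dh_public(x_i)), cky_i, cky_r)
    qni, qnr = b"initiator-nonce-qm", b"responder-nonce-qm"
    gqm_i = gqm_r = None
    if pfs:                                            # Key Exchange payloads present
        y_i, y_r = 0x71F0A3B2C4D5, 0x0C9E8D7B6A54
        gqm_i, gqm_r = dh_shared(y_i, dh_public(y_r)), dh_shared(y_r, dh_public(y_i))
    spi = 0x00001000                                   # constructed inbound SPI
    return {
        "initiator_keymat": quick_mode_keymat(keys_i["d"], PROTO_IPSEC_ESP, spi, qni, qnr, gqm_i),
        "responder_keymat": quick_mode_keymat(keys_r["d"], PROTO_IPSEC_ESP, spi, qni, qnr, gqm_r),
    }


if __name__ == "__main__":
    for pfs in (False, True):
        r = run_exchange(b"constructed-demo-psk", pfs)
        print("PFS" if pfs else "no PFS", r["initiator_keymat"].hex(),
              "peers agree:", r["initiator_keymat"] == r["responder_keymat"])
```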
3.7 Kerberos
Kerberos version 5 is an authentication protocol which provides a mechanism for authentication, including mutual authentication, between a client and a server, or between one server and another server. (Microsoft, 2003)
The Kerberos Key Distribution Center (KDC) uses the domain's Active Directory directory service database as its security account database. Active Directory is required for the default NTLM and Kerberos implementations.
The Kerberos V5 protocol assumes that initial transactions between clients and servers take place on an open network in which packets transmitted along the network can be monitored and modified, and where an attacker can easily pose as either a client or a server, and can readily eavesdrop on or tamper with communications between legitimate clients and servers.
The Kerberos protocol is a widely used, open standard. Microsoft's implementation of the Kerberos V5 protocol adheres to the defined RFC standards, and thus provides interoperability with other implementations.
The Kerberos architecture allows additional or alternate security methods to be specified, e.g. the default shared secret key process can be supplemented with private/public key pairs by using smart cards. Mutual authentication is supported: using the Kerberos protocol, a party at either end of a network connection can verify that the party on the other end is the entity it claims to be. This is one of the advantages over the previous NTLM protocol, which was designed for a network environment in which servers were assumed to be genuine.
4 Implementation
4.1 Antivirus
Viruses and trojan horses represent the biggest threat to the security of the network. Windows Vista is shipped with a weak anti-spyware protection called MS Defender, which does not provide enough protection.
The only option is to install a professional anti-virus solution from another software producer. At hotel Savannah it was decided to install Kaspersky antivirus, which provides the following functions (Kaspersky, 2009):
• Integrated protection from viruses, spyware, hacker attacks and spam
• Proactive protection from even the newest malicious programs
• Personal firewall
• Roll back of any malicious changes made to the system
• Protection from phishing and spam attacks
• Intelligent redistribution of resources during full system scans
and, most importantly, it can be managed centrally from the administration console.
The administrative console also enables remote installation of the antivirus package and monitors the antivirus protection. In case of a virus outbreak in the network, the network administrator is informed by email.
The product contains its own firewall, but it has to be disabled so as not to collide with the Windows built-in firewall, which is an important part of the NAP solution.
Updates are downloaded every second hour; critical areas of the computer are scanned daily, together with start-up objects, and all local discs are scanned every 14 days. In case a virus is found, it is disinfected automatically and a report is sent to the network administrator.
Methodology
For a successful implementation an Active Directory domain is needed, with a domain controller running Windows Server 2003 or higher and another Windows Server 2008 based system.
NAP will be implemented in the hotel's network 10.0.2.0/24.
NAP and domain isolation divide computers into three zones: inside, boundary and outside. In Savannah's scenario all the company's client computers compliant with the health policy are inside the IPsec network.
In the boundary zone are the computers which need to communicate both with computers outside and inside the IPsec network, mostly infrastructure servers, i.e. DNS and DHCP; in our scenario:
• SVN-DC1 – Domain controller, DNS and DHCP server
• SVN-EX1 – Email server
• SVN-SEC – NPS server
Computers which do not comply with the policy are in the outside zone.
Configuration steps:
On the next page, where the certificate for the SSL connection is chosen » Server Authentication Certificate – Choose an existing certificate for SSL encryption » the previously installed certificate SVN-SEC must be chosen.
Request certificate from a parent CA – domain Root CA, in our case hotel-SVN-DC1-CA » Install
After final confirmation of all settings the roles are installed. The Network Policy and Access Services installation ends successfully, but with an installation error that the attempt to configure HRA failed. This is not a serious problem and will be solved in the next steps.
The subordinate CA must be configured the same way as the root authority, to issue certificates automatically without manual administrator confirmation: on the NPS server (SVN-SEC) » Server management » Properties of the Certification authority » Policy Module tab » Properties, "Automatically issue the certificate" must be chosen. A restart of the service is required upon completion.
required services, and that the firewall is configured to accept incoming connections
only if they are IPsec encrypted and authenticated with a health certificate.
The group policy settings on the stations are updated either by a restart or with
the command: gpupdate /force /logoff
Whether the NAP client policy was applied can be verified with: gpresult /r
After a successful check of compliance with the NAP policy the computer receives a
health certificate, which can be seen in the Certificates console under the Personal
folder.
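The checks above are done by hand in the thesis (gpresult, then the Certificates console). The following script is an added example, not part of the thesis, that performs the same verification on a NAP client after gpupdate and additionally confirms the NAP Agent state and whether main mode SAs are being negotiated. It assumes the NAP client GPO name contains "NAP" and it assumes a name for the subordinate CA on SVN-SEC (the page does not give it); the System Health Authentication EKU OID is the one Microsoft assigns to health certificates.

```powershell
# Added example, not part of the thesis: read-only post-gpupdate checks on a
# NAP client (Windows Vista / Server 2008, PowerShell 2.0 era, no NetSecurity
# cmdlets, so netsh is called where needed).
# ASSUMPTIONS not stated on the page: the GPO name contains "NAP" and the
# subordinate CA on SVN-SEC is called hotel-SVN-SEC-CA.

$healthEkuOid   = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU (Microsoft OID)
$expectedIssuer = 'hotel-SVN-SEC-CA'         # ASSUMED name of the subordinate CA on SVN-SEC

# 1. Group policy: capture the computer-scope gpresult instead of reading it by eye.
$gpResult = gpresult /r /scope:computer 2>&1
$gpOk = [bool]($gpResult -match 'NAP')
"NAP client GPO applied: $gpOk"

# 2. NAP Agent service and enforcement client state.
$nap = Get-Service -Name napagent
"NAP Agent service: $($nap.Status)"
netsh nap client show state

# 3. Health certificate in the computer's Personal store: a certificate qualifies
#    only if its Enhanced Key Usage extension carries the health EKU.
function Test-HealthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $healthEkuOid) { return $true }
            }
        }
    }
    return $false
}

$now = Get-Date
$healthCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-HealthCertificate $_ }
if (-not $healthCerts) {
    Write-Warning 'No health certificate found: the client did not pass the NAP policy check or the HRA is unreachable.'
} else {
    foreach ($c in $healthCerts) {
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
        "Health certificate $($c.Thumbprint) issued by $($c.Issuer), expires $($c.NotAfter) ($state)"
        if ($c.Issuer -notmatch $expectedIssuer) { Write-Warning "Unexpected issuer: $($c.Issuer)" }
    }
}

# 4. Once the connection security rule is in force, peers in the IPsec zone show up here.
netsh advfirewall monitor show mmsa
```

An expired health certificate is the usual reason a previously compliant client suddenly cannot reach inside-zone servers; the certificate is short-lived by design and is renewed only while the client still passes the health check, so a missing or expired certificate is the first thing to look at before suspecting the firewall rules.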
credentials are verified against the domain controller, confirming Active Directory
domain membership.
After successful authentication comes the next step, authentication with the
health certificate. If both succeed, the incoming IPsec communication is allowed.
Configuration steps:
The only configuration change needed is in the domain policies applied to the IPsec
boundary and IPsec Vista OUs created during the NAP configuration. Each such policy
is edited under
Computer Configuration » Policies » Windows Settings » Security Settings
» Windows Firewall with Advanced Security » Windows Firewall with Advanced Security
» Connection Security Rules » Vista secure rule » Properties » Authentication tab
» Advanced authentication.
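The three zones described in the NAP methodology and the two-step authentication (Kerberos, then health certificate) configured above are both expressed by connection security rules. As an added example, not part of the thesis, the rules below are my reconstruction of that GPO content as netsh advfirewall commands, so they can be reviewed or scripted; the thesis applies them through the GPO editor. The root CA distinguished name and the boundary servers' addresses are assumptions, and the exact netsh mapping of the GUI's "computer health certificate" second authentication should be verified against the GUI on the target system.

```powershell
# Added example, not part of the thesis: domain isolation / NAP connection
# security rules as netsh commands (Windows Server 2008 has no NetSecurity
# cmdlets, so PowerShell calls netsh). First authentication = computer
# Kerberos (domain membership), second authentication = computer health
# certificate, matching the two-step check described in the text.
# ASSUMED, not on the page: the CA distinguished name and the addresses below.

$rootCa        = 'CN=hotel-SVN-DC1-CA'          # ASSUMED DN of the domain root CA
$boundaryHosts = '10.0.2.2,10.0.2.3,10.0.2.4'   # ASSUMED addresses of SVN-DC1, SVN-EX1, SVN-SEC

# Inside zone (policy of the "IPsec Vista" OU): inbound connections must be
# authenticated; outbound ones only request it, so clients can still reach
# the outside zone. A domain member without a health certificate passes the
# Kerberos step but fails the second one, so it is treated as outside.
netsh advfirewall consec add rule `
    name="Vista secure rule" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    auth2=computercert auth2ca="$rootCa" `
    profile=domain

# Boundary zone (policy of the "IPsec boundary" OU): same authentication, but
# only requested in both directions, so non-compliant machines can still reach
# DNS, DHCP, the domain controller and the HRA for remediation.
netsh advfirewall consec add rule `
    name="Boundary servers" `
    endpoint1=any endpoint2=any `
    action=requestinrequestout `
    auth1=computerkerb `
    auth2=computercert auth2ca="$rootCa" `
    profile=domain

# Inside-zone clients must reach the boundary servers before they hold a
# health certificate (Kerberos ticket, then the certificate from the HRA), so
# traffic to them is exempted from authentication.
netsh advfirewall consec add rule `
    name="Boundary exemption" `
    endpoint1=any endpoint2="$boundaryHosts" `
    action=noauthentication `
    profile=domain

# Review what is in force and whether security associations are negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show consec
```

The check worth running after deployment is from an outside-zone machine: a connection to an inside-zone client must fail while a connection to a boundary server still succeeds. If the former succeeds, the inside rule is in request rather than require mode, or the client never received the policy.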
4.5 VPN
Introduction
The company headquarters is in the United States and uses its own computer network
and infrastructure. The only requirement was to interconnect both networks with
an encrypted tunnel to secure email delivery in both directions. One of the
major advantages of the IPsec protocol is its broad compatibility across network
devices, so it was the preferred choice: on the Hotel Savannah side there is Kerio
Firewall running on a Windows Server 2008 based system, on the headquarters side
a Sonicwall TZ180 hardware firewall running the proprietary Sonicwall
operating system.
Implementation
The IPsec tunnel carries the traffic between the hotel's and the headquarters' email
servers. The only step required in advance was to agree the tunnel parameters
over the phone. They are as follows:
• Phase 1
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800 (seconds)
• Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800 (seconds)
Shared Secret: password
To simplify the tunnel setup a pre-shared key was chosen as the authentication
method; it provides adequate security provided the key is long and random and is
changed regularly.
The Sonicwall side is configured through its web interface.
The Hotel Savannah side is configured by a domain policy applied to the firewall
computer.
The first step is to open the required ports on Kerio Firewall, which is a software
L3 router and firewall, so that IPsec traffic from outside reaches the Windows
operating system (IKE on UDP 500, NAT-T on UDP 4500 and ESP, IP protocol 50).
The tunnel is established between the two firewalls, with the Exchange servers as
the protected endpoints. The connection can be confirmed either by pinging the
remote server or from the IPsec monitor console.
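Since the hotel side is configured by domain policy on the Kerio host, the agreed parameters have to be expressed as a Windows Firewall with Advanced Security tunnel rule. The following is an added example, not the thesis's own configuration, showing the netsh equivalent of that policy for the Phase 1 and Phase 2 values listed above. The public addresses of both firewalls and the addresses of the two mail servers are assumptions (the page does not give them), and the pre-shared key is a placeholder.

```powershell
# Added example, not part of the thesis: the phone-agreed tunnel parameters as
# a WFAS tunnel rule on the Kerio host, i.e. what the domain policy applied to
# the firewall computer has to contain.
# ASSUMED, not on the page: all four addresses below; the PSK is a placeholder.

$localGateway  = '203.0.113.10'    # ASSUMED Hotel Savannah firewall (Kerio host) public IP
$remoteGateway = '198.51.100.20'   # ASSUMED headquarters Sonicwall TZ180 public IP
$localMail     = '10.0.2.20'       # ASSUMED SVN-EX1
$remoteMail    = '192.168.1.20'    # ASSUMED headquarters Exchange server
$psk           = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'   # placeholder, never "password"

# Phase 1 (IKE main mode): DH group 2, 3DES, SHA-1, lifetime 28800 s = 480 min.
# On Windows Server 2008 the main mode crypto set is a global setting, not per rule.
netsh advfirewall set global mainmode mmsecmethods dhgroup2:3des-sha1
netsh advfirewall set global mainmode mmkeylifetime 480min,0sess

# Phase 2 (quick mode): ESP with SHA-1 integrity and 3DES, lifetime 480 min,
# no PFS (the agreed list does not mention it). Tunnel mode between the two
# gateways, protecting only the traffic between the two mail servers.
netsh advfirewall consec add rule `
    name="HQ mail tunnel" `
    mode=tunnel `
    endpoint1=$localMail endpoint2=$remoteMail `
    localtunnelendpoint=$localGateway remotetunnelendpoint=$remoteGateway `
    action=requireinrequireout `
    auth1=computerpsk auth1psk="$psk" `
    qmsecmethods=esp:sha1-3des+480min `
    qmpfs=none

# Kerio must pass IKE and ESP through to the Windows IPsec stack on the same
# host: UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP).

# Verify: ping the remote mail server, then confirm both main mode and quick
# mode SAs exist (the command-line view of the IPsec monitor console).
ping -n 3 $remoteMail
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Two caveats a practitioner would add. A pre-shared key placed in a connection security rule through group policy is stored in cleartext in the policy, which every domain member can read, so the key should be set locally on the firewall host rather than in the domain GPO if that is possible. And 3DES, SHA-1 and DH group 2 were the common denominator the Sonicwall TZ180 offered at the time; they are now considered legacy, so the cipher suite should be raised (AES, SHA-2, DH group 14 or better) as soon as both peers support it.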
Attachments
A Hotel Savannah's network topological diagram