Lecture: Network Certification (Microsoft Press) - Chapter 13


Slide 1: Chapter Overview
- Password Protection
- Security Models
- Firewalls
- Security Protocols

Slide 2: Using Passwords
- Passwords are the most common method of securing network resources.
- Passwords can be an effective security mechanism, or they can be useless, depending on how they are used.
- The strength of any password protection is based on the password policies that administrators set.
- Most operating systems include tools that allow administrators to impose password policies on users, such as
  - Password length restrictions
  - Password change intervals
- Password policies are typically available in network operating systems that use a directory service to authenticate users and grant them access to network resources.

Slide 3: Controlling User Account Password Settings

Slide 4: Using the Windows 2000 Group Policy Interface

Slide 5: Setting a Minimum Password Length

Slide 6: Setting a Password Change Interval

Slide 7: Enforcing Password Complexity

Slide 8: Setting Account Lockout Policies

Slide 9: Client/Server Networks
- User accounts are stored in a central location.
- A user logs on to the network from a computer that transmits the user name and password to a server, which either grants or denies access to the network.
- Account information can be stored in a centralized directory service or on individual servers.
- A directory service, such as the Microsoft Windows 2000 Active Directory service or Novell Directory Services (NDS), provides authentication services for an entire network.

Slide 10: Peer-to-Peer Networks
- Each computer maintains its own security information and performs its own authentications.
- Computers on this type of network can function as both clients and servers.
- When a computer functioning as a client attempts to use resources (called shares) on another computer that is functioning as a server, the server itself authenticates the client before granting it access.
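Slides 2 to 8 name the policy settings (minimum length, change interval, complexity, account lockout) without showing how they are enforced. The following is an added example, not part of the slide deck and not Windows 2000 code: a small model of such a policy in Python. The thresholds (8 characters, 90 days, 5 failures in a 30-minute window, 30-minute lockout) and the complexity rule (three of four character classes, no account name inside the password) are constructed for illustration and only approximate what the Group Policy screenshots configure.

```python
"""Password policy and account lockout checks.

Added example (not from the slides): a model of the settings the Windows 2000
Group Policy screenshots on slides 3-8 expose. All thresholds below are
constructed for illustration, not the product's defaults.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import string


@dataclass
class PasswordPolicy:
    min_length: int = 8                    # "minimum password length"
    max_age_days: int = 90                 # "password change interval"
    require_complexity: bool = True        # "password complexity"
    lockout_threshold: int = 5             # failed logons before lockout
    observation_window: timedelta = timedelta(minutes=30)  # failures older than this are forgotten
    lockout_duration: timedelta = timedelta(minutes=30)    # how long the account stays locked


def policy_violations(policy: PasswordPolicy, username: str, password: str) -> List[str]:
    """Return every rule a proposed password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        # Assumed complexity rule (modelled on, not copied from, Windows): at least
        # three of four character classes, and the account name must not appear.
        classes = [
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(c in string.punctuation for c in password),
        ]
        if sum(classes) < 3:
            problems.append("uses fewer than three of four character classes")
        if username and username.lower() in password.lower():
            problems.append("contains the account name")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the configured change interval."""
    return now - last_changed > timedelta(days=policy.max_age_days)


@dataclass
class AccountLockout:
    """Tracks failed logons for one account and locks it after too many inside the window."""
    policy: PasswordPolicy
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        """Register a failed logon; returns True if the account is locked afterwards."""
        if self.is_locked(now):
            return True
        # Only failures inside the observation window count toward the threshold.
        self.failures = [t for t in self.failures if now - t <= self.policy.observation_window]
        self.failures.append(now)
        if len(self.failures) >= self.policy.lockout_threshold:
            self.locked_until = now + self.policy.lockout_duration
            self.failures.clear()
        return self.is_locked(now)

    def record_success(self) -> None:
        """A successful logon resets the failure counter."""
        self.failures.clear()


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy_violations(policy, "alice", "alice2024!"))  # ['contains the account name']
    lock = AccountLockout(policy)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for minute in range(5):
        lock.record_failure(t0 + timedelta(minutes=minute))
    print(lock.is_locked(t0 + timedelta(minutes=5)))   # True
    print(lock.is_locked(t0 + timedelta(minutes=40)))  # False: lockout duration has elapsed
```

The observation window is what makes the lockout threshold meaningful: without it, a user who mistypes once a month would eventually be locked out, and with a window that is too long the setting behaves the same way.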
Slide 11: Granting User Permissions

Slide 12: Peer-to-Peer User-Level Security
- When users log on to their computers, they are authenticated against an account on that system.
- If several people use the same computer, each must have a separate user account.
- When users elsewhere on the network attempt to access server resources on that computer, they are also authenticated against the accounts on the computer that hosts the resources.
- The user-level, peer-to-peer security model is suitable only for relatively small networks.
- If users want to change their account passwords, they must change them on every computer on which they have an account.

Slide 13: Client/Server User-Level Security
- Administrators create user accounts in a directory service, such as Active Directory in Windows 2000 or a Microsoft Windows NT domain.
- When users log on to their computers, the directory service authenticates them.
- When you want to allow other network users to gain access to resources on your computer, you select their user accounts from a list provided by the domain controller.
- With all accounts stored in a centralized directory service, administrators and users can make changes more easily.

Slide 14: Peer-to-Peer Share-Level Security
- Microsoft Windows Me, Microsoft Windows 98, and Microsoft Windows 95 cannot maintain their own user accounts.
- In peer-to-peer mode, Windows Me, Windows 98, and Windows 95 operate by using share-level security.
- In share-level security, users assign passwords to the individual shares they create on their computers.
- When network users want to access a share on another computer, they must supply the appropriate password.
- The share passwords are stored on the individual computers.
- When sharing drives, users can specify two different passwords to provide both read-only access and full control of the share.
- Share-level security is not as flexible as user-level security and does not provide as much protection.
Slide 15: Setting Share-Level Passwords

Slide 16: What Is a Firewall?
- A firewall is a hardware or software product designed to protect a network from unauthorized access.
- A network connected to the Internet must have a firewall to protect it from Internet intruders.
- A firewall is a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether it should be permitted to pass to the other network.
- Some firewalls are dedicated routers with additional software that monitors incoming and outgoing traffic.
- Some firewalls are software products that run on a standard computer.

Slide 17: Packet Filtering
- The most basic type of firewall
- Functions
  - Examines arriving packets
  - Decides whether to allow the packets to gain access to the network, based on the information found in the protocol headers used to construct the packets

Slide 18: Packet Filter Types
- Hardware addresses. Filter packets based on hardware addresses, enabling only certain computers to transmit data to the network
- IP addresses. Permit only traffic destined to or originating from specific addresses to pass through to the network
- Protocol identifiers. Filter packets based on the protocol that generated the information carried within an Internet Protocol (IP) datagram
- Port numbers. Filter packets based on the source or destination port number specified in a packet's transport layer protocol header

Slide 19: NAT
- NAT stands for network address translation.
- NAT is a network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses.
- NAT allows you to assign unregistered IP addresses to your computers.
- The router that provides Internet access can use NAT.
- The NAT router functions as an intermediary between the private network and the Internet.
- NAT is implemented in numerous firewall products, ranging from high-end routers used on large corporate networks to inexpensive Internet connection-sharing solutions.
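Slides 17 to 19 describe packet filtering and NAT as functions one firewall product may combine. The following is an added example, not code from the slide deck or from any firewall vendor: a toy firewall in Python whose rules cover the four filter types of slide 18 (hardware address, IP address, protocol identifier, port number) with first-match, default-deny evaluation, and whose NAT table rewrites outbound source addresses and forwards an inbound packet only when it answers an existing mapping. All addresses, MACs, port numbers and rules are constructed; the single-public-address, one-mapping-per-connection behaviour is a simplification of how such routers work, not a description of a particular product.

```python
"""Stateless packet filter with a NAT table.

Added example (not from the slides): a toy model of the firewall techniques on
slides 17-19. Addresses, MACs and rules are constructed. The NAT keeps one mapping
per private (address, port, protocol) and drops inbound packets that match no
mapping, which is the "masking" slide 19 describes. Not a real firewall.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str                   # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field is a wildcard. The fields mirror the four filter types on slide 18."""
    action: str                         # "allow" or "deny"
    src_mac: Optional[str] = None       # hardware address
    src_net: Optional[str] = None       # IP address or prefix, e.g. "192.168.1.0/24"
    dst_net: Optional[str] = None
    protocol: Optional[str] = None      # protocol identifier
    dst_port: Optional[int] = None      # transport layer port number

    def matches(self, pkt: Packet) -> bool:
        def in_net(ip: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (
            (self.src_mac is None or pkt.src_mac.lower() == self.src_mac.lower())
            and in_net(pkt.src_ip, self.src_net)
            and in_net(pkt.dst_ip, self.dst_net)
            and (self.protocol is None or pkt.protocol == self.protocol)
            and (self.dst_port is None or pkt.dst_port == self.dst_port)
        )


def permitted(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule decides; a packet matching no rule is denied (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


class NatRouter:
    """Rewrites private source addresses to one public address and remembers each mapping."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, Optional[int], str], int] = {}         # private (ip, port, proto) -> public port
        self.in_map: Dict[Tuple[str, Optional[int]], Tuple[str, Optional[int]]] = {}  # (proto, public port) -> private (ip, port)

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.protocol)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.protocol, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Only a packet answering an existing mapping is forwarded to a private host."""
        target = self.in_map.get((pkt.protocol, pkt.dst_port))
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


class Firewall:
    def __init__(self, outbound_rules: List[Rule], inbound_rules: List[Rule], nat: NatRouter):
        self.outbound_rules, self.inbound_rules, self.nat = outbound_rules, inbound_rules, nat

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private -> Internet: filter first, then hide the source behind the public address."""
        return self.nat.translate_out(pkt) if permitted(self.outbound_rules, pkt) else None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private: reverse the NAT mapping, then apply the inbound rules."""
        inner = self.nat.translate_in(pkt)
        return inner if inner is not None and permitted(self.inbound_rules, inner) else None


def build_demo_firewall() -> Firewall:
    """Constructed rule set: web and DNS out from the LAN, one host blocked by hardware address."""
    outbound = [
        Rule("deny", src_mac="00:de:ad:be:ef:00"),
        Rule("allow", src_net="192.168.1.0/24", protocol="tcp", dst_port=80),
        Rule("allow", src_net="192.168.1.0/24", protocol="tcp", dst_port=443),
        Rule("allow", src_net="192.168.1.0/24", protocol="udp", dst_port=53),
    ]
    inbound = [Rule("allow", protocol="tcp"), Rule("allow", protocol="udp")]
    return Firewall(outbound, inbound, NatRouter("198.51.100.1"))
```

Two points the slides leave implicit are visible here: rule order matters (the MAC deny sits first so it wins even for a host that would otherwise be allowed), and the NAT table is what lets replies back in, so an Internet host that was never contacted has no mapping to reach and is dropped without any rule naming it.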
Slide 20: Proxy Servers
- Proxy servers are similar to NAT routers, except that they function at the application layer of the Open Systems Interconnection (OSI) reference model.
- A proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access.
- Clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server.
- The Internet server replies to the proxy server, which relays the response to the client.
- Proxy servers can cache the information they receive from the Internet.
- Administrators can configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services.
- The main problem with proxy servers is that you sometimes must configure applications to use them.

Slide 21: Configuring a Proxy Server Client

Slide 22: IPSec
- IPSec stands for Internet Protocol Security.
- IPSec is a series of draft standards published by the Internet Engineering Task Force (IETF).
- IPSec defines a methodology that uses authentication and encryption to secure the data transmitted over a local area network (LAN).
- IPSec consists of two separate protocols that provide different levels of security protection: IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP).
- Using the two protocols together provides the best possible security IPSec can offer.

Slide 23: IP AH Protocol
- AH provides authentication and guaranteed integrity of IP datagrams.
- AH adds an extra header, right after the IP header, to the datagrams generated by the transmitting computer.
- When you use AH, the Protocol field in the IP header identifies the AH protocol, instead of the transport layer protocol contained in the datagram.
- The AH header contains
  - A sequence number that prevents unauthorized computers from replaying a message
  - An integrity check value (ICV) that the receiving computer uses to verify that incoming packets have not been altered

Slide 24: IP ESP Protocol
- Provides datagram encryption
- Encapsulates the transport layer data in each datagram by using its own header and trailer
- Encrypts all of the data following the ESP header
- Also contains a sequence number and an ICV

Slide 25: L2TP
- L2TP stands for Layer 2 Tunneling Protocol.
- L2TP is derived from the Cisco Systems Layer 2 Forwarding protocol and the Microsoft Point-to-Point Tunneling Protocol (PPTP).
- IPSec can operate in tunnel mode independently or with L2TP.
- L2TP creates a tunnel by encapsulating Point-to-Point Protocol (PPP) frames inside User Datagram Protocol (UDP) packets.

Slide 26: SSL
- SSL stands for Secure Sockets Layer.
- SSL is a special-purpose security protocol that is designed to protect the data transmitted between Web servers and their client browsers.
- Virtually all of the Web servers and browsers available today support SSL.
- For example, when you access a secured site on the Internet to purchase a product with a credit card, your browser is probably using SSL to communicate with the server.
- Like IPSec, SSL provides authentication and encryption services.

Slide 27: Kerberos
- Kerberos is an authentication protocol typically used by directory services, such as Active Directory, to provide users with a single network logon capability.
- Kerberos was developed at the Massachusetts Institute of Technology and is now standardized by the IETF.
- When a server running Kerberos (called an authentication server) authenticates a client, the server grants that client the credentials needed to access resources anywhere on the network.
- Windows 2000 and other operating systems rely heavily on Kerberos to secure their client/server network exchanges.
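Slides 23 and 24 name the two AH header fields, the sequence number and the ICV, without showing how a receiver uses them (ESP carries the same two fields). The following is an added example, not part of the slide deck and not an implementation of the IETF specification: a simplified Python model in which the sender computes an HMAC-based ICV over the fields that must not change in transit and the receiver rejects altered packets and replayed or stale sequence numbers using a sliding window. The key, addresses, payloads, 32-packet window and 96-bit ICV truncation are constructed for illustration; real AH covers the whole datagram with mutable IP fields zeroed and uses a 32-bit sequence number, so this format is not wire-compatible.

```python
"""IPSec AH-style integrity check value and anti-replay window.

Added example (not from the slides): a simplified model of the two AH header
fields on slide 23. Key, addresses and payloads are constructed; the format is
not wire-compatible with real AH.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

REPLAY_WINDOW = 32   # how many past sequence numbers the receiver remembers
ICV_LEN = 12         # a 96-bit truncated MAC, the length AH commonly carries


def compute_icv(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    """HMAC over the fields that must not change in transit, truncated to ICV_LEN bytes."""
    covered = src.encode() + b"|" + dst.encode() + b"|" + struct.pack("!I", seq) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_datagram(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> Dict:
    """What the sender emits: the datagram fields plus the AH sequence number and ICV."""
    return {"src": src, "dst": dst, "seq": seq, "payload": payload,
            "icv": compute_icv(key, src, dst, seq, payload)}


class AhReceiver:
    """Verifies ICVs and rejects replayed or stale sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0          # highest sequence number verified so far
        self.seen = set()         # verified numbers still inside the window

    def accept(self, dg: Dict) -> Tuple[bool, str]:
        seq = dg["seq"]
        # 1. Sequence check first: it is cheap and discards replays before any MAC work.
        if seq <= self.highest - REPLAY_WINDOW:
            return False, "sequence number below replay window"
        if seq in self.seen:
            return False, "replayed sequence number"
        # 2. Integrity check: recompute the ICV and compare in constant time.
        expected = compute_icv(self.key, dg["src"], dg["dst"], seq, dg["payload"])
        if not hmac.compare_digest(expected, dg["icv"]):
            return False, "integrity check failed"
        # 3. Only a verified packet updates the window, so forged numbers cannot advance it.
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - REPLAY_WINDOW}
        return True, "accepted"
```

The ordering in `accept` is deliberate: a packet that fails the sequence check never reaches the MAC computation, and a packet that fails the MAC never moves the window, so a third party who can only observe or alter traffic can neither replay an old datagram nor push the receiver's window forward.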
Slide 28: Chapter Summary
- Password policies ensure that users choose effective passwords.
- User-level security requires a separate account for each user.
- In share-level security, all users access shares by using the same passwords.
- A firewall is a hardware or software product that protects a network from unauthorized access, using techniques such as packet filtering, NAT, or proxy servers.
- Applications and operating systems use security protocols, such as IPSec, L2TP, SSL, and Kerberos, to protect their data as it is transmitted over the network.