Lecture slides: Network Certification (Microsoft Press), Chapter 13
Chapter Overview
- Password Protection
- Security Models
- Firewalls
- Security Protocols
Using Passwords
- Passwords are the most common method of securing network resources.
- Passwords can be an effective security mechanism, or they can be useless, depending on how they are used.
- The strength of any password protection is based on the password policies that administrators set.
- Most operating systems include tools that allow administrators to impose password policies on users, such as
  - Password length restrictions
  - Password change intervals
- Password policies are typically available in network operating systems that use a directory service to authenticate users and grant them access to network resources.
Controlling User Account Password Settings
Using the Windows 2000 Group Policy Interface
Setting a Minimum Password Length
Setting a Password Change Interval
Enforcing Password Complexity
Setting Account Lockout Policies
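The six settings named on the slides above (minimum length, change interval, complexity, lockout) are easier to reason about when the policy is written down as code. The following is an added example, not code from the slides or from Microsoft; the policy values, the account store and the complexity rule (at least three of four character classes and no user name in the password, modelled on the Windows rule) are assumptions chosen for illustration.

```python
"""Password policy and account-lockout checks modelled on the Windows 2000
settings named on the slides. Added example: the policy values and the
account store are constructed for illustration, not a real domain's settings."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8                 # "Setting a Minimum Password Length"
    max_age_days: int = 42              # "Setting a Password Change Interval"
    require_complexity: bool = True     # "Enforcing Password Complexity"
    lockout_threshold: int = 5          # failed logons before the account locks
    lockout_duration_s: int = 30 * 60   # how long the account stays locked
    failure_reset_s: int = 30 * 60      # window in which failures are counted


def complexity_ok(password: str, username: str) -> bool:
    """Assumed rule: at least three of four character classes, and the
    password must not contain the user name."""
    if username and username.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def validate_new_password(policy: PasswordPolicy, username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity and not complexity_ok(password, username):
        problems.append("does not meet complexity requirements")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not usable as the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Central account store (the client/server model) with lockout tracking."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts = {}      # user -> {"salt", "hash", "changed_at"}
        self.failures = {}      # user -> timestamps of recent failed logons
        self.locked_until = {}  # user -> time the lockout expires

    def set_password(self, user: str, password: str, now: float) -> None:
        problems = validate_new_password(self.policy, user, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": hash_password(password, salt),
                               "changed_at": now}

    def logon(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'locked', 'expired' or 'denied'. A locked account is
        refused before the password is checked, so guessing cannot continue."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(
                hash_password(password, acct["salt"]), acct["hash"]):
            self._record_failure(user, now)
            return "denied"
        self.failures.pop(user, None)
        if now - acct["changed_at"] > self.policy.max_age_days * 86400:
            return "expired"   # right password, but the change interval has passed
        return "ok"

    def _record_failure(self, user: str, now: float) -> None:
        recent = [t for t in self.failures.get(user, [])
                  if now - t < self.policy.failure_reset_s]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.lockout_threshold:
            self.locked_until[user] = now + self.policy.lockout_duration_s
            self.failures[user] = []
```

The order of checks in `logon` is the point worth noticing: lockout is evaluated before the password, and expiry only after a correct password, so an expired account still tells an attacker nothing it would not tell a legitimate user.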
Client/Server Networks
- User accounts are stored in a central location.
- A user logs on to the network from a computer that transmits the user name and password to a server, which either grants or denies access to the network.
- Account information can be stored in a centralized directory service or on individual servers.
- A directory service, such as the Microsoft Windows 2000 Active Directory service or Novell Directory Services (NDS), provides authentication services for an entire network.
Peer-to-Peer Networks
- Each computer maintains its own security information and performs its own authentications.
- Computers on this type of network can function as both clients and servers.
- When a computer functioning as a client attempts to use resources (called shares) on another computer that is functioning as a server, the server itself authenticates the client before granting it access.
Granting User Permissions
Peer-to-Peer User-Level Security
- When users log on to their computers, they are authenticated against an account on that system.
- If several people use the same computer, each must have a separate user account.
- When users elsewhere on the network attempt to access server resources on that computer, they are also authenticated against the accounts on the computer that hosts the resources.
- The user-level, peer-to-peer security model is suitable only for relatively small networks.
- If users want to change their account passwords, they must change them on every computer on which they have an account.
Client/Server User-Level Security
- Administrators create user accounts in a directory service, such as Active Directory in Windows 2000 or a Microsoft Windows NT domain.
- When users log on to their computers, the directory service authenticates them.
- When you want to allow other network users to gain access to resources on your computer, you select their user accounts from a list provided by the domain controller.
- With all accounts stored in a centralized directory service, administrators and users can make changes more easily.
Peer-to-Peer Share-Level Security
- Microsoft Windows Me, Microsoft Windows 98, and Microsoft Windows 95 cannot maintain their own user accounts.
- In peer-to-peer mode, Windows Me, Windows 98, and Windows 95 operate by using share-level security.
- In share-level security, users assign passwords to the individual shares they create on their computers.
- When network users want to access a share on another computer, they must supply the appropriate password.
- The share passwords are stored on the individual computers.
- When sharing drives, users can specify two different passwords to provide both read-only access and full control of the share.
- Share-level security is not as flexible as user-level security and does not provide as much protection.
Setting Share-Level Passwords
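The difference between the two security models on the preceding slides comes down to what the host knows when it grants access. The following added example (not code from the slides or from Windows) models both: a share-level host that keeps one read-only and one full-control password per share and never learns who is connecting, and a user-level host with per-user accounts and an access control list per share. Share names, users and passwords are constructed.

```python
"""Share-level versus user-level security on a peer-to-peer host. Added
example; both hosts store only salted password hashes, and the shares,
users and passwords are constructed for illustration."""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _record(password: str):
    salt = os.urandom(16)
    return (salt, _hash(password, salt))


def _check(password: str, record) -> bool:
    return record is not None and hmac.compare_digest(_hash(password, record[0]), record[1])


class ShareLevelHost:
    """Windows 9x model: the password belongs to the share, not to a person.
    Everyone who knows it gets the same access, and the host never learns who."""

    def __init__(self):
        self.shares = {}   # share name -> {"read": record or None, "full": record or None}

    def create_share(self, name, read_only_password=None, full_password=None):
        self.shares[name] = {
            "read": _record(read_only_password) if read_only_password else None,
            "full": _record(full_password) if full_password else None,
        }

    def open_share(self, name, password):
        """Return 'full', 'read' or None. There is no user identity to record."""
        share = self.shares.get(name)
        if share is None:
            return None
        if _check(password, share["full"]):
            return "full"
        if _check(password, share["read"]):
            return "read"
        return None


class UserLevelHost:
    """Each person has an account on this host; a share carries an ACL
    mapping accounts to rights, and every decision is logged against a user."""

    def __init__(self):
        self.accounts = {}   # user -> password record
        self.acls = {}       # share name -> {user: "read" or "full"}
        self.audit = []      # (share, user, outcome)

    def add_account(self, user, password):
        self.accounts[user] = _record(password)

    def create_share(self, name, acl):
        self.acls[name] = dict(acl)

    def open_share(self, name, user, password):
        if not _check(password, self.accounts.get(user)):
            self.audit.append((name, user, "bad credentials"))
            return None
        right = self.acls.get(name, {}).get(user)
        self.audit.append((name, user, right or "no permission"))
        return right

    def change_password(self, user, old, new) -> bool:
        # Changes only this host's copy; on a peer-to-peer network the user
        # would have to repeat this on every computer where they have an account.
        if not _check(old, self.accounts.get(user)):
            return False
        self.accounts[user] = _record(new)
        return True
```

The `audit` list is what share-level security cannot give you: with a single shared password there is no account to tie a connection to, so revoking one person's access means changing the password for everyone.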
What Is a Firewall?
- A firewall is a hardware or software product designed to protect a network from unauthorized access.
- A network connected to the Internet must have a firewall to protect it from Internet intruders.
- A firewall is a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether it should be permitted to pass to the other network.
- Some firewalls are dedicated routers with additional software that monitors incoming and outgoing traffic.
- Some firewalls are software products that run on a standard computer.
Packet Filtering
- The most basic type of firewall
- Functions
  - Examines arriving packets
  - Decides whether to allow the packets to gain access to the network, based on the information found in the protocol headers used to construct the packets
Packet Filter Types
- Hardware addresses. Filter packets based on hardware addresses, enabling only certain computers to transmit data to the network
- IP addresses. Permit only traffic destined to or originating from specific addresses to pass through to the network
- Protocol identifiers. Filter packets based on the protocol that generated the information carried within an Internet Protocol (IP) datagram
- Port numbers. Filter packets based on the source or destination port number specified in a packet's transport layer protocol header
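A packet filter of the kind described on the two slides above is a rule list evaluated in order against exactly these header fields. The following added example (not code from the slides or from any firewall product) implements a stateless first-match filter over hardware address, source and destination network, protocol and port; the rule set and the packets are constructed and use RFC 5737 documentation addresses.

```python
"""Stateless packet filter over the header fields named on the slide:
hardware address, IP address, protocol identifier, port number. Added
example; the rule set and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp" (IP Protocol field)
    src_port: Optional[int] = None   # absent for icmp
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_mac: Optional[str] = None    # hardware address (meaningful only on the local segment)
    src_net: Optional[str] = None    # CIDR; None matches any
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_mac and self.src_mac.lower() != pkt.src_mac.lower():
            return False
        if self.src_net and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        return True


def filter_packet(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything no rule mentions gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a small perimeter: a public web server at
# 192.0.2.10, a DNS server at 192.0.2.53, and one management station
# (identified by hardware address) allowed to reach the servers on any port.
RULES = [
    Rule("deny", src_net="10.0.0.0/8"),       # private source arriving from outside: spoofed
    Rule("allow", src_mac="00:1b:44:11:3a:b7", dst_net="192.0.2.0/24"),
    Rule("allow", proto="tcp", dst_net="192.0.2.10/32", dst_port=80),
    Rule("allow", proto="tcp", dst_net="192.0.2.10/32", dst_port=443),
    Rule("allow", proto="udp", dst_net="192.0.2.53/32", dst_port=53),
]
```

Two things the slide leaves implicit are visible here: rule order matters (the anti-spoofing deny must come before any allow it is meant to override), and a default of deny means a service not listed is unreachable rather than exposed by omission.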
NAT
- NAT stands for network address translation.
- NAT is a network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses.
- NAT allows you to assign unregistered IP addresses to your computers.
- The router that provides Internet access can use NAT.
- The NAT router functions as an intermediary between the private network and the Internet.
- NAT is implemented in numerous firewall products, ranging from high-end routers used on large corporate networks to inexpensive Internet connection-sharing solutions.
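The masking the slide describes works through a translation table: outbound packets get the router's public address and a fresh port, and an inbound packet is forwarded only if it answers an entry already in that table. The following added example (not code from the slides or from any router) models a port-translating NAT router; the addresses are constructed, with 192.168.1.0/24 as the private network, 198.51.100.1 as the router's public address and 203.0.113.0/24 standing in for the Internet.

```python
"""Port-translating NAT router of the kind built into connection-sharing
products. Added example; addresses and packets are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, private ip, private port, remote ip, remote port) -> public port
        self.outbound = {}
        # (proto, public port, remote ip, remote port) -> (private ip, private port)
        self.inbound = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source to the router's public address and a
        public port, remembering the mapping so the reply can find its way back."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward only packets that answer an existing mapping. Anything
        unsolicited has no private destination and is dropped (None), which is
        the protective effect the slide describes as masking."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])
```

The inbound lookup includes the remote address and port, so a reply is accepted only from the host the private client actually contacted. Real routers also expire mappings after a period of inactivity; this model keeps them indefinitely for clarity.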
Proxy Servers
- Proxy servers are similar to NAT routers, except that they function at the application layer of the Open Systems Interconnection (OSI) reference model.
- A proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access.
- Clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server.
- The Internet server replies to the proxy server, which relays the response to the client.
- Proxy servers can cache the information they receive from the Internet.
- Administrators can configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services.
- The main problem with proxy servers is that you sometimes must configure applications to use them.
Configuring a Proxy Server Client
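Because a proxy works at the application layer it can do what a NAT router cannot: read the request, cache the answer, and block by host name. The following added example (not code from the slides or from any proxy product) models a caching, filtering HTTP-style proxy. The Internet servers are replaced by a constructed lookup table (`ORIGIN` and `origin_fetch`), which also records which address the server saw, so there is no network code.

```python
"""Application-layer proxy with caching and a host block list. Added example;
the "Internet" is a constructed table rather than real servers."""
from urllib.parse import urlsplit

# Constructed stand-in for Internet web servers: host -> {path: body}
ORIGIN = {
    "www.example.com": {"/": "welcome page", "/price": "price list"},
    "games.example.net": {"/": "arcade"},
}


def origin_fetch(url: str, source_ip: str):
    """Return (status, body, address the server saw). A real proxy would
    open its own connection here; the server sees the proxy's address,
    not the private client's."""
    parts = urlsplit(url)
    body = ORIGIN.get((parts.hostname or "").lower(), {}).get(parts.path or "/")
    if body is None:
        return 404, "", source_ip
    return 200, body, source_ip


class ProxyServer:
    def __init__(self, proxy_ip: str, blocked_hosts=()):
        self.proxy_ip = proxy_ip
        self.blocked = {h.lower() for h in blocked_hosts}
        self.cache = {}          # url -> body of a successful response
        self.log = []            # (client ip, url, outcome): who asked for what
        self.last_origin_saw = None

    def request(self, client_ip: str, url: str):
        """Handle one client request; return (status, body, served_from)
        where served_from is 'blocked', 'cache' or 'origin'."""
        host = (urlsplit(url).hostname or "").lower()
        if host in self.blocked:
            self.log.append((client_ip, url, "blocked"))
            return 403, "", "blocked"
        if url in self.cache:
            self.log.append((client_ip, url, "cache"))
            return 200, self.cache[url], "cache"
        status, body, seen = origin_fetch(url, self.proxy_ip)
        self.last_origin_saw = seen
        if status == 200:
            self.cache[url] = body
        self.log.append((client_ip, url, "origin"))
        return status, body, "origin"
```

The filtering decision is made on the host name parsed from the request, something a packet filter or NAT router never sees; the same visibility is why the proxy's log can attribute every request to a private client even though the Internet server only ever saw the proxy.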
IPSec
- IPSec stands for Internet Protocol Security.
- IPSec is a series of draft standards published by the Internet Engineering Task Force (IETF).
- IPSec defines a methodology that uses authentication and encryption to secure the data transmitted over a local area network (LAN).
- IPSec consists of two separate protocols that provide different levels of security protection: IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP).
- Using the two protocols together provides the best possible security IPSec can offer.
IP AH Protocol
- AH provides authentication and guaranteed integrity of IP datagrams.
- AH adds an extra header, right after the IP header, to the datagrams generated by the transmitting computer.
- When you use AH, the Protocol field in the IP header identifies the AH protocol, instead of the transport layer protocol contained in the datagram.
- The AH header contains
  - A sequence number that prevents unauthorized computers from replaying a message
  - An integrity check value (ICV) that the receiving computer uses to verify that incoming packets have not been altered
IP ESP Protocol
- Provides datagram encryption
- Encapsulates the transport layer data in each datagram by using its own header and trailer
- Encrypts all of the data following the ESP header
- Also contains a sequence number and an ICV
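The sequence number and ICV that both AH and ESP carry are worth seeing in operation: the ICV is a keyed hash that fails if anything it covers is altered, and the sequence number is accepted only once and only within a sliding window, which is what stops a captured datagram from being replayed. The following added example (not code from the slides or from any IPsec implementation) models the sender and receiver side of that authentication. It is simplified: the header holds only a sequence number and a 128-bit truncated HMAC-SHA256 (real AH also carries SPI, next-header and length fields), the "immutable IP header fields" are a constructed byte string, the key is constructed, and ESP's encryption is not modelled.

```python
"""Sequence number plus integrity check value, the authentication part shared
by AH and ESP, with a sliding anti-replay window on the receiver. Added
example; key, addresses and payloads are constructed, header layout simplified."""
import hashlib
import hmac
import struct

ICV_LEN = 16   # 128-bit truncated HMAC-SHA256, as in HMAC-SHA-256-128 for IPsec


def _icv(key: bytes, immutable_ip_fields: bytes, seq: int, payload: bytes) -> bytes:
    # AH authenticates the IP header fields that do not change in transit,
    # the AH header itself (here just the sequence number) and the payload.
    mac = hmac.new(key, immutable_ip_fields + struct.pack("!I", seq) + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def ah_protect(key: bytes, immutable_ip_fields: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: simplified AH header (sequence number || ICV) followed by the payload."""
    return struct.pack("!I", seq) + _icv(key, immutable_ip_fields, seq, payload) + payload


class AhReceiver:
    """Receiver with a sliding anti-replay window. Check order follows the
    AH specification: window check, then ICV, then window update, so a forged
    packet cannot move the window."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def verify(self, immutable_ip_fields: bytes, packet: bytes):
        """Return (accepted, reason, payload)."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated", b""
        seq = struct.unpack("!I", packet[:4])[0]
        icv, payload = packet[4:4 + ICV_LEN], packet[4 + ICV_LEN:]
        if seq == 0 or seq <= self.highest - self.window:
            return False, "outside replay window", b""
        if seq in self.seen:
            return False, "replayed", b""
        if not hmac.compare_digest(icv, _icv(self.key, immutable_ip_fields, seq, payload)):
            return False, "bad ICV", b""
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True, "ok", payload
```

Note that a tampered packet and a packet with a forged source address both fail the same way, with a bad ICV, because the source address is among the immutable fields the ICV covers; and a late packet that is still inside the window is accepted, so legitimate reordering does not cause loss.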
L2TP
- L2TP stands for Layer 2 Tunneling Protocol.
- L2TP is derived from the Cisco Systems Layer 2 Forwarding protocol and the Microsoft Point-to-Point Tunneling Protocol (PPTP).
- IPSec can operate in tunnel mode independently or with L2TP.
- L2TP creates a tunnel by encapsulating Point-to-Point Protocol (PPP) frames inside User Datagram Protocol (UDP) packets.
SSL
- SSL stands for Secure Sockets Layer.
- SSL is a special-purpose security protocol that is designed to protect the data transmitted between Web servers and their client browsers.
- Virtually all of the Web servers and browsers available today support SSL.
- For example, when you access a secured site on the Internet to purchase a product with a credit card, your browser is probably using SSL to communicate with the server.
- Like IPSec, SSL provides authentication and encryption services.
Kerberos
- Kerberos is an authentication protocol typically used by directory services, such as Active Directory, to provide users with a single network logon capability.
- Kerberos was developed at the Massachusetts Institute of Technology and is now standardized by the IETF.
- When a server running Kerberos (called an authentication server) authenticates a client, the server grants that client the credentials needed to access resources anywhere on the network.
- Windows 2000 and other operating systems rely heavily on Kerberos to secure their client/server network exchanges.
Chapter Summary
- Password policies ensure that users choose effective passwords.
- User-level security requires a separate account for each user.
- In share-level security, all users access shares by using the same passwords.
- A firewall is a hardware or software product that protects a network from unauthorized access, using techniques such as packet filtering, NAT, or proxy servers.
- Applications and operating systems use security protocols, such as IPSec, L2TP, SSL, and Kerberos, to protect their data as it is transmitted over the network.