NETWORK ACCESS SOLUTIONS
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker |[email protected] | www.sevecek.com |
NETWORK ACCESS SOLUTIONS
Troubleshooting Remote Access
Network Access Technologies
VPN: SMB/SQL/LDAP/DCOM sensitive to RTT
Remote Desktop: no clipboard, no file proliferation, limited malware surface
802.1x: WiFi or Ethernet, no encryption, authorization only
DirectAccess: GPO managed IPSec tunnel over IPv6
Web Application Proxy: HTTPS reverse proxy for web applications
VPN Scenario (diagram): VPN Client -> VPN Gateway -> internal DC, FS, SQL, RADIUS, SharePoint, RDP
DA Scenario (diagram): DA Client -> DA Server -> internal DC, FS, SQL, RADIUS, SharePoint, Wks, RDP
RDP Scenario (diagram): RDP Client -> RDP Gateway -> internal DC, FS, SQL, RADIUS, SharePoint, Wks, RDP
802.1x WiFi Scenario (diagram): WiFi Client -> WiFi AP -> internal DC, FS, SQL, RADIUS, SharePoint, RDP
802.1x Ethernet Scenario (diagram): Wks, Printer -> Switch -> internal DC, FS, SQL, RADIUS, SharePoint, Wks, Exchange
WAP Scenario (diagram): Web browser or GUI client -> Web Application Proxy -> internal DC, Web, Lync, AD FS, SharePoint
VPN Compared
Protocol | Transport | Client | RRAS Server | Server Requirements | Client Requirements
PPTP | TCP 1723, IP GRE | MS-DOS and newer | NT 4.0 and newer | - | -
L2TP | UDP 500, 4500, IP ESP | NT 4.0, 98 and newer | 2000 and newer | IPSec certificate, public name, public IP | IPSec machine certificate
SSTP | TCP 443 TLS | Vista/2008 and newer | 2008 and newer | TLS certificate, public name | -
IKEv2 | UDP 500, 4500, IP ESP | 7/2008 R2 and newer | 2008 R2 and newer | IPSec certificate, public name, public IP | IPSec machine certificate
RD Gateway | TCP 443 TLS | RDP Client 6.0 and newer | 2008 and newer | TLS certificate, public name | -
DirectAccess | IPSec inside IPv6 inside TCP 443 TLS, or Teredo/6-to-4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | 2012 and newer | IPSec certificate, TLS certificate, public name | IPSec machine certificate
Web Application Proxy | HTTPS | web browser, GUI web client (Office) | 2012 R2 and newer, WAP and AD FS server | TLS certificate, public name, TLS certificate for AD FS |
Network Access Protection (NAP)
Client health validation before connecting
Firewall on?
Windows up-to-date?
Antimalware up-to-date?
SCCM compliance items in order?
Client validates itself
no security, only an added layer of obstruction
Microsoft RADIUS Server
Standard authentication server
IAS - Internet Authentication Service (2003-)
NPS - Network Policy Service (2008+)
Authentication options
login/password
certificate
Active Directory authentication only
Clear-text transport with signatures
message authenticator (MD5)
RADIUS General (diagram): Access Client (VPN, WiFi, Ethernet, RDP GW) -> Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server) -> RADIUS -> Active Directory (AD pass-through authentication)
RADIUS Terminology (diagram): same picture; in RADIUS terms the Access Server (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW, DHCP Server) is the RADIUS Client
Authentication Methods
PAP, SPAP: clear text and hashed password respectively
CHAP: MD5 challenge response, requires "Store passwords using reversible encryption"
MS-CHAP: NTLM equivalent, DES(MD4)
MS-CHAPv2: NTLMv2 equivalent plus improvements (time constraints), HMAC-MD5 (MD4)
EAP+MS-CHAPv2: MS-CHAPv2 equivalent, different packeting
EAP+PEAP+MS-CHAPv2: MS-CHAPv2 wrapped in TLS
EAP+PEAP+TLS: client authentication certificate, in the user profile or on a smart card
No authentication: sometimes the authentication occurs on the Access Server itself (RD Gateway)
REMOTE ACCESS AUTHENTICATION
Troubleshooting Remote Access
PPTP issues
MPPE encryption: proprietary, RC4
Encrypted by authentication products: "by" password or "by" certificate
PAP/SPAP/EAP travels in clear
EAP-TLS vs. PEAP
EAP-TLS is designed for protected transport; it does not protect itself
Protected EAP: EAP wrapped in standard TLS
EAP/PEAP Generic (diagram): Access Client <-> Access Server <-> RADIUS <-> Active Directory; EAP/PEAP server certificate on RADIUS, EAP/PEAP client certificate on the Access Client, VPN tunnel server certificate on the Access Server, VPN tunnel client certificate on the Access Client
MS-CHAPv2 with SSTP (diagram): only the VPN tunnel server certificate (on the Access Server)
EAP + MS-CHAPv2 with SSTP (diagram): only the VPN tunnel server certificate (on the Access Server)
EAP + TLS with SSTP (diagram): EAP-TLS server certificate on RADIUS, EAP-TLS client certificate on the Access Client, VPN tunnel server certificate on the Access Server
EAP + PEAP + MS-CHAPv2 with SSTP (diagram): PEAP TLS server certificate on RADIUS, VPN tunnel server certificate on the Access Server
EAP + PEAP + TLS with SSTP (diagram): PEAP TLS server certificate and EAP-TLS server certificate on RADIUS, EAP-TLS client certificate on the Access Client, VPN tunnel server certificate on the Access Server
RADIUS Clients configuration
IP address of the device
  can be resolved from DNS, but must match the IP address of the device (no reverse DNS)
Shared secrets
  MD5(random message authenticator + shared secret)
  NETSH NPS DUMP ExportPSK=YES
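The slides state that RADIUS is clear-text transport with signatures (the Message-Authenticator attribute) and that a RADIUS client is identified by its IP address plus a shared secret. The Python below is an added example, not code from the slides, showing the three places that secret is actually used in an Access-Request exchange according to RFC 2865 and RFC 2869: hiding the User-Password attribute, signing the packet with an HMAC-MD5 Message-Authenticator, and computing the Response Authenticator of the reply. The secret, the Request Authenticator and the user name are constructed values; the server-side check is what a RADIUS server such as NPS does with the secret configured for the sending client's IP.

```python
# Added example (not from the slides): how a RADIUS shared secret is used in an
# Access-Request exchange, per RFC 2865 and RFC 2869. All values are constructed.
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

SECRET = b"constructed-shared-secret"   # constructed; NPS stores one per RADIUS client
REQUEST_AUTH = bytes(range(16))         # constructed; real clients send 16 random octets


def attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server does this with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")   # strips padding (a password ending in NUL would lose it)


def build_access_request(identifier, request_auth, attrs, secret):
    """Append a Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed with the
    shared secret over the whole packet, computed with its 16 value octets zeroed."""
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check: locate attribute 80, zero it, recompute the HMAC, compare.
    A packet without the attribute is treated as unsigned (False)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                      # malformed TLV, reject
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: reply authenticator = MD5(reply header + request authenticator
    + reply attributes + shared secret); the client checks it the same way."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def demo():
    attrs = (attr(ATTR_USER_NAME, b"kamil")
             + attr(ATTR_USER_PASSWORD, hide_password(b"Pa$$w0rd", SECRET, REQUEST_AUTH))
             + attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])))      # constructed NAS IP
    packet = build_access_request(7, REQUEST_AUTH, attrs, SECRET)
    tampered = bytearray(packet)
    tampered[22] ^= 0x01                      # first octet of the User-Name value
    accept = response_authenticator(CODE_ACCESS_ACCEPT, 7, b"", REQUEST_AUTH, SECRET)
    return {
        "username_in_clear": b"kamil" in packet,        # integrity only, no encryption
        "password_in_clear": b"Pa$$w0rd" in packet,
        "password_round_trip": reveal_password(packet[29:45], SECRET, REQUEST_AUTH),
        "mac_ok": verify_message_authenticator(packet, SECRET),
        "mac_wrong_secret": verify_message_authenticator(packet, b"wrong-secret"),
        "mac_tampered": verify_message_authenticator(bytes(tampered), SECRET),
        "accept_authenticator_len": len(accept),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows why the slide calls this "clear-text transport with signatures": the User-Name is readable on the wire, the User-Password is only obfuscated with an MD5 stream keyed by the shared secret, and a mismatched secret (the typical symptom of a wrong RADIUS client entry on NPS) or any altered octet makes the Message-Authenticator check fail. This is also why the secret exported by NETSH NPS with ExportPSK=YES must be protected like a password.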
Implementing NPS Policy
NPS Auditing: audit policy subcategory "Audit Network Policy Server"
802.1x Auditing on Clients: audit policy subcategory "Audit Other Logon/Logoff Events"
PEAP on NPS
VPN Client Notes
Validates CRL
SSTP does not use the CRL cache
  HKLM\System\CCS\Services\SSTPSvc\Parameters
  NoCertRevocationCheck = DWORD = 1
IPSec
  netsh advfirewall set global ipsec strongcrlcheck 0
  HKLM\System\CCS\Services\PolicyAgent
  StrongCrlCheck = 0 = disabled
  StrongCrlCheck = 1 = fail only if revoked
  StrongCrlCheck = 2 = fail even if CRL not available
  HKLM\System\CCS\Services\IPSec
  AssumeUDPEncapsulationContextOnSendRule = 2
PEAP Client Settings
VPN Client Configuration
Group Policy Preferences: limited options
Connection Manager Administration Kit (CMAK): create VPN installation packages
SSTP VPN troubleshooting
https://vpn.gopas.cz/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
802.1x Notes
Required services
  WLAN AutoConfig (WlanSvc)
  Wired AutoConfig (dot3svc)
Group Policy Settings
  Windows XP SP3 and newer: full configuration options
802.1x Authentication
User authentication
  login/password
  client certificate in the user profile or on a smart card
Computer authentication
  MACHINE$ login/password
  client certificate in the local computer store
Computer authentication with user re-authentication
  works like a charm since Windows 7
MS-CHAPv2 with 802.1x (diagram): Access Client -> AP or switch (single Ethernet cable or WiFi) -> RADIUS -> Active Directory; no certificates involved
EAP/PEAP/TLS with 802.1x (diagram): same path; EAP/PEAP client certificate (user or machine) on the Access Client, EAP-TLS server certificate and EAP/PEAP server certificate on RADIUS
RD Proxy Troubleshooting
RPCPING options
  -t ncacn_http
  -e 3388 -s localhost (local TSGateway COM service)
  -v 3 (verbose output 1/2/3)
  -a connect (connect/call/pkt/integrity/privacy)
  -u ntlm (nego/ntlm/schannel/kerberos/kernel)
  -I "kamil,gps,*" (server identity: user,domain,password)
  -o RpcProxy=gps-wfe.gopas.virtual:443
  -F ssl
  -B msstd:gps-wfe.gopas.virtual
  -H ntlm (RPC over HTTP proxy authentication ntlm/basic)
  -P "proxykamil,gps,*" (proxy identity: user,domain,password)
  -U NTLM (HTTP proxy authentication ntlm/basic)
Example
  rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"
RPC Proxy Troubleshooting
https://rpcserver/Rpc/RpcProxy.dll
https://rpcserver/RpcWithCert/RpcProxy.dll