
Module 9: Designing the Network Access Infrastructure

Contents

Overview 1
Lesson: Gathering Data for Network Access Design 2
Lesson: Designing Network Access Security 8
Lesson: Choosing Remote Access Methods 22
Lesson: Designing a Remote Access Infrastructure 30
Lesson: Designing a Wireless Access Infrastructure 42
Lab A: Designing the Network Access Infrastructure 53
Course Evaluation 56

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, BackOffice, Microsoft Press, MSDN, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Instructor Notes

Presentation: 120 minutes
Lab: 60 minutes

This module provides students with the knowledge and skills needed to design the network access infrastructure. The module describes how to gather relevant data, and how to use that data to design for network access security, remote access, and wireless access. After completing this module, students will be able to:

- Gather data for network access design.
- Design network access security.
- Design remote access methods.
- Design a remote access infrastructure.
- Design a wireless access infrastructure.

Required materials

To teach this module, you need Microsoft PowerPoint file 2282A_09.ppt.

Important: It is recommended that you use PowerPoint 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all features of the slides might not be displayed correctly.

Preparation tasks

To prepare for this module:

- Read all of the materials for this module.
- Complete the practices and review the assessment questions. Whenever possible, anticipate alternative answers that students might suggest and prepare responses to those answers.
- Complete the lab, practice discussing the answers, and become familiar with the lab environment.
- Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials compact disc. Document your own suggested additional readings to share with the students.
- Visit the Web links that are referenced in this module.

Classroom setup

The information in this section provides setup instructions that are required to prepare the instructor computer or classroom configuration for a lab. The computers in the classroom should be set up in the configuration specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure. No additional classroom setup is required to perform the lab in this module.


How to Teach This Module


This section contains information that will help you to teach this module.

Lesson: Gathering Data for Network Access Design

This section describes the instructional methods for teaching this lesson. In this lesson, students learn the relevant information they need to gather to create a network access design.

Business Requirements
Explain that the key point in this topic is to determine who needs access to an organization's network, and the kind of access (for example, VPN, dial-up, and so on) that they need. The answers to these questions will vary depending on the business requirements of the organization.

User Requirements
This topic is a continuation of the previous one, but requires the student to gather even more specific information. The key points are determining precisely what tasks users must perform when remotely connected to the network, how long the remote users must be connected, and how many concurrent remote connections must be supported.

Security Requirements
Point out that before you can design a network access infrastructure you must determine the security requirements of the organization. You must also determine exactly which portion, or portions, of the network will be accessed remotely to design appropriate security for those portions.

Interoperability Requirements
Emphasize that when creating any kind of network design, you must always consider interoperability. When designing for network access, pay special attention to the network protocols being used on the network as well as the types of servers and clients with which the remote access server must interoperate.

Guidelines for Gathering Data for a Network Access Design
Use this topic to stress the basic design guidelines that have been emphasized throughout this course: consider the existing infrastructure, get input from all stakeholders, gather data about future needs, and gather information about the organization's security requirements.

Practice
There is no practice for this lesson.

Lesson: Designing Network Access Security

This section describes the instructional methods for teaching this lesson. In this lesson, students learn how to design for network access security. The lesson compares authentication methods and methods for protecting an organization's resources. This lesson also explores remote access policies, remote access monitoring and auditing, and wireless network access methods.

Authentication Methods
When discussing guidelines for choosing authentication protocols, emphasize to students that, as a general rule, they should use the most secure authentication protocols that their network access servers and clients can support.


Encryption Methods
Emphasize that data encryption is critical for virtual private network (VPN) connections because there is always a risk of interception whenever private data is sent over the Internet. Emphasize that Microsoft Windows Server 2003 uses Microsoft Point-To-Point Encryption (MPPE) for Point-To-Point Tunneling Protocol (PPTP) connections and Internet Protocol Security (IPSec) for Layer Two Tunneling Protocol (L2TP) connections.

Remote Access Policies
In Windows Server 2003, the default remote access policy is Deny remote access permission, and the default time of day constraints setting is 24/7. Therefore, by default, a user is denied remote access at all times unless it is explicitly granted to that user.

Remote Access Profiles
The information on remote access profiles might be a review for your students. The key teaching points of this topic are the settings contained in a remote access profile, which specify authentication protocol, level of encryption required, dial-in constraints, IP address and filters, allowable multilink connections, and advanced attributes.

Remote Access Monitoring and Auditing
Emphasize that, for security reasons and for trend analysis, you should monitor and audit remote access. Two tools that you can use are a Remote Authentication Dial-In User Service (RADIUS) server, and the RAS Server Monitor tool.

Wireless Network Access Methods
When discussing 802.1x, if students bring up LEAP and ask how it fits into the wireless access methods, you can explain that LEAP is Cisco's wireless authentication protocol, which is based on EAP and is called EAP-Cisco Wireless or LEAP. LEAP is based on and supports the 802.1x standard.

Guidelines for Designing Network Access Security
Use this time to review the topics covered in this lesson. Emphasize that you should use the strongest method of wireless authentication that is supported by all of your wireless client computers and your wireless access points.

Discussion
Each organization handles network access security differently. Have students share with the class their own experiences with network access security.

Lesson: Choosing Remote Access Methods

This section describes the instructional methods for teaching this lesson. In this lesson, students learn how to choose an appropriate remote access method based on business requirements.

Remote Access Methods
Explain to students that there are two methods for (non-wireless) remote access: dial-up networking and virtual private networking. The needs of the business will drive the choice for a remote access method.

VPN Tunneling Protocols
Emphasize that the choice of VPN tunneling protocol (either PPTP or L2TP) will depend on a number of factors, including the connection type (for example, IP, Frame Relay, X.25, and so on) used for the VPN, whether a public key infrastructure (PKI) is implemented on the network, whether a NAT is used, and other business and security factors.

Hardware Considerations
To promote class discussion, consider asking students about the type of remote access server hardware used in their organization. Do they use a server-based software solution? Or do they use a dedicated remote access hardware device?


Guidelines for Choosing Remote Access Methods
Remind students that when determining the amount of LAN and Internet bandwidth required for a remote access design, they must consider the future growth of the organization.

Practice
There is no practice for this lesson.

Lesson: Designing a Remote Access Infrastructure

This section describes the instructional methods for teaching this lesson. In this lesson, students learn to design a remote access infrastructure based on business requirements. The lesson compares options for the placement of remote access servers, VPN servers, and authentication servers. It also covers possible scenarios that affect the configuration of remote client computers, and introduces the Connection Manager tool that can be used to configure remote client computers. Finally, the lesson discusses user education and guidelines for designing a remote access infrastructure.

Strategies for RAS Server Placement
Point out that many factors will influence the placement of the remote access server, including whether the network is non-routed or fully routed, whether VPNs are used, bandwidth considerations, and security requirements.

Strategies for VPN Server Placement
Explain that the primary factor that influences the placement of VPN servers is the security requirements of the organization. Other factors that influence this design decision include the current network infrastructure; the authentication, encryption, and tunneling protocols used; and the use of network address translation (NAT) devices.

Strategies for Authentication Server Placement
Emphasize that the recommended strategy for the placement of RADIUS clients and servers is to place RADIUS clients close to remote access users, and to place RADIUS servers close to the domain controller that provides authentication for the remote user accounts.

User Environment Configuration
Emphasize that designing for the configuration of remote access client computers is a critical element in a remote access infrastructure design, typically because of the large number of client computers that must be configured. Point out that you can use Connection Manager, which is a client dialer and connection software program that is included in Windows Server 2003, to help manage the configuration of remote access client computers. Connection Manager supports both dial-up and VPN connections, and can be used to configure settings on remote access client computers such as routing table updates, automatic proxy configuration, customized branding messages unique to a particular organization, simplified distribution of a self-installing executable, and distribution of custom phone books.

Considerations for User Education
Explain that just as it is important to train employees to perform other network-related tasks, it is important to train them on how to connect to the company's network remotely. They must know how to connect, how to access resources, and how to disconnect. Perhaps even more importantly, users must be trained to take appropriate security measures when traveling with computers and using these computers to connect to the company's network.


Guidelines for Designing a Remote Access Infrastructure
Use this section to review and summarize the topics covered in this lesson.

Practice
In this practice, students design a remote access infrastructure for Northwind Traders. Students' design solutions may vary. This is okay as long as students can justify their own solutions.

Lesson: Designing a Wireless Access Infrastructure

This section describes the instructional methods for teaching this lesson. In this lesson, students learn to design a wireless access infrastructure based on business requirements.

Wireless Networking Standards
Because wireless networking standards are constantly changing, you and your students might want to visit the Institute of Electrical and Electronics Engineers (IEEE) Web site at http://www.ieee.org to read about the latest standards updates.

Strategies for Wireless Security
Explain that when it comes to wireless networking, security is always a challenge. Review the potential threats to wireless networking and the strategies that can be used to prevent or mitigate these security vulnerabilities.

Hardware Considerations for Wireless Network
Review the types of hardware that are required for a wireless networking solution, including wireless adapters, wireless access points, and, depending on the wireless standard to be used, a RADIUS server. Emphasize that the business requirements of the organization, such as cost, quality, and compatibility with the wireless standard and security method adopted by the organization, will drive the design decisions when it comes to selecting hardware for wireless networking.

Best Practices for Designing a Wireless Access Infrastructure
Review the best practices for designing wireless security, for choosing wireless access points (APs), for choosing wireless network adapters, and for ensuring wireless network performance.

Practice
In this practice, students design a wireless access infrastructure for Northwind Traders. Students' design solutions may vary. This is okay as long as students can justify their own solutions.

Lab A: Designing the Network Access Infrastructure

In this lab, students design various remote and wireless access infrastructure strategies for Tailspin Toys. After completing this lab, students will be able to:

- Design a VPN solution.
- Design a solution to configure remote client computers for remote access.
- Design a security strategy for remote access.
- Design a wireless networking infrastructure.


Note: To prevent confusion, at the start of the lab, remind students that in the practices they have been working with Northwind Traders, but in the labs they are working with Tailspin Toys.

To begin the lab, open Microsoft Internet Explorer and then, on the Web page that appears, click the link for this lab. Play the video interviews for students, and then instruct students to begin the lab with their lab teams. Note that:

- The e-mail messages from Lisa Jacobson and Lori Kane state the specific tasks that must be accomplished in this lab.
- There are no key Tailspin Toys documents that students need to view for this lab. At this point in the course, students should have a solid grasp on everything they need to know about Tailspin Toys to complete this lab.

Give students approximately 20 to 25 minutes to complete their answers. Then spend approximately 10 to 15 minutes discussing the students' answers as a class. Student answers will vary because there are several possible remote and wireless access strategies and no single correct solution. After the teams develop their answers, discuss all of the teams' answers as a class.

General lab suggestions
For general lab suggestions, see the Instructor Notes for the Module 1 lab, Preparing to Design an Active Directory Infrastructure, in Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure. Those notes contain detailed suggestions for facilitating the lab environment in this course.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The lab in this module is dependent on the classroom configuration specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure.

Important: Although no computer configuration changes occur on student computers during the labs, the information gathered and many of the solutions produced in a lab carry forward to subsequent labs in the course. Therefore, if this course is customized and all of the modules are not used, or they are presented in a different order, when the instructor begins a lab the instructor might need to provide students with a possible answer from the previous lab(s) to use as a starting point for the current lab.


Overview

Introduction
This module describes how to design a network access infrastructure by gathering relevant data, and then analyzing and using that data to design for network access security, remote access, and wireless access. The module includes strategies for authentication, administration, access monitoring, interoperability, and user education.

Objectives
After completing this module, you will be able to:

- Gather data for network access design.
- Design network access security.
- Design remote access methods.
- Design a remote access infrastructure.
- Design a wireless access infrastructure.


Lesson: Gathering Data for Network Access Design

Introduction
The first step toward creating a network access design involves gathering data about your business requirements, user requirements, security requirements, and interoperability requirements. You also need to consider any existing remote access infrastructure, anticipated growth, and other future needs.

Lesson objectives
After completing this lesson, you will be able to:

- Explain how the business requirements of an organization influence the network access design.
- Explain how user requirements influence the network access design.
- Explain how security requirements influence the network access design.
- Explain how interoperability requirements influence the network access design.
- Gather relevant data for a network access design.


Business Requirements

Key points
The business requirements of your organization will drive your network access design. Some of the business requirements that you must determine and consider include:

- Virtual private network (VPN) access for employees. Do employees need to access the corporate network from home? Do they have existing Internet connections?
- VPN access for suppliers, vendors, business partners, or customers. Do your suppliers, vendors, business partners, or customers need VPN access to all or part of your corporate network? Do they have existing or planned Internet connectivity to support VPN access? Will they require individual connections or a router-based VPN tunnel connection?
- Dial-up access for employees. Do employees need to be able to access the corporate network by using a dial-up connection from home or while traveling?
- Dial-up access for suppliers, vendors, business partners, or customers. Do your suppliers, vendors, business partners, or customers need dial-up access to all or part of your corporate network? Will they require individual connections, or a router-based dial-up connection?
- Anonymous public access to corporate data. Do you have a business need to make some corporate data available to anyone with an Internet connection? Should the data be available by using a Web browser or some other method, such as File Transfer Protocol (FTP)?

Additional reading

For more information on remote access methods, see Deploying Dial-up and VPN Remote Access Servers under Additional Reading on the Web page on the Student Materials compact disc.


User Requirements

Key points
Before you can decide which remote access solution is most appropriate for your network access infrastructure design, consider user requirements for completing tasks remotely. Ask the following questions:

- What tasks do employees perform when they connect to your network remotely? Do they transfer large files remotely? Do they need read-only access to documents on the network? This information helps you to determine the required remote access method, bandwidth, and data access permissions for remote employee users. For example, users that transfer large files over the remote access connection will require more bandwidth than users who only need to access their e-mail.
- What tasks do non-employees perform when they connect to your network remotely? Do they transfer large files remotely? Do they need read-only access to documents on the network? This information helps you to determine the required remote access method, bandwidth, and data access permissions for non-employee remote users. For example, if non-employees only need access to a specific server or to a specific server-based application, they might then be allowed to connect to a separate portion of your network that contains only the data they must access.
- How long is each type of user connected remotely? Do users log on remotely and remain connected? If remote users are running a network application that requires them to remain connected for a long time, this will influence the choice of remote access method.
- How many remote users are connected concurrently? What is the maximum number of users that connect remotely at any time? If the number of users connecting remotely is relatively small, then a dial-up method might work well. Costs, such as ongoing costs for telephone service, might also be a factor in determining the maximum number of concurrent remote users to be supported.

Remember to use the data gathered to predict what future levels will be so the design is appropriately scaled.


Security Requirements

Key points
Before you can decide which remote access infrastructure solution is most appropriate for your organization's network access infrastructure design, you must consider your organization's security requirements for completing tasks remotely. Ask the following questions:

- What type(s) of client computers must be supported? This will help you determine the type of VPN connection and authentication method that is required for remote access.
- Should encryption be used to protect the data being accessed? How important is this data? Should it be protected from compromise when it is transmitted over the dial-up or VPN connection? This information will help you create your design for securing remote connections to your network.
- What portion or portions of the network do remote clients need to access? Do remote users need access to the entire network? Do they only need access to e-mail? This will help you determine where to connect the dial-up or VPN server to your network. This will also help you create a design for securing resources that are accessed by remote users.

Additional reading

For more information about gathering requirements for remote access, see Deploying Dial-up and VPN Remote Access Servers under Additional Reading on the Web page on the Student Materials compact disc.


Interoperability Requirements

Key points
Before you can decide which remote access solution will be most appropriate for your organization's network access infrastructure design, consider your organization's interoperability requirements. Consider the following:

- Types of servers with which the remote access server (RAS) must interoperate. For example, your organization might be using third-party Remote Authentication Dial-In User Service (RADIUS) servers, certificate services servers, or VPN servers. This information will help you determine the types of protocols that are required on the remote access server, and help you to determine which hardware and software to use for your remote access server.
- Types of client computers with which the RAS must interoperate. For example, the client computers might be running Microsoft Windows, UNIX, Macintosh, DOS, or another operating system, and they might require support for specific authentication methods, such as plain text or Password Authentication Protocol (PAP).
- Protocols other than Transmission Control Protocol/Internet Protocol (TCP/IP) that are being used on the network. For example, your organization's network might support other operating systems that use protocols such as Internetwork Packet Exchange (IPX) or AppleTalk.


Guidelines for Gathering Data for a Network Access Design

Guidelines
When gathering data for a remote access infrastructure design, consider the following guidelines:

- Gather data about the existing remote access infrastructure. Determine and document any existing remote access infrastructure. Gather data about the number and types of remote access users, the types of remote access connections used, and the length of remote access connections. Gather data about the types of servers and client computers with which the existing RAS interoperates. Also gather data about remote access connection protocols.
- Obtain input from all stakeholders. This means that you need to interview administrator groups, remote user groups, application groups, security groups, management groups, and any other groups that will be part of the remote access design. Failure to gather information from a key group might cause the design to fail.
- Gather data about security issues. Paramount in any successful remote access design is the need to restrict access to the network to authorized users and to ensure that data is transmitted securely. You must collect data on the organization's specific security needs. Your remote access design should balance the business needs for accessing data with the security needs of restricting access to data. Failure to gather security information might lead to a design that has security flaws and is susceptible to unauthorized access to the organization's data.
- Gather data about future remote access needs. It is crucial to gather information about the future needs of your organization. For example, failure to gather information about the number of remote users predicted for the future will result in a remote access design that is quickly outgrown. Consequently, most network access designs take into account the anticipated growth for the next three to five years.


Lesson: Designing Network Access Security

Introduction
The security of a network is compromised if unauthorized remote users gain access to intranet-based resources. An effective network access security design ensures confirmation of the identity of the clients attempting to access your organization's network resources and protection of specific resources from inappropriate access by users. A network access security design specifies a straightforward, efficient way to set up and maintain security on the network.

Lesson objectives
After completing this lesson, you will be able to:

- Evaluate and choose appropriate authentication methods.
- Evaluate and choose appropriate methods for encryption.
- Establish appropriate remote access policies.
- Establish appropriate remote access profiles.
- Explain considerations for remote access monitoring and auditing.
- Evaluate wireless network access options.
- Design network access for an organization.


Authentication Methods

Introduction
When designing for network access security, you must determine the authentication method that best meets your organization's business and security needs. The authentication of remote access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process.

Remote access authentication protocols
Microsoft Windows Server 2003 supports the following authentication protocols for both dial-up and VPN remote access connections:

- Unauthenticated access. Unauthenticated access does not require user credentials and, therefore, does not provide any security.
- Password Authentication Protocol (PAP). PAP uses plaintext passwords and is the least secure authentication protocol. PAP is disabled by default.
- Shiva Password Authentication Protocol (SPAP). SPAP is used by client computers when connecting to a Shiva LAN Rover remote access device.
- Challenge Handshake Authentication Protocol (CHAP). CHAP is not recommended unless you have remote clients that only support CHAP. CHAP is disabled by default.
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) and MS-CHAP version 2 (MS-CHAP v2). MS-CHAP v2 provides stronger security than MS-CHAP, and should be used instead of MS-CHAP if your client computers support it. MS-CHAP and MS-CHAP v2 are enabled by default.


- Extensible Authentication Protocol (EAP). EAP is an authentication protocol that allows you to use plug-in modules to perform the actual authentication. Windows Server 2003 Routing and Remote Access includes support for EAP-Transport Layer Security (EAP-TLS) and MD5-Challenge. It also includes the ability to forward authentication requests to a RADIUS server, such as a Microsoft Internet Authentication Service (IAS) server.

  Note: EAP-TLS requires certificate-based authentication, such as smart cards. It also requires that the remote access server be a member of a domain. EAP-TLS is the most secure authentication method that is supported by Windows Server 2003 Routing and Remote Access.

- Protected Extensible Authentication Protocol (PEAP). PEAP is an authentication method that is used to support the authentication of wireless client computers by a RADIUS server. PEAP is not supported for VPN or dial-up clients.

Using a RADIUS server for authentication

You can use a RADIUS server to perform the authentication of remote access users for multiple remote access servers instead of performing the authentication individually on each remote access server. Using a RADIUS server such as an IAS server has the following benefits:

• Providing centralized authentication and authorization for remote access users.
• Implementing remote access policies once on the IAS server instead of implementing them individually on each remote access server.
• Providing centralized accounting and auditing of user connection data.

Guidelines for choosing authentication protocols for dial-up connections

Consider the following guidelines when choosing an authentication protocol for dial-up connections:

• If you use smart cards or have a certificate infrastructure that issues user and computer certificates, use the EAP-TLS authentication protocol for all dial-up connections. EAP-TLS is supported by dial-up clients running Microsoft Windows 2000, Microsoft Windows XP, or Windows Server 2003.
• If you do not have smart cards or a certificate infrastructure, use MS-CHAP v2 and enforce complex passwords by using Group Policy.
• If you have client computers that do not support MS-CHAP v2, such as Microsoft Windows 95 clients, enable both MS-CHAP and MS-CHAP v2.


Guidelines for choosing authentication protocols for VPN connections

Consider the following guidelines when choosing an authentication protocol for VPN connections:

• If you use smart cards or have a certificate infrastructure that issues user and computer certificates, use the EAP-TLS authentication protocol for both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) VPN connections. EAP-TLS is supported by VPN clients running Windows Server 2003, Windows 2000, or Windows XP.
• If you must use a password-based authentication protocol, use MS-CHAP v2 and enforce complex passwords by using Group Policy. MS-CHAP v2 is supported by VPN clients running Windows Server 2003, Windows 2000, Windows XP, Microsoft Windows NT Workstation 4.0 with Service Pack 4 (SP4) and later, Microsoft Windows Millennium Edition, or Microsoft Windows 98.
• Use the most secure authentication protocols that your network access servers and clients can support. If you need a high level of security, configure the remote access server and the authenticating server to accept only a few very secure authentication protocols.


Encryption Methods

Introduction

When designing for network access security, you must determine the encryption method that best meets your organization's business and security needs. On a VPN, you secure your data by encrypting it between the VPN client and the VPN server. Always use data encryption for VPN connections when private data is sent across a public network, which always presents a risk of interception. For VPN connections, Windows Server 2003 uses Microsoft Point-to-Point Encryption (MPPE) for PPTP connections and Internet Protocol security (IPSec) encryption for L2TP connections.

MPPE

MPPE uses the Rivest-Shamir-Adleman (RSA) public-key cipher for encryption and decryption with an RC4 stream cipher to encrypt data for Point-to-Point Protocol (PPP) or PPTP connections. PPTP connections use MPPE with MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge, or EAP-TLS authentication. The following table shows the validation and encryption options available for MPPE.

Validate identity by using | Require data encryption | Authentication methods negotiated | Encryption enforcement
---------------------------|-------------------------|-----------------------------------|-----------------------
Insecure password | No  | PAP, CHAP, SPAP, MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge | Optional encryption (connect even with no encryption)
Secure password   | No  | CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge | Optional encryption (connect even with no encryption)
Secure password   | Yes | MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge | Require encryption (disconnect if server declines)
Smart card        | No  | EAP-TLS | Optional encryption (connect even with no encryption)
Smart card        | Yes | EAP-TLS | Require encryption (disconnect if server declines)

IPSec

IPSec encrypts data within an L2TP-based connection. Choose IPSec as the remote access data encryption method if:

• You use L2TP tunneling.
• A public key infrastructure (PKI) is implemented on your network.

The following table describes the validation and encryption options, and the authentication methods that are used within an L2TP-based connection.

Validate identity by using | Require data encryption | Authentication methods negotiated | Encryption enforcement
---------------------------|-------------------------|-----------------------------------|-----------------------
Secure password | No  | CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge | Optional encryption (connect even with no encryption)
Secure password | Yes | CHAP, MS-CHAP, MS-CHAP v2, EAP-MD5 Challenge | Require encryption (disconnect if server declines)
Smart card      | No  | EAP/TLS | Optional encryption (connect even with no encryption)
Smart card      | Yes | EAP/TLS | Require encryption (disconnect if server declines)


Remote Access Policies

Introduction

When designing for network access security, consider using remote access policies. A remote access policy is a named rule that consists of one or more conditions, a remote access permission setting, and a set of profile settings that defines how remote access connections are either accepted or rejected. If the settings that are used for a dial-up client do not match at least one of the remote access policies that apply to the connection, the connection attempt fails, regardless of the client dial-up settings. In Windows Server 2003, the default remote access policy is Deny remote access permission, and the default time of day constraints setting is 24/7. Therefore, by default, a user is denied remote access at all times unless it is explicitly granted to that user. There are two primary methods to grant and deny remote access permissions to users:

Remote access permissions

• By user. This method allows you to set implicit and explicit Grant access or Deny access permissions on a user-by-user basis. This is the only method of controlling access in a Windows Server 2003 mixed mode domain.
• By policy. This method allows you to set implicit and explicit Grant remote access permission or Deny remote access permission on a user or group basis. This method can be used in a Windows Server 2003 native-mode or higher domain.

Remote access policy settings

You can customize remote access policies to restrict or grant access to the remote access server by configuring various conditions, including group membership, time of the day or day of the week, calling station ID, authentication method, and so on.


Remote Access Profiles

Introduction

You can use a remote access policy to create a dial-in profile to specify access based on Windows 2003 group membership, time of day, day of week, and type of connection. You can also configure settings for options such as maximum session time, authentication requirements, and Bandwidth Allocation Protocol (BAP) policies. Each remote access policy includes a profile of settings that are applied to the connection. The settings that can be configured in a remote access profile include:

Remote access profile settings

• Authentication protocols that are allowed, such as EAP or MS-CHAP v2.
• Encryption level, such as No Encryption, Basic, Strong, or Strongest.
• Dial-in constraints, such as the number of minutes a client can be connected, and time of day and day of week constraints.
• IP properties, such as whether the access server must supply an IP address, and any IP packet filters that will be applied.
• Multilink properties that both enable Multilink and determine the maximum number of ports that a Multilink connection can use.
• Advanced properties, such as the series of RADIUS attributes that are sent back by the IAS server to be evaluated by the RADIUS client.

For security purposes, you should pay special attention to the authentication and encryption settings and select the most secure options that your organization can support.

Note: When configured, the settings in the profile are applied to the connection immediately and might cause the connection to be denied or terminated.

Example: If the profile settings for a connection specify that the user can only connect for 30 minutes at a time, the user will be disconnected from the remote access server after 30 minutes.
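The two topics above (remote access policies and the profile attached to each) describe an evaluation order that is easy to get wrong in a design review: conditions select a policy, the permission (by user or by policy) decides whether the attempt may proceed, and only then are the profile settings applied, where they can still deny the connection. The following is an added worked example, not code from the course, that models that order as a small policy engine. The policy names, group names, the "alice" account and the connection attempts are constructed for the example; the modelled account setting "policy" stands for control access through remote access policy, and an explicit "allow" or "deny" on the account overrides the policy permission.

```python
"""Evaluate a connection attempt against ordered remote access policies.

Added example (not course code). Models the behaviour the text describes:
the first policy whose conditions all match decides the attempt; no matching
policy means the attempt fails; the account's dial-in setting can override
the policy permission; profile settings are applied after permission and can
still deny the connection.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime
from typing import Optional, Tuple

ENCRYPTION_RANK = {"No Encryption": 0, "Basic": 1, "Strong": 2, "Strongest": 3}


@dataclass
class Connection:
    user: str
    groups: set
    auth_protocol: str              # "EAP-TLS", "MS-CHAP v2", "PAP", ...
    encryption: str                 # key of ENCRYPTION_RANK
    calling_station_id: str         # number or address reported by the access server
    when: datetime
    dialin_setting: str = "policy"  # account setting: "allow", "deny" or "policy"


@dataclass
class Profile:
    allowed_auth: set                      # authentication protocols permitted
    min_encryption: str = "No Encryption"
    max_session_minutes: Optional[int] = None


@dataclass
class Policy:
    name: str
    grant: bool                                # remote access permission of the policy
    profile: Profile
    groups: set = field(default_factory=set)   # empty = any group
    days: set = field(default_factory=set)     # weekday numbers (0 = Monday), empty = any day
    hours: Optional[Tuple[int, int]] = None    # (start, end) hour, None = 24/7
    calling_prefix: str = ""                   # "" = any calling station ID


def conditions_match(policy: Policy, conn: Connection) -> bool:
    """Every configured condition of the policy must hold for the attempt."""
    if policy.groups and not (policy.groups & conn.groups):
        return False
    if policy.days and conn.when.weekday() not in policy.days:
        return False
    if policy.hours and not (policy.hours[0] <= conn.when.hour < policy.hours[1]):
        return False
    if policy.calling_prefix and not conn.calling_station_id.startswith(policy.calling_prefix):
        return False
    return True


def _result(accepted, policy, reason, max_session=None):
    return {"accepted": accepted, "policy": policy.name if policy else None,
            "reason": reason, "max_session_minutes": max_session}


def evaluate(policies, conn: Connection) -> dict:
    """Apply the first matching policy in order; reject when none matches."""
    for policy in policies:
        if not conditions_match(policy, conn):
            continue
        # Permission: an explicit Allow or Deny on the account overrides the
        # policy; "policy" (control access through policy) defers to it.
        if conn.dialin_setting == "deny":
            return _result(False, policy, "user account denies dial-in access")
        if conn.dialin_setting == "policy" and not policy.grant:
            return _result(False, policy, "policy denies remote access permission")
        # Profile settings are applied after permission and may still deny.
        prof = policy.profile
        if conn.auth_protocol not in prof.allowed_auth:
            return _result(False, policy, f"{conn.auth_protocol} not allowed by profile")
        if ENCRYPTION_RANK[conn.encryption] < ENCRYPTION_RANK[prof.min_encryption]:
            return _result(False, policy, "encryption level below profile minimum")
        return _result(True, policy, "accepted", prof.max_session_minutes)
    # Windows Server 2003 default: no matching policy means the attempt fails.
    return _result(False, None, "no remote access policy matched")


# Constructed policy set: VPN staff on weekdays 08:00-18:00; everything else denied.
SAMPLE_POLICIES = [
    Policy("VPN staff, business hours", True,
           Profile({"EAP-TLS", "MS-CHAP v2"}, "Strong", 30),
           groups={"VPN-Users"}, days={0, 1, 2, 3, 4}, hours=(8, 18)),
    Policy("Deny all other attempts", False, Profile(set())),
]


def attempt(policies=SAMPLE_POLICIES, **changes) -> dict:
    """Evaluate a constructed baseline attempt with selected fields overridden."""
    base = Connection("alice", {"VPN-Users"}, "EAP-TLS", "Strongest", "555-0101",
                      datetime(2003, 6, 10, 9, 0))   # constructed: a Tuesday, 09:00
    if isinstance(changes.get("when"), str):
        changes["when"] = datetime.fromisoformat(changes["when"])
    return evaluate(policies, replace(base, **changes))
```

The catch-all deny policy at the end is what makes the design explicit: without it the engine still rejects unmatched attempts, but an administrator reading the policy list would have to remember the implicit default. The test that matters for security is the profile one: an account explicitly set to Allow can still be refused when its authentication protocol or encryption level is weaker than the profile requires.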


Remote Access Monitoring and Auditing

Introduction

When designing your network access infrastructure, include monitoring and auditing in your design. Monitoring and auditing remote access connections and attempted connections enables you to determine:

• How secure your remote access infrastructure is.
• If your remote access solution meets the needs of current remote access users.
• If the current remote access infrastructure is adequate to meet the future growth for remote access.

You can use two methods to monitor and audit remote access:

• Use a RADIUS server to centralize accounting and authentication.
• Use the RAS Server Monitor tool from the Windows Server 2003 Resource Kit to monitor RAS server usage.

Using a RADIUS server to centralize accounting

RADIUS is a security authentication protocol based on clients and servers. RADIUS provides the ability to authenticate remote user accounts by using methods other than Windows-based authentication. For example, a remote access server that uses RADIUS can authenticate remote users by accessing a user account database located on another computer on the network. RADIUS centralizes the management of client authentication and accounting for remote access servers. The integration of Routing and Remote Access with RADIUS allows:

• Centralized remote access policies to be defined for all remote access servers, replacing individual server policies.
• Centralized logging of client success, failure, and connection status events for multiple servers.


The events that are logged include:

• Authentication requests for the connecting user.
• Authentication accepts and rejects for the connecting user.
• Accounting-interim requests, sent periodically by the remote access server during a user session.

Using RAS Server Monitor

Monitoring the success or failure of users' dial-up connections has always been a challenge because of the intermittent nature of dial-up connections. The Windows Server 2003 Resource Kit contains the RAS Server Monitor tool, RasSrvMon.exe, which not only simplifies RAS troubleshooting but also enables you to gather useful information about RAS server usage on a per-port or per-user basis. You can use this information to predict future hardware needs.

Additional reading

For more information on remote access monitoring, see RAS Server Monitor under Additional Reading on the Web page on the Student Materials compact disc.
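Centralized logging is only useful if someone turns the records into the two views the topic describes: how secure the infrastructure is (repeated rejects for an account) and whether capacity is adequate (per-port usage). The following is an added example, not code from the course or the Resource Kit. Its input is a constructed, simplified comma-separated record layout (timestamp, event type, user, port, calling station) chosen for readability; it is not the IAS log format, and the parser would have to be adapted to whatever format your RADIUS server actually writes. The three-reject threshold and the 15-minute accounting-interim interval are assumptions.

```python
"""Summarize remote access authentication and accounting events.

Added example (not course code). Builds the per-user accept/reject view the
text calls for, flags accounts with repeated rejects for review, and
estimates per-port connected time from accounting-interim records.
"""
from collections import Counter

# Constructed sample records in a simplified layout: timestamp,event,user,port,station.
# Not the IAS log format.
SAMPLE_LOG = """\
2003-06-10T08:01:05,Access-Request,alice,COM1,555-0101
2003-06-10T08:01:06,Access-Accept,alice,COM1,555-0101
2003-06-10T08:16:06,Accounting-Interim,alice,COM1,555-0101
2003-06-10T08:31:06,Accounting-Interim,alice,COM1,555-0101
2003-06-10T08:40:11,Access-Request,bob,COM2,555-0199
2003-06-10T08:40:12,Access-Reject,bob,COM2,555-0199
2003-06-10T08:40:30,Access-Request,bob,COM2,555-0199
2003-06-10T08:40:31,Access-Reject,bob,COM2,555-0199
2003-06-10T08:41:02,Access-Request,bob,COM2,555-0199
2003-06-10T08:41:03,Access-Reject,bob,COM2,555-0199
2003-06-10T09:00:00,Access-Request,carol,COM2,555-0150
2003-06-10T09:00:01,Access-Accept,carol,COM2,555-0150
2003-06-10T09:15:01,Accounting-Interim,carol,COM2,555-0150
"""


def parse(text: str) -> list:
    """Split the constructed record layout into dictionaries, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, port, station = line.split(",")
        events.append({"ts": ts, "event": event, "user": user,
                       "port": port, "station": station})
    return events


def per_user_summary(events: list, reject_threshold: int = 3) -> dict:
    """Accept and reject counts per user; flag users at or above the reject threshold."""
    accepts, rejects = Counter(), Counter()
    for e in events:
        if e["event"] == "Access-Accept":
            accepts[e["user"]] += 1
        elif e["event"] == "Access-Reject":
            rejects[e["user"]] += 1
    users = set(accepts) | set(rejects)
    return {u: {"accepts": accepts[u], "rejects": rejects[u],
                "flag": rejects[u] >= reject_threshold} for u in sorted(users)}


def per_port_usage(events: list, interim_interval_minutes: int = 15) -> dict:
    """Approximate connected minutes per port: each accounting-interim record
    stands for one interval of session time (assumed interval length)."""
    minutes = Counter()
    for e in events:
        if e["event"] == "Accounting-Interim":
            minutes[e["port"]] += interim_interval_minutes
    return dict(minutes)


def flagged_users(events: list, reject_threshold: int = 3) -> list:
    """Users whose reject count reached the threshold, for the periodic log review."""
    summary = per_user_summary(events, reject_threshold)
    return [u for u, s in summary.items() if s["flag"]]
```

A reject count on its own does not distinguish a mistyped password from a misconfigured client or a probing caller; the calling station field kept in each record is what lets the reviewer compare the flagged account's attempts against the numbers or addresses it normally connects from.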


Wireless Network Access Methods

Options for wireless network access

When designing a wireless network access solution, choose a wireless access method that meets your network's security needs and your administrative requirements. Choose the appropriate access method from the following:

• Unauthenticated access. When you use unauthenticated access as your wireless access method, anyone with a computer or other device that has a wireless network adapter will be able to connect to your network if they are within the range of your wireless access points (APs). This solution is not recommended for a secure environment; however, it is often used for conferences and other public venues where Internet access is available to all attendees. Be aware that when you use unauthenticated access, you are putting client computers at risk.
• Access controlled by the media access control (MAC) address of the network adapter. To use this method, you must manually configure each of your wireless APs with the MAC address of every wireless network adapter in use in your organization. The security provided by this method is limited, and is easily bypassed by using a wireless network scanner to capture the MAC addresses of authorized adapters. In addition, this method is very time intensive for network administrators to manage. Therefore, this method is not recommended.
• Wired Equivalent Privacy (WEP). WEP uses a shared key to authenticate users and to encrypt all data sent over the wireless connection. Users without the shared key are not able to connect to the wireless AP. The shared key is usually manually configured on both the wireless AP and the client computer. This process is very administrator intensive, especially if the keys are changed on a regular basis. In terms of security, WEP is better than unauthenticated access or access controlled by the MAC address of the network adapter; however, it is vulnerable to attacks and should only be used if stronger authentication and/or encryption methods are not available. WEP does not scale well for a large, infrastructure mode wireless network.
• 802.1x. 802.1x requires wireless users to authenticate to a network authentication service, such as a RADIUS server, before they are allowed to connect to the network. EAP/TLS is used as the authentication protocol for 802.1x. Because of this, you must implement a PKI to use 802.1x authentication for your wireless network. 802.1x is the most secure authentication method for wireless networks, and should be used if you have a PKI and if your wireless APs support 802.1x authentication.

  Note: 802.1x can also be used for authentication on wired local area networks (LANs).

Guidelines for designing wireless network access

To minimize the inherent security risks that are associated with wireless networking, use the following guidelines:

• Require authorization and authentication of wireless clients before they exchange data with the network that is attached to the wireless APs.
• Encrypt the data sent between wireless clients and APs.

Additional reading

For more information about wireless authentication methods, see Deploying a Wireless LAN under Additional Reading on the Web page on the Student Materials compact disc.


Guidelines for Designing Network Access Security

Guidelines

When designing network access security for a remote access infrastructure, follow these guidelines:

• Require remote users to use a secure VPN connection when using Terminal Services or other remote control technologies. This method minimizes the firewall configuration to support additional protocols. It also standardizes your entry point into the network so that you can defend entry points.
• Require the use of L2TP with IPSec for VPN tunnels. IPSec provides more options for encryption and allows for certificate-based authentication. Use these protocols when network address translation (NAT) traversal is not an issue.
• Require multifactor authentication whenever feasible to provide secure VPN or dial-up access. Implement smart cards or tokens to provide more secure VPN or dial-up access.
• Restrict modem use inside the organization's network. Use Group Policy to disable modems on clients running Windows 2000 or later. Periodically conduct modem sweeps to look for unauthorized modems in your organization so that users do not connect their computer to an insecure network and expose your organization's network to unauthorized users.
• Require periodic review of audit logs for remote access activity. All dial-up activity is automatically logged in the system event log. Check regularly for unauthorized remote access.
• Require 802.1x authentication for wireless networking. Specify the strongest method of wireless authentication that is supported by all of your wireless client computers and your wireless APs. If possible, require the use of 802.1x authentication for all wireless access to your network.


Discussion: Designing Network Access Security

Discussion

Each organization handles network access security differently. Share with the class your experiences with network access security. Use the following questions to guide your discussion:

1. Which authentication and encryption methods do you use on your organization's network for remote access authentication? For VPN authentication?
2. If your organization has a wireless network, which authentication and encryption mechanisms does it use?
3. Does your organization use RADIUS servers for authentication? If so, do you use IAS or another implementation?
4. Does your organization use any multifactor authentication methods, such as smart cards? If so, when is their use required?

Answers may vary based on the work experience of the students who are participating in the class.


Lesson: Choosing Remote Access Methods

Introduction

This lesson compares the two primary remote access methods: dial-up networking and VPN. It also compares the PPTP and L2TP VPN tunneling protocols. Finally, this lesson explains key hardware considerations for remote access solutions. Each of these topics provides important information that will help you design the remote network access infrastructure for your organization.

Lesson objectives

After completing this lesson, you will be able to:

• Compare methods for remote access.
• Explain the design considerations for VPN.
• Explain how hardware affects the choice of remote access methods.
• Choose appropriate remote access methods for an organization.


Remote Access Methods

Introduction

Two remote access methods that you can use are dial-up networking and VPN. When designing for remote access, choose the method that best meets your organization's business and security needs.

Dial-up networking

In dial-up networking, a remote access client makes a non-permanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider and a connection type such as an analog phone line and modem, Integrated Services Digital Network (ISDN), or X.25. The best example of dial-up networking is that of a dial-up networking client who dials the phone number of one of the ports of a remote access server. Advantages of using dial-up networking include:

• Convenient direct dial-up connectivity to your network for mobile users.
• Potential secure data path over a circuit-switched connection. This is true only when encryption is used. Dial-up lines are inherently more private than a solution that uses a public network such as the Internet.

Disadvantages of using dial-up networking include:

• Large initial investment for modems or other communication hardware, server hardware, and phone line installation, and continuing expenses throughout the life cycle of the solution.
• Connections subject to the maximum speed limit that is supported by the connection medium, which is usually 56 kilobits per second (Kbps).


VPN

In virtual private networking, you create a secured, point-to-point connection across a private network or a public network such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols to make a call to a virtual connection port on a VPN server. The best example of VPN is that of a VPN client who makes a virtual private network connection to a remote access server that is connected to the Internet. The remote access server answers the call, authenticates the caller, and transfers encrypted data between the virtual private networking client and the corporate network. In contrast to dial-up networking, VPN is always a logical, indirect connection between the VPN client and the VPN server over a public network, such as the Internet. To ensure privacy, you must encrypt data sent over a VPN connection. The primary benefits of using VPNs are:

• Reduced costs. Using the Internet as a connection medium saves long-distance phone expenses and requires less hardware than does a dial-up networking solution.
• Sufficient security. Authentication prevents unauthorized users from connecting. Strong encryption methods make it extremely difficult for a hacker to interpret the data sent across a VPN connection.
• Flexibility. By using the public Internet as the transport network, reconfiguring remote client support is simpler than moving dedicated phone lines.

The limitation of using VPNs is that they are less private because they use the Internet.

Additional reading

For more information about VPNs, see Deploying Dial-up and VPN Remote Access Servers under Additional Reading on the Web page on the Student Materials compact disc.


VPN Tunneling Protocols

Introduction

VPN security is determined by tunneling and authentication protocols as well as the encryption levels applied to VPN connections. Windows Server 2003 supports two VPN tunneling protocols: PPTP and L2TP/IPSec. When designing your VPN solution, choose the tunneling protocol that best meets your organization's business and security needs.

PPTP

Microsoft's proprietary solution to tunneling over the Internet is PPTP. This protocol combines encryption and tunneling by using MPPE, which uses RSA Security's RC4 stream cipher. MPPE can use 40-bit, 56-bit, or 128-bit encryption keys. MPPE for VPN connections changes the encryption key for each packet. The decryption of each packet is independent of the previous packet. MPPE provides encryption only for data carried over the VPN link, not end-to-end encryption.

L2TP

Because L2TP provides only tunneling, not encryption, IPSec is used in conjunction with L2TP to provide encryption. L2TP/IPSec uses PPP user authentication methods and IPSec encryption to encrypt IP traffic. L2TP/IPSec provides data integrity, data origin authentication, data confidentiality, and replay protection for each packet. Compared with PPTP, L2TP/IPSec is more secure as a VPN protocol.

Comparison of PPTP and L2TP

Some of the key differences between PPTP and L2TP are:

• L2TP supports header compression, whereas PPTP does not. When header compression is enabled, L2TP operates with four bytes of overhead, as compared with six bytes for PPTP.
• PPTP requires an IP-based transit internetwork. L2TP requires only that the tunnel media provide packet-oriented, point-to-point connectivity. L2TP can use IP, Frame Relay permanent virtual circuits (PVCs), X.25 VCs, or asynchronous transfer mode (ATM) VCs to operate over an IP network.
• L2TP requires IPSec for encryption, whereas PPTP uses PPP encryption. Although PPTP can also use IPSec for encryption simultaneously, performance will decrease dramatically because all data would be encrypted twice.
• L2TP supports tunnel authentication, whereas PPTP does not. However, when either PPTP or L2TP is used in conjunction with IPSec, IPSec provides tunnel authentication so that layer two tunnel authentication is not necessary.
• Because it does not require a PKI, PPTP is simpler to deploy and less costly to manage than L2TP plus IPSec. PPTP also provides backward compatibility with client computers running Windows 95.
• Because it is an encrypted IP packet that is placed inside an unencrypted IP packet, PPTP can pass through a network address translator (NAT). However, because of IPSec packet authenticity, L2TP with IPSec cannot pass through a NAT. The good news is that there is an update to IPSec called IPSec NAT-Traversal (IPSec NAT-T), which enables IPSec packets to pass through NAT devices.

  Note: IPSec NAT-T client software is available as a Web download for Windows 98, Windows Millennium Edition, Windows NT 4.0, Windows 2000, and Windows XP.

Additional reading

For more information about IPSec NAT-T, see IPSec NAT Traversal under Additional Reading on the Web page on the Student Materials compact disc.


Hardware Considerations

Key points

Your organization's hardware will affect your choice of remote access methods. Additionally, your location might limit your choices in hardware options for remote access methods. Some hardware considerations for choosing a remote access method are:

• Capacity planning. How many users do you have to support? How much load do they put on the system? Your capacity requirement is determined by many factors including the number of users, what tasks your users perform, where they are connecting from, and what level of security you require. If you estimate a capacity that is inadequate, your remote access infrastructure might slow down user productivity. If you estimate a capacity that is too large, you might end up paying for capacity that is not used.
• Communications links. Sometimes, the hardest part of the whole process is choosing and provisioning the communications links for your remote access solutions. This is true for two reasons: you have to allow lead time for getting your communications links installed and tested, and you have to have a reasonable estimate of how many lines you need right from the start, as it takes longer and costs more money if you have to have the installers come back at a different time to complete the installation. You can make a more accurate estimate of the lines needed based on your capacity requirements.
• Service provider. In many areas, the choice of where to buy your service is made by default because the only provider of analog or digital lines is your local telephone company. Assuming that you have a choice, how do you choose a provider? You can choose the lowest-cost provider. However, a recommended way is to choose a provider based on the kind of service-level agreement (SLA) that they are willing to offer.
• Client hardware. Remote access is initiated from the remote clients. As a result, your choice for a remote access method will rely heavily on what hardware your remote clients are using. If the remote access method requires updating the remote clients' hardware, you must consider the type of hardware, the training required to use the new hardware, and the support your organization will provide to its remote clients.
• Remote access server solution. There are two types of solutions for providing remote access. The first type is a server-based software solution, such as Windows Server 2003 Routing and Remote Access. The second type is a dedicated remote access hardware device. As a general rule, the server-based software solution is more flexible than the dedicated remote access device, because the server on which the remote access software is installed can be used for additional functions besides providing remote access. Your organization might use a combination of these solutions to provide remote access.


Guidelines for Choosing Remote Access Methods

Guidelines

When choosing a remote access method for your organization's network access design, consider the following guidelines:

• Select a remote access method that provides flexibility. Based on the business requirements that you have gathered, choose methods that support your current and future remote clients.
• Determine the number of users that will be supported. The answer might be everyone. Or your organization might decide to limit access to people who are away from the home office, people with specific job responsibilities, or some other particular group. Make sure that you obtain a firm commitment from the decision makers in your organization regarding the number of remote access users that you must support.
• Determine the bandwidth that is required. It is difficult to determine the bandwidth that you will need to provide for remote access, because it is never easy to predict how much your users will need. In general, you can separate your bandwidth planning into the following two categories:
  • LAN bandwidth. Even if you know that your remote users will only have access to LAN resources, consider what will happen if you put another group of users onto any segment in your network. You must consider each remote access user to be the equivalent of a LAN user, even though a user connecting at 56 Kbps obviously cannot generate as much network traffic as someone connecting at 10 megabits per second (Mbps) by using an Ethernet connection.
  • Internet bandwidth. If you are using an Internet-based VPN solution, every inbound connection will consume part of the bandwidth available on your Internet connection. Even if you are not using an Internet-based VPN solution, remote access users might still consume your Internet bandwidth if you allow them to use their remote connections to access the Internet. By deploying proxy and caching services, you can handle some client requests without actually using any of your outbound bandwidth.


Lesson: Designing a Remote Access Infrastructure

Introduction

To design an effective remote access solution, it is important to consider the infrastructure requirements of the available solutions. This lesson describes strategies for RAS server, VPN server, and authentication server placement. It explains considerations for configuring remote client computers. It also addresses the need to train remote access users to perform remote access procedures and to practice good security protocol.

Lesson objectives

After completing this lesson, you will be able to:

• Compare choices for the placement of RAS servers.
• Compare choices for the placement of VPN servers.
• Compare choices for the placement of authentication servers.
• Explain considerations for the configuration of the user environment.
• Describe the elements and importance of successful user education.
• Design a remote access infrastructure.


Strategies for RAS Server Placement

Introduction

When designing a remote access solution, you must consider the physical placement of the remote access server. The placement of a RAS server in a network can affect the delivery of data to remote access clients. It can also affect the data traffic flowing to other users on the network.

When to place the RAS server in a subnet

You should place the RAS server in a subnet or on the segment with the most client-accessible resources if:

• There is a switched, non-routed LAN with multiple physical segments. This minimizes unicast traffic flowing across segments, as the switch does not reflect traffic onto all segments.
• There is a routed network with multiple routers. This minimizes cross-subnet traffic and the effect of client data on the bandwidth available to other network users.

Aggregate bandwidth considerations

The data for all dial-up clients passes through the RAS server interface to the private network. Even when the client data speeds are moderate, the aggregate throughput required can be significant. Wherever possible, you must minimize the routed path to resources that are used by the dial-up clients. Minimizing the routed path reduces both the client traffic delays and the interaction between dial-up client traffic and normal network user traffic. For example, consider a RAS server with 128 56-Kbps V.90 modems. If you assume the following conditions:
! All lines will be used at peak times.
! A multimedia training application is running on the remote access clients, requiring sustained throughput of 38 Kbps from server to client.


The aggregate bandwidth required will be:

38 Kbps x 128 = 4.864 Mbps

The simplified throughput calculation shows that the RAS server would use 49 percent of the available bandwidth on a 10-Mbps Ethernet segment. The LAN traffic of other network users would increase this usage further and might make it impossible to service the dial-up clients' multimedia needs. Some possible solutions in this example are:
! Move the multimedia files onto the RAS server so that network access is not required.
! Connect the RAS server to a network segment with higher throughput, such as a 100-Mbps or a gigabit network connection.
! Connect the RAS server directly to your core tier network by using a high-speed network adapter.
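The calculation above, carried a step further as an added example (not course code): it reproduces the 128 x 38 Kbps figure and then evaluates the candidate segment speeds from the solutions list against an assumed background LAN load; the 70 percent planning ceiling and the 3-Mbps LAN load are assumptions, not figures from the module.

```python
"""Capacity check for RAS server placement.

Added example (not course code): reproduces the module's calculation,
128 modems x 38 Kbps = 4.864 Mbps, and extends it to a set of candidate
segment speeds plus an assumed background LAN load on the same segment.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Candidate segment speeds, in Mbps, matching the module's list of solutions.
SEGMENT_SPEEDS_MBPS: Sequence[int] = (10, 100, 1000)

# Assumed planning ceiling (not from the module): keep headroom for other users.
MAX_UTILIZATION = 0.70


@dataclass(frozen=True)
class SegmentPlan:
    speed_mbps: int
    utilization: float   # share of the segment used by RAS plus LAN traffic
    acceptable: bool     # utilization at or below MAX_UTILIZATION


def aggregate_bandwidth_mbps(modems: int, per_client_kbps: float) -> float:
    """Throughput through the RAS server's LAN interface when every line is busy."""
    if modems < 0 or per_client_kbps < 0:
        raise ValueError("modems and per_client_kbps must be non-negative")
    return modems * per_client_kbps / 1000.0


def segment_utilization(ras_mbps: float, speed_mbps: int,
                        lan_load_mbps: float = 0.0) -> float:
    """Fraction of a segment consumed by RAS traffic and existing LAN traffic."""
    if speed_mbps <= 0:
        raise ValueError("segment speed must be positive")
    return (ras_mbps + lan_load_mbps) / speed_mbps


def plan_segments(modems: int, per_client_kbps: float,
                  lan_load_mbps: float = 0.0,
                  speeds: Sequence[int] = SEGMENT_SPEEDS_MBPS) -> List[SegmentPlan]:
    """Evaluate each candidate segment speed for the given dial-up load."""
    ras_mbps = aggregate_bandwidth_mbps(modems, per_client_kbps)
    plans: List[SegmentPlan] = []
    for speed in speeds:
        util = segment_utilization(ras_mbps, speed, lan_load_mbps)
        plans.append(SegmentPlan(speed, util, util <= MAX_UTILIZATION))
    return plans


def smallest_acceptable_speed(modems: int, per_client_kbps: float,
                              lan_load_mbps: float = 0.0) -> Optional[int]:
    """Slowest candidate segment that stays within the planning ceiling, or None."""
    for plan in plan_segments(modems, per_client_kbps, lan_load_mbps):
        if plan.acceptable:
            return plan.speed_mbps
    return None


if __name__ == "__main__":
    # The module's scenario: 128 V.90 modems, 38 Kbps sustained per client,
    # sharing the segment with an assumed 3 Mbps of ordinary LAN traffic.
    for plan in plan_segments(128, 38, lan_load_mbps=3.0):
        print(f"{plan.speed_mbps:>5} Mbps: {plan.utilization:.0%} "
              f"{'ok' if plan.acceptable else 'too busy'}")
```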

When to place the RAS server in a screened subnet

The RAS server should be placed in a screened subnet if:
! Corporate policies exist with a mandate that client access be processed by a firewall or filter.
! Clients use a VPN tunnel to connect to the private network.
! The RAS server contains other data made available to the public networks.
! The majority of client resources exist in the screened subnet.

When to place the RAS server in a single segment LAN

The RAS server can be placed solely based on physical network requirements if:
! There is a single segment, non-switched LAN.
! Clients are allowed to access only the RAS server resources.


Strategies for VPN Server Placement

Introduction

The placement of a VPN server can significantly affect network security for a network that contains a firewall or a NAT device. Proper placement of the VPN server relative to the firewall will achieve the functionality, availability, and performance goals of your remote access infrastructure design without compromising network security.

When to use the firewall as your VPN server

Consider using the firewall as your VPN server if:
! Your firewall has the capability to function as your VPN server.
! Your firewall has the capacity to handle your VPN connections.

When to place the VPN server outside the firewall

Place the VPN server outside the firewall if:
! Exposing the Routing and Remote Access-based VPN server directly to the Internet does not compromise the security aspects of the design.
! The security risks associated with allowing access to the entire VPN IP address range through the firewall are unacceptable.
! All sensitive data is placed behind the firewall, and all remote access through the firewall is limited to the VPN server.


Considerations when the VPN server resides outside the firewall

If the VPN server resides outside the firewall, consider:
! Providing an IPSec tunnel between the unprotected VPN server and the Routing and Remote Access-based router that is placed inside the firewall to reduce the number and complexity of the firewall filters.
! Configuring the firewall to allow communication between the unprotected VPN server and the Routing and Remote Access-based router inside the firewall.
! Encrypting all data between the unprotected VPN server and the internal Routing and Remote Access-based router by using the strongest encryption possible.
! Configuring the unprotected VPN server as a stand-alone server that is not a member of your Active Directory domain to reduce the exposure of the Active Directory database.

When to place the VPN server inside the firewall

Place the VPN server inside the firewall if:
! The added security risk of exposing the Routing and Remote Access-based VPN server directly to the Internet compromises the security aspects of the design.
! The potential security problems associated with allowing access to the entire VPN IP address range through the firewall are acceptable.

Note If the VPN server resides inside the firewall, you must configure the firewall filters to allow all PPTP-based and L2TP-based traffic across the entire VPN IP address range.

Integrating VPN servers and NAT devices

NAT devices, such as a proxy server, translate private IP addresses into public IP addresses and vice versa. Some application servers directly record the IP address and port number of the remote access client. These applications require a translation table on the NAT device to operate correctly. The NAT device modifies the header of the IP packet in both directions to allow the application to perform normally.

Using PPTP tunnels with a NAT device

When configuring NAT devices for PPTP tunnels, remember that:
! PPTP does not encrypt the IP header and operates with any NAT device.
! The NAT device requires the appropriate application translation tables.

Using L2TP tunnels with a NAT device

When configuring NAT devices for L2TP tunnels, remember that:
! L2TP and IPSec with ESP encryption do not work with applications that require NAT translation tables.
! IPSec NAT-T must be used instead of the original IPSec implementation if you use L2TP tunnels with a NAT. This enables encrypted IPSec traffic to pass through the NAT.


Strategies for Authentication Server Placement

Introduction

When designing a remote access solution, consider the physical placement of the authentication server. A RADIUS design requires a minimum of one RADIUS client (usually a RAS server) and one RADIUS server. You must place RADIUS clients and servers within the network to minimize network traffic and to ensure network security.

Place RADIUS clients close to remote access users

You must place RADIUS clients close to remote access users in order to:
! Localize the traffic between the remote access client and the RADIUS client.
! Reduce or eliminate dial-up charges by providing a local point of presence (POP).
! Delegate the RADIUS clients' administration to the administrators of the remote access users in the same geographic region.
! Reduce the risk of exposing confidential data. You achieve this by controlling the security between the RADIUS client and the private network.

Place RADIUS servers close to user accounts

You must place RADIUS servers close to the server or domain controller that provides remote user account authentication to ensure that:
! Traffic between the authentication server and the RADIUS server is localized.
! The authentication server and the RADIUS server are within the private network, which prevents unauthorized access to the user account database.


User Environment Configuration

Introduction

When designing a remote access solution, consider the need to efficiently configure the remote access client computers. The most configuration-intensive aspect of any remote access infrastructure is configuring the client computers. You must first determine how remote access client computers connect to the RAS server. You must then determine how to configure the clients to connect to the RAS server.

User environment configuration considerations

When determining how you will configure remote access client computers, consider:
! Travel. Do the remote access users require access configurations that cover multiple locations? For example, if you have users who travel frequently or need to access your private network from home or other locations, you will need to create multiple connection environments on the client.
! Security. As the remote access client is the starting point of the remote access request, it is imperative that only authorized users can initiate a request. For example, a salesperson's laptop should be configured in such a way that only the salesperson can initiate a remote access request.
! Number of remote users. If you have hundreds of users that need remote access configurations, you must consider the amount of administrative overhead that will be involved in setting up each user's desktop for remote access.
! Distribution. How will you design a distribution process to get each remote access user the configuration settings that they need? For example, if the user's computer is at home, is there a Web site where the user can access the connection configuration? Or will the user require a compact disc to configure the settings?


In any remote access solution design, the number of remote users will be significantly more than that of the remote access servers. Therefore, configuring remote client computers will make up the majority of the configuration tasks. Your remote access infrastructure design must include a client configuration component that not only configures the remote client computers but also updates them when necessary. You can use the Connection Manager Administration Kit to create an installable configuration that remote users can use to configure their computers.

Using Connection Manager

In a multiple-server remote access solution, the clients must be distributed evenly across the servers. Connection Manager allows the distribution of a phone book with multiple access numbers to clients. Clients connect to the dial-up numbers in the order specified in their phone book. The order of the phone book entries can be set for individual users or groups, allowing the client load to be evenly distributed among servers. To provide remote access availability in the event of a single point connection failure, consider:
! Assigning each remote access client a primary phone number that is connected to a designated RAS server.
! Assigning each remote access client a backup phone number that is connected to a redundant RAS server.
! Using Connection Manager to call the primary phone number first and, in the event of a failure, call the backup phone number.
! Using Connection Manager to distribute and update changes to the access numbers for the intranet.
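The primary/backup phone-book scheme described above, worked through as an added example (this is not Connection Manager code or any Microsoft tool; the server names and access numbers are constructed): it spreads primaries evenly across the RAS servers, gives every client a backup on a different server, and simulates dialing in phone-book order when a server is unreachable.

```python
"""Phone-book assignment for Connection Manager clients.

Added example (not course code): distributes dial-up clients across several
RAS servers so that each server receives an equal share of primary numbers,
every client gets a backup number on a different server, and the backups of
one server's clients are themselves spread across the remaining servers.
Server names and access numbers are constructed sample data.
"""
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample data: RAS server name -> the dial-up number that reaches it.
ACCESS_NUMBERS: Dict[str, str] = {
    "RAS-01": "+1-555-0101",
    "RAS-02": "+1-555-0102",
    "RAS-03": "+1-555-0103",
}


def build_phone_books(clients: List[str],
                      servers: Dict[str, str] = ACCESS_NUMBERS) -> Dict[str, List[str]]:
    """Return, per client, the numbers to dial in phone-book order (primary first)."""
    if not servers:
        raise ValueError("at least one RAS server is required")
    names = sorted(servers)
    n = len(names)
    books: Dict[str, List[str]] = {}
    for i, client in enumerate(sorted(clients)):
        primary = i % n                      # round-robin spreads primaries evenly
        order = [servers[names[primary]]]
        if n > 1:
            # Rotate the backup offset each time we wrap around the server list,
            # so the clients of any one server fail over to different servers.
            offset = 1 + (i // n) % (n - 1)
            order.append(servers[names[(primary + offset) % n]])
        books[client] = order
    return books


def load_by_server(books: Dict[str, List[str]], position: int = 0,
                   servers: Dict[str, str] = ACCESS_NUMBERS) -> Counter:
    """Count clients per server for a phone-book position (0 = primary, 1 = backup)."""
    by_number = {number: name for name, number in servers.items()}
    return Counter(by_number[order[position]]
                   for order in books.values() if len(order) > position)


def dial(order: List[str], reachable: Set[str]) -> Optional[str]:
    """Simulate Connection Manager: try each number in order, return the first that answers."""
    for number in order:
        if number in reachable:
            return number
    return None


if __name__ == "__main__":
    books = build_phone_books(["C1", "C2", "C3", "C4", "C5", "C6"])
    print("primary load:", dict(load_by_server(books)))
    print("backup load: ", dict(load_by_server(books, position=1)))
    # RAS-01 is down: its clients should reach their backups.
    up = {ACCESS_NUMBERS["RAS-02"], ACCESS_NUMBERS["RAS-03"]}
    for client, order in books.items():
        print(client, "->", dial(order, up))
```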

Additional reading

For more information on client environment configuration, see Deploying Remote Access Clients Using Connection Manager under Additional Reading on the Web page on the Student Materials compact disc.


Considerations for User Education

Introduction

Even the most efficient remote access infrastructure design is dependent on users that can properly use it. Part of your design should include a plan to educate users on how to properly use and secure the remote access connection.

User education considerations

An effective user education plan includes:
! Remote access training. Educate users to disconnect their remote access connection as soon as they have obtained the network resources they need. This way, users are not utilizing bandwidth that other users might need. You can also provide a Web site that provides detailed information to employees on how to connect to the network remotely and how to troubleshoot remote access connection difficulties.
! Security training. In addition to training users on how to use the remote access connection, educate users on a variety of computer security-related issues. Educate users that they must:
  - Install anti-virus software and any other security applications that are required by the organization on any computer that they use.
  - Lock their computers when they are not in use.
  - Take measures to secure computers while traveling, including not saving passwords for any connection.
  Consider including recommended computer security practices in your organization's travel policies.


Guidelines for Designing a Remote Access Infrastructure

Guidelines

When designing a remote access infrastructure, consider the following guidelines:
! Place RAS servers based on client accessibility, bandwidth requirements, and network traffic.
! Place VPN servers according to your security and remote access needs. In general, a good practice is to place the VPN server outside the firewall, with an IPSec tunnel between the VPN server and a router on the inside of the firewall.
! Place RADIUS clients close to remote access users.
! Place RADIUS servers close to the server that provides remote user account authentication.
! Use Connection Manager to distribute a phone book with multiple access numbers to clients. Clients connect to the dial-up numbers in the order specified in their phone book. The order of the phone book entries can be set for individual users or groups, allowing the client load to be evenly distributed between servers.


Practice: Designing a Remote Access Infrastructure

Introduction

In this practice, you will design a remote access infrastructure for Northwind Traders.

Scenario

Northwind Traders wants to enable its employees to access the corporate network over the Internet. Northwind Traders' current network infrastructure is illustrated in the diagram on the slide. To protect its product data, Northwind Traders wants to ensure that all connections to the corporate network use the most secure encryption method that is available. In addition, the company wants to optimize its network traffic to ensure that this additional traffic will have minimal impact on the WAN link connections.

Practice

Based on the scenario, design a remote access infrastructure for Northwind Traders by answering the following questions. Be prepared to discuss your solutions as a class.

1. Will you include any additional Internet connections in your design? If so, at which locations? Why?

   Create a new Internet connection for the Sydney office. Also consider upgrading the Internet connections for the Atlanta and Los Angeles offices to handle the additional traffic.

2. Where will you place the VPN servers? Why?

   Place a VPN server in each location so that VPN traffic does not traverse the company's WAN links. Configure the firewall that is used to protect the company's network from the Internet in each location as the VPN server for that location.

3. Which authentication and encryption methods will you specify in your design?

   Use L2TP/IPsec for all connections. This is because there is now a way for L2TP/IPsec traffic to traverse a NAT server. Issue smart cards to all employees who will require VPN access to the network. Require smart card authentication for VPN access. Use 3DES IPSec encryption for all VPN access.

4. What hardware and software will be required in addition to the VPN servers?

   Because IPSec encryption and smart card authentication will be used, a Public Key Infrastructure (PKI) will have to be implemented to support the VPN solution.


Lesson: Designing a Wireless Access Infrastructure

Introduction

Wireless connectivity offers a high degree of mobility. It also provides an alternative networking option when traditional wired networks are impractical.

Lesson objectives

After completing this lesson, you will be able to:
! Explain wireless network standards.
! Evaluate and choose appropriate authentication methods for wireless network access.
! Explain how hardware affects the choice of wireless networks.
! Design a wireless access infrastructure.


Wireless Networking Standards

Introduction

Before you can design a wireless access infrastructure, you must be familiar with wireless networking standards. Wireless standards are specified by the Institute of Electrical and Electronics Engineers (IEEE).

802.11 through 802.11g

802.11, also known as Wi-Fi, is a family of specifications for wireless local area networks (WLANs). 802.11 defines the physical and MAC portion of the data link layer. The MAC layer is the same for all 802.11 standards; however, the physical implementation varies.

802.11b supports higher bit rates than 802.11, but is still compatible with 802.11. 802.11b supports two additional speeds: 5.5 Mbps and 11 Mbps. It has good range but is susceptible to radio signal interference. Many vendors are making reasonably priced 802.11b devices for the home and small-business market.

802.11a provides faster communication speeds, up to 54 Mbps, but usually at shorter ranges. Its 12 non-overlapping channels make it suitable for densely populated areas. It uses a different part of the radio spectrum than 802.11, 802.11b, and 802.11g; thus, it is not interoperable with these three standards.

802.11g is an enhancement to 802.11b and is, therefore, compatible with 802.11b. Upgrading from b to g might require only a firmware update instead of all new hardware. 802.11g supports speeds up to 54 Mbps. However, it has shorter ranges than 802.11b. Like 802.11b, it is susceptible to interference.


802.1x

The 802.1x extension to 802.11 defines a way of authenticating access to the port before allowing access to the network. It was designed to address some of the shortcomings of the 802.11 wireless standard. However, it can also be used for wired LANs. It requires a greater investment in infrastructure because it requires PKI and RADIUS. The hardware might be more expensive than 802.11.

Additional reading

For more information about wireless standards, see Deploying a Wireless LAN under Additional Reading on the Web page on the Student Materials compact disc.


Strategies for Wireless Security

Introduction

When designing for wireless networking, consider strategies to provide and enhance wireless security. Wireless networking has a variety of vulnerabilities. Many leading network vendors, standards bodies, and analysts have proposed a variety of solutions to resolve these issues. To mitigate these security vulnerabilities, you must use an authentication and encryption solution in your wireless access infrastructure design.

Threats

The primary threats to wireless networking are:
! Eavesdropping on data.
! Interception and modification of data.
! Spoofing.
! Freeloading.
! Denial of service (DoS) network-level data-flooding attacks.
! Rogue WLANs.

Prevention strategies

The principal options for mitigating the security vulnerabilities of a WLAN can be summarized as follows:
! Require data encryption for all wireless communications. Data encryption will help prevent eavesdropping, interception, and data modification. There are several encryption methods that you can use on wireless LANs:
  - WEP encryption. WEP provides a modest amount of encryption for wireless networks. However, because of the small size of the key and the difficulty in changing keys, WEP is vulnerable to attacks.
  - 802.1x authentication and WEP encryption. WEP encryption used with 802.1x is able to use dynamic keys and is much less vulnerable to attacks than WEP alone. However, 802.1x requires a PKI, a RADIUS server, and wireless access points that support 802.1x. Until recently, this was the best method of securing data on a wireless network.
  - 802.1x authentication and WiFi Protected Access (WPA). WPA is a new wireless security standard that provides much more reliable encryption methods than WEP. It allows the use of a shared key for small-office implementations as well as using a PKI for larger installations. It also supports the use of Advanced Encryption Standard (AES) encryption. To use WPA, the software in the wireless access points must be upgraded. Additionally, the drivers for the wireless network adapters must also be upgraded. Windows XP clients that have been upgraded with Service Pack 1 or later and Windows Server 2003 clients both support WPA.
! Require 802.1x authentication to help prevent spoofing, freeloading, and accidental threats to your network by unintentional guest connections. Authentication will also help prevent network-level denial of service attacks; however, it will not help prevent low-level denial of service attacks.
! Allow unauthenticated access to your wireless network, but require a VPN connection to access the corporate network. You can configure your wireless network to allow anyone to connect to it and use it to access the Internet. This allows visitors to your offices to check their e-mail and browse the Internet by using a wireless network connection. However, all employees that need to access the corporate network must use a VPN connection to access resources on the corporate network.
! Specify the use of software scanning tools to locate and shut down rogue WLANs on your corporate network. Also specify a security policy that specifically prohibits the use of wireless access points that are not approved by your corporate information technology (IT) department.

Additional reading

For more information about WPA, see WPA Overview under Additional Reading on the Web page on the Student Materials compact disc.


Hardware Considerations for Wireless Networks

Key points

Regardless of the wireless access method, there is certain required and recommended hardware that you need to accommodate in your wireless access infrastructure design:
! Wireless adapters. Each wireless device will require one. They come in a variety of types for a variety of hardware platforms, for example, wireless PC cards for laptops and handheld devices. Many current laptops and handheld devices have the wireless adapter built in. Most wireless designs contain a mixture of wireless adapters. When specifying a wireless card for your design, consider the following:
  - Support for the appropriate access standard
  - Support for the security method that you choose
  - Cost
  - Quality
! Wireless APs. Wireless access points are the connection points to the wired network. An AP can be as simple as a multi-homed computer with a wireless adapter and a wired adapter, or a dedicated hardware hub or switch with wireless capabilities. The wireless AP that you choose for your design will depend on the capacity that is required by your organization. Consider the following when specifying a wireless AP:
  - Strength of signal
  - Coverage area
  - Antenna options
  - Number of clients it can support
  - Support for 802.1x authentication
  - Support for WPA
  - Support for the authentication and encryption method that you choose
  - Support for access point roaming and fast reconnect
! RADIUS server. If you use 802.1x authentication as a part of your wireless design, you will need to include a RADIUS server in your design to perform the authentication of wireless users.

You must select the hardware that best fits your design specifications. For example, if your remote access infrastructure design calls for wireless APs that can handle multiple versions of 802, you must then select a wireless AP vendor that can supply wireless APs that can support different versions of 802.


Best Practices for Designing a Wireless Access Infrastructure

Best practices for designing secure wireless connectivity

When designing for secure wireless connectivity, use the following best practices:
! Use WPA to secure your wireless network if all of your hardware supports WPA. WPA provides enhanced security because 802.1x authentication is required in WPA. In the 802.11 standard, 802.1x authentication was optional. For environments without a RADIUS infrastructure, WPA supports the use of a preshared key. For environments with a RADIUS infrastructure, EAP and RADIUS are supported. In addition, WPA supports AES encryption, which is the highest level of encryption that is supported by Windows XP and Windows Server 2003.
! Use 802.1x with EAP-TLS for authentication, use a PKI to issue both computer and user certificates to all wireless clients, and require the use of WEP. This combination of technologies provides strong authentication that is not subject to offline dictionary attacks and per-authentication unicast session WEP keys. Shared key authentication is not recommended.
! Achieve the strongest authentication configuration by setting HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode to 1 on all wireless clients running Windows XP. This setting enforces the use of a user certificate and user authentication after the user has successfully logged on to the computer running Windows XP.
! Prevent rogue wireless APs from being attached to your wired network, regardless of the Service Set Identifier (SSID), by using switches that support 802.1x authentication for network ports that are accessible to users.


Best practices for choosing wireless APs

When choosing and deploying wireless APs, use the following best practices:
! Use wireless APs that support 802.1x, 128-bit WEP, and the use of both multicast/global and unicast session encryption keys.
! Change the administration configuration of the wireless AP, such as administrator-level user names and passwords, from its default configuration.
! Obtain plenum-rated wireless APs to comply with fire safety codes when installing wireless APs in the plenum area, the space between the ceiling tiles and the ceiling.
! Make sure that the overlapping coverage areas have a five-channel separation in order to minimize cross talk on the 802.11b wireless frequencies. For example, in the United States, use the channels 1, 6, and 11.
! Change the default Simple Network Management Protocol (SNMP) community name if you are using SNMP to manage or configure wireless APs. If possible, use wireless APs that support SNMPv2 or higher.
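The five-channel separation rule above, turned into a check as an added example (not course code): given which APs' coverage areas overlap, it flags pairs whose channels are too close and greedily assigns channels from the 1/6/11 set, failing loudly when more APs overlap one another than there are usable channels. The AP names and the overlap list are constructed sample data.

```python
"""Channel-plan check for overlapping 802.11b access points.

Added example (not course code): overlapping coverage areas need at least
five channels of separation, which in the United States leaves channels
1, 6 and 11. The AP names and the overlap list are constructed sample data.
"""
from typing import Dict, Iterable, List, Sequence, Set, Tuple

MIN_SEPARATION = 5
US_CHANNELS: Sequence[int] = (1, 6, 11)   # the non-overlapping set named in the module

# Constructed floor plan: pairs of APs whose coverage areas overlap.
OVERLAPS: List[Tuple[str, str]] = [
    ("AP-1", "AP-2"), ("AP-2", "AP-3"), ("AP-3", "AP-4"), ("AP-1", "AP-3"),
]


def channel_conflicts(plan: Dict[str, int],
                      overlaps: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the overlapping AP pairs whose channels are closer than MIN_SEPARATION."""
    return [(a, b) for a, b in overlaps
            if abs(plan[a] - plan[b]) < MIN_SEPARATION]


def assign_channels(aps: Iterable[str], overlaps: Iterable[Tuple[str, str]],
                    channels: Sequence[int] = US_CHANNELS) -> Dict[str, int]:
    """Greedy channel assignment honouring MIN_SEPARATION between overlapping APs.

    APs with the most overlapping neighbours are placed first. Raises ValueError
    when more APs overlap each other than there are usable channels.
    """
    neighbours: Dict[str, Set[str]] = {ap: set() for ap in aps}
    for a, b in overlaps:
        neighbours[a].add(b)
        neighbours[b].add(a)
    plan: Dict[str, int] = {}
    for ap in sorted(neighbours, key=lambda x: -len(neighbours[x])):
        for ch in channels:
            # Accept the first channel far enough from every already-placed neighbour.
            if all(abs(ch - plan[n]) >= MIN_SEPARATION
                   for n in neighbours[ap] if n in plan):
                plan[ap] = ch
                break
        else:
            raise ValueError(f"no channel with {MIN_SEPARATION}-channel "
                             f"separation left for {ap}")
    return plan


if __name__ == "__main__":
    aps = ["AP-1", "AP-2", "AP-3", "AP-4"]
    plan = assign_channels(aps, OVERLAPS)
    print("plan:", plan)
    print("conflicts:", channel_conflicts(plan, OVERLAPS))
    # A hand-made plan that ignores the rule.
    bad = {"AP-1": 1, "AP-2": 3, "AP-3": 6, "AP-4": 11}
    print("bad plan conflicts:", channel_conflicts(bad, OVERLAPS))
```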

Best practices for choosing wireless network adapters

When choosing and deploying wireless network adapters, use the following best practices:
! Use wireless network adapters whose drivers support the Windows XP Zero Configuration service.
! Use wireless network adapters that support 128-bit WEP encryption keys and both multicast/global and unicast session keys.
! For easier deployment, use wireless network adapters that have Plug and Play drivers already included with Windows XP or available through Windows Update at http://www.windowsupdate.com.

Best practices for ensuring performance

When designing for performance, use the following best practices:
! Do not overload your wireless APs with too many connected wireless clients. Although most wireless APs can support hundreds of wireless connections, the practical limit is 20-25 connected clients. Use an average of 2-4 users per wireless AP to maximize performance and to keep your wireless LAN fully utilized.
! Lower the signal strength of the wireless APs to reduce the coverage area in higher density situations. By doing so, you can allow more wireless APs to fit in a specific space and more wireless bandwidth to be distributed to your wireless clients.


Practice: Designing a Wireless Access Infrastructure

Introduction

In this practice, you will design a wireless access infrastructure for Northwind Traders. Discuss your results as a class.

Scenario

Northwind Traders currently uses Wired Equivalent Protocol (WEP) and MAC address restrictions to protect wireless access to the corporate network in Paris. In addition to increasing the security of the wireless network in Paris, management wants to implement wireless connectivity in Glasgow, Sydney, Atlanta, and Los Angeles. The new wireless design must meet the following criteria:
! Only employees should be able to connect to the company's wireless infrastructure. Visitors and anyone near any of the company locations should not be able to connect to the wireless network.
! The wireless network must be protected by the most secure method of encryption that is currently available.

Practice

Based on the scenario, design a wireless access infrastructure for Northwind Traders by answering the following questions:

1. Which method of authentication will you recommend for Northwind Traders' wireless implementation in each location?

   Use 802.1x authentication for all locations because this is the most secure method of authentication available.

2. Which encryption method will you specify for Northwind Traders' wireless infrastructure?

   Use WiFi Protected Access (WPA) encryption for all locations because this is the most secure method of encryption available.

3. What additional types of servers or network services will be required to support the wireless design?

   Because of the size of the company, a public key infrastructure will be required to support WPA encryption. Also, a RADIUS server will be required in each location to perform the 802.1x authentication.


Lab A: Designing the Network Access Infrastructure

*****************************ILLEGAL FOR NON-TRAINER USE****************************** Objectives After completing this lab, you will be able to:
! Design a VPN solution.
! Design a solution to configure remote client computers for remote access.
! Design a security strategy for remote access.
! Design a wireless networking infrastructure.
Scenario

You are a consultant who has been hired to create a remote and wireless network access infrastructure for Tailspin Toys. The lab uses an interactive application to convey scenario-based information. To begin this lab, open Internet Explorer, and then, on the Web page that appears, click the link for this lab. View the videos, read the e-mail messages, and then, using the exercise below as a guide, complete the tasks that are assigned in the e-mail messages.

Estimated time to complete this lab: 60 minutes

Your instructor will break the class into groups to do the lab. Each group should be prepared to present their design to the class at the end of the lab.


Exercise 1 Designing a Remote Access Infrastructure


In this exercise, you will use information in the lab browser to design a remote access infrastructure for Tailspin Toys. Consider the organization's current network configuration and its business requirements for remote access, and then answer the following questions:

1. Tailspin Toys recently outsourced dial-up connectivity for remote users to an international ISP. To ensure secure communications between remote users and the internal corporate network, specify a complete VPN solution for Tailspin Toys.

Answers may vary; one possible answer is: To implement a VPN solution for Tailspin Toys, VPN servers will be deployed in each location to allow remote users to access data on that location's internal corporate network. The VPN servers will be deployed as part of the firewall solution for each location. The internal firewall will be configured as the VPN server. The firewall that is connected to the Internet will be configured to pass only the VPN traffic (for PPTP, TCP port 1723 and GRE, IP protocol 47) through to the firewall that is directly connected to the internal network. Because many client computers do not yet support L2TP/IPSec, PPTP will be used for all VPN connections. Because PPTP's MPPE keys are derived from the user authentication exchange, the strength of this answer depends on the authentication method chosen in question 3, and L2TP/IPSec should replace PPTP as client support allows. This answer will provide Tailspin Toys with the secure VPN solution that they require.

2. Specify a solution to efficiently reconfigure employees' portable computers to access the new dial-up ISP and to connect to the VPN servers.

Answers may vary; one possible answer is: To reconfigure employees' portable computers with the appropriate phone numbers for the ISP and the DNS names for the VPN servers, Tailspin Toys' IT personnel will use Connection Manager (with a profile built by the Connection Manager Administration Kit) to create a custom connection configuration that can be easily distributed to all traveling users. This solution will simplify the reconfiguration of remote access client computers.


3. What other security recommendations would you make to improve the security of remote access?

Answers may vary; one possible answer is: To provide the highest level of security for all VPN connections, remote users will be required to use a smart card and PIN (EAP-TLS) to authenticate to the VPN server when establishing a VPN connection. By requiring a smart card and PIN for authentication, unauthorized users with access to a client computer, such as a misplaced or stolen laptop computer, will not be able to connect to the VPN server because they will not have the user's smart card and PIN. In addition, 128-bit MPPE encryption will be required for all VPN connections to protect the organization's data as it traverses the Internet, and the remote access policy should be configured to reject connections that do not meet these requirements rather than fall back to weaker settings.

4. Create a wireless access design that avoids the security problems of previous implementations at Tailspin Toys. The design must ensure that clients who visit the offices of Tailspin Toys can access the Internet by using the wireless network, but must prevent these clients, along with other unauthorized wireless users, from accessing the internal network.

Answers may vary; one possible answer is: To give visitors at the company's locations wireless access to the Internet, and to prevent these visitors and other unauthorized wireless users from accessing the company's internal network, wireless access points in all locations will be connected to a perimeter network that is established just for wireless communications. All users who connect to this perimeter network will be able to access the Internet, but will not be able to access any company resources. To access resources on the internal network, wireless users will need to establish a VPN connection to the VPN server in the location in which they need to access data.

In this manner, employees will be able to use wireless connections to securely connect to the company's internal network, and visitors will have wireless access to the Internet, but will not be able to access the company's internal network. Because anyone in range can join the wireless perimeter network, the VPN tunnel is the only protection for employee traffic on it; the firewall between the perimeter network and the internal network should therefore permit only the VPN protocols, and only to the VPN servers.

Note: Some advanced students might recommend using wireless APs that have the ability to connect users to different virtual LANs (VLANs) based on whether they were able to authenticate to the AP using 802.1X. Be prepared to discuss this option with them.
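The practice answer earlier in this module (question 3) calls for a RADIUS server in each location to perform 802.1X authentication, and the note above describes access points that place clients into VLANs according to the outcome of that authentication. The following script, added here as an illustration and not part of the course material, shows what passes between the access point and the RADIUS server in that arrangement: the access point signs an Access-Request with the shared secret, the server refuses anything it cannot verify, and an Access-Accept carries the VLAN assignment attributes back. The shared secret, user names, MAC addresses and VLAN number are constructed, and the EAP conversation that a real 802.1X logon carries inside these packets over several round trips is collapsed into a single request and reply.

```python
"""Single-round RADIUS exchange between a wireless access point (802.1X authenticator) and a
RADIUS server, standard library only. Added illustration, not course material: a real 802.1X
logon carries EAP-Message attributes over several round trips; this collapses it to one
Access-Request/Access-Accept so that the packet authenticity rules (RFC 2865 Response
Authenticator, RFC 2869 Message-Authenticator) and the RFC 2868/3580 VLAN assignment are
visible. Shared secret, user names, MAC addresses and VLAN number are constructed."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
NAS_PORT_TYPE_WIRELESS_80211, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 19, 13, 6
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
EMPLOYEE_VLAN = {"alice@northwindtraders.com": 20}  # constructed server-side policy
SECRET = b"constructed-shared-secret"  # one secret per access point in a real deployment

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def tagged(value, tag=1):  # RFC 2868 tagged value; one tag groups the three tunnel attributes
    return bytes([tag]) + (value.to_bytes(3, "big") if isinstance(value, int) else value)

def build(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def parse_attrs(packet):
    out, i = [], HEADER.size
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        out.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out

def add_message_authenticator(code, ident, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with this attribute's value zeroed. Replies are keyed on the
    Request Authenticator, not on their own Response Authenticator (RFC 2869, section 5.14)."""
    zeroed = attrs + [attr(MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, build(code, ident, request_auth, zeroed), "md5").digest()
    return attrs + [attr(MESSAGE_AUTHENTICATOR, mac)]

def message_authenticator_ok(packet, request_auth, secret):
    attrs = parse_attrs(packet)
    given = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    code, ident, _, _ = HEADER.unpack_from(packet)
    zeroed = [attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build(code, ident, request_auth, zeroed), "md5").digest()
    return len(given) == 1 and hmac.compare_digest(expected, given[0])

def access_request(ident, user, mac, secret=SECRET):
    """Access point side: identify the wireless client and sign the request."""
    request_auth = os.urandom(16)
    attrs = [attr(USER_NAME, user.encode()), attr(CALLING_STATION_ID, mac.encode()),
             attr(NAS_PORT_TYPE, NAS_PORT_TYPE_WIRELESS_80211.to_bytes(4, "big"))]
    attrs = add_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return build(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def radius_server(packet, secret=SECRET):
    """Server side: discard anything not provably from a known access point, then decide."""
    code, ident, length, request_auth = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    if not message_authenticator_ok(packet, request_auth, secret):
        return None  # wrong shared secret or altered in transit: silently discarded
    user = dict(parse_attrs(packet)).get(USER_NAME, b"").decode("utf-8", "replace")
    vlan = EMPLOYEE_VLAN.get(user)
    if vlan is None:
        code, attrs = ACCESS_REJECT, []
    else:  # employee: tell the access point which VLAN to place this client in
        code, attrs = ACCESS_ACCEPT, [attr(TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN)),
                                      attr(TUNNEL_MEDIUM_TYPE, tagged(TUNNEL_MEDIUM_IEEE_802)),
                                      attr(TUNNEL_PRIVATE_GROUP_ID, tagged(str(vlan).encode()))]
    attrs = add_message_authenticator(code, ident, request_auth, attrs, secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(build(code, ident, request_auth, attrs) + secret).digest()
    return build(code, ident, response_auth, attrs)

def verify_response(response, request_auth, secret=SECRET):
    """Access point side: trust the verdict only if both authenticators check out."""
    if response is None or len(response) < HEADER.size:
        return None
    code, ident, length, response_auth = HEADER.unpack_from(response)
    expected = hashlib.md5(build(code, ident, request_auth, [response[HEADER.size:]]) + secret).digest()
    if length != len(response) or not hmac.compare_digest(expected, response_auth):
        return None
    if not message_authenticator_ok(response, request_auth, secret):
        return None
    return code, dict(parse_attrs(response))

def wireless_logon(user, mac):
    """Returns the VLAN the access point should assign, or None when access is refused."""
    request, request_auth = access_request(7, user, mac)
    verdict = verify_response(radius_server(request), request_auth)
    if verdict is None or verdict[0] != ACCESS_ACCEPT:
        return None
    return int(verdict[1][TUNNEL_PRIVATE_GROUP_ID][1:].decode())  # drop the tag byte

def altered_request_is_dropped():
    """Rewriting a guest's User-Name to an employee's in flight breaks the HMAC, so the server
    drops the request instead of handing the guest the employee VLAN."""
    request, _ = access_request(8, "guest@northwindtraders.com", "00-11-22-33-44-66")
    forged = bytearray(request)
    forged[HEADER.size + 2:HEADER.size + 7] = b"alice"  # User-Name is the first attribute
    return radius_server(bytes(forged)) is None
```

Two design points follow from the exchange. The Message-Authenticator is what prevents a wireless client, or anyone on the path, from forging requests to the RADIUS server, and the VLAN returned in the Access-Accept is only as trustworthy as the shared secret that protects the reply; each access point should therefore have its own secret, and the RADIUS traffic should stay on the wired management network rather than on the wireless perimeter segment.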


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. To complete a course evaluation, go to http://www.CourseSurvey.com. Microsoft will keep your evaluation strictly confidential and will use your responses to improve your future learning experience.
