
Guidelines for Troubleshooting VPN Client Connections

Enabling VPN connectivity requires a complex interplay between several server components such as the ISA Server configuration and the RRAS configuration. In addition, you have several configuration options such as authentication methods and tunneling protocols. All these components and options must be configured correctly to allow users to connect to the ISA Server computer using a VPN.

Use the following guidelines when troubleshooting VPN client connections:
1- The most common problems with VPN connections are user authentication problems. Start by checking the user configuration. Does the user have permission to dial in? Is the user part of a group that has permission to use VPN on the ISA Server computer? Is the user account locked out? Is the user using the correct password?

2- If the user account is not the problem, then check the authentication method configuration. If the user is connecting to a PPTP connection, ensure that the client and server share an authentication method. By default, ISA Server only enables MS-CHAP v2 authentication, so if users are using an older Windows client such as Windows 98 or Windows NT, they may not be able to support the authentication method. The best solution in this case is to install the appropriate security patches on the clients so they support MS-CHAP v2 authentication.

3- If the users are connecting to an L2TP/IPSec connection, ensure that the client has the correct certificate installed or is configured to use the appropriate pre-shared key.

4- L2TP/IPSec clients may also not be able to authenticate if ISA Server is configured to block IP fragments. In this scenario, users will get an error message that indicates that the security negotiation timed out. IPSec uses the Internet Key Exchange (IKE) protocol for mutual computer authentication and for the exchange of session keys in an L2TP VPN connection. The IKE negotiation information does not fit within a single MTU-sized packet, so the IKE negotiation packet is fragmented into smaller packets. When you filter fragmented packets in ISA Server, the IKE negotiation packets are dropped by ISA Server and the VPN connection cannot be completed successfully. To enable client connections, you must configure ISA Server not to block IP fragments.

5- If the users can connect to the VPN remote-access server and authenticate, but cannot get access to any network resources, check the name resolution for the VPN clients. The VPN clients must be configured with a DNS server (and possibly a WINS server) address to resolve server names on the internal network.

6- If the DNS configuration is accurate, check the configuration of the access rules defined on the ISA Server computer. Remember that the VPN Clients network is used by ISA Server like any other network, so you must configure access rules in order to enable network traffic to flow between networks.
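The fragmentation problem described in step 4, as an added example that is not part of the original page: it models IPv4 fragmentation of an oversized IKE message at a 1500-byte MTU together with a filter that drops fragments, and shows that the negotiation can only complete when fragments are passed through. The IKE payload is a constructed stand-in and the filter is a model of the "block IP fragments" setting, not ISA Server's implementation.

```python
"""Why blocking IP fragments on ISA Server breaks L2TP/IPSec.

The IKE negotiation that precedes an L2TP tunnel can exceed the path MTU
(main-mode messages that carry certificates typically do), so IKE relies on
IPv4 fragmentation. A filter that drops every fragment therefore drops the
whole negotiation. Added example: the IKE message is a constructed byte
string of the chosen length, and the filter is a model of the setting."""
from dataclasses import dataclass
from typing import List, Optional

MTU = 1500          # Ethernet path MTU in bytes
IPV4_HEADER = 20    # IPv4 header without options
UDP_HEADER = 8
IKE_PORT = 500      # IKE is carried over UDP port 500


@dataclass(frozen=True)
class Fragment:
    """The IPv4 header fields that matter for fragment filtering."""
    offset: int            # fragment offset in 8-byte units
    more_fragments: bool   # MF flag
    payload: bytes


def udp_datagram(payload: bytes, port: int = IKE_PORT) -> bytes:
    """UDP header (src port, dst port, length, checksum 0) followed by the payload."""
    length = UDP_HEADER + len(payload)
    header = port.to_bytes(2, "big") * 2 + length.to_bytes(2, "big") + b"\x00\x00"
    return header + payload


def fragment(datagram: bytes, mtu: int = MTU) -> List[Fragment]:
    """Split an IP payload into fragments that fit the MTU. Per RFC 791, every
    fragment except the last carries a multiple of 8 payload bytes."""
    max_payload = (mtu - IPV4_HEADER) // 8 * 8        # 1480 bytes for a 1500 MTU
    frags = []
    for start in range(0, len(datagram), max_payload):
        chunk = datagram[start:start + max_payload]
        frags.append(Fragment(offset=start // 8,
                              more_fragments=start + max_payload < len(datagram),
                              payload=chunk))
    return frags


def fragment_filter(packets: List[Fragment], block_ip_fragments: bool) -> List[Fragment]:
    """Model of the 'block IP fragments' setting: a packet is a fragment when MF is
    set or its offset is non-zero; when blocking is on, all such packets are dropped."""
    if not block_ip_fragments:
        return list(packets)
    return [p for p in packets if not (p.more_fragments or p.offset != 0)]


def reassemble(packets: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram; None if any fragment (including the last) is missing."""
    ordered = sorted(packets, key=lambda p: p.offset)
    data, expected = b"", 0
    for p in ordered:
        if p.offset * 8 != expected:
            return None
        data += p.payload
        expected += len(p.payload)
    if not ordered or ordered[-1].more_fragments:
        return None
    return data


def ike_negotiation_completes(ike_message_len: int, block_ip_fragments: bool) -> bool:
    """Does a single IKE message of the given size survive the filter and reassemble?"""
    ike_message = b"\x00" * ike_message_len          # constructed stand-in, not real IKE
    sent = fragment(udp_datagram(ike_message))
    received = fragment_filter(sent, block_ip_fragments)
    return reassemble(received) == udp_datagram(ike_message)


if __name__ == "__main__":
    # A small IKE message fits in one packet; one carrying a certificate usually does not.
    for size in (300, 2800):
        for blocking in (True, False):
            result = "completes" if ike_negotiation_completes(size, blocking) else "times out"
            print(f"IKE message {size} B, block IP fragments={blocking}: {result}")
```

The small message passes even with blocking enabled, which is why the symptom appears only for certificate-based L2TP/IPSec clients while PPTP and PSK-only exchanges seem unaffected.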

Configuring Virtual Private Networking for Remote Clients

How to Configure VPN Client Access
Before any users can access ISA Server using a VPN, you must enable VPN client access. When you enable this option, ISA Server enables VPN access using a default configuration that you can modify to meet your organization’s requirements.
The VPN client access configuration is managed using the Configure VPN Client Access dialog box in ISA Server Management. To access this dialog box, open ISA Server Management and click Virtual Private Networks (VPN).

Default VPN Client Access Configuration
When you enable VPN client access, the following default settings are applied:
1- System policy rules: When VPN client access is enabled, a system policy rule named Allow VPN Client Traffic To ISA Server is enabled. Depending on which protocols are configured for remote-client access, the system policy rule allows the use of PPTP, L2TP, or both, from the external network to the computer running ISA Server (Local Host network).

2- VPN access network: By default, ISA Server will listen for VPN client connections only on the external network. This property can be modified. When this property is modified, the system policy rule is changed automatically to apply to the additional or changed networks.

3- VPN protocol: By default, only PPTP is enabled for VPN client access. This can be modified to include L2TP/IPSec only or both protocols. When this setting is modified, the system policy rule is updated to allow the appropriate protocol.

4- Network rules: Enabling VPN client access does not modify the network rules configured on ISA Server. When you install ISA Server, two network rules are created that include the VPN Clients network, one specifying a route relationship between the VPN Clients network and the internal network, and one specifying a NAT relationship between the VPN Clients network and the external network. The second rule is part of the Internet access rule that also defines the relationship between the internal network and external network.

5- Firewall-access rules: By default, clients on the VPN Clients network cannot access any resources on any other network. You can manually configure a firewall-access rule that enables this access, or you can use a network template to configure the rule. If you use a network template, a firewall-access rule named VPN Clients to Internal Network is created. This rule allows access from the VPN Clients network to the internal network using all protocols. The VPN Clients network is also included in any rule that you create using a network template to grant Internet access. For example, if you use a network template to enable Internet access using all protocols, clients on the VPN Clients network will be able to access the Internet using that rule.

6- Remote-access policy: When you enable ISA Server for VPN client access, a remote-access policy named ISA Server Default Policy is created in Routing and Remote Access. This default policy denies access to all VPN connections except those explicitly allowed by the remote-access profile. The remote-access profile for the default policy enables MS-CHAP v2 authentication and requires authentication for all VPN connections.
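The default configuration above, as an added example that is not ISA Server code: a small model of the two checks ISA Server applies to VPN Clients traffic, a network rule that relates the two networks (route or NAT) and then an access rule (system policy first, then firewall policy, first match wins) that allows the protocol. Rule and network names follow the defaults named on this page; the evaluation order and the Local Host handling are simplifications, and the helper functions (enable_l2tp, apply_vpn_clients_template, apply_internet_access_template) are hypothetical stand-ins for the corresponding configuration changes.

```python
"""Model of how ISA Server 2004 decides whether traffic involving the VPN
Clients network is allowed. Added example, not ISA Server code.

Check 1: a network rule must define a relationship (route or NAT) between
         source and destination; without one the traffic cannot flow at all.
Check 2: an access rule must allow the protocol. System policy rules are
         evaluated before firewall-access rules; first match wins; if nothing
         matches, the traffic is denied."""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple

ALL = frozenset({"*"})  # "all protocols" in a rule


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    relationship: str  # "route" (symmetric) or "NAT" (source -> destination only)


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str        # "allow" or "deny"
    protocols: FrozenSet[str]
    sources: FrozenSet[str]
    destinations: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    network_rules: Tuple[NetworkRule, ...]
    system_policy: Tuple[AccessRule, ...]    # evaluated before firewall policy
    firewall_policy: Tuple[AccessRule, ...]


def relationship(policy: Policy, src: str, dst: str) -> Optional[str]:
    """Relationship between two networks, or None if no network rule relates them."""
    if "Local Host" in (src, dst):
        return "route"  # assumption: the ISA Server computer itself is reachable from every network
    for r in policy.network_rules:
        if src in r.sources and dst in r.destinations:
            return r.relationship
        if r.relationship == "route" and dst in r.sources and src in r.destinations:
            return r.relationship  # route relationships work in both directions
    return None


def evaluate(policy: Policy, src: str, dst: str, protocol: str) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for a connection src -> dst using protocol."""
    rel = relationship(policy, src, dst)
    if rel is None:
        return "deny", f"no network rule relates {src} to {dst}"
    for rule in policy.system_policy + policy.firewall_policy:
        if (src in rule.sources and dst in rule.destinations
                and (rule.protocols == ALL or protocol in rule.protocols)):
            return rule.action, f"matched '{rule.name}' over {rel} relationship"
    return "deny", "no access rule matched (default deny)"


# Default state after enabling VPN client access, as described on the page: network
# rules for the VPN Clients network exist, the system policy admits PPTP from the
# External network to the ISA Server computer, and no firewall-access rule exists.
DEFAULT_POLICY = Policy(
    network_rules=(
        NetworkRule("VPN Clients to Internal Network", frozenset({"VPN Clients"}),
                    frozenset({"Internal"}), "route"),
        NetworkRule("Internet Access", frozenset({"Internal", "VPN Clients"}),
                    frozenset({"External"}), "NAT"),
    ),
    system_policy=(
        AccessRule("Allow VPN Client Traffic To ISA Server", "allow",
                   frozenset({"PPTP"}), frozenset({"External"}), frozenset({"Local Host"})),
    ),
    firewall_policy=(),
)


def enable_l2tp(policy: Policy) -> Policy:
    """Hypothetical helper: changing the VPN protocol setting updates the system policy rule."""
    updated = tuple(
        replace(r, protocols=r.protocols | {"L2TP"})
        if r.name == "Allow VPN Client Traffic To ISA Server" else r
        for r in policy.system_policy)
    return replace(policy, system_policy=updated)


def apply_vpn_clients_template(policy: Policy) -> Policy:
    """Hypothetical helper: the network template adds the 'VPN Clients to Internal Network' rule."""
    rule = AccessRule("VPN Clients to Internal Network", "allow", ALL,
                      frozenset({"VPN Clients"}), frozenset({"Internal"}))
    return replace(policy, firewall_policy=policy.firewall_policy + (rule,))


def apply_internet_access_template(policy: Policy) -> Policy:
    """Hypothetical helper: an Internet access template rule also covers the VPN Clients network."""
    rule = AccessRule("Internet Access", "allow", ALL,
                      frozenset({"Internal", "VPN Clients"}), frozenset({"External"}))
    return replace(policy, firewall_policy=policy.firewall_policy + (rule,))


if __name__ == "__main__":
    configured = apply_internet_access_template(apply_vpn_clients_template(enable_l2tp(DEFAULT_POLICY)))
    for label, pol in (("default", DEFAULT_POLICY), ("configured", configured)):
        for src, dst, proto in (("External", "Local Host", "PPTP"), ("External", "Local Host", "L2TP"),
                                ("VPN Clients", "Internal", "SMB"), ("VPN Clients", "External", "HTTP")):
            print(f"{label:10} {src} -> {dst} [{proto}]: {evaluate(pol, src, dst, proto)}")
```

A VPN client that authenticates but reaches nothing on the internal network is the default-policy case here: the route relationship exists, but no access rule matches, so the traffic is denied.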

Configuring Virtual Private Networks for Remote Clients and Networks

Planning a Virtual Private Networking Infrastructure
Before you deploy a virtual private network solution using ISA Server 2004, you must plan the deployment so that you can take full advantage of the ISA Server VPN features. This lesson discusses the protocols and authentication methods available when using ISA Server 2004 to implement virtual private networking. Moreover, the chapter describes how VPN quarantine control works. The chapter then describes how you can use ISA Server 2004 to implement a VPN solution and provides guidelines for planning the deployment.

What Is Virtual Private Networking?
Virtual private networking allows secure remote access to resources on an organization’s internal network for users outside the network. These resources would otherwise be available only if the user were directly connected to the corporate network. A VPN is a virtual network that enables communication between a remote access client and computers on the internal network or between two remote sites separated by a public network such as the Internet.

How VPNs Work
When you configure a VPN, you create a secured, point-to-point connection across a public network such as the Internet. A VPN client uses special tunneling protocols, which are based on Transmission Control Protocol/Internet Protocol (TCP/IP), to connect to a virtual connection port on a VPN server. The tunneling protocols use encryption protocols to provide data security as the data is sent across the public network. The two VPN protocols supported by ISA Server are Microsoft Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPSec).

PPTP and L2TP create "virtual" direct connections between a VPN client and VPN remote-access server, or between two VPN gateways. This connection allows a computer connected over the virtual network to send and receive TCP/IP messages in the same way as it does on other directly connected networks, such as computers located on the same Ethernet local area network (LAN). The actual network connection is transparent to the applications running on the client computer.

PPTP and L2TP use encryption protocols to ensure that the connection is private or secure by encrypting all traffic sent across a public network. PPTP uses the Microsoft Point-to-Point Encryption (MPPE) protocol to protect data moving through the PPTP virtual networking connection. The L2TP/IPSec VPN protocol uses Internet Protocol Security (IPSec) to encrypt data moving through the L2TP virtual network.

VPN scenarios
VPNs are used in two primary scenarios, as shown in Figure 10-1:
1- Network access for remote clients: In this scenario, a remote user establishes a connection to the Internet and then creates a tunneling protocol connection to the VPN remote-access server. The remote user can use any available technology to connect to the Internet, including dial-up connection to an Internet service provider (ISP) or a direct connection such as a cable or digital subscriber line (DSL) connection. Once connected to the Internet, the VPN client makes a virtual private network connection to the VPN remote-access server that is also connected to the Internet. The remote-access server authenticates the user and possibly the remote computer, establishes a secure connection and transfers encrypted data between the virtual private networking client and the organization’s network.

2- Site-to-site VPNs: A site-to-site VPN connection connects two or more networks in different locations using a VPN connection over the Internet. In this scenario, each site requires a VPN gateway and an Internet connection. When the gateways establish a VPN connection with one another, the site-to-site VPN link is established. Users can then communicate with other networks over the VPN site-to-site link. The VPN gateways act as VPN routers that route the packets to the appropriate network. In most cases, a site-to-site VPN connection is made between branch-office and main-office networks.

Maintaining ISA Server 2004

Importing the ISA Server Configuration :
When you import a previously exported file, all properties and settings defined in the file are imported, overwriting the current configuration on the ISA Server computer. However, if you export only a specific component, such as a specific firewall rule, the file import overwrites only that particular rule.

To import the ISA Server configuration, complete the following procedure:
1. Open ISA Server Management.
2. Select the object whose settings you want to import. You must select the correct type of object for the configuration file that you are using.
3. On the Tasks tab, click the import task. The exact name for the task will vary, depending on the type of object that you selected.
4. Select the exported .xml file and click Import.
5. Click Apply to apply the changes and click OK when the changes have been applied.

How to Back Up and Restore the ISA Server Configuration :

ISA Server 2004 also includes backup and restore features that enable you to save and restore the ISA Server configuration information. The backup procedure also stores the configuration information in an .xml file.

The primary use of the backup and restore option in ISA Server is for disaster recovery. You should regularly back up the configuration on the ISA Server computer so that you can restore the computer with the same settings in case of a computer failure. The backup functionality saves the appropriate information to ensure that an identical configuration can be restored.


Backing up an ISA Server configuration backs up all configuration options on the server. This includes firewall policy rules, rule elements, alert configuration, cache configuration, system policy and VPN configuration. One of the differences between backing up the server configuration and exporting the configuration is that you can only back up the entire ISA Server configuration, not individual components or groups of components.

The restore process reconstructs the configuration information that was backed up. By restoring a backup, you can rebuild the ISA Server configuration or restore it after a configuration error.

To back up and restore the ISA Server configuration, complete the following procedure:

1. Open ISA Server Management and click the server name. The option to back up and restore the ISA Server configuration is available only when you select the server name.
2. On the Tasks tab, click Backup This ISA Server Configuration.
3. Enter a file name for the backup file and click Backup.
4. You must provide a password for the ISA Server backup.
5. To restore the backup, click the server name in ISA Server Management. Then click Restore this ISA Server Configuration and select the appropriate ISA Server backup file.
6. Click Apply to apply the changes and click OK when the changes have been applied.

MCP 70-350 : Installing ISA Server 2004

Lesson 1: Planning an ISA Server Deployment

The ISA Server Deployment Planning Process :

Most organizations install ISA Server to address security requirements. ISA Server is a firewall that is likely to be among the critical components to ensuring that your organization’s network is secure. In addition, the ISA Server computer is likely to be the primary connection point for all internal network traffic to access the Internet. This means that when you design your ISA Server deployment, you must consider a wide variety of security and functional requirements. The following is an overview of the process of planning an ISA Server deployment.

1. Understand the current network infrastructure. The first step in planning an ISA Server deployment is to understand the current networking environment. When you start planning, collect network diagrams that provide details on the network infrastructure. These diagrams should include the Internet Protocol (IP) networks, router configurations, and client and server networking configuration.
Collect information on the current configuration of network services. For example, all internal clients must be able to resolve Domain Name System (DNS) names on the Internet to connect to Internet resources. You need to understand how clients do this now. Also collect information about other network services such as Dynamic Host Configuration Protocol (DHCP) and Windows Internet Naming Service (WINS) if you have Microsoft Windows NT or Microsoft Windows 2000 clients.
Collect information about the current domain structure. ISA Server can be integrated with Active Directory directory service to enable authentication.

2. Review company security policies. Every organization should have security policies. These policies usually include general security requirements such as Internet or e-mail usage policies. The policies can also be very specific and define what protocols are not allowed through the firewall, what Web sites users can access, and what types of information can be sent from the internal network to the Internet. For example, most organizations have policies defining what types of customer information can be sent in an e-mail.

3. Plan the required network infrastructure. For your ISA Server installation to meet the company requirements, you must plan for some specific network infrastructure components. For example, if the ISA Server computer is an Internet-edge firewall and is the only access point to the Internet, you must ensure that all client computers can connect to the ISA Server computer. If you have a single network, this solution can be as simple as configuring the default gateway on each client computer to use the internal network interface on the server running ISA Server. If you have multiple locations within your organization, or if you deploy multiple ISA Servers, this solution can be more complex.

Your ISA Server implementation may also depend on additional network infrastructure components such as DNS, DHCP, and Certificate Services. These components must be taken into account when planning an ISA Server installation.

4. Plan for branch office installations. If your organization has more than one location, you must also plan for how the branch office networks will be integrated with the main office. In some cases, you may have existing wide area network (WAN) connections between the offices with routing already in place. In other cases, you may plan to replace the WAN link with a site-to-site virtual private network (VPN) or plan to deploy an ISA Server in each branch office.

5. Plan for availability and fault tolerance. Each organization will have different requirements regarding availability and fault tolerance. In some organizations (for example, organizations that are publishing e-commerce sites that are doing several million dollars of business per day), a few minutes of downtime or even slow response times can cost large amounts of money. Other organizations may be using ISA Server just to provide Internet access for internal users. In this case, downtime may not be as critical. ISA Server can be configured to enable fault tolerance, so you must understand your organization’s requirements to get the right level of availability.

6. Plan for access to the Internet. Most companies that deploy ISA Server use it as a proxy server for users to access the Internet. Some organizations enable full access to the Internet so that all users can use all protocols to access any Internet resource. Other organizations limit access based on protocols or applications, and users or groups, and they also limit users’ access to Web sites.
Once you have gathered your organization’s requirements for granting Internet access, you can plan the ISA Server access rule configuration to meet the organization’s Internet access and caching requirements.

7. Plan the ISA Server client implementation and deployment. An essential part of deploying an ISA Server infrastructure is to plan for ISA Server client configuration and deployment. ISA Server supports three clients: SecureNAT clients, Web Proxy clients, and Firewall clients. The use of each client has advantages and disadvantages. As part of your ISA Server deployment, you must know why you use each client and how to configure each client.

8. Plan for server publishing. Most organizations also publish some internal resources to the Internet. Because this allows network traffic from the Internet to your internal network, it is essential that the connection between the internal servers is as secure as possible.

9. Plan for VPN deployment. ISA Server can operate as a VPN remote access server for external clients and as a VPN gateway for site-to-site VPNs. If you plan to deploy ISA Server in either configuration, include this in your planning. An extra level of planning is required if you choose to implement VPN network quarantine. With VPN network quarantine, you can restrict access to the internal network until the VPN clients pass a security configuration check. To perform the security configuration check, you must run a script or application on the client computer. The script can check for virtually any setting on the computer. In your planning, therefore, you must decide which security settings you will check on the client computer. This can be complicated. For example, you may decide that all clients that connect to your network must have an antivirus application installed, and that the virus detection files must be up to date. However, if you allow users to use any antivirus software, the script must check for all acceptable antivirus applications. The script that checks the security configuration on the client computer can become very complicated, so you must plan to have very competent scripting help available.

MCP 70-350 : Introduction to ISA Server 2004

How ISA Server Works as a Branch Office Firewall :

A third deployment scenario for ISA Server is as a branch office firewall. In this scenario, ISA Server can be used to secure the branch office network from external threats as well as connect the branch office networks to the main office using site-to-site VPN connections.

For organizations with multiple locations, ISA Server can function as a branch office firewall in conjunction with additional ISA Servers at other locations. If a branch office has a direct connection to the Internet, ISA Server may operate as an Internet-edge firewall for the branch, securing the branch office network and also publishing server resources to the Internet. If the branch office has only a dedicated WAN connection to the other offices, ISA Server can be used to publish servers in the branch office such as Microsoft SharePoint Portal Server or a local Exchange Server.

One of the benefits of using ISA Server as a branch office firewall is that it can operate as a VPN gateway that connects the branch office network to the main office network using a site-to-site VPN connection. Site-to-site VPN provides a cost-effective and secure method of connecting offices. In this scenario, the following occurs:
1- ISA Server can be used to create a VPN from a branch office to other office locations. The VPN gateway at other sites can be either additional computers running ISA Server or third-party VPN gateways. ISA Server supports the use of three tunneling protocols for creating the VPN: IPSec tunnel mode, Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPSec.
2- ISA Server can perform stateful inspection and application-layer filtering of the VPN traffic between the organization’s locations. This can be used to limit the remote networks that can access the local network and to ensure that only approved network traffic can access it.

How ISA Server Works as an Integrated Firewall, Proxy, and Caching Server :

In a small or medium organization, a single ISA Server computer may provide all Internet access functionality. The ISA Server computer is used to create a secure boundary around the internal network, and to provide Web proxy and caching services for internal users.

Small or medium-size organizations often have significantly different Internet access requirements than larger organizations. Small organizations may have dial-up or other slow connections to the Internet. Almost all organizations provide at least some level of Internet access to employees, but these offices may need to limit access because of the slow connections. Small organizations frequently do not require any services published to the Internet because their ISP may be hosting both their organization’s Web site and their e-mail servers. Other organizations may have much more complex requirements, including requirements for SMTP, FTP, and HTTP server publishing as well as VPN access. Another unique situation faced by many small or medium-size organizations is that a single network administrator performs all network administration tasks. This means that the administrator is usually not a firewall or Internet security expert. ISA Server is flexible enough to meet almost any small or medium organization's requirements:

1- Configuring caching on ISA Server computers means that Web pages are cached on the ISA Server hard disk. This can reduce the use of slow Internet connections or reduce the cost of a connection where cost is based on bandwidth usage.
2- ISA Server supports the option of using dial-up connections to access the Internet or other networks. You can configure ISA Server to dial the connection automatically when a request is made for access to Internet resources.
3- Installation of ISA Server is secure out of the box. By default, ISA Server 2004 will not accept any connections from the Internet after installation. This means that if the organization does not require any resources to be accessible from the Internet, the administrator does not need to configure ISA Server to block all incoming traffic. All the administrator has to do in this scenario is configure the server to enable Internet access for internal users and the configuration is complete.
4- ISA Server provides network templates and server publishing wizards that can be used to configure most required settings. Configuring ISA Server to provide access to Internet resources can be as simple as applying a network template and using the wizard to configure the security settings. ISA Server provides several server publishing wizards that make it easy to securely publish internal servers to the Internet.

How ISA Server Works as a Proxy- and Caching-Only Server :

A final deployment scenario for ISA Server 2004 is as a proxy server and caching server only. In this scenario, ISA Server is not used to provide a secure boundary between the Internet and the internal network, but only to provide Web proxy and caching services.

In most cases, computers running ISA Server are deployed with multiple network adapters to take advantage of ISA Server’s ability to connect and filter traffic between multiple networks. However, if ISA Server is deployed as a Web proxy- and caching-only server, it can be deployed with a single network adapter. When ISA Server is installed on a computer with a single adapter, it recognizes only one network—the internal network.

If an organization already has a firewall solution in place, it can still take advantage of the proxy and caching functionality of ISA Server. To deploy ISA Server as a proxy and caching server, you only need to configure it to allow users to access resources on the Internet. You would then configure the Web browsers on all client computers to use the computer running ISA Server as a Web proxy server.
When you install ISA Server on a computer with a single adapter, the following ISA Server features cannot be used:

1- Firewall and SecureNAT clients
2- Virtual private networking
3- IP packet filtering
4- Multi-network firewall policy
5- Server publishing
6- Application-level filtering
These restrictions mean that ISA Server provides very few security benefits for the network.

MCP 70-350 : Introduction to ISA Server 2004

Lesson 3: Explaining ISA Server Deployment Scenarios

How ISA Server Works as an Internet-Edge Firewall :

One of the primary deployment scenarios for ISA Server 2004 is as an Internet-edge firewall. An Internet-edge firewall is deployed at the connecting point between the Internet and the internal network. In this scenario, ISA Server provides both a secure gateway for internal users to the Internet and a firewall that prevents unauthorized access and malicious content from entering the network.
As an Internet-edge firewall, ISA Server is the one entry point, as well as the primary security boundary, between the internal network and the Internet. ISA Server is deployed with one network interface card (NIC) connected to the Internet and a second NIC connected to the internal network. In some cases, ISA Server may also have a third NIC that is connected to a perimeter network. In this scenario, the following occurs:
1- ISA Server blocks all Internet traffic from entering an organization’s network unless the traffic is explicitly allowed. Because ISA Server is the primary security boundary, all components of ISA Server firewall functionality are implemented, including multilayered traffic filtering, application filtering, and intrusion detection. In addition, the operating system on the ISA Server computer must be hardened to protect against operating system–level attacks.
2- ISA Server is used to make specified servers or services on the internal network accessible to Internet clients. This access is configured by publishing the server or by configuring firewall access rules. ISA Server filters all inbound requests and allows only traffic specified by the access rules.
3- ISA Server may also be the VPN access point to the internal network. In this case, all VPN connections from the Internet are routed through ISA Server. All access rules and quarantine requirements for VPN clients are enforced by ISA Server.
4- All client requests for resources on the Internet pass through ISA Server. ISA Server enforces an organization’s policies defining which users are allowed to access the Internet, which applications and protocols can be used to do so, and which Web sites are permitted.

How ISA Server Works as a Back-End Firewall :

In some cases, an organization may choose to deploy ISA Server as a second firewall in a multiple-firewall configuration. This scenario enables organizations to use their existing firewall infrastructure but also enables the use of ISA Server as an advanced application-filtering firewall.
Many organizations implement a back-to-back firewall configuration. In this configuration, one network adapter on the front-end firewall is connected to the Internet while the second network adapter on the firewall is connected to the perimeter network. The back-end firewall has one network adapter that is connected to the perimeter network and a second network adapter connected to the internal network. All network traffic must flow through both firewalls and through the perimeter network to pass between the Internet and the internal network.

For organizations that already have a hardware-based firewall deployed as the Internet- edge firewall, ISA Server can provide valuable additional functionality as the backend firewall. In particular, the advanced application-filtering functionality of ISA Server can ensure that specific applications are published securely. In this scenario, the following occurs:
1- ISA Server can be used to provide secure access to an organization’s Exchange Server computers. Because computers running Exchange Server must be members of an Active Directory domain, some organizations prefer not to locate the Exchange Server computers in a perimeter network. ISA Server enables access to the Exchange Server computers on the internal network through secure OWA publishing, secure SMTP server publishing, and secure Exchange RPC publishing for Outlook clients.
2- ISA Server may also be used to publish other secure Web sites or Web applications. If the Web servers are located on the internal network, ISA Server can be configured to publish the Web servers to the Internet. In this case, the advanced application filters on ISA Server can be used to inspect all network traffic being forwarded to the Web server.
3- ISA Server may also be used as a Web proxy and caching server in the above scenario. In this case, all client requests for resources on the Internet or within the perimeter network pass through ISA Server. ISA Server enforces the organization’s policies for secure Internet access.

70-299 : Module 12 : Securing Remote Access

Lesson 1: Remote Access Fundamentals

Windows Server 2003 provides two main types of remote access methods: dial-up and VPN. For each remote access type, there are several authentication and encryption protocols to choose from. You will have to choose the remote access type and security protocols based on the clients that will be connecting to your internal network and based on your existing infrastructure. This lesson will describe the two remote access methods and the various encryption and authentication protocols to allow you to make educated recommendations.

Remote Access Methods :

There are two primary methods for connecting remote users to a private network: dial-up networking and virtual private networking. Dial-up networking enables a remote access client to establish a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone lines, Integrated Services Digital Network (ISDN), or X.25. The most common use of dial-up networking is that of a dial-up networking client that dials the phone number of a modem attached to the remote access server. This establishes a circuit between the two devices.

Virtual private networking is the creation of an encrypted, authenticated point-to-point connection across a public network such as the Internet. A VPN client uses special network protocols called tunneling protocols to make a virtual call to a virtual port on a VPN server.

VPN Protocols :

Windows Server 2003 supports two VPN protocols: PPTP and L2TP. In most circumstances, either protocol will work equally well. They both provide similar levels of privacy and data integrity because they support the same authentication and encryption standards. They primarily differ in stability and compatibility. PPTP is more mature, but it is not an Internet standard. L2TP is relatively new, but it might be supported by a wider variety of non-Microsoft clients because it is an Internet standard.

10 Planning and Implementing Security for Wireless Networks

Wi-Fi Protected Access :
Although WEP with dynamic re-keying is secure enough to meet the needs of most organizations, WEP still has security weaknesses. WEP still uses a separate static key for broadcast packets. An attacker can analyze these broadcast packets to build a map of private IP addresses and computer names. WEP keys have to be renewed frequently, which places an additional burden on RADIUS services.

To address these lingering weaknesses with WEP, the Wi-Fi Alliance, a consortium of the leading wireless network equipment vendors, developed Wi-Fi Protected Access (WPA). WPA can use the same authentication mechanisms and encryption algorithms as WEP. This compatibility allows support for WPA to be added to WAPs with a simple firmware upgrade. However, WPA virtually eliminates WEP’s most exploited vulnerability by using a unique encryption key for each packet.

Other Wireless Security Techniques :
WEP and WPA are the most important wireless network security techniques. However, there are several secondary security techniques that you should be familiar with: media access control (MAC) address filtering, disabling SSID broadcasts, and VPNs.

MAC address filtering
One common technique used to make it more difficult for a casual user to connect to your wireless network is to configure your WAPs to allow only a predefined set of MAC addresses. Just like wired Ethernet cards, every wireless network card is assigned a unique MAC address by the manufacturer.

When a WAP is configured to use MAC address filtering, it will ignore any messages from wireless cards that use a MAC address not on the approved list. While this does improve security, it has significant manageability drawbacks. First, you must manually maintain the list of MAC addresses on your WAP, which would be impossible to do if you managed more than a dozen computers or multiple WAPs. Second, WAPs typically have limited memory and might not be able to store your organization’s complete list of MAC addresses. Third, if an attacker is knowledgeable and determined enough to circumvent your WEP or WPA encryption, the attacker will also be able to identify and spoof an approved MAC address.

Disabling SSID broadcasts :
WAPs provide the option of disabling SSID broadcasts, but this should not be treated as a security feature. SSID broadcasts allow wireless clients to detect an available wireless network. In fact, Windows XP displays a notification to the user when it first receives an SSID broadcast from a wireless network. This is convenient; if you want users to be actively notified of the presence of the wireless network, you should enable SSID broadcasts.

Disabling SSID broadcasts will prevent the casual computer user from discovering your network, but it does nothing to prevent a skilled attacker from detecting your network. For example, a user with the free Network Stumbler tool installed can quickly identify the SSID of a wireless network that has SSID broadcasts disabled, because 802.11 association/disassociation messages are always sent unencrypted and contain the SSID that the client wants to associate to or disassociate from.
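The following example, added here and not part of the original page or of any tool it names, makes the point above concrete from the monitoring side: it builds a minimal IEEE 802.11 association request (the frame bytes, station and access point addresses are constructed for the example) and reads the SSID straight out of the frame's information-element list, which is exactly what a passive wireless monitor or wireless IDS can do whether or not the WAP beacons its SSID.

```python
"""Why hiding the SSID is not a security control: an added example.

Illustration code for the paragraph above, not original page content. It
builds a minimal IEEE 802.11 association request (bytes constructed here,
not a capture) and shows that the SSID sits in clear text in the frame's
information-element list, which any wireless monitor can read regardless
of the WAP's beacon setting.
"""
import struct
from typing import Dict, Optional, Tuple

SSID_TAG = 0          # information element id for SSID
ASSOC_REQ = (0, 0)    # (frame type, subtype) of an association request
MAC_HDR_LEN = 24      # management-frame MAC header length
FIXED_LEN = 4         # capability info (2 bytes) + listen interval (2 bytes)


def build_assoc_request(ssid: str, sta: bytes, ap: bytes) -> bytes:
    """Constructed sample frame: MAC header, fixed fields, then IEs."""
    fc = 0x0000  # protocol version 0, type 0 (management), subtype 0 (assoc req)
    # frame control, duration, addr1 (AP), addr2 (station), addr3 (BSSID), seq ctrl
    header = struct.pack("<HH6s6s6sH", fc, 0, ap, sta, ap, 0)
    fixed = struct.pack("<HH", 0x0431, 10)  # capability info, listen interval
    ssid_ie = bytes([SSID_TAG, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates IE
    return header + fixed + ssid_ie + rates_ie


def parse_ies(payload: bytes) -> Dict[int, bytes]:
    """Walk the tag/length/value list; stop cleanly on a truncated element."""
    ies: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(payload):
        tag, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) < length:
            break  # element runs past the end of the frame: do not trust it
        ies[tag] = value
        i += 2 + length
    return ies


def frame_kind(frame: bytes) -> Tuple[int, int]:
    """Return (type, subtype) from the little-endian frame control field."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return ((fc >> 2) & 0x3, (fc >> 4) & 0xF)


def ssid_from_assoc_request(frame: bytes) -> Optional[str]:
    """Return the SSID carried by an association request, else None."""
    if len(frame) < MAC_HDR_LEN + FIXED_LEN or frame_kind(frame) != ASSOC_REQ:
        return None
    ies = parse_ies(frame[MAC_HDR_LEN + FIXED_LEN:])
    ssid = ies.get(SSID_TAG)
    return ssid.decode("utf-8", errors="replace") if ssid is not None else None


if __name__ == "__main__":
    sta = bytes.fromhex("020000000001")  # constructed, locally administered address
    ap = bytes.fromhex("020000000002")   # constructed, locally administered address
    frame = build_assoc_request("corp-wifi", sta, ap)
    print(ssid_from_assoc_request(frame))  # corp-wifi
```

The parser deliberately stops on a truncated element instead of reading past the end of the frame; malformed management frames are common in the air, and a monitor that trusts the length byte blindly is itself a weak point.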

VPNs :
While a VPN is an excellent solution for securely traversing a public network such as the Internet, VPNs are not the best solution for securing wireless networks. For this kind of application, a VPN is unnecessarily complex and costly. It adds little additional security to dynamic WEP, but it significantly increases costs, reduces usability, and removes important pieces of functionality.

VPN clients usually require the user to initiate a connection to the VPN server; therefore, the connection will never be as transparent as a wired network connection. Non-Microsoft VPN clients might also prompt for logon credentials, in addition to the standard network or domain logon, when the connection is established. If the VPN disconnects because of a poor wireless signal or because the user is roaming between WAPs, the user has to repeat the connection process.

MCP Practice 3: 70-291 Configuring Routing by Using the Routing and Remote Access Service

Introduction:

Routers are intermediate systems at the network layer that connect networks by using a common network-layer protocol. Intermediate systems are network devices that can forward packets between different segments of a network.

Role of routers:

Routers let you scale your network and preserve its bandwidth by segmenting traffic. For example, an organization's test computers may be on one network segment and its production computers on another. A router connects these two separate segments.


Procedure: Enabling and configuring the Routing and Remote Access service:

To enable and configure the Routing and Remote Access service:

1. Log on by using a user account that does not have administrative rights.

2. Click Start, and then click Control Panel.

3. In Control Panel, open Administrative Tools, right-click Manage Your Server, and then select Run as.

4. In the Run As dialog box, select The following user, enter a user account that has permission to perform the task together with its password, and then click OK.

5. In the Manage Your Server tool, click Add or remove a role.

6. On the Preliminary Steps page, click Next.

7. On the Server Role page, select Remote access/VPN server, and then click Next.

8. On the Summary of Selections page, click Next.

9. On the Welcome page, click Next.

10. On the Configuration page, select Custom configuration, and then click Next.

11. On the Custom Configuration page, select the LAN routing option, and then click Next.

12. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.

13. In the Routing and Remote Access warning dialog box, click Yes to start the service.

14. On the This Server is Now a Remote Access/VPN Server page, click Finish.

Procedure 2:

To configure packet filters:

1. In the Routing and Remote Access console tree, expand Computer_Name, expand IP Routing, and then click General.
2. In the details pane, right-click the interface to which you want to add a filter, and then click Properties.
3. On the General tab, click Inbound Filters or Outbound Filters, and then click New.
4. In the Add IP Filter dialog box, identify the source network by configuring the following settings:
a. IP address: type the network ID of the source IP address, or a single source IP address.
b. Subnet mask: type the subnet mask that corresponds to the source network ID, or type 255.255.255.255 when you entered a single source IP address.

5. In the Add IP Filter dialog box, identify the destination network by configuring the following settings:

a. IP address: type the network ID of the destination IP address, or a single destination IP address.

b. Subnet mask: type the subnet mask that corresponds to the destination network ID, or type 255.255.255.255 when you entered a single destination IP address.

6. In the Add IP Filter dialog box, select the appropriate protocol:
a. TCP: select this option to specify a source TCP port and a destination TCP port.
b. TCP [established]: select this option to include only TCP packets that belong to a previously established TCP connection.
c. UDP: select this option to specify a source UDP port and a destination UDP port.

d. ICMP: select this option to specify an ICMP type and an ICMP code.

e. Any: select this option so that the filter matches every IP protocol.
f. Other: select this option to specify another IP protocol.

7. In the Add IP Filter dialog box, click OK.

8. In the Filters dialog box, select one of the following filter actions, and then click OK:
a. Receive all packets except those that meet the criteria below
b. Drop all packets except those that meet the criteria below
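The following example is added here and is not Microsoft code or page content: it models the decision that the procedure above configures, namely an "Add IP Filter" entry (source and destination network with mask, protocol selector, ports, ICMP type and code) and the two list actions from step 8 (receive everything except matches, or drop everything except matches). The web server address, sample packets and filter set are constructed for the example. It also shows the mistake practitioners most often make with the "drop all except" action: forgetting a TCP [established] entry, which silently drops the replies to connections the protected network opened.

```python
"""RRAS-style IP packet filter semantics (added example, not Microsoft code).

Reproduces the matching rules of the Add IP Filter dialog and the two
list actions of the Filters dialog over constructed sample packets.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Packet:
    """Constructed sample packet: only the fields a filter can look at."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", or an IP protocol number as a string
    sport: int = 0             # TCP/UDP source port
    dport: int = 0             # TCP/UDP destination port
    tcp_ack: bool = False      # ACK set: segment belongs to an established connection
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class IPFilter:
    """One entry of the Add IP Filter dialog; None means 'any'."""
    src_net: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"          # 255.255.255.255 selects a single host
    dst_net: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: str = "any"                 # any | tcp | tcp-est | udp | icmp | other
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    other_proto: Optional[int] = None  # IP protocol number when proto == "other"


def in_net(addr: str, net: str, mask: str) -> bool:
    """True when addr falls inside net/mask (mask 0.0.0.0 matches everything)."""
    a, n, m = (int(IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)


def matches(f: IPFilter, p: Packet) -> bool:
    """Does packet p meet the criteria of filter f?"""
    if not in_net(p.src, f.src_net, f.src_mask) or not in_net(p.dst, f.dst_net, f.dst_mask):
        return False
    if f.proto == "any":
        return True
    if f.proto in ("tcp", "tcp-est"):
        if p.proto != "tcp" or (f.proto == "tcp-est" and not p.tcp_ack):
            return False
        return f.sport in (None, p.sport) and f.dport in (None, p.dport)
    if f.proto == "udp":
        return p.proto == "udp" and f.sport in (None, p.sport) and f.dport in (None, p.dport)
    if f.proto == "icmp":
        return (p.proto == "icmp" and f.icmp_type in (None, p.icmp_type)
                and f.icmp_code in (None, p.icmp_code))
    if f.proto == "other":
        return p.proto.isdigit() and int(p.proto) == f.other_proto
    raise ValueError(f"unknown protocol selector {f.proto!r}")


def decide(filters: List[IPFilter], action: str, p: Packet) -> str:
    """Apply the list action chosen in the Filters dialog.

    'receive_except': receive all packets except those matching a filter (block list)
    'drop_except':    drop all packets except those matching a filter (allow list)
    """
    hit = any(matches(f, p) for f in filters)
    if action == "receive_except":
        return "drop" if hit else "forward"
    if action == "drop_except":
        return "forward" if hit else "drop"
    raise ValueError(f"unknown action {action!r}")


def demo() -> Dict[str, str]:
    """Inbound allow list for a web server behind the router (constructed)."""
    web = "192.168.1.10"  # constructed address of the published web server
    allow = [
        IPFilter(dst_net=web, dst_mask="255.255.255.255", proto="tcp", dport=443),
        IPFilter(proto="tcp-est"),             # replies to connections opened from inside
        IPFilter(proto="icmp", icmp_type=0),   # echo replies only, never echo requests
    ]
    packets = {
        "https_syn": Packet("203.0.113.7", web, "tcp", 40000, 443),
        "ssh_syn": Packet("203.0.113.7", web, "tcp", 40001, 22),
        "reply_segment": Packet("198.51.100.9", "192.168.1.20", "tcp", 80, 50000, tcp_ack=True),
        "dns_query": Packet("203.0.113.7", web, "udp", 5353, 53),
        "ping_request": Packet("203.0.113.7", web, "icmp", icmp_type=8),
        "ping_reply": Packet("198.51.100.9", "192.168.1.20", "icmp", icmp_type=0),
    }
    result = {name: decide(allow, "drop_except", pkt) for name, pkt in packets.items()}
    # Common misconfiguration: the same list without the TCP [established] entry.
    no_est = [allow[0], allow[2]]
    result["reply_without_est_rule"] = decide(no_est, "drop_except", packets["reply_segment"])
    return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Note the asymmetry between the two actions: "receive all except" only removes what you enumerate, so a missing entry means extra traffic gets through, while "drop all except" only admits what you enumerate, so a missing entry (here the TCP [established] rule) breaks legitimate return traffic. Either way, the filter list is the full policy for that interface and should be reviewed as such.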
