Designing Secure Connectivity

The connections between computers in a network are a potential security vulnerability, because network data can be read on the computers it passes through. This becomes a much more serious issue when public networks, such as the Internet, are involved.

The following sections discuss some key methods of securing network connectivity:

  • Providing secure access to public networks, such as the Internet

  • Using the Internet to create virtual private networks (VPNs)

  • Using Server Message Block (SMB) signing to add security to network file sharing

Securing Public Network Access

The simplest method of providing a network with connectivity to the Internet is to assign a public IP address to each computer on the network and use a router to provide all computers with connectivity to the network. This works, but has several disadvantages:

  • A limited number of public IP addresses are available, and you may not be able to obtain enough for all of the computers on the network.

  • All computers are accessible by anyone on the Internet, providing infinite possibilities for security problems.

  • There is no way to control which local resources can be accessed from the Internet or which Internet resources can be accessed.

The solution to these problems is to use a separate internal IP addressing scheme and use a translation system or a proxy server to provide connectivity between public and private networks. Windows 2000 provides two methods of accomplishing this:

NAT (Network Address Translation)

NAT translates between local (private) IP addresses and public addresses. This provides a simple method of allowing Internet access and a limited way of allowing access to local resources from the Internet.

Proxy Server

Proxy Server acts as a proxy between local computers and the Internet. The proxy’s IP address is the only one exposed to the public network. Proxy Server also provides additional security features, such as customizable filters and user-based security.

Regardless of the method you use, you should include policies in your network security design for two critical items: access to the Internet from local computers and access to local computers from the Internet. These are discussed in the following sections.

Securing Internet access

Your security design should specify who can access the Internet and whether you will limit the sites that can be accessed. If you wish to limit access to individual sites or control access based on users and groups, you will require a firewall, such as Microsoft Proxy Server.

It is also important to provide a single access point to the Internet, typically the NAT or Proxy Server machine. If separate modems throughout the network can be used for Internet access, there is no way to centralize security.

Providing access to local resources

Both Proxy Server and NAT allow you to make one or more local computers reachable over the Internet, without exposing their IP address. This is useful for web servers and other public services. Proxy Server allows precise filtering, management, and logging of incoming traffic.

VPNs (Virtual Private Networks)

A VPN, or virtual private network, allows two or more computers to form a virtual LAN connection using a public network, such as the Internet, as the transport. Because all of the data travels across public channels, VPNs require encryption.

Windows 2000 supports two VPN protocols, PPTP and L2TP. These are described in the following sections.

PPTP

PPTP (Point-to-Point Tunneling Protocol) is a VPN protocol based on the PPP (Point-to-Point Protocol) dial-up protocol. PPTP encapsulates local data within IP packets for transmission via the public network.

PPTP does not itself include encryption. Windows 2000 encrypts PPTP data using MPPE (Microsoft Point-to-Point Encryption). MPPE is based on an RSA encryption scheme, which uses an algorithm to generate cipher keys that change with each packet.

L2TP

L2TP (Layer 2 Tunneling Protocol) is an IETF standard for VPN tunneling. L2TP is based on a combination of L2F (Layer 2 Forwarding) and PPTP.

As with PPTP, L2TP does not in itself provide encryption. Windows 2000’s implementation of L2TP is designed to be used with IPSec to encrypt data. IPSec is explained in detail later in this chapter.

SMB Signing Security

SMB (Server Message Block) is the protocol Windows NT and Windows 2000 servers use for file sharing. Windows 2000 improves upon the security of the basic SMB protocol by adding two features:

Mutual authentication

Requires both the SMB client and server to identify themselves, preventing an unauthorized node from intercepting file sharing messages

SMB signing

Adds digital signatures to SMB messages, further preventing the possibility of unauthorized access

SMB signing is also supported by Windows NT 4.0 SP3 or later and by Windows 98, but not enabled by default. To enable SMB signing on these systems, edit the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

To enable signing, add one or both of the following values under this key. Both are word values and should be set to 1 to enable or 0 to disable:

EnableSecuritySignature

If this feature is enabled, SMB signing is supported and will be used whenever a file sharing connection is made with a client that also has this feature enabled.

RequireSecuritySignature

If this feature is enabled, SMB signing is required: only clients that support SMB signing and have the feature enabled will be able to share files. The EnableSecuritySignature key should also be set.
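The following PowerShell script is an added example, not part of the original text, that audits the two registry values described above and reports the resulting SMB signing policy; it can also set both values to 1 to require signing. It assumes a modern Windows host where the LanManServer key still carries these values, and it also checks the client-side LanManWorkstation key, which the text does not mention.

```powershell
# Added example: audit (and optionally enforce) SMB signing via the registry
# values described in the text. The interpretation of the value combinations
# follows the text: Require without Enable is treated as a misconfiguration.

$SigningKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters',      # server side (from the text)
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'  # client side (assumed, not in the text)
)

function Get-SmbSigningPolicy {
    param([string[]]$Paths = $SigningKeys)

    foreach ($path in $Paths) {
        $props   = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $enable  = $props.EnableSecuritySignature
        $require = $props.RequireSecuritySignature

        # A missing value behaves as 0: signing is off by default on these systems.
        if ($null -eq $enable)  { $enable  = 0 }
        if ($null -eq $require) { $require = 0 }

        if ($require -eq 1 -and $enable -eq 1) { $policy = 'Required' }
        elseif ($require -eq 1)                { $policy = 'Misconfigured: Require set without Enable' }
        elseif ($enable -eq 1)                 { $policy = 'Negotiated (used only if the peer also enables it)' }
        else                                   { $policy = 'Disabled' }

        [pscustomobject]@{
            Key                      = $path
            EnableSecuritySignature  = $enable
            RequireSecuritySignature = $require
            Policy                   = $policy
        }
    }
}

function Set-SmbSigningRequired {
    # Sets both DWORD values to 1 on the given keys, as the text directs when
    # requiring signatures (Enable must accompany Require). Needs an elevated shell.
    param([string[]]$Paths = $SigningKeys)

    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name EnableSecuritySignature  -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $path -Name RequireSecuritySignature -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-SmbSigningPolicy -Paths $Paths
}

Get-SmbSigningPolicy | Format-Table -AutoSize
```

Run the audit first on a handful of hosts before calling Set-SmbSigningRequired, since once signing is required any client that cannot sign will be refused file sharing, as the text notes.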
