Module 9: Fundamentals of Securing Network Communication
Lesson 1: Public Key Infrastructure
Lesson 2: Using Certificates

Lesson 1: Public Key Infrastructure
- Components of Public Key Infrastructure
- Selecting a Certification Authority
- What Is a Certificate?
- Types of Certificates
- What Is a Certificate Template?
- New Certificate Features in Windows Server 2008

Components of Public Key Infrastructure
- Certificate and CA management tools
- Certification authority
- Certificate and CRL distribution points
- Certificate templates
- Digital certificates
- Certificate revocation list (CRL)
- Public key-enabled applications and services

Selecting a Certification Authority
Internal CAs:
- Generate certificates free of charge
- Are trusted by internal computers
- Are not trusted by computers outside the organization
External CAs:
- Require a fee for each certificate
- Are trusted by internal and external computers

What Is a Certificate?
A digital certificate:
- Can be used to verify identity
- Contains a public key
- Contains information about the issuer and the subject
- Is signed by a CA
Types of Certificates
Certificates can be issued for limited uses. Certificate type and description:
- User: Assigned to users for performing actions such as file encryption
- Computer: Assigned to computers for performing actions such as domain communication
- CA: Assigned to certification authorities to authorize the issuing of certificates
What Is a Certificate Template?
Certificate templates include (template name and description):
- Administrator: Allows trust list signing and user authentication
- Basic EFS: Used by Encrypting File System (EFS) to encrypt data
- Computer: Allows a computer to authenticate itself on the network
- Domain Controller: All-purpose certificates held by domain controllers
- IPSec: Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication
- User: Certificate to be used by users for e-mail, EFS, and client authentication
- Web Server: Proves the identity of a Web server
New Certificate Services Features in Windows Server 2008
New certificate services features include (feature and description):
- Enterprise PKI: A tool for monitoring your PKI environment
- Network Device Enrollment Service: Allows routers and switches to obtain X.509 certificates
- Online Certificate Status Protocol (OCSP): Allows queries to view the validity of certificates
- Policy settings: Updated with additional features for managing certificates by using Group Policy
- Web enrollment: Updated to use a new DLL for enrollment control
- Cryptography Next Generation: A set of APIs for performing cryptographic operations
- Restricted Enrollment Agent: An authorized individual who can approve certificate requests for specific security groups
Lesson 2: Using Certificates
- What Is the Certificates Snap-in?
- What Is SSL?
- What Is IPSec?
- What Is S/MIME?
- How Certificates Are Used for Remote Access
- Demonstration: Obtaining a User Certificate

What Is the Certificates Snap-in?
The Certificates snap-in manages user and computer certificates.

What Is SSL?
Secure Sockets Layer (SSL):
- Encrypts communication between a client and server
- Requires no client configuration
- Is commonly used with basic authentication
- Uses asymmetric encryption to establish a secure channel
- Uses symmetric encryption to secure data in transit
[Diagram: a client and a server, each handling unencrypted text, with encrypted text passing between them]

What Is IPSec?
IPSec:
- Secures communication between two hosts
- Authenticates both hosts
- Is configured by using Windows Firewall with Advanced Security
- Can use multiple authentication types: pre-shared key, Kerberos version 5 protocol, or certificates

What Is S/MIME?
Secure Multipurpose Internet Mail Extensions (S/MIME):
- Is a standard for helping to secure e-mail communication
- Can encrypt e-mail messages
- Can digitally sign e-mail messages
- Is supported by most e-mail clients
- Requires coordination between senders

How Certificates Are Used for Remote Access
When certificates are used for remote access:
- The certificates are used as an authentication method
- Security is increased over using a user name and password
- The certificates can be placed on a smart card for additional security

Demonstration: Obtaining a User Certificate
In this demonstration, you will see how to obtain a user certificate.
Lab: Securing Web Communication
- Exercise 1: Verifying the Trusted Root CA
- Exercise 2: Securing a Web Site by Using SSL
Logon information:
- Virtual computers: NYC-DC1, NYC-CL1
- User name: Administrator
- Password: Pa$$w0rd
Estimated time: 60 minutes

Lab Review
- Why does accessing the Web site by IP address trigger a warning?
- What is the difference between removing the HTTP binding for a Web site and requiring the use of SSL?
- What is the difference between a certificate request, a domain certificate, and a self-signed certificate?

Module Review and Takeaways
- Review Questions
- Real-world Issues and Scenarios
- Best Practices
- Tools
Module 9: Fundamentals of Securing Network Communication
Course 6420A
Presentation: 30 minutes
Demonstration: 10 minutes
This module helps students describe how to secure network traffic by using certificates.

After completing this module, students will be able to:
- Describe public key infrastructure components and certificates
- Describe methods for securing network communication by using certificates

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 6420A_09.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.
Describe each of the Public Key Infrastructure (PKI) components and why each is relevant. Describe the basic process for obtaining a certificate:
1. Generate a certificate signing request (CSR).
2. Submit the CSR to a certification authority (CA).
3. The certification authority generates a response.
4. The client imports the response from the CA.
In some cases this process may be automated.

Question: Can you think of a situation where certificates can be used without being issued by a CA?
Answer: Some applications are capable of creating self-signed certificates that are not issued by a CA. These certificates are not automatically trusted, which can cause communication problems. However, self-signed certificates allow applications to use encryption without further configuration. For example, Microsoft Exchange Server 2007 creates a self-signed certificate during installation that is used to secure Web services.
Describe internal and external CAs. When users outside the organization will be involved, an external CA is used to reduce configuration issues. Give an untrusted Secure Sockets Layer (SSL) certificate as one example of a problem with using internal certificates for external users.

Question: Which type of CA would you use to secure access to a Web server?
Answer: If the Web server is used for an internal application, then using an internal CA is possible. If the Web server is used by external users, then an external CA should be considered.
Mention that a certificate is paired with both a public key and a private key that can be used for asymmetric encryption. Also mention that, for many purposes, the subject name in the certificate must match the Domain Name System (DNS) name that is used to access the host. This is a common issue when securing network communication.
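The name check described in the note above, as an added example that is not part of the course material: a hostname-matching routine over the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The certificate, its names and the address used in the comments are constructed placeholders, not values from the lab; the routine also shows why the lab review question about browsing by IP address produces a warning.

```python
import ipaddress

# Constructed certificate in the shape ssl.SSLSocket.getpeercert() returns.
# The names are placeholders, not values from the lab environment.
SAMPLE_CERT = {
    "subject": ((("commonName", "nyc-dc1.example.com"),),),
    "subjectAltName": (
        ("DNS", "nyc-dc1.example.com"),
        ("DNS", "www.example.com"),
    ),
}

def dns_match(pattern, hostname):
    """Match one DNS name: case-insensitive, trailing dot ignored, and a '*' is
    accepted only as the whole leftmost label of a name with at least three labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_names(cert):
    """Names a client may match against: the subjectAltName entries, or the
    subject commonName only when the certificate has no SAN extension."""
    san = list(cert.get("subjectAltName", ()))
    if san:
        return san
    return [("DNS", value) for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def hostname_matches(cert, hostname):
    """True when the name the client used is covered by the certificate.
    An IP address matches only an explicit 'IP Address' SAN entry, never a DNS
    name or the CN, which is why browsing to https://<ip>/ triggers a warning."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert_names(cert):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value, hostname):
            return True
    return False
```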
Question: How does a certificate uniquely identify a subject?
Answer: The combination of a public key and a private key uniquely identifies a subject. Only the holder of the matching private key can decrypt messages encrypted by the public key. The certification authority links the identity of the subject to the public key with the certificate.

Describe to students that you want to restrict certificate uses to prevent unauthorized actions on the part of users or computers. You may have different requirements for issuing a computer certificate than a user certificate.

Question: Why is it important to understand the multiple types of certificates?
Answer: When implementing a system that requires a certificate, you must request the appropriate type of certificate. The fees charged by external CAs vary based on the type of certificate.

The Windows Server 2008 operating system can use certificate templates to easily define various characteristics of certificates and control how each is issued. This simplifies administration of certificates and allows automation of certificate approval. Certificate templates are available only for Enterprise certification authorities.
Question: Why are certificate templates useful?
Answer: Certificate templates reduce the administrative overhead of maintaining an internal CA. Templates can be created for approved purposes to simplify issuance of new c