Module 9: Fundamentals of Securing Network Communication



Module 9: Fundamentals of Securing Network Communication

• Public Key Infrastructure

• Using Certificates


Lesson 1: Public Key Infrastructure

• Components of Public Key Infrastructure

• Selecting a Certification Authority

• What Is a Certificate?

• Types of Certificates

• What Is a Certificate Template?

• New Certificate Features in Windows Server® 2008


Components of Public Key Infrastructure

• Certificate and CA Management Tools

• Certification Authority

• Certificate and CRL Distribution Points

• Certificate Template

• Digital Certificate

• Certificate Revocation List

• Public Key-Enabled Applications and Services


Selecting a Certification Authority

Internal CAs:

• Generate certificates free of charge

• Are trusted by internal computers

• Are not trusted by computers outside the organization

External CAs:

• Require a fee for each certificate

• Are trusted by internal and external computers


What Is a Certificate?

A digital certificate:

• Can be used to verify identity

• Contains a public key

• Contains information about the issuer and the subject

• Is signed by a CA


Types of Certificates

Certificates can be for limited uses:

Certificate Type    Description
User                Assigned to users for performing actions such as file encryption
Computer            Assigned to computers for performing actions such as domain communication
CA                  Assigned to certification authorities to authorize the issuing of certificates


What Is a Certificate Template?

Certificate templates include:

Certificate Template    Description
Administrator           Allows trust list signing and user authentication
Basic EFS               Used by Encrypting File System (EFS) to encrypt data
Computer                Allows a computer to authenticate itself on the network
Domain Controller       All-purpose certificates held by domain controllers
IPSec                   Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication
User                    Certificate to be used by users for e-mail, EFS, and client authentication
Web Server              Proves the identity of a Web server


New Certificate Services Features in Windows Server 2008

New certificate services features include:

New Feature                          Description
Enterprise PKI                       A tool for monitoring your PKI environment
Network Device Enrollment Service    Allows routers and switches to obtain X.509 certificates
Online Certificate Status Protocol   Allows queries to view the validity of certificates
Policy settings                      Updated with additional features for managing certificates by using Group Policy
Web enrollment                       Updated to use a new DLL for enrollment control
Cryptography Next Generation         A set of APIs for performing cryptographic operations
Restricted Enrollment Agent          An authorized individual that can approve certificate requests for specific security groups


Lesson 2: Using Certificates

• What Is the Certificates Snap-in?

• What Is SSL?

• What Is IPSec?

• What Is S/MIME?

• How Certificates Are Used for Remote Access

• Demonstration: Obtaining a User Certificate


What Is the Certificates Snap-in?

The Certificates snap-in manages user and computer certificates


What Is SSL?

Secure Sockets Layer (SSL):

• Encrypts communication between a client and server

• Requires no client configuration

• Is commonly used with basic authentication

• Uses asymmetric encryption to establish a secure channel

• Uses symmetric encryption to secure data in transit

[Diagram: Client and Server; labels: Unencrypted Text, Encrypted Text]


What Is IPSec?

IPSec:

• Secures communication between two hosts

• Authenticates both hosts

• Is configured by using Windows Firewall with Advanced Security

• Can use multiple authentication types:

– Pre-shared key

– Kerberos version 5 protocol

– Certificates


What Is S/MIME?

Secure Multipurpose Internet Mail Extensions (S/MIME):

• Is a standard for helping to secure e-mail communication

• Can encrypt e-mail messages

• Can digitally sign e-mail messages

• Is supported by most e-mail clients

• Requires coordination between senders


How Certificates Are Used for Remote Access

When certificates are used for remote access:

• The certificates are used as an authentication method

• Security is increased compared with using a user name and password

• Certificates can be placed on a smart card for additional security


Demonstration: Obtaining a User Certificate

In this demonstration, you will see how to obtain a user certificate.


Lab: Securing Web Communication

• Exercise 1: Verifying the Trusted Root CA

• Exercise 2: Securing a Web site by using SSL

Logon information

Virtual computers: NYC-DC1, NYC-CL1

User name: Administrator

Password: Pa$$w0rd

Estimated time: 60 minutes


Lab Review

• Why does accessing the Web site by IP address trigger a warning?

• What is the difference between removing the HTTP binding for a Web site and requiring the use of SSL?

• What is the difference between a certificate request, a domain certificate, and a self-signed certificate?
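As an added illustration that is not part of the module, the following Python models the certificate properties listed under "What Is a Certificate?", the trust difference between internal and external CAs, and the first lab review question (why a site opened by IP address triggers a warning). It uses textbook RSA with tiny constructed primes and made-up names (Contoso Root CA, nyc-dc1.contoso.com, 192.168.1.10), so it demonstrates the checks a client performs, not production cryptography.

```python
import hashlib
import json

E = 17  # public exponent shared by every constructed key below

def make_key(p, q):
    """Textbook RSA key pair from two tiny constructed primes (demo only, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def digest(tbs, n):
    """SHA-256 of the to-be-signed fields, reduced mod n so textbook RSA can sign it."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_cert(subject, subject_pub, issuer, issuer_priv):
    """The CA binds a subject name to its public key and signs that binding."""
    tbs = {"subject": subject, "issuer": issuer, "public_key": subject_pub}
    sig = pow(digest(tbs, issuer_priv["n"]), issuer_priv["d"], issuer_priv["n"])
    return {"tbs": tbs, "signature": sig}

def verify_signature(cert, issuer_pub):
    n, e = issuer_pub["n"], issuer_pub["e"]
    return pow(cert["signature"], e, n) == digest(cert["tbs"], n)

def validate(cert, trust_store, requested_host):
    """What a browser checks: issuer in the root store, valid signature, name match."""
    issuer_pub = trust_store.get(cert["tbs"]["issuer"])
    if issuer_pub is None:
        return "untrusted issuer"        # root CA certificate not installed on this client
    if not verify_signature(cert, issuer_pub):
        return "bad signature"           # certificate altered after the CA signed it
    if cert["tbs"]["subject"] != requested_host:
        return "name mismatch"           # e.g. browsing by IP address instead of host name
    return "ok"

def tamper(cert, new_subject):
    """Copy of the certificate with the subject edited but the original signature kept."""
    return {"tbs": {**cert["tbs"], "subject": new_subject}, "signature": cert["signature"]}

# Constructed scenario: an internal CA issues a Web server certificate for NYC-DC1.
ca_pub, ca_priv = make_key(1009, 1013)
srv_pub, _ = make_key(1019, 1031)          # the server's private half is not needed here
cert = issue_cert("nyc-dc1.contoso.com", srv_pub, "Contoso Root CA", ca_priv)
internal_store = {"Contoso Root CA": ca_pub}   # domain client: root CA cert installed
external_store = {}                            # outside client: never saw the internal root
```

Calling `validate(cert, internal_store, "192.168.1.10")` reproduces the lab warning as "name mismatch", while the same certificate checked from `external_store` fails earlier with "untrusted issuer".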


Module Review and Takeaways

• Review Questions

• Real-world Issues and Scenarios

• Best Practices

• Tools