Module 9: Fundamentals of Securing Network Communication
• Public Key Infrastructure
• Using Certificates
Lesson 1: Public Key Infrastructure
• Components of Public Key Infrastructure
• Selecting a Certification Authority
• What Is a Certificate?
• Types of Certificates
• What Is a Certificate Template?
• New Certificate Features in Windows Server® 2008
Components of Public Key Infrastructure
• Certificate and CA Management Tools
• Certification Authority
• Certificate and CRL Distribution Points
• Certificate Template
• Digital Certificate
• Certificate Revocation List
• Public Key-Enabled Applications and Services
Selecting a Certification Authority
Internal CAs:
• Generate certificates free of charge
• Are trusted by internal computers
• Are not trusted by computers outside the organization
External CAs:
• Require a fee for each certificate
• Are trusted by internal and external computers
What Is a Certificate?
A digital certificate:
• Can be used to verify identity
• Contains a public key
• Contains information about the issuer and the subject
• Is signed by a CA
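The bullets above (a certificate carries a public key, issuer and subject, and a CA's signature), together with the earlier point that an internal CA is trusted only by computers that hold its root, worked through in Go as an added example that is not part of the original module. It builds a constructed internal root CA and a Web server certificate (the names are assumed demo values), then checks that certificate as a browser would: from a client that trusts the root, from a client that reaches the site by IP address (the Lab Review warning), and from a computer outside the organization.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts the demo on an unexpected error so the PKI setup stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and returns a certificate for its public key signed by
// the parent CA's key; a nil parent yields the self-signed root CA certificate.
func issue(tmpl, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	if parent == nil { // root CA: issuer and subject are the same entity
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI creates a constructed internal root CA and the Web server certificate it
// signs. The names are demo values, not taken from any real deployment.
func BuildPKI() (ca, web *x509.Certificate) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Contoso Internal Root CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}, nil, nil)
	web, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "nyc-web.contoso.com"},
		DNSNames:    []string{"nyc-web.contoso.com"}, // the name a browser compares with the URL's host
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return ca, web
}

// VerifyFor checks web the way a browser does: the chain must end at a root in the
// client's trust store, and the host name or IP address typed in the URL must match.
func VerifyFor(web *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := web.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Verify returns a HostnameError for the IP-address case and an UnknownAuthorityError when the client lacks the root, the two conditions behind a browser's certificate warning.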
Types of Certificates
Certificates can be for limited uses:
• User: Assigned to users for performing actions such as file encryption
• Computer: Assigned to computers for performing actions such as domain communication
• CA: Assigned to certification authorities to authorize the issuing of certificates
What Is a Certificate Template?
Certificate templates include:
• Administrator: Allows trust list signing and user authentication
• Basic EFS: Used by Encrypting File System (EFS) to encrypt data
• Computer: Allows a computer to authenticate itself on the network
• Domain Controller: All-purpose certificates held by domain controllers
• IPSec: Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication
• User: Certificate to be used by users for e-mail, EFS, and client authentication
• Web Server: Proves the identity of a Web server
New Certificate Services Features in Windows Server 2008
New certificate services features include:
• Enterprise PKI: A tool for monitoring your PKI environment
• Network Device Enrollment Service: Allows routers and switches to obtain X.509 certificates
• Online Certificate Status Protocol: Allows clients to query the validity of certificates
• Policy settings: Updated with additional features for managing certificates by using Group Policy
• Web enrollment: Updated to use a new DLL for enrollment control
• Cryptography Next Generation: A set of APIs for performing cryptographic operations
• Restricted Enrollment Agent: An authorized individual who can approve certificate requests for specific security groups
Lesson 2: Using Certificates
• What Is the Certificates Snap-in?
• What Is SSL?
• What Is IPSec?
• What Is S/MIME?
• How Certificates Are Used for Remote Access
• Demonstration: Obtaining a User Certificate
What Is the Certificates Snap-in?
The Certificates snap-in manages user and computer certificates
What Is SSL?
Secure Sockets Layer (SSL):
• Encrypts communication between a client and server
• Requires no client configuration
• Is commonly used with basic authentication
• Uses asymmetric encryption to establish a secure channel
• Uses symmetric encryption to secure data in transit
[Diagram: unencrypted text at the client and at the server; encrypted text in transit between them]
What Is IPSec?
IPSec:
• Secures communication between two hosts
• Authenticates both hosts
• Is configured by using Windows Firewall with Advanced Security
• Can use multiple authentication types:
– Pre-shared key
– Kerberos version 5 protocol
– Certificates
What Is S/MIME?
Secure Multipurpose Internet Mail Extensions (S/MIME):
• Is a standard for helping to secure e-mail communication
• Can encrypt e-mail messages
• Can digitally sign e-mail messages
• Is supported by most e-mail clients
• Requires coordination between senders
How Certificates Are Used for Remote Access
When certificates are used for remote access:
• The certificates are used as an authentication method
• Security is increased over using a username and password
• The certificates can be placed on a smart card for additional security
Demonstration: Obtaining a User Certificate
In this demonstration, you will see how to obtain a user certificate.
Lab: Securing Web Communication
• Exercise 1: Verifying the Trusted Root CA
• Exercise 2: Securing a Web site by using SSL
Logon information
• Virtual computers: NYC-DC1, NYC-CL1
• User name: Administrator
• Password: Pa$$w0rd
Estimated time: 60 minutes
Lab Review
• Why does accessing the Web site by IP address trigger a warning?
• What is the difference between removing the HTTP binding for a Web site and requiring the use of SSL?
• What is the difference between a certificate request, a domain certificate, and a self-signed certificate?
Module Review and Takeaways
• Review Questions
• Real-world Issues and Scenarios
• Best Practices
• Tools