We mentioned that it's necessary to confirm the identity of the remote user. There's a special type of server providing such services. It's called the RADIUS server in the RFC documents; the standard is labeled with the numbers 2138 and 2139. In the Microsoft environment it's been implemented as IAS (Internet Authentication Service) or as NPS (Network Policy Server); NPS has been available from Windows Server 2008 onward, and I guess Internet Authentication Service can be found even in earlier versions of Windows. The RADIUS server is a central place that allows you to authenticate remote users and control their access. Remote users are defined as those who connect from outside the local network, using for example VPN. The RADIUS server controls remote access servers, or RAS. Let's see how it all works. First, a user tries to connect to a corporate network, that is to say to a remote access server, the RAS server. Then that server, which is configured as a client of the central RADIUS server, will send the request for it on behalf of the user. The RADIUS server should be physically as close to the domain controller as possible. In the next step the RADIUS server will ask the domain controller whether the user provided correct credentials, that is, whether the login and password or the certificate are correct.
If the credentials match and the user has the right to log on to the remote server, the RADIUS server will inform the remote access server. Then it will ask the remote access server to create a virtual interface for the user. Eventually a connection is established. There exist several ways to check credentials. The first of them is the CHAP protocol. It is specified in RFC 1994. This is one of the protocols which you should never use: for CHAP to work you need reversibly encrypted passwords, and this protocol doesn't encrypt the channel. Therefore the data is sent in clear text. The protocol has been modified by Microsoft and is called MS-CHAP. This version allows you to encrypt the data; to do this it uses MPPE, Microsoft Point-to-Point Encryption. However, it does not protect against replay attacks or session capture. We don't use MS-CHAP either, because it doesn't provide mutual authentication. Mutual authentication is available only in MS-CHAP version 2. This protocol allows you to store irreversibly encrypted passwords, and MS-CHAP version 2 is the least secure protocol among those that we should use in practice. In every possible case, and there are many,
you should use the Extensible Authentication Protocol, EAP, in one of the available modes, for example the TLS mode. At present this is the only protocol that guarantees the security of the authentication data, and the data is sent through the channel established in this way. It also allows you to confirm the identity of a user or a host not only with a password but with a public key certificate or a smart card. There are two more protocols that can be found on the lists of older network devices, RAS servers and Windows systems. You should not, however, ever use them. These are the PAP protocol, which sends the password in clear text, and the later version, SPAP, which uses reversible password encryption; the latter can be broken by modern computers in real time, and when it comes to the former there's nothing to be cracked. The last topic we'll discuss in this module is network access control in corporate networks. There are more and more computers that are beyond direct control. These are not the demilitarized zone computers; these are users' laptops and mobile devices. Therefore you have to take a different approach to subnetworks. Rather than grouping computers into subnets according to their IP addresses or their function, they should be grouped according to their security level.
This is how Network Access Protection, or NAP, works. NAP is a mechanism supposed to automatically verify the conformity of your computer with certain standards: for example, whether the Internet connection firewall is enabled, whether the virus scanner is installed and whether it is active, or whether the operating system is updated. There exists a fixed list of tests that the computer must pass before it's connected to the network. Until the computer meets these requirements it will be isolated: it will be automatically connected to a specific separate subnet. How can you create such a subnet? The first way is to use IPsec. Unless the client meets the security requirements, it will not be given a certificate which can be used to communicate with IPsec. Without this certificate the computer has access only to selected subnets. Such a separate subnet should consist of a remediation server and a server allowing it to download and install missing updates. Another way to implement network access control is to use the 802.1X protocol, which we have discussed earlier: you can enable or disable a switch port depending on whether the computer passed all the tests or not.
You can also assign the computer to an appropriate VLAN. Network access control can also be implemented with the use of a DHCP server: a DHCP server with two address pools grants addresses from one pool to computers that meet the policy's requirements, whereas computers that don't are granted addresses from the other pool. Clients that connect remotely to our network can also be verified by the RADIUS server. The mechanism described, implemented in the way that's usually done in Windows, has one more important advantage: rather than being carried out on a one-off basis during the connection, computer security tests are carried out regularly, over a period of time specified by the NPS policy. If someone turns off the firewall while connected to the corporate network, they will be immediately disconnected from the network, or the firewall will automatically be enabled by the server. The technical implementation should proceed as follows. First we need agents that will gather information about the computer's configuration. Also there must exist a mechanism that will implement the method we've just discussed. We'll demonstrate how it works in the safest mode possible, that is the IPsec mode. First, connect the computer to the corporate network.
In Windows systems there's a security agent that assesses the security level of the computer. This service is installed along with the operating system. The service communicates with the quarantine server, the network access control server, in order to check the rules currently in force. The agent evaluates the computer in terms of compliance with these rules in force and reports the result of the evaluation to the server. If the result is positive, the computer will be given a certificate: a certification authority issues a certificate that will be downloaded automatically. Certificates used in network access control are short-lived certificates; their default validity period is 10 hours. This means that the entire infrastructure associated with certificate revocation and status checking is not needed. This is a very simple mechanism. If a computer fails the test, it will be redirected to a remediation server and, as a consequence, its security level will increase. It could involve, for example, installing missing patches; most likely it will happen automatically and go unnoticed by the user. After the patches have been installed, the agent should assess the computer's security status as consistent with the security policy. This means that it will be granted a certificate; thanks to this it will be able to use IPsec and get full access to the corporate network.
The whole mechanism is not, strictly speaking, a security solution, but it fits very well with current trends in computer systems security. It eliminates the risk coming from neglectful users who, for communication with the network, use computers which have been connected to open public networks and which have run programs from untrusted sources. The second part of this module has been devoted to the additional protocols and services that help secure the computer infrastructure. Thank you.