MCSE 04 Planning of a Network Infrastructure 01 Theory


  • 8/6/2019 MCSE 04 Planning of a Network Infrastructure 01 Theory


    ADVANTAGE PRO Chennais Premier Networking Training Centre

    Certificate Services


Topics of Discussion

Certificate Authority overview

Certificate Authority configuration

Smart card logon

Troubleshooting Certificate Authority


Certificate Authority Overview: Windows 2003 CA policies

Enterprise CA

Stand-alone CA


Certificate Authority Overview: Windows 2003 CA policies

Enterprise policies

Stand-alone policies

Active Directory

Authentication

Certificate templates


Certificate Authority Overview: Enterprise CA

Active Directory

Windows 2003 security model

Templates

CA certificate templates

CA enrollment

CA security model


Certificate Authority: Enterprise CA

CA enrollment

User domain authentication

Computer auto-enrollment

CA security model

Controlling enrollment through DACLs (discretionary access control lists) set on the certificate templates and on the CA itself
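As an added example (not part of the training deck, and not Windows code), the following Python model evaluates a template DACL the way the CA does when deciding whether a user or computer account may enroll: a right held by any group the principal belongs to counts, an explicit Deny overrides any Allow, manual enrollment needs Read and Enroll, and Group Policy autoenrollment needs Autoenroll as well. The principals, groups, template names and ACEs are constructed for the demonstration.

```python
"""Template DACL evaluation: an added model of how enrollment permission is
decided (constructed example, not Windows code). Principals, groups, template
names and ACEs below are assumptions made for the demonstration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

READ, ENROLL, AUTOENROLL = "Read", "Enroll", "Autoenroll"


@dataclass(frozen=True)
class Ace:
    trustee: str   # user, computer account or group the ACE names
    right: str     # READ, ENROLL or AUTOENROLL
    allow: bool    # False means an explicit Deny


def effective_rights(principal: str, groups: Dict[str, FrozenSet[str]],
                     dacl: List[Ace]) -> FrozenSet[str]:
    """Rights a principal ends up holding on one template.

    A right granted to any group the principal belongs to counts, and an
    explicit Deny (to the principal or any of its groups) overrides every
    Allow, which is the precedence Windows applies when evaluating a DACL."""
    identities = {principal} | groups.get(principal, frozenset())
    allowed = {a.right for a in dacl if a.allow and a.trustee in identities}
    denied = {a.right for a in dacl if not a.allow and a.trustee in identities}
    return frozenset(allowed - denied)


def can_enroll(principal: str, groups: Dict[str, FrozenSet[str]], dacl: List[Ace]) -> bool:
    """Manual enrollment (MMC or web enrollment) needs Read and Enroll."""
    return {READ, ENROLL} <= effective_rights(principal, groups, dacl)


def can_autoenroll(principal: str, groups: Dict[str, FrozenSet[str]], dacl: List[Ace]) -> bool:
    """Group Policy autoenrollment additionally needs Autoenroll."""
    return {READ, ENROLL, AUTOENROLL} <= effective_rights(principal, groups, dacl)


# Constructed directory: which groups each principal belongs to.
GROUPS = {
    "alice": frozenset({"Domain Users"}),
    "guest": frozenset({"Domain Users", "Guests"}),
    "WS01$": frozenset({"Domain Computers"}),
    "helpdesk1": frozenset({"Domain Users", "Smart Card Issuers"}),
}

# Constructed template DACLs (names are assumptions, not the built-in templates).
TEMPLATES = {
    "User": [
        Ace("Domain Users", READ, True), Ace("Domain Users", ENROLL, True),
        Ace("Guests", ENROLL, False),            # explicit Deny wins over the Allow above
    ],
    "Computer": [
        Ace("Domain Computers", READ, True), Ace("Domain Computers", ENROLL, True),
        Ace("Domain Computers", AUTOENROLL, True),
    ],
    "Enrollment Agent": [
        Ace("Smart Card Issuers", READ, True), Ace("Smart Card Issuers", ENROLL, True),
    ],
}


def audit(templates=TEMPLATES, groups=GROUPS) -> Dict[str, Dict[str, str]]:
    """For every template, how each principal may obtain a certificate:
    'auto', 'manual' or 'none'."""
    report: Dict[str, Dict[str, str]] = {}
    for name, dacl in templates.items():
        report[name] = {}
        for principal in groups:
            if can_autoenroll(principal, groups, dacl):
                report[name][principal] = "auto"
            elif can_enroll(principal, groups, dacl):
                report[name][principal] = "manual"
            else:
                report[name][principal] = "none"
    return report


if __name__ == "__main__":
    for template, rows in audit().items():
        print(template, rows)
```

The audit table is what to review before a template is published on an enterprise CA: on the Enrollment Agent template, only the group that staffs the Smart Card Enrollment Station should show anything other than "none", because whoever can enroll there can request logon certificates on behalf of other users.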


Certificate Authority: Enrollment

Web-based

Group Policy (autoenrollment)

Hierarchy of Certificate Authorities

Enterprise

Intermediate (subordinate)

Offline root CA: kept off the network and used only to issue the subordinate CA certificates and its own CRL, so a compromised issuing CA can be revoked at the root rather than forcing every client to be re-pointed at a new root


Certificate Authority: Enterprise CA security model

DACLs

Revoking certificates

Renewing the CA

Certificate revocation lists (CRLs)

CDPs (CRL distribution points): the locations written into each issued certificate from which clients fetch the issuer's CRL

Publication


Certificate Authority: Stand-alone CA

Active Directory

Templates


Certificate Authority Configuration

Stand-alone CA:

Stand-alone subordinate CA

Root CA

Enterprise CA:

Root CA

Intermediate CA

Enterprise subordinate CA


Smart Card Logon

What is a smart card?

What is PKI (public key infrastructure)?

Active Directory and Kerberos concepts

Authentication

Deployment


What Is a Smart Card?

A smart card is essentially a miniature computer, embedded in plastic in the form of a credit card, with limited storage and processing capability. The circuitry in a smart card derives power from a smart card reader after the card is inserted into the reader.

For logon the card holds the user's certificate and private key and performs the signing operation itself, so the private key never leaves the card; what the logon proves is possession of the card plus knowledge of its PIN.


What Is PKI?

A public key infrastructure (PKI) is a set of components that manages the certificates and keys used by encryption and digital signature services.

A good PKI must provide services for cryptographic operations, certificate enrollment and renewal, certificate distribution and validation, and certificate revocation, plus administrative tools and services for managing all of the above.


Active Directory and Kerberos Concepts

Kerberos

PKINIT (public key initial authentication: the Kerberos extension that lets the certificate and private key on the smart card replace the password in the initial AS exchange)

Key Distribution Center

Authentication service (AS)

TGS (ticket granting service)

Active Directory


Authentication

Interactive logon

Logon request

Certificate verification

Offline logon

Remote access

Local versus domain logon


Deploying Smart Cards

Who should use smart cards?

What policies are needed?

Smart card required (the "Interactive logon: Require smart card" security option)

On smart card removal (the "Interactive logon: Smart card removal behavior" security option: no action, lock workstation or force logoff)

Personal identification numbers (PINs)


How Should Smart Cards Be Issued?

Smart Card Enrollment Station

Enrollment agent (holds an Enrollment Agent certificate and requests smart card logon certificates on behalf of users)


    Troubleshooting Smart Card Logon

    Strategies

    Optimizations

    Considerations

    DSSTORE tool


Strategies

Effects of latency caused by Active Directory replication:

Time lag before the Smart Card Enrollment Station (its enrollment agent certificate) becomes valid

Authenticating domain controllers may not be aware of a new CA: the CA certificate is published to the enterprise NTAuth store in Active Directory and must replicate to a domain controller before that DC accepts logon certificates issued by the CA

Enrollment against an enterprise CA requires the root certificate of the CA's chain to be trusted by the client


Optimizations

Certificate revocation lists (CRLs)

When a certificate is revoked, it appears in the issuer's CRL.

Smart card logon uses the Microsoft Cryptographic Application Programming Interface (CryptoAPI) 2.0 for chain building and revocation checking.


CRLs are cached in the context of the user or computer, and a cached CRL is not refreshed until it expires.

Recommended CRL lifetime of 24 hours.

The cache lifetime is therefore the revocation latency: a certificate revoked today is still accepted by every client holding a cached CRL until that CRL's next update, so the 24-hour lifetime is also the worst-case window in which a revoked smart card or subordinate CA keeps working.


Considerations

Properly removing a root CA:

Remove the root CA's certificate from manually created Group Policy objects (otherwise policy re-publishes it into every client's trusted root store)

Remove the root CA certificate from the trusted root certificate store


Delete the certificates issued by the root CA

Properly removing a subordinate CA:

The subordinate CA's certificate should be revoked by its issuer and the issuer's CRL republished, so that every certificate the subordinate issued stops chaining to a trusted root
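The CA hierarchy (offline root, enterprise subordinate), CRL publication and the two removal procedures above, together with the CRL-caching rule from the Optimizations slide, as an added Python model that is not part of the training deck and not Windows or CryptoAPI code. Certificates and CRLs are plain records rather than parsed X.509; the CA names, serial numbers, dates and the 24-hour CRL lifetime are assumptions chosen to match the slides.

```python
"""Chain building with a trust store and a CRL cache, modelling the hierarchy,
revocation and CRL-caching behaviour described in this section. Constructed
example: certificates and CRLs are dataclasses, not parsed X.509, and every
name, serial and date below is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    is_ca: bool = False


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime      # end of the CRL's lifetime
    revoked: FrozenSet[int]    # serials this issuer has revoked


class CrlCache:
    """A fetched CRL is reused until its next_update passes, then fetched
    again from the CDP: the caching rule the slides describe."""

    def __init__(self, cdp: Dict[str, Crl]):
        self.cdp = cdp                  # issuer -> CRL currently published at its CDP
        self._cache: Dict[str, Crl] = {}

    def get(self, issuer: str, now: datetime) -> Crl:
        crl = self._cache.get(issuer)
        if crl is None or now >= crl.next_update:
            crl = self.cdp[issuer]      # "download" from the CDP
            self._cache[issuer] = crl
        return crl


def build_chain(leaf: Cert, intermediates: List[Cert],
                trust_store: List[Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf until a certificate in the trust
    store is reached; returns [leaf, ..., root] or None."""
    by_subject = {c.subject: c for c in intermediates + trust_store}
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur not in trust_store:
        parent = by_subject.get(cur.issuer)
        if parent is None or parent.subject in seen:
            return None
        chain.append(parent)
        seen.add(parent.subject)
        cur = parent
    return chain


def validate(leaf: Cert, intermediates: List[Cert], trust_store: List[Cert],
             crls: CrlCache, now: datetime) -> Tuple[bool, str]:
    chain = build_chain(leaf, intermediates, trust_store)
    if chain is None:
        return False, "no path to a trusted root CA"
    for cert in chain:
        if not cert.not_before <= now < cert.not_after:
            return False, f"{cert.subject} is outside its validity period"
    for cert in chain[1:]:
        if not cert.is_ca:
            return False, f"{cert.subject} is not a CA"
    for cert in chain[:-1]:             # everything below the trust anchor is checked
        crl = crls.get(cert.issuer, now)
        if cert.serial in crl.revoked:
            return False, f"{cert.subject} (serial {cert.serial}) revoked by {cert.issuer}"
    return True, "chain valid"


def run_scenario() -> Dict[str, Tuple[bool, str]]:
    """Offline root -> enterprise issuing CA -> user certificate, then the
    root-removal case and the revocation-latency effect of the CRL cache."""
    t0 = datetime(2019, 8, 6, 9, 0)                  # assumed clock
    day, year = timedelta(hours=24), timedelta(days=365)
    root = Cert("CN=Corp Offline Root CA", "CN=Corp Offline Root CA", 1,
                t0 - 2 * year, t0 + 10 * year, is_ca=True)
    issuing = Cert("CN=Corp Issuing CA", root.subject, 2, t0 - year, t0 + 5 * year, is_ca=True)
    alice = Cert("CN=alice", issuing.subject, 1001, t0 - timedelta(days=30), t0 + year)

    published = t0 - timedelta(hours=1)               # both CAs published a CRL an hour ago
    cdp = {root.subject: Crl(root.subject, published, published + day, frozenset()),
           issuing.subject: Crl(issuing.subject, published, published + day, frozenset())}
    cache = CrlCache(cdp)
    results = {"healthy": validate(alice, [issuing], [root], cache, t0)}

    # Removing the root from the root store breaks trust at once, cache or no cache.
    results["root_removed"] = validate(alice, [issuing], [], cache, t0)

    # The root revokes the issuing CA and publishes a new CRL at t0 + 1h ...
    revoked_at = t0 + timedelta(hours=1)
    cdp[root.subject] = Crl(root.subject, revoked_at, revoked_at + day, frozenset({issuing.serial}))
    # ... but clients keep using the cached root CRL until it expires at t0 + 23h.
    results["five_minutes_after_revocation"] = validate(
        alice, [issuing], [root], cache, revoked_at + timedelta(minutes=5))
    results["after_cache_expiry"] = validate(alice, [issuing], [root], cache, t0 + day)
    return results


if __name__ == "__main__":
    for case, (ok, why) in run_scenario().items():
        print(f"{case:32s} {'OK  ' if ok else 'FAIL'} {why}")
```

The last two cases are the point of the 24-hour recommendation: the subordinate CA revoked at 10:00 is still accepted by every client that holds a cached root CRL until that CRL's next update, so the CRL lifetime bounds the revocation latency. Shortening it trades that window for more CDP traffic; removing the root from the root store, by contrast, takes effect on the next chain build.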


DSSTORE Tool

Included in the Windows 2003 Resource Kit.

Provides the following abilities:

Force auto-enrollment events

Manage and verify certificates

List certificates in the enterprise

Troubleshoot certificate chains


    Wireless Networking


Wireless networking: any networking that doesn't use a wire.

Radio waves: electromagnetic waves that travel through the air and are used to carry signals back and forth between your device and an access point (in both directions).


Access points: network nodes connected directly to a wired local area network (the bridge between air and wire).

Wireless adapters ("wireless ports"): devices that you plug into a computer to enable a wireless connection

-- PCMCIA wireless cards for portables

-- PCI and USB adapters for desktops

* Some computers nowadays come with these devices already built in.


Used for portables: PCMCIA wireless card (figure)


Used for desktops: PCI adapter (inside the case) and USB adapter (outside) (figure)


    Common Types of Wireless Networking

    IrDA

    Bluetooth

    IEEE 802.11


IrDA

Established in 1993

Cheap

Infrared connection (same basic technology as is used in a TV remote control)

Low power

Very short range (3 - 6 ft)


Bluetooth

Introduced in 1998

Emerging replacement for IrDA to connect peripherals/devices to computers or cell phones

Can connect up to 8 devices

Very low power

Short range (typically within a room)


IEEE 802.11

Multiple flavors (802.11a, b & g)

802.11b was the first widespread technology.

802.11g is the latest of the three; it offers the same data rate as 802.11a but uses the same frequency band as 802.11b.


Uses for Wireless Networking

Connecting mobile professionals/workers to company networks and to the Internet (instant data when you need it):

-- Store clerks doing inventory

-- Store clerks helping customers get more information on a product

-- Airport gate personnel getting information on plane status and passengers

-- Managers in a meeting room sharing information


WLANs

Wireless networks come in three major modes:

Ad hoc

Infrastructure

Hybrid


Ad hoc

Ad hoc mode refers to a wireless peer-to-peer network: that is, a network in which each device (usually a PC) connects via wireless radio to every other PC directly.

The primary technical distinction between ad hoc and infrastructure networks is that infrastructure networks use an access point, while ad hoc networks do not.

You connect each PC as you require it, but in a completely non-centralized way; with no access point there is also no central point at which to authenticate joining devices or to apply a common security policy.


(figure: ad hoc mode topology)


Infrastructure

Infrastructure mode refers to a wireless network controlled through a wireless access point that generates the signals for the individual devices to read through their wireless network adapters.

The access point acts as a central traffic cop for the signals, and because you place it physically for the best possible reception, it provides more reliable connectivity than ad hoc networks. It is also the natural place to enforce authentication and encryption for every client that joins.


(figure: infrastructure mode topology)


Hybrid mode

Hybrid mode consists of a combination of ad hoc and infrastructure networks.

In this mode, you create an infrastructure network, and you then create ad hoc networks among the devices connected to the infrastructure.

Hybrid mode maximizes the bandwidth of a wireless network by relieving the access point of the need to handle all traffic; instead, PCs transmit data to one another when possible, leaving the access point free to relay data to and from the wired LAN and to other access points.


(figure: hybrid mode topology)


Wireless Security

Wireless security is very important!

Why is it important?

-- to control who is allowed in

-- to prevent eavesdropping

Two mechanisms for enforcing security:

-- Authentication (who are you?): only identified devices or users are allowed to join

-- Encryption: traffic is encoded so that anyone within radio range but without the key cannot read it

Both are needed: authentication alone leaves every frame readable to anyone in range, and encryption under a key that everyone shares gives no control over who joins.


IEEE Standards

IEEE 802.11 comes in multiple flavors (802.11a, b & g); the three are compared below.


IEEE 802.11b, a & g

802.11b
Speed: 11 Mbps
Range: 100 - 150 feet indoors
Frequency: 2.4 GHz, a band already crowded with cordless phones
Acceptance: hot spots are already established using b; equipment is readily available

802.11a
Speed: 54 Mbps
Range: 25 - 75 feet indoors
Frequency: 5 GHz, an uncrowded band
Acceptance: more common in corporate and office environments

802.11g
Speed: 54 Mbps
Range: 100 - 150 feet indoors
Frequency: 2.4 GHz, still a crowd of cordless phones and microwaves
Acceptance: g is compatible with the specs for b, meaning it can be used on a network based on b or g versions


Uses of Wireless Networking

Connecting mobile machines to support or service centers:

-- Elevators (Kone has 100,000 elevators in Florence under service contract)

-- Cars (airbag discharged)

-- Vending machines

-- Tracking movement and status of big, expensive machines (forestry logging equipment, ...)


Uses of Wireless Networking

Making all of our lives easier and better:

-- Access to personal data and records while away from home

-- Entertainment

-- Use our computing devices throughout the house rather than just one spot

-- Microwaves do all of the work for you

-- Groceries get sent straight to your door


    ALL THE BEST