Reduce the Operational Risk When Defending the Open Network with Microsoft PKI

Introduction

Large organizations today rely on a secure and stable network to help ensure a sustained level of productivity among end users, remote users and systems. In an “open” network, where network resources exist inside and outside the corporate firewall, protection from malicious threats is a constant concern for system administrators. Proper identification, authentication, and authorization play an important role in the defense of open network resources such as Web sites, XML Web services, extranets, and remote access capabilities. The ability to distinguish valid users and devices from invalid ones depends on the successful planning and execution of a comprehensive network security plan that includes protection for resources at all levels of the network.

For decision-makers who have thought about deploying more rigid security measures, the choice of what to deploy and a plan of how to best integrate solutions into the existing environment can be complex. Public Key Infrastructure (PKI) security technologies, such as smart cards, machine certificates, wireless security, rights management services, and protected remote access, are all possible approaches to improving security and productivity while working to reduce the operational risk to the network.

A Microsoft® PKI solution allows network administrators to maintain a high level of security across open networks by using the most advanced security technologies, helping to ensure that only authorized users, machines, applications and services have access to sensitive data and network resources.

This paper:

  • Discusses the challenges inherent in securing the open network
  • Provides details about a secure solution: Microsoft PKI
  • Presents the benefits of implementing Microsoft PKI with your Microsoft Windows Server™ 2003 infrastructure.

Readers should be familiar with Microsoft Windows® networking technology in a server/client environment, and should understand related technologies, including Active Directory® Domain Services (AD DS) and Group Policy features.

Protecting an Open Network

One of the greatest challenges to a system administrator of an open network is ensuring that network resources are available to the users and systems that need them, while managing the risk to the network. While PKI technologies can ease the task of securing these networks, most existing PKI projects focus on only two areas: employee identification and authentication, and Web servers that use Secure Sockets Layer (SSL) certificates. Relying only on employees and contractors to follow security protocols can be complicated and risky; it is unrealistic in today’s network environments and does not address all the areas of risk to a network. Traditional, manual processes for managing access to a large network are also becoming outdated, cumbersome to maintain and slow to respond to changes in the network.

The following sections discuss the security issues related to more traditional means of network security and outline the network requirements needed for a Defense in Depth approach to securing today’s open networks.

Limitations of Traditional Network Security

As connectivity to the corporate network becomes ubiquitous, the task of distinguishing authorized users, devices and applications from unauthorized ones becomes more and more difficult. While strong password policies, firewalls, and other traditional security measures provide a layer in Defense in Depth, they do not address all areas of risk.

Corporate firewalls. Firewalls are extremely effective for blocking malicious scripts that take advantage of open ports and unmonitored network resources. However, when users need connectivity to resources that exist inside and outside the firewall, basic border security doesn’t provide the flexibility needed to effectively defend against internal threats and unauthorized users. Firewalls are essential to network protection, but more comprehensive methods of providing security for resources that exist inside and outside the network are necessary.

Computer security requirements. Relying on end users to maintain security policies is fragile at best. Users, when presented with a security choice, will invariably select the choice that lets them complete their assigned task, which is not always the secure choice. For instance, users who have access to multiple network resources are often required to create different passwords to access each one. Often, this leads end users to choose passwords that are easy to remember, and easy to exploit.

Access for remote users. For workers who connect from offsite locations, secure data transmission is essential. A traditional virtual private network (VPN) can provide a secure and reliable method of transmitting data. However, for organizations that want to take advantage of the increasing availability of broadband networking sources, a more secure option is desired: one that encompasses multiple levels of security and provides security settings equal to those of internal network sources.

Wireless connectivity. 802.11b wireless networks give users the freedom of broadband networking without the limitations of wired connections. This can provide an organization with large gains in user productivity, but it must be implemented and managed in a way that reduces the risk to the network. In its most basic form, a wireless transmission is open to anyone who has the hardware and software to receive that information. Wireless security protocols and encryption methods, such as Wired Equivalent Privacy (WEP), encrypt wireless transmissions to protect them from unauthorized recipients. However, this simple encryption is not strong enough to deter hackers from breaking static WEP keys on protected wireless networks.

Machine certificate technology and policies. Through the Web or over an internal network connection, machine certificates provide a secure method of controlling access to a network for authorized devices and users. However, the administrative issues around requesting and installing certificates, and tracking their expiration and renewal, are barriers to their widespread adoption. If certificates are not monitored and expire at the end of their lifetime, access to trusted sites can be denied and authentication processes can fail, causing increases in support desk calls and losses in productivity.

Security Solution Requirements

Today, a Defense in Depth approach to network security is a best practice, and one area to incorporate is a PKI that extends beyond user authentication and SSL. For networks with multiple resource types, a security infrastructure that efficiently protects all resources should be in place. The following list identifies elements of a successful network security solution that help reduce the risk to the network.

  • Multiple layers of security. A secure network should encompass multiple levels of security to secure all network resources, including domain access and control, e-mail, extranets and Web sites, and remote and wireless connectivity.
  • Security for server and client computers. Network security should be implemented at all levels of the network. Authentication to ensure users and computers are valid members of the network should occur at multiple levels of the logon process. After a user is properly authenticated, user privileges should propagate as that user accesses different parts of the network.
  • Secured lines of communication. The Internet is a cost-effective way of transmitting data from point to point, but security on open lines is minimal. Open standards such as Internet Protocol Security (IPSec) and SSL certificates allow organizations to secure their networks from outside intrusion by encrypting data and securing the lines that carry the data.

For e-mail communication, rights-management and S/MIME software in applications such as Microsoft Outlook allows e-mail messages and attachments to be protected against access by unauthorized users.

  • Protection for remote and wireless connections. VPN connections can be made more secure by adding multiple layers of identification and authentication. For machines, this entails issuing machine certificates that allow managed devices to be identified; for users, it entails two-factor identification and authentication. Two-factor authentication requires the end user to present something they have and something they know (the smart card and the PIN).

Wireless connections can take advantage of the 802.1X security protocol, which enhances WEP. Wireless access to network resources is vulnerable when WEP keys are not changed on a frequent basis because static WEP keys give hackers time to work on breaking the keys. Instead, WEP keys should be dynamically allocated to reduce this risk.

  • Security that is easy to update and manage. With a centralized point of network management, network administrators would have greater control and visibility of threats to network resources.

Machine certificates should be renewed automatically, without the need for end-user or administrator intervention. When system administrators handle requests and renewals manually, the risk of unobserved machine certificate expiration increases dramatically, leading to additional calls to the support desk.

Solution: Microsoft PKI

System administrators can implement Microsoft PKI within an existing network or third-party PKI to provide a multi-dimensional security solution. This section outlines the technical details of Microsoft PKI, including how it works, and offers illustrations of the technology in common organization scenarios.

How Microsoft PKI Works

Built into the Microsoft Windows Server family starting with Windows 2000, Microsoft PKI has features to help an organization implement a new public key infrastructure or extend an existing PKI. Microsoft PKI, through Active Directory Certificate Services (AD CS), includes certificates, certificate templates, certificate services, certificate enrollment, Web enrollment pages, smart card support, and public key policies. Since AD CS is integrated with Active Directory Domain Services, administrators can use Group Policy Objects (GPOs) to affect the CA’s operation. For example, a certificate template can be configured for machine authentication that supports auto-enrollment and renewal. Once this is configured using GPOs and CA templates, every machine in the forest can request, receive and install a certificate that identifies the machine without needing any action by administrators or end users. This removes the issues identified earlier in this document around large-scale use of machine certificates, and can provide significant cost avoidance in the area of internal SSL certificates.

The following sections explain how certificate technology, Active Directory, and Group Policy features help system administrators implement a multi-level security infrastructure that helps meet the security demands of an open network.

Certificate services

Microsoft PKI allows organizations to implement the most advanced machine certificate technology available. Microsoft PKI uses the X.509v3 certificate format. This means that an X.509 certificate can include:

  • Information about the end user or entity to which the certificate is issued
  • Information about the certificate’s purpose and usage
  • Optional information about the certification authority issuing the certificate.

Microsoft PKI also supports the issuance of certificates onto smart cards for two-factor authentication. This provides an extra level of security for network identification and authentication of users and administrators.

IPSec support

Microsoft PKI also supports the issuance of certificates for IPSec. IPSec provides an encrypted data stream for all Transmission Control Protocol/Internet Protocol (TCP/IP) connections between two points in the network. Computers accessing the network from outside the firewall can use Layer Two Tunneling Protocol (L2TP) technology to secure these connections. These technologies ensure that sensitive data is protected and data integrity is maintained for users inside and outside the network. By using certificates, the administrative and scalability issues experienced with a shared-secret implementation are removed.

Encrypted e-mail communication

Users can protect e-mail messages sent using Microsoft Office Outlook by using issued certificates for S/MIME. Additional policy can be managed and enforced by using Microsoft Windows Rights Management Services (RMS). RMS can be applied to content that is then included in an S/MIME message, delivering two layers of protection. RMS can protect e-mail messages from being viewed, shared, or sent to unauthorized users. RMS-protected data is encrypted and can only be accessed by recipients who have the proper security privileges.

Wireless security

Administrators can protect 802.11b wireless connections by using the 802.1X protocol to block any network activity until the machine and user have been successfully authenticated. The use of a machine certificate allows system administrators to set up a wireless network that generates WEP keys dynamically. The WEP keys are changed at the beginning of each new network session, at scheduled time intervals, and as the user roams between access points. Because authentication is handled by certificates, the changes in wireless security are transparent to the end user.

Centralized management features

Microsoft PKI easily integrates with existing Windows network administration technologies, such as Active Directory and Group Policy Objects. System administrators can easily manage and distribute certificates to employee computers and domain controllers.

Auto-enrollment and renewal features in Microsoft PKI greatly reduce the administrative burden of deploying machine certificates. Examples of machine certificates that would otherwise have to be managed manually include Domain Controller, machine authentication and internal SSL certificates. Auto-renewal ensures that certificates never unintentionally expire.
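As an added example (not from the original paper or from Microsoft's tooling), the PowerShell below inventories the local machine certificate store, flags certificates inside an assumed 30-day expiry window, and shows which ones carry a certificate-template extension, meaning they were issued from an enterprise CA template and can be covered by auto-enrollment. The `$WarnDays` threshold, the helper function names and the report column names are assumptions chosen for illustration.

```powershell
# Added example: audit machine certificates for upcoming expiry.
# Run in an elevated PowerShell session on the host being checked.
param(
    [int]$WarnDays = 30   # assumed warning window; align it with your renewal policy
)

# OIDs of the Microsoft extensions that record the issuing certificate template.
$TemplateOids = @(
    '1.3.6.1.4.1.311.21.7',  # Certificate Template Information (version 2+ templates)
    '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (version 1 templates)
)

function Get-TemplateInfo {
    # Returns the formatted template extension, or $null if the certificate has none.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { $null }
}

function Get-ExpiryStatus {
    # Classifies a certificate by the number of whole days left before NotAfter.
    param([int]$DaysLeft, [int]$Threshold)
    if ($DaysLeft -lt 0) { 'EXPIRED' }
    elseif ($DaysLeft -le $Threshold) { 'EXPIRING' }
    else { 'OK' }
}

$now = Get-Date
$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
    $template = Get-TemplateInfo -Cert $_
    [pscustomobject]@{
        Status         = Get-ExpiryStatus -DaysLeft $daysLeft -Threshold $WarnDays
        DaysLeft       = $daysLeft
        NotAfter       = $_.NotAfter
        Subject        = $_.Subject
        TemplateIssued = [bool]$template
        Template       = $template
        Thumbprint     = $_.Thumbprint
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize -Wrap

# Certificates near or past expiry that carry no template extension are the
# ones auto-enrollment will not renew; they still need manual tracking.
$atRisk = @($report | Where-Object { $_.Status -ne 'OK' -and -not $_.TemplateIssued })
if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) certificate(s) near or past expiry have no template extension and need manual renewal."
    exit 1
}
```

The non-zero exit code lets a scheduled task or monitoring agent raise an alert before users see certificate errors.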

Scenarios

This section provides scenario-based descriptions that illustrate how Microsoft PKI can protect network resources by using advanced PKI authentication techniques.

Scenario 1: IPSec-enabled communication

System administrators set up networks that authenticate packet transmission and check data integrity from each point of connection. If user account and password information is obtained by an unauthorized user, basic network security will be compromised. Using IPSec, administrators can reduce the attack surface on servers and client machines by requiring both participants in the communication to support IPSec, encrypting data streams between internal network connections. Data streams between computers inside the firewall are still protected against internal attacks. Machine certificates ensure that network connections are established only with authorized computers. When an employee accesses the network, that person’s computer must be identified as a managed device and authenticated. This means that, when an unauthorized person is able to gain access to the network using stolen account information on a computer that doesn’t have an authorized machine certificate, the user would be unable to access network resources.

Scenario 2: Secured Remote access

As the number of public broadband connections continues to expand, organizations can provide additional levels of service and access to remote and mobile users, which delivers additional productivity gains. Because most of these connections offer little or no protection against malicious attacks that originate from the Internet or on the host’s internal network, additional security measures are necessary. For workers who connect from locations outside of the physical network, administrators can secure communication to internal network resources by using Microsoft PKI. In order to secure connections between remote users and the internal network, Microsoft PKI offers advanced VPN access options with both hardware- and software-based security.

In this case, a person working remotely logs in to their managed computer. They then establish a VPN connection to the organization’s network using multiple authentication steps: one is two-factor authentication (smart card login), and the second is machine authentication. The smart card provides two-factor identification and authentication of the end user, while the machine certificate identifies the origin point as a managed device. These security measures help ensure only authorized users and managed devices have access to network resources.

Scenario 3: Wireless connectivity

In a basic wireless local area network (WLAN) setup, access to the network is gained with a valid WEP key. With the 802.1X protocol implemented at the wireless access point (AP), admission is granted using Active Directory authentication methods. A WLAN can be even better protected using the 802.1X protocol working with a Microsoft PKI infrastructure. In this case, when a user is working off of a wireless AP that is connected to the network, the computer with wireless capability authenticates against an authentication server that supports Remote Authentication Dial-In User Service (RADIUS). This process is used to confirm both certificate and user validity. Even with a valid WEP key, unauthorized users are denied access to the network if machine and user information cannot be authenticated.

To make accessing valid WEP keys more difficult for unauthorized users, system administrators should set up dynamic WEP keys that change when a user first connects to the network, at timed intervals, and when the user roams from one AP to another. Because this key changing is transparent to the user, their productivity is not impacted.

 

Benefits

Microsoft PKI offers an easy, cost-effective way to implement and manage advanced security technologies that allow organizations to deliver additional defense in depth to protect their networks against intrusions. The solution offers system administrators stronger security and greater visibility of network resources as well as simplified management.

Strong Security

Offering multiple levels of security, Microsoft PKI supports the most advanced security and authentication technologies:

  • Machine certificate technology provides a way of identifying managed devices that should be allowed access to the network, going beyond just authenticating valid users through password authentication and firewalls.
  • Support for IPSec and L2TP protocols ensures integrity of data transmissions inside and outside the network.
  • Smart card and VPN software work together to provide a layer of authentication that surpasses traditional border security, allowing greater access of network resources to remote users.
  • 802.1x security allows for authentication-based wireless security.

In addition, with Microsoft PKI, administrators can deploy, integrate and manage multiple PKI-based security technologies into existing systems, and have the ability to scale when necessary. 

Simplified Administration

Microsoft PKI works with Active Directory Domain Services and Group Policy Objects to provide system administrators trouble-free management of network security. Certificates can be issued based on individual or group privileges, using certificate templates, and renewal processes are automatic. Simplified and automated administration also means that security requirements for workers are less demanding; end users do not have to be responsible for certificate renewals or certificate management. Administrators are freed from having to request, track and renew certificates. This cost avoidance is especially visible for internal SSL certificate use. Usually the first indication of an SSL certificate expiring is calls to the support desk because users have been presented with a message about the site’s certificate not being valid. This costs an organization time and resources and causes undue end-user confusion and frustration. Auto-enrollment and renewal alleviate this issue.

Cost-Effective Implementation

A Microsoft PKI infrastructure can be implemented without licensing costs when running Windows Server 2003 or later and Active Directory. The technology is built into the Windows Server System™, as Active Directory Certificate Services (AD CS), which gives system administrators the freedom to use the technology within existing systems, with no need for certificate costs or third-party hardware and software.

In addition, Microsoft PKI saves organizations time in deployment because the software required for implementing PKI technologies is already installed on all Windows Server 2003-based server and client machines.

 

Conclusion

Microsoft PKI allows organizations to increase network security cost-effectively and easily. Often, organizations need a more comprehensive security solution when demands of the network become more complex. Because the technology already exists as part of Windows Server 2003, client machines, remote access, and wireless connectivity can be better protected using more advanced authentication features.