Secure Network Connectivity

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Abstract

Organizations of all sizes want secure network connectivity to their business data and applications. The need to connect and collaborate with partners, customers, and remote/mobile employees anytime and anywhere has expanded network connectivity requirements beyond traditional wired Local Area Networks (LANs) to include dial-up remote access, virtual private networks (VPNs), and wireless networks. To enable greater access to the network and higher productivity, customers must address issues around security, management complexity, and cost. With Microsoft® Windows® 2000, Windows XP, and Internet Security and Acceleration (ISA) Server 2000, administrators can provide secure and integrated network connectivity to business-critical applications and data.

On This Page

Introduction
Challenges in Secure Network Connectivity
Solutions for Secure Network Connectivity
Conclusion

Introduction

Enterprises are competing globally to provide access to information, to enhance productivity, and to deliver services quickly—all at the lowest possible cost. The ability to communicate and collaborate with partners, suppliers, customers, and employees anytime and anywhere is now a requirement. Gone are the days when only a selected group of people had network access to business applications and data.

The advent and acceptance of new computing technologies and the Internet have changed the way information is stored, accessed, and shared. Companies have implemented a more open and distributed information model resulting in benefits that include:

  • Increased Employee Productivity: Enables employees to be flexible, make better decisions, and respond quickly to the changing demands of the marketplace by providing secure access to the information they need anywhere at anytime.

  • Lower Cost: Decreases costs and increases efficiency by safely leveraging the power of collaboration and network connectivity.

  • Integrated Business Processes: Increases sales by enabling closer relations with customers and partners through secure communications and collaboration.

To take advantage of these benefits, companies need a secure IT infrastructure that can minimize security risks and decrease the costs of security management and operations. This paper is one of a series of three papers:

  • Secure Network Connectivity presents Microsoft's offering for ensuring secure access to corporate information assets from within an organization, or externally from the Internet.

  • Identity Management presents Microsoft's offering for managing user access to all corporate information assets.

  • Security Management and Operations presents Microsoft's offering for managing the people, technology, and process aspects of security.

The Need for Secure Network Connectivity

The need to connect and collaborate with partners, suppliers, customers, and employees anytime and anywhere has expanded network connectivity requirements beyond traditional wired Local Area Networks (LANs) to include dial-up remote access, virtual private networks (VPNs), and wireless networks. When addressing secure network connectivity, administrators need to consider the following:

  • Security: Employees not only work from corporate offices, but also from branch offices, home offices, or from the road. Providing remote connectivity requires solutions that are secure, standards-based, and manageable.

  • Management complexity: Many vendors offer dedicated product solutions with little integration with other products and infrastructure. Setting up wireless clients with centralized authentication and policies can be a challenge unless there are integrated solutions.

  • Lowering cost: Secure networking can be expensive if there are multiple products and technologies with separate licensing, support contracts, and training. For example, a secure VPN implementation may require a separate certificate authority for PKI, a separate authentication model, client-side software, and additional server gateways and firewalls.

By addressing these key secure connectivity challenges, organizations can achieve greater employee productivity, decrease costs, and improve business integration.

Challenges in Secure Network Connectivity

Security

Whereas the LAN once formed a de facto security boundary, it is now common for companies to open parts of their internal networks to suppliers, business partners, and other stakeholders. By providing greater network access, companies will need to increase their level of security to safeguard against unauthorized access and usage of internal assets. Security challenges to consider include:

  • Security procedures and policies that are adequate to protect LAN data may be ineffective when the network is opened to outsiders.

  • Weak authentication used on external networks can compromise network entry points and allow unauthorized access.

  • Sensitive data sent over the Internet or wireless networks can be compromised without the proper level of encryption.

  • Application-aware firewalls are necessary to ensure traffic is filtered before being allowed onto the internal network since hackers are now using more sophisticated application-layer attacks.

Management Complexity

Expanding network connectivity brings a set of technology and process management challenges that make it difficult for administrators to provide a centralized and consistent approach to network access. Management challenges to consider include:

  • Consistent network access control: This requires synchronizing and managing across multiple network access points such as Internet, extranets, leased lines, wireless LANs, VPN and dial-up access, etc.

  • Access policies: Different users require different levels of access rights and permissions. Administrators should consider enforcing policies based on identity, time, location, and device type.

  • Single authentication model: A single method for authentication regardless of the type of access (dial-up, wireless, VPN, etc.) is highly desired for ease of management.

Lowering Cost

Providing secure network access can increase employee productivity and expand business integration; however, deploying, managing, and maintaining the necessary network access can be costly. Cost challenges to consider include:

  • Administrators will spend significant time and effort if each access method has to be managed separately with separate authentication and access control databases.

  • Security systems are frequently expensive to acquire, difficult to manage, and obtrusive to end users' workflow. This may encourage users to find ways to circumvent systems, or administrators to minimize their safeguards, leading to less security instead of more.

  • In systems with distributed authentication databases, customers and partners who need access to data may be forced to wait while the network staff creates and manages their credentials, leading to productivity loss.

Solutions for Secure Network Connectivity

Microsoft® Windows 2000 Server, with its rich feature set that includes Active Directory®, Certificate Services, and RRAS (Routing and Remote Access Service), in combination with other Microsoft products such as Windows XP, ISA Server, and Microsoft Exchange, provides the foundation that companies can use today to deliver secure network communications to employees, partners, and suppliers. These technologies and products work together to provide three fundamental capabilities that help deliver secure communications and address business concerns around security, management complexity, and cost.

Securing the Network Perimeter

The network access points of corporate networks must be secured against hackers and unauthorized access. Blocking traffic and shutting down ports are not sufficient or feasible in an Internet-connected organization: the ports that must stay open (HTTP, SMTP) are exactly the ones that application-layer attacks travel over. Security solutions that "look inside" network traffic to validate application-specific requests mitigate this risk. ISA Server, Microsoft's enterprise firewall, provides organizations with the stateful packet inspection and application-layer firewall protection required to protect against today's sophisticated attacks. With ISA Server's application-level filtering technology, attacks such as Code Red and Nimda, which arrive as malformed or overlong HTTP requests on port 80, can be stopped at the firewall before entering company networks.
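To make the "look inside" idea concrete, the following is an added example, not ISA Server code, of the kind of application-layer checks a web filter applies to the HTTP request line before it reaches IIS. The policy values (allowed methods, URL length limit, blocked extensions) and the sample request lines are constructed for the example; the shapes they block correspond to the request forms the Code Red (.ida with an overlong query) and Nimda (cmd.exe, root.exe, overlong-UTF-8 traversal) worms used.

```python
"""Application-layer inspection of HTTP request lines.
Added example, not ISA Server code.  Policy values and sample requests are
constructed for illustration."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LEN = 256                       # constructed policy limit
# Constructed policy: extensions this site never serves.  .ida/.idq were the
# Index Server ISAPI mappings Code Red abused; .exe/.dll covers cmd.exe and
# root.exe style requests seen from Nimda.
BLOCKED_EXTENSIONS = {".ida", ".idq", ".exe", ".dll"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def inspect_request_line(line):
    """Return (allowed, reason) for one HTTP request line."""
    m = REQUEST_LINE.match(line)
    if not m:
        return False, "malformed request line"
    method, url = m.groups()
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    if len(url) > MAX_URL_LEN:
        # Overlong URLs are how buffer-overflow payloads such as Code Red's
        # .ida request arrive; refuse them before any parser sees them.
        return False, "url length %d exceeds %d" % (len(url), MAX_URL_LEN)
    path = url.split("?", 1)[0]
    raw = unquote_to_bytes(path)        # undo percent-encoding once, as bytes
    try:
        decoded = raw.decode("utf-8")   # strict: overlong forms like %c0%af fail here
    except UnicodeDecodeError:
        return False, "invalid or overlong UTF-8 in path"
    if "%" in decoded:
        # A second layer of encoding survived decoding: double-encoding evasion.
        return False, "double-encoded path"
    normalized = decoded.replace("\\", "/")   # IIS treats backslash as a separator
    if ".." in normalized.split("/"):
        return False, "directory traversal"
    ext = posixpath.splitext(normalized)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, "extension %s blocked by policy" % ext
    return True, "ok"


# Constructed sample request lines, roughly what a perimeter web filter saw in 2001.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "POST /exchange/ HTTP/1.1",
    "GET /docs/file%20name.htm HTTP/1.1",
    "GET /default.ida?" + "N" * 300 + "%u9090%u6858 HTTP/1.0",        # Code Red shape
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",  # Nimda shape
    "GET /scripts/root.exe?/c+dir HTTP/1.0",                           # Nimda shape
    "GET /images/..%5c..%5cwinnt/win.ini HTTP/1.0",
    "GET /a/%252e%252e/secret HTTP/1.0",
    "TRACE / HTTP/1.1",
]


def filter_requests(lines):
    """Apply the inspection to each line; returns [(line, allowed, reason)]."""
    return [(line,) + inspect_request_line(line) for line in lines]


if __name__ == "__main__":
    for line, allowed, reason in filter_requests(SAMPLE_REQUESTS):
        print("%-5s %-34s %s" % ("ALLOW" if allowed else "DENY", reason, line[:60]))
```

The order of the checks matters: length and method are tested on the raw line, decoding happens exactly once, and the traversal and extension tests run on the decoded, separator-normalized path, so an attacker cannot hide a blocked name behind encoding that the web server would later undo.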

ISA Server is administered through the Microsoft Management Console (MMC) and integrates with Active Directory, so a single directory can validate and manage all access requests for application data or services. This enables consolidation of access control and authorization policy in a centrally managed, replicated, and secure repository. ISA Server is also designed to work with Microsoft Exchange 2000 and Internet Information Services (IIS) to provide fast and secure access to e-mail and web content.

Providing Strong Authentication and Encryption

Accessing the corporate network requires administrators to enforce strong authentication to validate identity as well as provide strong encryption to prevent data from being communicated "in the clear". Whether using VPN or wireless LANs, Microsoft's Windows 2000 and Windows XP provide the authentication and encryption infrastructure to enable secure connectivity.

With the Windows 2000 built-in VPN server and the Windows XP VPN client, organizations can take advantage of secure, standards-based VPN directly "out of the box". Because Microsoft supports VPN standards such as L2TP/IPSec and smart card authentication, organizations have access to the encryption, authentication, and interoperability that best meet their VPN security needs.

While VPNs are often used to encrypt traffic over the Internet between users and the corporate network, encryption can also be implemented between any Windows 2000, Windows Server 2003, and Windows XP machine. Since Microsoft has full standards-based support for the IPSec security extensions, organizations can provide robust encryption of all network traffic, without requiring cumbersome changes to deployed applications, servers, or network hardware.

In addition to strong encryption, authentication requirements can be met through Windows 2000 support for the IEEE 802.1X standard for port-based network access control. Combined with an EAP method such as EAP-TLS, this allows network clients and the authentication server to verify each other using digital certificates before the switch or access point port is opened. Because an unauthenticated device never gets a usable port, 802.1X stops interlopers at the link layer, before they are on the network at all, rather than relying on detecting their activity afterwards.

Companies that want to build an integrated authentication system that securely authenticates users against a single directory, regardless of the access method or device they are using, can take advantage of Windows 2000's Internet Authentication Service (IAS). This built-in industry-standard RADIUS server interoperates with network access devices from a multitude of vendors.

Securing Wireless Access

In addition to adding remote access connectivity, customers are also exploring wireless LANs to provide their mobile laptop users with anytime, anywhere access. Authentication and encryption concerns, as well as the well-known weaknesses of WEP, the encryption defined in IEEE 802.11b, have slowed the adoption of wireless LANs. Microsoft has tackled the WLAN security problem in Windows 2000 and Windows XP by working within the 802.1X standard to support EAP-TLS (Extensible Authentication Protocol – Transport Layer Security). EAP-TLS provides certificate-based, mutual authentication between the client and the authentication server; the access point only relays the exchange. This counters the rogue access point threat, because the client will not complete the TLS handshake with a server whose certificate it does not trust, and the keying material derived from that handshake supports dynamic per-session keys, which minimizes the key theft problem of static WEP keys. EAP can also be used with smart cards and biometric authenticators to provide added security.
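The 802.1X, IAS, and EAP-TLS paragraphs above all rest on the same plumbing: the switch or access point (the 802.1X authenticator) wraps the client's EAP messages in RADIUS Access-Request packets to the IAS server, and each side authenticates those packets with a shared secret. The following is an added example, not Microsoft or IAS code, that shows that framing and the two checks each side performs: the Message-Authenticator (HMAC-MD5, RFC 2869) that must accompany EAP-Message attributes, and the Response Authenticator (MD5, RFC 2865) on the reply. The user name, the shared secrets, and the EAP payloads are constructed; a real EAP-TLS exchange would carry several Access-Challenge round trips before the final Access-Accept.

```python
"""EAP-over-RADIUS framing between an 802.1X authenticator (access point) and
a RADIUS server such as IAS, per RFC 2865/2869.  Added example, not Microsoft
code; user name, shared secrets and EAP payloads are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HDR = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """RADIUS attribute = Type(1) Length(1, counting itself) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator


def message_authenticator(code, ident, req_auth, attrs, secret):
    """HMAC-MD5(secret, packet) with the Message-Authenticator value set to
    16 zero octets (RFC 2869 s5.14).  For replies the header carries the
    Request Authenticator of the Access-Request being answered."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    return hmac.new(secret, header(code, ident, HDR + len(body), req_auth) + body,
                    hashlib.md5).digest()


def response_authenticator(code, ident, req_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s3)."""
    return hashlib.md5(header(code, ident, HDR + len(body), req_auth) + body + secret).digest()


def build_access_request(ident, req_auth, attrs, secret):
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    return header(ACCESS_REQUEST, ident, HDR + len(body), req_auth) + body


def build_access_accept(ident, req_auth, attrs, secret):
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(ACCESS_ACCEPT, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    # The Response Authenticator is computed last, over the finished attribute list.
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, body, secret)
    return header(ACCESS_ACCEPT, ident, HDR + len(body), resp_auth) + body


def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], HDR
    while pos < length:
        t, n = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + n]))
        pos += n
    return code, ident, packet[4:HDR], attrs


def server_accepts_request(packet, secret):
    """Checks the RADIUS server makes before acting on an Access-Request."""
    code, ident, req_auth, attrs = parse(packet)
    got = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if code != ACCESS_REQUEST or got is None:
        return False  # requests carrying EAP-Message must include Message-Authenticator
    return hmac.compare_digest(got, message_authenticator(code, ident, req_auth, attrs, secret))


def nas_accepts_reply(packet, req_auth, secret):
    """Checks the authenticator (access point) makes on the server's reply."""
    code, ident, resp_auth, attrs = parse(packet)
    body = encode_attrs(attrs)
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, req_auth, body, secret)):
        return False  # wrong secret, or a reply not tied to our request
    got = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    return got is not None and hmac.compare_digest(
        got, message_authenticator(code, ident, req_auth, attrs, secret))


def exchange(nas_secret, server_secret, user=b"alice@corp.example"):
    """One round trip: the NAS relays an EAP Response/Identity, the server answers
    EAP Success.  Returns (server_accepted_request, nas_accepted_reply)."""
    req_auth = os.urandom(16)                                        # fresh per request
    eap_identity = struct.pack("!BBH", 2, 1, 4 + len(user)) + user   # EAP Response, id 1
    request = build_access_request(7, req_auth, [
        (USER_NAME, user),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (EAP_MESSAGE, eap_identity),
    ], nas_secret)
    if not server_accepts_request(request, server_secret):
        return False, False                                          # RFC 2865: silently discard
    reply = build_access_accept(7, req_auth, [(EAP_MESSAGE, b"\x03\x01\x00\x04")], server_secret)
    return True, nas_accepts_reply(reply, req_auth, nas_secret)


if __name__ == "__main__":
    print("matching secrets:", exchange(b"s3cret", b"s3cret"))
    print("wrong secret:    ", exchange(b"s3cret", b"wrong"))
```

The practitioner's caveat is visible in the code: the only thing protecting the RADIUS leg between the access point and IAS is the shared secret and MD5-based authenticators, which is why RADIUS clients should be registered with strong, per-device secrets and the authenticator-to-server path kept on a protected segment (or inside IPSec), while the client's identity proof rides inside the EAP-TLS handshake rather than in the RADIUS packet itself.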

Organizations can take advantage of Microsoft's technologies and products to enable: secure Internet connectivity, secure messaging, strong user authentication, VPN and wireless LAN access to corporate networks. All these solutions can be controlled by a common management interface and can be administered using Active Directory policies. This ensures consistent and complete application of policies to all access requests, regardless of where they originate.

Conclusion

To take advantage of the networked world, organizations must prevent unauthorized users from accessing their networks, and at the same time ensure that authorized users have access only to the assets they are authorized for. By providing advanced security technologies, common management, and lower cost through integrated solutions, Microsoft can enable businesses to take advantage of network connectivity.

Several organizations have already benefited from utilizing Microsoft's technologies to secure their network, including:

  • Silver Lake Partners, a leading private equity investment partnership, is using Microsoft's VPN solution to provide its employees secure remote access to their corporate network. Their employees can be as productive remotely as when they are at their desks. Moreover, with the Microsoft solution, setting up new user access takes 75 percent less time than their previous VPN solution; and novice users can connect to the private network by simply supplying their network credentials.

  • GKC Theaters installed Microsoft Internet Security and Acceleration (ISA) Server 2000 as an enterprise firewall to secure their network perimeter. GKC chose ISA Server because it provided state-of-the-art security, was 67 percent less expensive than competing products, and offered easy-to-use management tools.

    https://www.microsoft.com/resources/casestudies/casestudy.asp?casestudyid=12047

  • Novotel Offenbach, an Accor Group company, provides its hotel guests with hassle-free and fast access to the Internet through a wireless network accessible throughout the entire building. According to the hotel manager, "Because the Microsoft server products are so easy to configure, the project costs are surprisingly low."

    https://www.microsoft.com/resources/casestudies/casestudy.asp?casestudyid=13233

  • ABN AMRO upgraded the security of its branch office network infrastructure by installing Microsoft Internet Security and Acceleration (ISA) Server 2000. By integrating Windows 2000 Active Directory with ISA Server, ABN AMRO increased their network security and reduced the administrative burden of managing multiple branch offices. For more information on Active Directory, see the Identity Management overview paper.

    https://www.microsoft.com/resources/casestudies/casestudy.asp?casestudyid=10702

  • Celestial Asia Securities Holdings Ltd. (CASH) is using Microsoft Windows and Microsoft Internet Security and Acceleration (ISA) Server 2000 to secure their network perimeter. CASH implemented a scalable, easily managed solution for bridging the gap between their internal networks and the Internet. According to CASH's head of IT, Microsoft ISA "was easy to manage, could painlessly scale, and integrated completely with our existing infrastructure."

    https://www.microsoft.com/resources/casestudies/casestudy.asp?casestudyid=12000

Additional Information and Resources

For additional information on how to successfully implement a secure network connectivity solution using Microsoft products, visit the following Microsoft Web sites:

https://www.microsoft.com/technet/security/default.mspx

https://www.microsoft.com/security/

https://www.microsoft.com/ISAServer/

https://www.microsoft.com/windows2000/technologies/directory/ad/

https://www.microsoft.com/windows2000/technologies/communications/

https://www.microsoft.com/serviceproviders/

https://www.microsoft.com/exchange/

https://www.microsoft.com/resources/casestudies

https://www.microsoft.com/learning/centers/security.asp