Options
299 Notes #3
Psoasman
Member Posts: 2,687 ■■■■■■■■■□
Chapter 9:
1. The simplest way to deploy IPSec is to configure IPSec policies by using the GPOE and distributing the GPOs by using AD
2. You can configure IPSec policies on individual computers by using command line tools. These will be overwritten by domain policies. For server 2k3 use netsh. For xp use IpsecCmd, for 2k use ipsecpol.
3. If all IPSec peers aren’t trusted in AD domain, you can use certificates to authenticate computers.
4. To audit IPSec connections, first enable success or failure auditing for audit policy change and possibly audit process tracking, the use EV to track the logs.
5. To analyze dropped packets, enable IPSec driver event logging by using Netsh command on server 2k3.
6. When you need detailed troubleshooting, enable IKE tracking by using Netsh, then examine the %systemroot%\debug\oakley.log file.
7. You can isolate IPSec problems by temporarily changing to the preshared key method.
8. Firewalls, routers, and other packet-filtering devices must allow traffic on UDP port 4500 with IP protocol 50 for ESP IPSec.
9. Understand the various methods for deploying IPSec to large numbers of computers.
10. Be familiar with the various tools for monitoring IPSec.
Chapter 10:
1. Wireless networks have a high potential for abuse because potential attackers can access the network without physically entering a building.
2. WEP provides authentication and encryption. Static WEP is vulnerable to cracking.
3. 801.1X addresses this issue and forces wireless clients to reauthenticate to a RADIUS service on a regular basis, making a new shared secret.
4. To authenticate users by using a username / password, use PEAP authentication. To authenticate with PKI use EAP-TLS.
5. WPA provides stronger encryption than WEP, but isn’t as widely supported.
6. Create groups for wireless users.
7. If you use WEP encryption, you can configure XP and 2k3 clients by using a GPO>
Chapter 11:
1. Applications can use SSL to provide authentication, data integrity, and encryption for network communications.
2. When an SSL connection is established, the client retrieves the server’s public key and uses it to encrypt the rest of the session.
3. SSL and IPSec provide similar functionality. SSL is more commonly used on the internet, because it doesn’t require the client to have public key cert.
4. When SSL is used to protect a session, the communications use a different TCP port number.
5. Although the only server requires an SSL certificate to establish an HTTPS session, you can use client certificates to authenticate users.
6. Allowing LDAP queries to be encrypted requires only enrolling the DC w/ a computer certificate. No manual configuration is required.
7. SSL certs can be used to encrypt SQL queries. Encryption must either be required on the computer running SQL server or enabled in the SQL client application configuration.
8. The best way to encrypt messaging is to install a computer certificate on the mail server and then configure the mail clients to use SSL encryption
Chapter 12:
1. Server 2k3 supports 2 VPN protocols: PPTP and L2TP/IPSec.
2. Server 2k3 supports 8 methods for authenticating users: EAP, MS-CHAP v1, v2, CHAP, SPAP, PAP, preshared keys and unauthenticated access.
3. Use EAP to authenticate users with PKI or smart card. Only windows server 2k3, 2k, XP support EAP.
4. You can configure a RAS and clients without changing the default settings. By default, encryption is required and MS-CHAP v1 or v2 will be used.
5. Edit the RAS properties to increase or restrict the available authentication protocols. Select EAP authentication to enable authentication with PKI or smart cards.
6. User authorization can be controlled from 3 places: the user’s dial-in properties, a RAP on the IAS RADIUS server or the RAS.
7. You can manually configure remote access authentication and encryption settings on individual client computers by editing the properties of the network connection.
8. Use the CMAK wizard to create executable files that create preconfigured remote access connections on client computers.
1. The simplest way to deploy IPSec is to configure IPSec policies by using the GPOE and distributing the GPOs by using AD
2. You can configure IPSec policies on individual computers by using command line tools. These will be overwritten by domain policies. For server 2k3 use netsh. For xp use IpsecCmd, for 2k use ipsecpol.
3. If all IPSec peers aren’t trusted in AD domain, you can use certificates to authenticate computers.
4. To audit IPSec connections, first enable success or failure auditing for audit policy change and possibly audit process tracking, the use EV to track the logs.
5. To analyze dropped packets, enable IPSec driver event logging by using Netsh command on server 2k3.
6. When you need detailed troubleshooting, enable IKE tracking by using Netsh, then examine the %systemroot%\debug\oakley.log file.
7. You can isolate IPSec problems by temporarily changing to the preshared key method.
8. Firewalls, routers, and other packet-filtering devices must allow traffic on UDP port 4500 with IP protocol 50 for ESP IPSec.
9. Understand the various methods for deploying IPSec to large numbers of computers.
10. Be familiar with the various tools for monitoring IPSec.
Chapter 10:
1. Wireless networks have a high potential for abuse because potential attackers can access the network without physically entering a building.
2. WEP provides authentication and encryption. Static WEP is vulnerable to cracking.
3. 801.1X addresses this issue and forces wireless clients to reauthenticate to a RADIUS service on a regular basis, making a new shared secret.
4. To authenticate users by using a username / password, use PEAP authentication. To authenticate with PKI use EAP-TLS.
5. WPA provides stronger encryption than WEP, but isn’t as widely supported.
6. Create groups for wireless users.
7. If you use WEP encryption, you can configure XP and 2k3 clients by using a GPO>
Chapter 11:
1. Applications can use SSL to provide authentication, data integrity, and encryption for network communications.
2. When an SSL connection is established, the client retrieves the server’s public key and uses it to encrypt the rest of the session.
3. SSL and IPSec provide similar functionality. SSL is more commonly used on the internet, because it doesn’t require the client to have public key cert.
4. When SSL is used to protect a session, the communications use a different TCP port number.
5. Although the only server requires an SSL certificate to establish an HTTPS session, you can use client certificates to authenticate users.
6. Allowing LDAP queries to be encrypted requires only enrolling the DC w/ a computer certificate. No manual configuration is required.
7. SSL certs can be used to encrypt SQL queries. Encryption must either be required on the computer running SQL server or enabled in the SQL client application configuration.
8. The best way to encrypt messaging is to install a computer certificate on the mail server and then configure the mail clients to use SSL encryption
Chapter 12:
1. Server 2k3 supports 2 VPN protocols: PPTP and L2TP/IPSec.
2. Server 2k3 supports 8 methods for authenticating users: EAP, MS-CHAP v1, v2, CHAP, SPAP, PAP, preshared keys and unauthenticated access.
3. Use EAP to authenticate users with PKI or smart card. Only windows server 2k3, 2k, XP support EAP.
4. You can configure a RAS and clients without changing the default settings. By default, encryption is required and MS-CHAP v1 or v2 will be used.
5. Edit the RAS properties to increase or restrict the available authentication protocols. Select EAP authentication to enable authentication with PKI or smart cards.
6. User authorization can be controlled from 3 places: the user’s dial-in properties, a RAP on the IAS RADIUS server or the RAS.
7. You can manually configure remote access authentication and encryption settings on individual client computers by editing the properties of the network connection.
8. Use the CMAK wizard to create executable files that create preconfigured remote access connections on client computers.
Comments
-
Options
mikesz
Member Posts: 115
Thanks for the notes.
mikeszLong term plan:
2011: CCNA (70%), CCNA: Security, MCITP:Messaging
2012: VCP, CEH, Linux+, start RHCA/E
2013: finish RHCA/E, CCNP
