Ipsec Traffic Cannot Pass Through Older Nat Servers.

By Author: Mike Jones
Total Articles: 256

SSL (Secure Sockets Layer) and TLS (Transport Level Security) both use public key and symmetric mcse training key encryption for TCP-based communications. They provide session encryption and integrity, and server authentication. This prevents eavesdropping, tempering, and message forging. Both SSL and TLS require digital certificates! SSL and TLS can be used to secure web, email, news, and FTP traffic.
PPTP over TCP/IP can be used to secure upper layer protocol traffic between clients and servers for such things as VPNs. It uses either PAP (Password Authentication Protocol) or MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) for the exchange process of credentials. PPTP traffic can pass through all NAT servers, but PPTP does not provide for data integrity.
SMB (Server Message Block) signing can be used to secure client-to-server file sharing traffic on a Windows network. SMB signing can be enabled using GPOs and uses a method of digital signing and a keyed hash to protect the integrity of each SMB packet.
WEP (Wired Equivalent Privacy) is used to secure wireless data traffic between wireless clients and access points connected to a wired network.
Remote client traffic can be secured using various methods and protocols. PPTP and IPSec/L2TP to create a VPN connection are becoming the most widely used.
EAP-TLS (for Extensible Authentication Protocol-Transport Level Security) is the most secure remote access method and protocol. Because of its support for two-factor authentication with the use of smart cards or USB keys, and certificates, it meets all the requirements of message and data CIA (Confidentiality Integrity Authentication).
Tip: If the network includes smart cards and mcts windows server 2008 certificate services is present to issue both user and computer certificates, use EAP-TLS for the most security.
For the exam you'll also need to be familiar with CMAK (Connection Manager Administration Kit), a tool for managing remote connections and remote access policies. CMAK allows administrators to pre-configure remote access clients, add custom behavior and appearance and provide an updateable phonebook that users can turn to and find the most convenient dial-up access numbers. When gaining that all-important hands-on experience for this exam, be sure to load up CMAK and create a profile or two.
Familiarity with Microsoft's Internet Security and Acceleration server is also a must for this exam. ISA server provides perimeter firewall services, proxy caching services, policy-based access control, secure web publishing, and intrusion detection services.
Tip: Client computers may need to install the ISA server firewall client to access the internal or external network.
Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI
This objective includes topics such as authentication, authorization, security groups, and certificate services. Know your group types, distribution and security, scopes; universal, domain local, global, local, and the recommended group strategy; A-G-DL-P Accounts get placed into Global groups which get placed into Domain Local groups which are assigned Permissions.
Tip: Group nesting is supported when a domain is at functional level Windows 2000 native or higher.
The special group type, Self, represents the MCSA Certification permissions assigned to the ACE (Access Control Entry) of a user, group, or computer and is a placeholder for that security principal.