Lesson 8: IPSec
Protecting Network Traffic with IPSec
Mahmmoud A. Mahdi
Protecting Network Traffic with IPSec
Internet Protocol Security (IPSec): Protects networks by securing IP packets through encryption and through the enforcement of trusted communication.
You can manage IPSec through:
▪ Local Security Policy.
▪ Group Policy.
▪ Command-line tools.
Exam objectives
Configure IPSec.
Configuring IPSec
IP Security (IPSec) is a means to protect network data by ensuring its authenticity and its confidentiality.
What Is IPSec?
IPSec is essentially a way to provide security for data sent between two computers on an IP network.
IPSec protects data between two IP addresses by providing the following services:
1. Data Authentication:
▪ Data origin authentication: you can configure IPSec to ensure that each packet you receive from a trusted party in fact originates from that party and is not spoofed.
▪ Data integrity: you can use IPSec to ensure that data is not altered in transit.
▪ Anti-replay protection: you can configure IPSec to verify that each packet received is unique and not duplicated.
2. Encryption:
▪ You can use IPSec to encrypt network data so that the data is unreadable if captured in transit.
What Is IPSec?
In Windows Server 2008 and Windows Vista, IPSec is enforced either by:
1. IPSec Policies
▪ By default attempt to negotiate both authentication and encryption services.
2. Connection security rules
▪ By default attempt to negotiate only authentication services.
1. IPSec Policies
Define how a computer or group of computers handle IPSec communications.
Assign an IPSec Policy:
▪ To an individual computer, by using Local Security Policy.
▪ To a group of computers, by using Group Policy.
IPSec Policies in GPO
IPSec Policies
Every IPSec Policy is composed of one or more IPSec Policy rules that determine when and how IP traffic should be protected.
Each Policy rule, in turn, is associated with one IP filter list and filter action.
IP filter lists contain a set of one or more IP filters that capture IP traffic for an IPSec Policy.
IP filters define a source or destination address, address range, computer name, TCP/UDP port, or server type (DNS, WINS, DHCP, default gateway).
IPSec Policy Example
IPSec Policies, rules, filters, and filter actions
Quick Check
1. Does every IPSec Policy rule have an IP filter list?
2. In terms of its function within an IPSec Policy, what does a filter action do?
Quick Check Answer:
1. Yes, even if the list has only one IP filter.
2. A filter action determines whether the traffic captured by an IP filter in a given policy rule is permitted, blocked, encrypted, or authenticated.
2. Connection Security Rules
Used to configure IPSec settings for connections between computers.
Like IPSec Policies:
▪ Connection security rules evaluate network traffic and then block, allow, or negotiate security for messages based on the criteria you establish.
Unlike IPSec Policies:
▪ Connection security rules do not include filters or filter actions.
2. Connection Security Rules
The filtering capabilities in connection security rules are not as powerful as those of IPSec Policies.
Connection security rules:
▪ Do not apply to specific types of IP traffic, such as IP traffic that passes over port 23.
▪ Apply to all IP traffic originating from or destined for certain IP addresses, subnets, or servers on the network.
2. Connection Security Rules
A Connection Security Rule:
▪ First authenticates the computers defined in the rule before they begin communication.
▪ Then secures the information sent between these two authenticated computers.
▪ If you have configured a Connection Security Rule that requires security for a given connection and the two computers in question cannot authenticate each other, the connection is blocked.
By default, connection security rules provide only data authentication security (data origin authentication, data integrity, and anti-replay security).
Configure connection security rules for any computer in the Windows Firewall with Advanced Security (WFAS) console or the WFAS node in Server Manager.
Defining connection security rules in Group Policy
Note
Exporting connection security rules: By using the Export Policy and Import Policy functions in the WFAS console, you can create one set of connection security rules and export them to other computers or GPOs.
Security Associations
After two computers negotiate an IPSec connection, the data sent between those computers is secured in what is known as a Security Association (SA).
Security for an SA is provided by the two IPSec protocols. These protocols provide data integrity and anti-replay protection for the IP packets in an SA.
1. Authentication Header (AH)
▪ Provides data origin authentication, data integrity, and anti-replay protection for the entire IP packet.
2. Encapsulating Security Payload (ESP)
▪ Provides data encryption, data origin authentication, data integrity, and anti-replay protection for the ESP payload.
To secure data within any SA, you can use:
▪ AH alone.
▪ ESP alone.
▪ AH and ESP together.
Exam Tip
You need to know the basic difference between AH and ESP for the 70-642 exam.
If you need encryption, use ESP; if you just need to authenticate the data origin or verify data integrity, use AH.
How IPSec Connections Are Established
To establish SAs dynamically between IPSec peers, the Internet Key Exchange (IKE) protocol is used.
To ensure successful and secure communication, IKE performs a two-phase negotiation operation, each phase with its own SAs.
▪ Phase 1: main mode negotiation. Used to secure the second IKE negotiation phase.
▪ Phase 2: quick mode negotiation. Used to protect application traffic.
How IPSec Connections Are Established
The steps for establishing an IPSec connection:
1. Set up a main mode SA.
2. Agree upon the terms of communication and encryption algorithm.
3. Create a quick mode SA.
4. Send data.
Using IPSec in Tunnel Mode
1. IPSec by default operates in transport mode.
▪ Used to provide end-to-end security between computers.
▪ Used in most IPSec-based VPNs, for which the Layer Two Tunneling Protocol (L2TP) is used to tunnel the IPSec connection through the public network.
2. When a particular VPN gateway is not compatible with L2TP/IPSec VPNs, use IPSec in tunnel mode instead.
▪ With tunnel mode, an entire IP packet is protected and then encapsulated with an additional, unprotected IP header.
Authentication Methods for IPSec
IPSec requires a shared authentication mechanism between communicating computers.
Three methods to authenticate the hosts communicating through IPSec:
1. Kerberos
2. Certificates
3. Preshared key
Authentication Methods for IPSec
1. Kerberos (Active Directory)
▪ The easiest way to configure authentication for IPSec is to implement IPSec within a single Active Directory forest.
▪ When the two IPSec endpoints can be authenticated by Active Directory, the security foundation for IPSec requires no configuration beyond joining the hosts to the domain.
2. Certificates
▪ Use certificates if you need to implement IPSec in a production environment where Kerberos is not available.
▪ Each host must obtain and install a computer certificate from a public or private certification authority (CA).
Authentication Methods for IPSec
3. Preshared Key
▪ Is a password shared by peers and used both to encrypt and decrypt data.
▪ Preshared keys do not provide the same level of authentication that certificates and Kerberos do.
▪ Preshared keys for IPSec are stored in plaintext on each computer or in Active Directory, which reduces the security of this solution.
▪ It is recommended that you use preshared keys only in nonproduction environments such as test networks.
Exam Tip
You need to understand the IPSec authentication mechanisms for the 70-642 exam.
Remember that Kerberos authentication is preferable in an Active Directory environment.
Outside of an Active Directory environment, a certificate infrastructure is your best option.
Assigning a Predefined IPSec Policy
In Group Policy, three IPSec Policies are predefined. You can configure an IPSec Policy for a domain or OU by assigning any one of the following predefined policies:
▪ Client (Respond Only): assign this policy to a computer through a GPO, and that computer will never initiate a request to establish an IPSec communications channel with another computer.
▪ Server (Request Security): assign this policy to computers for which encryption is preferred but not required.
▪ Secure Server (Require Security): assign this policy to intranet servers that require secure communications.
Assigning a Predefined IPSec Policy
To assign an IPSec Policy within a GPO:
1. Select the IP Security Policies node.
2. Right-click the chosen policy in the Details pane.
3. Choose Assign from the shortcut menu.
You can assign only one IPSec Policy to a computer at a time. If Group Policy assigns an IPSec Policy to a computer, the computer ignores any IPSec Policy assigned in its Local Security Policy.
Assigning an IPSec Policy in a GPO
Exam Tip
Know the three predefined IPSec Policies.
Creating a New IPSec Policy
1. Open Local Security Policy or a GPO.
2. In the console tree below Security Settings, right-click the IP Security Policies node.
3. Choose Create IP Security Policy.
4. Configure the policy through its properties.
5. Add rules to the policy by clicking the Add button in the Rules tab in the Properties dialog box for the policy.
6. This procedure launches the Create IP Security Rule Wizard.
Creating a new IPSec Policy in a GPO
Launching the Create IP Security Rule Wizard
Using the Create IP Security Rule Wizard
To create and configure rules, use the Create IP Security Rule Wizard.
The five main pages of the Create IP Security Rule Wizard:
1. Tunnel Endpoint page:
▪ Configure this page only when you want to use IPSec in tunnel mode.
2. Network Type page:
▪ Use this page if you want to limit the rule to either the local area network or remote access connections.
Using the Create IP Security Rule Wizard
3. IP Filter List page:
▪ In Group Policy, two IP filter lists are predefined for IPSec Policy rules: All ICMP Traffic and All IP Traffic.
▪ To create a new IP filter list, click the Add button on the IP Filter List page.
Note
What is ICMP traffic? ICMP (Internet Control Message Protocol) is a messaging feature of IP that allows Ping and Tracert to function.
ICMP traffic typically refers to Ping and Tracert traffic.
Creating a new IP filter list to attach to an IPSec Policy rule
Creating a new IP filter
To create a new IP filter to add to the new IP filter list you are creating, click the Add button in the IP Filter List dialog box. This in turn launches the IP Filter Wizard.
▪ Define IP traffic according to source and destination.
▪ Create a “mirrored” filter: it matches the source and destination with the exact opposite addresses.
▪ For example, you can easily configure a filter that captures POP3 traffic sent to and from the local address.
▪ To configure your filter as a mirrored filter, leave the Mirrored check box selected on the first page of the IP Filter Wizard.
Creating a new IP filter to add to an IP filter list
Creating a mirrored IP filter
Using the Create IP Security Rule Wizard
4. Filter Action page:
▪ In Group Policy, the following three filter actions are predefined for the IPSec Policy rules:
▪ Permit: this filter action permits the IP packets to pass through unsecured.
▪ Request Security (Optional): this filter action permits the IP packets to pass through unsecured but requests that clients negotiate security (preferably encryption).
▪ Require Security: this filter action triggers the local computer to request secure communications from the client source of the IP packets. If security methods (including encryption) cannot be established, the local computer will stop communicating with that client.
▪ To create a new filter action, click the Add button on the Filter Action page of the Security Rule Wizard.
▪ This procedure launches the Filter Action Wizard.
Creating a new Filter Action
Using the Create IP Security Rule Wizard
5. Authentication Method page:
▪ By default, IPSec rules rely on the Active Directory service and the Kerberos protocol to authenticate clients.
Specifying an authentication method for a new IPSec Policy rule
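The six-step procedure and the wizard pages above can also be scripted with the netsh ipsec static context, one of the command-line tools the deck lists for managing IPSec Policies. The script below is an added example written for this transcript; it is not code from the original slides or from Microsoft. It recreates the mirrored POP3 filter example against the Local Security Policy store of the machine it runs on. The policy, filter list, filter action and rule names and the mail server address 192.0.2.25 are constructed for the example, and 3DES/SHA1 is used because the legacy netsh ipsec static context accepts only DES or 3DES for ESP confidentiality. Run it from an elevated PowerShell prompt, and confirm any parameter with netsh ipsec static add filter ? before relying on it.

```powershell
# Added example: script the "Creating a New IPSec Policy" steps with netsh ipsec static.
# All names and the address 192.0.2.25 are constructed for this example; every command
# writes to the Local Security Policy store of the computer it runs on (not a GPO).

$policy  = 'Example POP3 Policy'          # constructed policy name
$list    = 'POP3 to mail server'           # constructed IP filter list name
$action  = 'Negotiate - require security'  # constructed filter action name
$rule    = 'Protect POP3'                  # constructed rule name
$mailSrv = '192.0.2.25'                    # constructed mail server address (TEST-NET-2)

# Step 3/4: create the policy itself. It stays unassigned until the last step.
netsh ipsec static add policy name="$policy" description="Added example policy" assign=no

# IP Filter List page: one list with one mirrored filter. srcaddr=me is the local
# address; mirrored=yes also matches the reply direction (mail server -> local host,
# TCP source port 110), exactly what the mirrored-filter slide describes.
netsh ipsec static add filterlist name="$list"
netsh ipsec static add filter filterlist="$list" srcaddr=me dstaddr=$mailSrv protocol=TCP srcport=0 dstport=110 mirrored=yes

# Filter Action page: action=negotiate asks the peer for IPSec. inpass=no refuses
# unsecured inbound packets and soft=no forbids falling back to clear text, which
# together give the "Require Security" behaviour. qmsecmethods is the quick mode
# (Phase 2) method: ESP with 3DES confidentiality and SHA1 integrity, so the data is
# encrypted and not only authenticated (AH alone would give no confidentiality).
netsh ipsec static add filteraction name="$action" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# Step 5/6: the rule ties filter list and filter action together. kerberos=yes is the
# Authentication Method page default (Active Directory / Kerberos).
netsh ipsec static add rule name="$rule" policy="$policy" filterlist="$list" filteraction="$action" kerberos=yes

# Assign the policy (only one policy can be assigned at a time) and inspect it.
netsh ipsec static set policy name="$policy" assign=yes
netsh ipsec static show policy name="$policy" level=verbose

# If Group Policy assigns a policy, it overrides this local assignment; this shows
# which GPO-assigned policy, if any, is in force on the computer.
netsh ipsec static show gpoassignedpolicy
```

The filter action is where the defensive choice is made: with inpass=yes or soft=yes a peer that cannot negotiate IPSec would still be allowed to talk in clear text, which is the "Request Security (Optional)" behaviour rather than "Require Security".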
Managing IP Filter Lists and Filter Actions
Creating and Configuring a Connection Security Rule
1. Browse to and expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security - LDAP://address.
2. Select and right-click the Connection Security Rules node.
3. From the shortcut menu, choose New Rule.
4. This procedure launches the New Connection Security Rule Wizard.
Creating a new Connection Security Rule
Choosing a Connection Security Rule type
Using the New Connection Security Rule Wizard
1. Rule Type page: allows you to create any of five rule types. These five rule types are the following:
a) Isolation rule: a general rule used to authenticate all traffic for select network profiles.
▪ The three profiles defined are Domain, Private, and Public.
Exam Tip
You can use an Isolation rule to configure “domain isolation”. This term simply means that you can use connection security rules to block traffic from computers originating from outside the local Active Directory domain.
Using the New Connection Security Rule Wizard
b) Authentication Exemption rule:
▪ Used to exempt specific computers or a group or range of IP addresses (computers) from being required to authenticate themselves.
c) Server-To-Server rule:
▪ Allows you to authenticate the communications between IP addresses or sets of addresses, including specific computers and subnets.
d) Tunnel rule:
▪ Used to configure IPSec tunnel mode for VPN gateways.
e) Custom rule:
▪ Used to create a rule that requires special settings or a combination of features from the various rule types.
Using the New Connection Security Rule Wizard
2. Endpoints page: used to specify the remote computers with which you want to negotiate an IPSec connection.
3. Requirements page: used to specify whether authenticated communication is required, requested, or not used for the specified endpoints.
4. Authentication Method page: allows you to specify the method by which computer endpoints are authenticated. The first option is Default.
Using the New Connection Security Rule Wizard
5. Profile page: allows you to limit the local network location types to which the rule will apply. The profiles you can enable for the rule are Domain, Private, and Public.
6. Name page: allows you to name the new Connection Security Rule and (optionally) to provide a description.
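The six wizard pages above map directly onto the parameters of netsh advfirewall consec add rule, the command-line counterpart of the WFAS console: Rule Type becomes the choice of endpoints and action, Requirements becomes action, Authentication Method becomes auth1, Profile becomes profile, and Name becomes name. The script below is an added example for this transcript, not code from the original slides or from Microsoft. It creates one rule for each of the first three rule types plus a preshared-key variant, then lists the rules and the main mode and quick mode SAs from the Security Associations slides. The rule names, the 192.0.2.x addresses, the CA name and the key are constructed placeholders; the commands write to the local firewall store (not a GPO) and need an elevated PowerShell prompt.

```powershell
# Added example: the New Connection Security Rule Wizard expressed as netsh advfirewall
# consec rules. Rule names, addresses, the CA name and the key are constructed
# placeholders; everything is written to the local Windows Firewall with Advanced
# Security store of the computer the script runs on.

# a) Isolation rule (domain isolation): every endpoint, Domain profile only. The
#    action requires authentication inbound and requests it outbound, and auth1 is
#    computer Kerberos, the Default method from the Authentication Method page.
netsh advfirewall consec add rule name="Example - Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# b) Authentication Exemption rule: a device that cannot join the domain (constructed
#    address) is never asked to authenticate, so the isolation rule does not block it.
netsh advfirewall consec add rule name="Example - Exempt printer" endpoint1=any endpoint2=192.0.2.50 action=noauthentication

# c) Server-To-Server rule between two constructed addresses. Authentication is by
#    computer certificate from the named CA (placeholder DN), the option the deck
#    recommends outside Active Directory, and it is required in both directions.
#    qmsecmethods selects ESP with SHA1 integrity and AES-128 encryption for quick mode,
#    so the connection is encrypted rather than only authenticated (the WFAS default).
netsh advfirewall consec add rule name="Example - SQL to app server" endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout auth1=computercert auth1ca="CN=EXAMPLE-ISSUING-CA" qmsecmethods=esp:sha1-aes128+60min+100000kb

# d) The same server-to-server rule authenticated with a preshared key. The key is kept
#    in plaintext in the policy store, which is why the deck limits PSKs to test networks;
#    the rule is therefore bound to the Private profile of a lab network.
netsh advfirewall consec add rule name="Example - Test lab PSK" endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout auth1=computerpsk auth1psk="ExampleLabKeyChangeMe" profile=private

# Review the resulting rules, then, once traffic has flowed, the Phase 1 (main mode)
# and Phase 2 (quick mode) security associations that IKE negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Reading the monitor output against the slides: a main mode SA per peer confirms Phase 1 completed with the authentication method the rule specified, and a quick mode SA showing ESP with an encryption algorithm confirms the data itself is protected; a rule that only authenticates shows an SA without encryption, which is the default connection security rule behaviour the deck describes.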
Configuring IPSec Settings for Connection Security Rules
In the WFAS node of a GPO or in the WFAS console. To access these settings:
1. Open the properties of the Windows Firewall With Advanced Security node.
2. In the properties dialog box that opens, click the IPSec Settings tab.
Opening Windows Firewall properties
Configuring IPSec Settings
IPSec defaults
Clicking the Customize button opens the Customize IPSec Settings dialog box. Set new default parameters for:
▪ Key negotiation (exchange).
▪ Data protection.
▪ Authentication method.
Setting IPSec default
Configuring IPSec Settings for Connection Security Rules
Example: To configure data encryption for connection security rules:
1. Select Advanced in the Data Protection area.
2. Click Customize; this opens the Customize Data Protection Settings dialog box.
3. Select the Require Encryption For All Connection Security Rules That Use These Settings check box.
4. Click OK.
Requiring encryption for connection security rules
Any Questions? Contact me: [email protected]