Lesson 8: IPSec

Protecting Network Traffic with IPSec Mahmmoud A. Mahdi


Windows Server 2008 Network Infrastructure Configuration (MCTS)

Transcript of Lesson 8: IPSec

Page 1: Lesson 8: IPSec

Protecting Network Traffic with IPSec

Mahmmoud A. Mahdi

Page 2: Lesson 8: IPSec

Protecting Network Traffic with IPSec

Internet Protocol Security (IPSec): Protects networks by securing IP packets through encryption and through the enforcement of trusted communication.

You can manage IPSec through Local Security Policy, Group Policy, or command-line tools.

Page 3: Lesson 8: IPSec

Exam objectives

Configure IPSec.

Page 4: Lesson 8: IPSec

Configuring IPSec

IP Security (IPSec) is a means to protect network data by ensuring its authenticity and its confidentiality.

Page 5: Lesson 8: IPSec

What Is IPSec?

IPSec is essentially a way to provide security for data sent between two computers on an IP network.

IPSec protects data between two IP addresses by providing the following services:

1. Data authentication
▪ Data origin authentication: you can configure IPSec to ensure that each packet you receive from a trusted party in fact originates from that party and is not spoofed.
▪ Data integrity: you can use IPSec to ensure that data is not altered in transit.
▪ Anti-replay protection: you can configure IPSec to verify that each packet received is unique and not duplicated.

2. Encryption
▪ You can use IPSec to encrypt network data so that the data is unreadable if captured in transit.

Page 6: Lesson 8: IPSec

What Is IPSec?

In Windows Server 2008 and Windows Vista, IPSec is enforced either by:

1. IPSec Policies
▪ By default, attempt to negotiate both authentication and encryption services.

2. Connection security rules
▪ By default, attempt to negotiate only authentication services.

Page 7: Lesson 8: IPSec

1. IPSec Policies

Define how a computer or group of computers handles IPSec communications.

Assign an IPSec Policy:
▪ To an individual computer, by using Local Security Policy.
▪ To a group of computers, by using Group Policy.

Page 8: Lesson 8: IPSec

IPSec Policies in GPO

Page 9: Lesson 8: IPSec

IPSec Policies

Every IPSec Policy is composed of one or more IPSec Policy rules that determine when and how IP traffic should be protected.

Each Policy rule, in turn, is associated with one IP filter list and one filter action.

IP filter lists contain a set of one or more IP filters that capture IP traffic for an IPSec Policy.

IP filters define a source or destination address, address range, computer name, TCP/UDP port, or server type (DNS, WINS, DHCP, default gateway).

Page 10: Lesson 8: IPSec

IPSec Policy Example

IPSec Policies, rules, filters, and filter actions

Page 11: Lesson 8: IPSec

Quick Check

1. Does every IPSec Policy rule have an IP filter list?

2. In terms of its function within an IPSec Policy, what does a filter action do?

Quick Check Answer:

1. Yes, even if the list has only one IP filter.

2. A filter action determines whether the traffic captured by an IP filter in a given policy rule is permitted, blocked, encrypted, or authenticated.

Page 12: Lesson 8: IPSec

2. Connection Security Rules

Used to configure IPSec settings for connections between computers.

Like IPSec Policies:
▪ Connection security rules evaluate network traffic and then block, allow, or negotiate security for messages based on the criteria you establish.

Unlike IPSec Policies:
▪ Connection security rules do not include filters or filter actions.

Page 13: Lesson 8: IPSec

2. Connection Security Rules

The filtering capabilities in connection security rules are not as powerful as those of IPSec Policies.

Connection security rules:
▪ Do not apply to particular types of IP traffic, such as IP traffic that passes over port 23.
▪ Apply to all IP traffic originating from or destined for certain IP addresses, subnets, or servers on the network.

Page 14: Lesson 8: IPSec

2. Connection Security Rules

A Connection Security Rule first authenticates the computers defined in the rule before they begin communication. Then it secures the information sent between these two authenticated computers.

▪ If you have configured a Connection Security Rule that requires security for a given connection and the two computers in question cannot authenticate each other, the connection is blocked.

By default, connection security rules provide only data authentication security (data origin authentication, data integrity, and anti-replay security).

Configure connection security rules for any computer in the Windows Firewall with Advanced Security (WFAS) console or the WFAS node in Server Manager.

Page 15: Lesson 8: IPSec

Defining connection security rules in Group Policy

Page 16: Lesson 8: IPSec

Note

Exporting connection security rules: By using the Export Policy and Import Policy functions in the WFAS console, you can create one set of connection security rules and export them to other computers or GPOs.

Page 17: Lesson 8: IPSec

Security Associations

After two computers negotiate an IPSec connection, the data sent between those computers is secured in what is known as a Security Association (SA). Security for an SA is provided by the two IPSec protocols. These protocols provide data integrity and anti-replay protection for the entire IP packet in an SA.

1. Authentication Header (AH)
▪ Provides data origin authentication, data integrity, and anti-replay protection for the entire IP packet.

2. Encapsulating Security Payload (ESP)
▪ Provides data encryption, data origin authentication, data integrity, and anti-replay protection for the ESP payload.

To secure data within any SA, you can use AH alone, ESP alone, or AH and ESP together.

Page 18: Lesson 8: IPSec

Exam Tip

You need to know the basic difference between AH and ESP for the 70-642 exam.

If you need encryption, use ESP; if you just need to authenticate the data origin or verify data integrity, use AH.

Page 19: Lesson 8: IPSec

How IPSec Connections Are Established

To establish SAs dynamically between IPSec peers, the Internet Key Exchange (IKE) protocol is used.

To ensure successful and secure communication, IKE performs a two-phase negotiation, each phase with its own SAs.

▪ Phase 1: main mode negotiation. Used to secure the second IKE negotiation phase.
▪ Phase 2: quick mode negotiation. Used to protect application traffic.

Page 20: Lesson 8: IPSec

How IPSec Connections Are Established

The steps for establishing an IPSec connection:

1. Set up a main mode SA.
2. Agree upon the terms of communication and the encryption algorithm.
3. Create a quick mode SA.
4. Send data.

Page 21: Lesson 8: IPSec

Using IPSec in Tunnel Mode

1. IPSec by default operates in transport mode. Transport mode is used to provide end-to-end security between computers. It is used in most IPSec-based VPNs, for which the Layer Two Tunneling Protocol (L2TP) is used to tunnel the IPSec connection through the public network.

2. When a particular VPN gateway is not compatible with L2TP/IPSec VPNs, use IPSec in tunnel mode instead. With tunnel mode, an entire IP packet is protected and then encapsulated with an additional, unprotected IP header.

Page 22: Lesson 8: IPSec
Page 23: Lesson 8: IPSec

Authentication Methods for IPSec

IPSec requires a shared authentication mechanism between communicating computers.

Three methods to authenticate the hosts communicating through IPSec:

1. Kerberos
2. Certificates
3. Preshared key

Page 24: Lesson 8: IPSec

Authentication Methods for IPSec

1. Kerberos (Active Directory): The easiest way to configure authentication for IPSec is to implement IPSec within a single Active Directory forest. When the two IPSec endpoints can be authenticated by Active Directory, the security foundation for IPSec requires no configuration beyond joining the hosts to the domain.

2. Certificates: If you need to implement IPSec in a production environment where Kerberos is not available, each host must obtain and install a computer certificate from a public or private certification authority (CA).

Page 25: Lesson 8: IPSec

Authentication Methods for IPSec

3. Preshared Key: A password shared by peers and used both to encrypt and decrypt data. Preshared keys do not provide the same level of authentication that certificates and Kerberos do. Preshared keys for IPSec are stored in plaintext on each computer or in Active Directory, which reduces the security of this solution.

It is recommended that you use preshared keys only in nonproduction environments such as test networks.

Page 26: Lesson 8: IPSec

Exam Tip

You need to understand the IPSec authentication mechanisms for the 70-642 exam.

Remember that Kerberos authentication is preferable in an Active Directory environment.

Outside of an Active Directory environment, a certificate infrastructure is your best option.

Page 27: Lesson 8: IPSec

Assigning a Predefined IPSec Policy

In Group Policy, three IPSec Policies are predefined. You can configure an IPSec Policy for a domain or OU by assigning any one of the following predefined policies:

Client (Respond Only)
▪ When you assign this policy to a computer through a GPO, that computer will never initiate a request to establish an IPSec communications channel with another computer.

Server (Request Security)
▪ Assign this policy to computers for which encryption is preferred but not required.

Secure Server (Require Security)
▪ Assign this policy to intranet servers that require secure communications.

Page 28: Lesson 8: IPSec

Assigning a Predefined IPSec Policy

To assign an IPSec Policy within a GPO:

1. Select the IP Security Policies node.
2. Right-click the chosen policy in the Details pane.
3. Choose Assign from the shortcut menu.

You can assign only one IPSec Policy to a computer at a time. If Group Policy assigns an IPSec Policy to a computer, the computer ignores any IPSec Policy assigned in its Local Security Policy.
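As an added example (not part of the lesson, and not Microsoft's implementation), the following Python model works through what pages 27 and 28 imply: which of the three predefined policies is effective when both a GPO and Local Security Policy assign one, and what happens to traffic between two hosts for every pairing of those policies (including a host with no IPSec policy at all). The "never initiates / always responds" behaviour of Client (Respond Only) and the clear-text fallback of Server (Request Security) are taken from the slides; the symmetric negotiation rule is the model's assumption.

```python
from enum import Enum


class IPSecPolicy(Enum):
    # The three predefined IPSec Policies, plus "nothing assigned" for a
    # host that does not take part in IPSec at all (model assumption).
    NONE = "no IPSec Policy assigned"
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"


def effective_policy(local, gpo):
    """Only one policy is active on a computer: a policy assigned by a GPO
    overrides whatever Local Security Policy assigned."""
    return gpo if gpo is not IPSecPolicy.NONE else local


def initiates(p):
    """Does this policy ever ask a peer to negotiate IPSec?
    Client (Respond Only) never initiates; it only answers requests."""
    return p in (IPSecPolicy.SERVER, IPSecPolicy.SECURE_SERVER)


def responds(p):
    """Can this host take part in a negotiation started by the peer?"""
    return p is not IPSecPolicy.NONE


def outcome(a, b):
    """Fate of traffic between hosts with policies a and b.
    Model assumption: whichever side requests or requires security starts
    the negotiation, so the result is symmetric in a and b."""
    if (initiates(a) or initiates(b)) and responds(a) and responds(b):
        return "secured"   # negotiation succeeds on both ends
    if IPSecPolicy.SECURE_SERVER in (a, b):
        return "blocked"   # Require Security, but the peer cannot negotiate
    return "clear"         # nobody asked, or Request Security fell back


def pairing_matrix():
    """Outcome for every ordered pair of policies (a deployment check)."""
    return {(a.value, b.value): outcome(a, b)
            for a in IPSecPolicy for b in IPSecPolicy}


def silent_cleartext_pairs():
    """Pairs where a host that asked for security still ends up talking in
    the clear: the fallback to watch for with Server (Request Security)."""
    return sorted((a.value, b.value)
                  for a in IPSecPolicy for b in IPSecPolicy
                  if initiates(a) and outcome(a, b) == "clear")


if __name__ == "__main__":
    for (a, b), result in pairing_matrix().items():
        print(f"{a:34} <-> {b:34}: {result}")
```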

Page 29: Lesson 8: IPSec

Assigning an IPSec Policy in a GPO

Page 30: Lesson 8: IPSec

Exam Tip

Know the three predefined IPSec Policies.

Page 31: Lesson 8: IPSec

Creating a New IPSec Policy

1. Open Local Security Policy or a GPO.
2. In the console tree below Security Settings, right-click the IP Security Policies node.
3. Choose Create IP Security Policy.
4. Configure the policy through its properties.
5. Add rules to the policy by clicking the Add button in the Rules tab of the Properties dialog box for the policy.
6. This procedure launches the Create IP Security Rule Wizard.

Page 32: Lesson 8: IPSec

Creating a new IPSec Policy in a GPO

Page 33: Lesson 8: IPSec

Launching the Create IP Security Rule Wizard

Page 34: Lesson 8: IPSec

Using the Create IP Security Rule Wizard

To create and configure rules, use the Create IP Security Rule Wizard.

The five main pages of the Create IP Security Rule Wizard:

1. Tunnel Endpoint page
▪ Configure this page only when you want to use IPSec in tunnel mode.

2. Network Type page
▪ Use this page if you want to limit the rule to either the local area network or remote access connections.

Page 35: Lesson 8: IPSec

Using the Create IP Security Rule Wizard

3. IP Filter List page
▪ In Group Policy, two IP filter lists are predefined for IPSec Policy rules: All ICMP Traffic and All IP Traffic.
▪ To create a new IP filter list, click the Add button on the IP Filter List page.

Page 36: Lesson 8: IPSec

Note

What is ICMP traffic? ICMP (Internet Control Message Protocol) is a messaging feature of IP that allows Ping and Tracert to function. ICMP traffic typically refers to Ping and Tracert traffic.

Page 37: Lesson 8: IPSec

Creating a new IP filter list to attach to an IPSec Policy rule

Page 38: Lesson 8: IPSec

Creating a new IP filter

To create a new IP filter to add to the new IP filter list you are creating, click the Add button in the IP Filter List dialog box.

This in turn launches the IP Filter Wizard, which lets you define IP traffic according to source and destination. You can also create a “mirrored” filter, which matches the source and destination with the exact opposite addresses.

▪ For example, you can easily configure a filter that captures POP3 traffic sent to and from the local address. To configure your filter as a mirrored filter, leave the Mirrored check box selected on the first page of the IP Filter Wizard.

Page 39: Lesson 8: IPSec

Creating a new IP filter to add to an IP filter list

Page 40: Lesson 8: IPSec

Creating a mirrored IP filter

Page 41: Lesson 8: IPSec

Using the Create IP Security Rule Wizard

4. Filter Action page
▪ In Group Policy, the following three filter actions are predefined for IPSec Policy rules:
▪ Permit: this filter action permits the IP packets to pass through unsecured.
▪ Request Security (Optional): this filter action permits the IP packets to pass through unsecured but requests that clients negotiate security (preferably encryption).
▪ Require Security: this filter action triggers the local computer to request secure communications from the client source of the IP packets. If security methods (including encryption) cannot be established, the local computer will stop communicating with that client.
▪ To create a new filter action, click the Add button on the Filter Action page of the Security Rule Wizard.
▪ This procedure launches the Filter Action Wizard.
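As an added example (not from the lesson, and not Windows' own filter engine), this Python model ties together the objects from pages 9, 38 and 41: a policy is a sequence of rules, each rule pairs a filter list with a filter action, and a mirrored filter captures the reply direction of the POP3 traffic described above. The CIDR notation, the sample addresses, and the first-match rule ordering are simplifying assumptions of the model.

```python
from collections import namedtuple
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network

class FilterAction(Enum):
    PERMIT = "permit"              # pass through unsecured
    REQUEST_SECURITY = "request"   # negotiate, but fall back to clear
    REQUIRE_SECURITY = "require"   # negotiate, or stop communicating

Packet = namedtuple("Packet", "src dst proto sport dport")  # constructed shape

@dataclass(frozen=True)
class IPFilter:
    src: str                 # CIDR prefix or "any"
    dst: str
    proto: str = "any"       # "tcp", "udp", "icmp" or "any"
    dport: int = None        # None means any destination port
    mirrored: bool = True    # also capture the reply direction

    @staticmethod
    def _addr(spec, addr):
        return spec == "any" or ip_address(addr) in ip_network(spec)

    def _one_way(self, src, dst, proto, dport):
        return (self._addr(self.src, src) and self._addr(self.dst, dst)
                and self.proto in ("any", proto) and self.dport in (None, dport))

    def matches(self, p):
        if self._one_way(p.src, p.dst, p.proto, p.dport):
            return True
        # Mirrored: the same filter with source and destination swapped, so
        # the reply (whose *source* port is the service port) is captured too.
        return self.mirrored and self._one_way(p.dst, p.src, p.proto, p.sport)

@dataclass(frozen=True)
class Rule:
    filter_list: tuple        # one or more IPFilter objects
    action: FilterAction

def action_for(rules, p):
    """Filter action for packet p. Model assumption: rules are tried in the
    given order, the first capturing filter list wins, and traffic that no
    filter captures passes unsecured."""
    for r in rules:
        if any(f.matches(p) for f in r.filter_list):
            return r.action
    return FilterAction.PERMIT

# Constructed sample policy: require security for POP3 to and from the local
# subnet (a mirrored filter), request security for all other IP traffic.
LOCAL_NET = "10.0.0.0/24"
POP3_RULE = Rule((IPFilter(LOCAL_NET, "any", "tcp", 110),), FilterAction.REQUIRE_SECURITY)
ALL_IP_RULE = Rule((IPFilter("any", "any"),), FilterAction.REQUEST_SECURITY)
POLICY = (POP3_RULE, ALL_IP_RULE)
```

Because the POP3 filter is mirrored, the server's reply (source port 110 back to the local host) is captured by the same rule; with `mirrored=False` that reply would only match the broader All IP Traffic rule.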

Page 42: Lesson 8: IPSec

Creating a new Filter Action

Page 43: Lesson 8: IPSec

Using the Create IP Security Rule Wizard

5. Authentication Method page
▪ By default, IPSec rules rely on the Active Directory service and the Kerberos protocol to authenticate clients.

Page 44: Lesson 8: IPSec

Specifying an authentication method for a new IPSec Policy rule

Page 45: Lesson 8: IPSec

Managing IP Filter Lists and Filter Actions

Page 46: Lesson 8: IPSec

Creating and Configuring a Connection Security Rule

1. Browse to and expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security - LDAP://address.

2. Select and right-click the Connection Security Rules node.

3. From the shortcut menu, choose New Rule.

4. This procedure launches the New Connection Security Rule Wizard.

Page 47: Lesson 8: IPSec

Creating a new Connection Security Rule

Page 48: Lesson 8: IPSec

Choosing a Connection Security Rule type

Page 49: Lesson 8: IPSec

Using the New Connection Security Rule Wizard

1. Rule Type page: Allows you to create any of five rule types. These five rule types are the following:

a) Isolation rule: A general rule used to authenticate all traffic for selected network profiles.
▪ The three profiles defined are Domain, Private, and Public.

Page 50: Lesson 8: IPSec

Exam Tip

You can use an Isolation rule to configure “domain isolation”. This term simply means that you can use connection security rules to block traffic from computers originating from outside the local Active Directory domain.

Page 51: Lesson 8: IPSec

Using the New Connection Security Rule Wizard

b) Authentication Exemption rule:
▪ Used to exempt specific computers or a group or range of IP addresses (computers) from being required to authenticate themselves.

c) Server-To-Server rule:
▪ Allows you to authenticate the communications between IP addresses or sets of addresses, including specific computers and subnets.

d) Tunnel rule:
▪ Used to configure IPSec tunnel mode for VPN gateways.

e) Custom rule:
▪ Used to create a rule that requires special settings or a combination of features from the various rule types.

Page 52: Lesson 8: IPSec

Using the New Connection Security Rule Wizard

2. Endpoints page: Used to specify the remote computers with which you want to negotiate an IPSec connection.

3. Requirements page: Used to specify the authentication requirements (or an exemption from authentication) for the specified endpoints.

4. Authentication Method page: Allows you to specify the method by which computer endpoints are authenticated. The first option is Default.

Page 53: Lesson 8: IPSec

Using the New Connection Security Rule Wizard

5. Profile page: Allows you to limit the local network location types to which the rule will apply. The profiles you can enable for the rule are Domain, Private, and Public.

6. Name page: Allows you to name the new Connection Security Rule and (optionally) to provide a description.

Page 54: Lesson 8: IPSec

Configuring IPSec Settings for Connection Security Rules

These settings are configured in the WFAS node of a GPO or in the WFAS console.

To access these settings:

1. Open the properties of the Windows Firewall With Advanced Security node.
2. In the properties dialog box that opens, click the IPSec Settings tab.

Page 55: Lesson 8: IPSec

Opening Windows Firewall properties

Page 56: Lesson 8: IPSec

Configuring IPSec Settings

Page 57: Lesson 8: IPSec

IPSec defaults

Clicking the Customize button opens the Customize IPSec Settings dialog box.

Here you set new default parameters for key negotiation (exchange), data protection, and the authentication method.

Page 58: Lesson 8: IPSec

Setting IPSec default

Page 59: Lesson 8: IPSec

Configuring IPSec Settings for Connection Security Rules

Example: To configure data encryption for connection security rules:

1. Select Advanced in the Data Protection area.
2. Click Customize, which opens the Customize Data Protection Settings dialog box.
3. Select the Require Encryption For All Connection Security Rules That Use These Settings check box.
4. Click OK.

Page 60: Lesson 8: IPSec

Requiring encryption for connection security rules

Page 61: Lesson 8: IPSec

Any questions? Contact me: [email protected]