objectives
DESCRIPTION
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security. Objectives. Describe IP Security issues and how the IPSec protocol addresses them Choose the appropriate IPSec mode for a given situation - PowerPoint PPT PresentationTRANSCRIPT
70-293: MCSE Guide to Planning a Microsoft Windows
Server 2003 Network, Enhanced
Chapter 10: Planning and Managing IP
Security
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 2
Objectives
• Describe IP Security issues and how the IPSec protocol addresses them
• Choose the appropriate IPSec mode for a given situation
• Implement authentication for IPSec• Enable IPSec• Create IPSec policies• Monitor and troubleshoot IPSec
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 3
Why IPSec Is Important
• IPSec provides security for IP-based networks• Authenticate both computers engaged in a conversation
• Use digital signatures to verify that data has not been tampered with while in transit
• Encrypt data while in transit
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 4
How Hackers Work
• IPv4 has no built-in security mechanisms to protect the communication between two hosts
• Hackers can corrupt or eavesdrop on communications• Packet sniffing
• Data replay
• Data modification
• Address spoofing
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 5
Authentication, Encryption, and Digital Signatures
• IPSec authenticates the endpoints of any IP-based conversation using IPSec• Each participant must be known and trusted
• Encryption can be used by IPSec to hide the contents of data packets
• Digital signatures on each packet in a conversation ensure that a packet has not been modified
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 6
Advantages of IPSec
• IPSec exists at the network layer of the TCP/IP architecture so most applications are unaware of it
• IPSec is a valuable addition to a network when data integrity or confidentiality are required
• IPSec is widely used by many vendors • It is a standards protocol
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 7
Disadvantages of IPSec
• Pre-Windows 2000 operating systems from Microsoft do not support the IPSec
• IPSec can significantly slow network communication• Only latest versions of IPSec can be routed through
NAT, which is a serious limitation for remote users• IPSec adds complexity to a network
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 8
Disadvantages of IPSec (continued)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 9
IPSec Modes
• The modes of operation define whether communication is secured between two hosts or two networks, and which IPSec services are used
• When implementing IPSec, you must choose tunnel mode or transport mode
• Must choose AH mode or ESP mode
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 10
AH Mode• Use AH mode when you are concerned about packets
being captured with a packet sniffer and replayed• Authentication Headers (AH) mode enforces
authentication of the two IPSec clients and includes a digital signature on each packet• Authenticates the two endpoints and adds a checksum
• Checksum guarantees that the packet is not modified in transit, including the IP headers
• AH mode does not provide data confidentiality, however; the payload of the packet is unencrypted
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 11
ESP Mode
• Most implementations of IPSec use ESP mode because data encryption is desired
• The ESP mode authenticates the two endpoints, adds a checksum, and encrypts the data in the packet• Authentication performs the same function as in AH mode
• Checksum guarantees that the packet was not modified in transit, excluding the IP headers
• Encryption ensures that unintended recipients cannot read the data in the packet
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 12
Transport Mode
• IPSec in transport mode is used between two hosts• Both endpoints in the communication must support
IPSec• This limits the implementation of IPSec because
many devices, such as printers, rarely offer IPSec support
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 13
Transport Mode (continued)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 14
Transport Mode (continued)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 15
Tunnel Mode
• IPSec in tunnel mode is used between two routers• The two hosts communicating through the routers do not
need to support IPSec
• Authentication takes place between the two routers when using IPSec in tunnel mode • Less secure because a hacker could place an unauthorized
computer on a trusted network
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 16
Tunnel Mode (continued)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 17
Tunnel Mode (continued)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 18
IPSec Authentication
• Endpoints of an IPSec are authenticated• Internet Key Exchange is the process used by two
IPSec computers or routers to negotiate the following security parameters• Method of authentication
• AH or ESP mode
• Transport or tunnel mode
• Encryption and hashing algorithms
• Parameters for key exchange
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 19
IPSec Authentication (continued)
• Security association (SA): when security parameters have been agreed upon
• Three methods Windows Server 2003 uses to authenticate IPSec connections:• Preshared key
• Certificates
• Kerberos
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 20
Preshared Key
• A preshared key is a combination of characters entered at each endpoint of the IPSec connection• Authentication is based on both endpoints knowing the
same secret
• The major advantage is simplicity • The major disadvantage is the movement of the
preshared key when configuring the two devices
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 21
Certificates
• Certificates may be presented for authentication• If the two certificates are part of the same hierarchy,
each IPSec device accepts the certificate of the other• The main disadvantage of using third-party
certificates is cost
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 22
Kerberos• Kerberos is the authentication system used by
Windows 2000/XP/Server 2003 for access to network resources
• Seamless integration with domain security• Not a commonly supported authentication system for
IPSec on non-Microsoft products such as routers
• Not appropriate for Windows computers that are not part of the Active Directory forest
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 23
Enabling IPSec• IPSec is enabled on Windows Server 2003 using
IPSec policies• An IPSec policy must be in place to use IPSec
• The three policies installed by default• Server (Request Security)
• Client (Respond Only)
• Secure Server (Require Security)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 24
Assigning a Default IPSec Policy
• A single server can have many IPSec policies• No policy is used until it is assigned• One policy can be assigned at a time per machine• The Local Security Policy snap-in can assign an
IPSec policy on a single computer• Group Policy can assign an IPSec policy to a group of
computers
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 25
Activity 10-1: Assigning an IPSec Policy
• The purpose of this activity is to assign an IPSec policy to enable encryption of data packet
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 26
Activity 10-2: Verifying an IPSec Security Association
• The purpose of this activity is to verify that the IPSec policy you have enabled is working
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 27
Creating Your Own IPSec Security Policy
• An IPSec rule controls how IPSec is implemented and each rule is composed of:• An IP filter list
• An IPSec filter action
• Authentication methods
• A tunnel endpoint
• A connection type
• An IP filter list is a list of protocols that will be affected by the rule
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 28
Creating Your Own IPSec Security Policy (continued)
• An IPSec filter action is what will be done to the protocols defined in the filter list
• Authentication methods are the protocols that can be used for authentication if IPSec is rule-based
• The tunnel endpoint is the remote host IPSec is being performed with when tunnel mode is used
• The connection type defines the type of connections to which this rule applies
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 29
Activity 10-3: Creating an IPSec Policy
• The purpose of this activity is to create a new IPSec policy that is more flexible than the default policies
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 30
Adding and Creating Rules
• After creating an IPSec policy, edit it to add rules that define how different types of IP traffic are handled
• After selecting an IP filter list, select an action to be performed on the packets that match the IP filter list
• The three filter actions that exist by default are• Permit
• Request security
• Require security
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 31
Activity 10-4: Creating a New IPSec Filter Rule
• The purpose of this activity is to add a new IPSec filter rule that allows ICMP traffic to pass through unmodified
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 32
IPSec Filter Lists
• When a new IP filter list is created• Give it a name
• Have the option of giving it a description
• Add IP filters that make up the list and specify the traffic to which this list applies
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 33
Activity 10-5: Creating an IPSec Filter List
• The purpose of this activity is to create a new IPSec filter list for all FTP traffic
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 34
Filter Actions
• Filter actions define what is done to traffic that matches an IP filter list:• Permit
• Request Security (Optional)
• Require Security
• Filter actions define a number of security parameters, including the type of encryption • In highly secure situations, you may want to modify these
or create your own
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 35
Cryptography Algorithms
• Two algorithms for AH and ESP data integrity• Secure Hash Algorithm (SHA1)
• Message Digest 5 (MD5)
• Two algorithms for ESP data encryption• Data encryption standard (DES)
• Triple data encryption standard (3DES)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 36
Activity 10-6: Creating a Filter Action
• The purpose of this activity is to create a new filter action that enforces encryption
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 37
Activity 10-7: Adding a Customized Filter List and Filter
Action
• The purpose of this activity is to edit your FTP filter and add a rule using the customized filter list and filter action you have created
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 38
Troubleshooting IPSec
• IPSec troubleshooting deals with• General network issues
• IPSec-specific configuration settings
• Group policy settings
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 39
Troubleshooting IPSec (continued)
• Most common IPSec troubleshooting tools/utilities• Ping
• IPSec Security Monitor
• Event Viewer
• Resultant Set of Policy
• Netsh
• Oakley logs
• Network Monitor
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 40
Ping
• Tests network connectivity between two hosts• The default IPSec policies permit ICMP packets and
do not interfere with ping• Does not test IPSec specifically, but can confirm that
two hosts can communicate• If they cannot communicate, they are not able to create an
IPSec SA
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 41
IPSec Security Monitor
• MMC snap-in that allows you to view the status of IPSec SAs
• Can confirm that an SA was negotiated between two hosts
• Can be used to view the configuration of the IPSec policy that is applied
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 42
Event Viewer
• Event Viewer can be used to view the events that the IPSec Policy Agent writes to the event log
• Events show the configuration settings that IPSec is using and events generated during the creation of SAs
• Events are only written to the log if the Audit logon events option is enabled in the local security policy or Group Policy
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 43
Resultant Set of Policy Snap-in
• If you try to distribute and apply IPSec policies through Group Policy, and they are not functioning as you expect, you can use the Resultant Set of Policy (RSoP) snap-in
• Allows you to• View which policies apply
• Simulate the application of new policies to test their results
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 44
Netsh
• The Netsh utility allows you to configure network-related settings: • Bridging
• DHCP
• Diagnostics
• IP configuration
• remote access
• Routing
• WINS
• Remote procedure calls
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 45
Netsh (continued)
• IPSec configuration can also be modified using Netsh• Some IPSec management tasks that can be performed
with Netsh:• Viewing policies
• Adding policies
• Deleting policies
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 46
Oakley Logs
• Oakley logs track the establishment of SAs• This logging is not enabled by default
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 47
Network Monitor
• Network Monitor can be used to view packets that are traveling on the network and to identify IPSec traffic• Cannot view encrypted information inside an IPSec packet
• Useful for determining whether packets are being properly transmitted between computers
• Not useful for troubleshooting application level problems if the traffic is encrypted
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 48
Activity 10-8: Disabling IPSec
• The purpose of this activity is to disable IPSec policies that have been applied
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 49
Summary
• IPv4 has no built-in security mechanisms and uses IPSec to make communication secure
• IPSec AH mode does not perform data encryption, but can authenticate and guarantee data integrity
• IPSec ESP mode can perform data encryption, authentication, and guarantees data integrity for the data portion of the packet, but not the IP headers
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 50
Summary (continued)
• Transport mode is used between two hosts• Tunnel mode is used between two routers• The Windows Server 2003 implementation can
perform authentication using a preshared key, certificates, or Kerberos
• IPSec policies contain rules that control• Authentication• Which traffic is affected and what is done to the affected
traffic• Type of connections affected• Whether this computer is a tunnel endpoint
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 51
Summary (continued)
• Filter actions define what is done to traffic that matches an IP filter list
• SHA1 and MD5 are used for AH and ESP data integrity
• DES and 3DES are used for ESP data encryption• IPSec troubleshooting covers general network issues,
IPSec-specific configuration settings, and group policy settings