70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security

Upload: barclay-sykes

Post on 02-Jan-2016

Objectives

• Describe IP Security issues and how the IPSec protocol addresses them

• Choose the appropriate IPSec mode for a given situation

• Implement authentication for IPSec

• Enable IPSec

• Create IPSec policies

• Monitor and troubleshoot IPSec

Why IPSec Is Important

• IPSec provides security for IP-based networks

  • Authenticate both computers engaged in a conversation

  • Use digital signatures to verify that data has not been tampered with while in transit

  • Encrypt data while in transit

How Hackers Work

• IPv4 has no built-in security mechanisms to protect the communication between two hosts

• Hackers can corrupt or eavesdrop on communications

  • Packet sniffing

  • Data replay

  • Data modification

  • Address spoofing

Authentication, Encryption, and Digital Signatures

• IPSec authenticates the endpoints of any IP-based conversation using IPSec

• Each participant must be known and trusted

• Encryption can be used by IPSec to hide the contents of data packets

• Digital signatures on each packet in a conversation ensure that a packet has not been modified

Advantages of IPSec

• IPSec exists at the network layer of the TCP/IP architecture so most applications are unaware of it

• IPSec is a valuable addition to a network when data integrity or confidentiality is required

• IPSec is widely used by many vendors

• It is a standards-based protocol

Disadvantages of IPSec

• Pre-Windows 2000 operating systems from Microsoft do not support IPSec

• IPSec can significantly slow network communication

• Only the latest versions of IPSec can be routed through NAT, which is a serious limitation for remote users

• IPSec adds complexity to a network

IPSec Modes

• The modes of operation define whether communication is secured between two hosts or two networks, and which IPSec services are used

• When implementing IPSec, you must choose tunnel mode or transport mode

• You must also choose AH mode or ESP mode

AH Mode

• Use AH mode when you are concerned about packets being captured with a packet sniffer and replayed

• Authentication Headers (AH) mode enforces authentication of the two IPSec clients and includes a digital signature on each packet

  • Authenticates the two endpoints and adds a checksum

  • Checksum guarantees that the packet is not modified in transit, including the IP headers

• AH mode does not provide data confidentiality, however; the payload of the packet is unencrypted

ESP Mode

• Most implementations of IPSec use ESP mode because data encryption is desired

• The ESP mode authenticates the two endpoints, adds a checksum, and encrypts the data in the packet

  • Authentication performs the same function as in AH mode

  • Checksum guarantees that the packet was not modified in transit, excluding the IP headers

  • Encryption ensures that unintended recipients cannot read the data in the packet
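
The difference in what the AH and ESP checksums cover, together with the replay check, as an added example that is not part of the original slides. It is a simplified model: HMAC-SHA1 stands in for the checksum, the key, addresses and payload are constructed, ESP's encryption is left out, and all names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-sa-key"  # constructed; a real SA key is negotiated by IKE

@dataclass(frozen=True)
class Packet:
    src: str            # IP header fields (constructed sample addresses)
    dst: str
    seq: int            # per-SA sequence number used for anti-replay
    payload: bytes
    icv: bytes = b""    # integrity value (the "checksum" on the slides)

def covered(pkt, mode):
    """Bytes the integrity value is computed over in this simplified model."""
    body = pkt.seq.to_bytes(4, "big") + pkt.payload
    if mode == "AH":    # AH: the IP header addresses are covered as well
        return f"{pkt.src}|{pkt.dst}|".encode() + body
    if mode == "ESP":   # ESP: the IP header is outside the check
        return body
    raise ValueError(mode)

def mac(pkt, mode):
    # HMAC-SHA1 truncated to 96 bits
    return hmac.new(KEY, covered(pkt, mode), hashlib.sha1).digest()[:12]

def protect(pkt, mode):
    return replace(pkt, icv=mac(pkt, mode))

class Receiver:
    def __init__(self, mode):
        self.mode, self.seen = mode, set()

    def accept(self, pkt):
        if not hmac.compare_digest(pkt.icv, mac(pkt, self.mode)):
            return "reject: integrity"
        if pkt.seq in self.seen:      # same sequence number seen before
            return "reject: replay"
        self.seen.add(pkt.seq)
        return "accept"

def demo(mode):
    rx = Receiver(mode)
    p1, p2, p3 = (protect(Packet("10.0.0.5", "192.0.2.10", n, b"USER alice"), mode)
                  for n in (1, 2, 3))
    return {
        "original": rx.accept(p1),
        "replayed": rx.accept(p1),
        "payload_modified": rx.accept(replace(p2, payload=b"USER mallory")),
        "header_modified": rx.accept(replace(p3, src="203.0.113.7")),
    }
```

In this model a rewritten source address is rejected under AH but accepted under ESP, which is also why address translation interferes with AH.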

Transport Mode

• IPSec in transport mode is used between two hosts

• Both endpoints in the communication must support IPSec

• This limits the implementation of IPSec because many devices, such as printers, rarely offer IPSec support

Tunnel Mode

• IPSec in tunnel mode is used between two routers

• The two hosts communicating through the routers do not need to support IPSec

• Authentication takes place between the two routers when using IPSec in tunnel mode

• Less secure because a hacker could place an unauthorized computer on a trusted network

IPSec Authentication

• Endpoints of an IPSec connection are authenticated

• Internet Key Exchange is the process used by two IPSec computers or routers to negotiate the following security parameters

  • Method of authentication

  • AH or ESP mode

  • Transport or tunnel mode

  • Encryption and hashing algorithms

  • Parameters for key exchange

IPSec Authentication (continued)

• A security association (SA) exists once the security parameters have been agreed upon

• Three methods Windows Server 2003 uses to authenticate IPSec connections:

  • Preshared key

  • Certificates

  • Kerberos

Preshared Key

• A preshared key is a combination of characters entered at each endpoint of the IPSec connection

• Authentication is based on both endpoints knowing the same secret

• The major advantage is simplicity

• The major disadvantage is that the preshared key must be moved between the two devices when configuring them

Certificates

• Certificates may be presented for authentication

• If the two certificates are part of the same hierarchy, each IPSec device accepts the certificate of the other

• The main disadvantage of using third-party certificates is cost

Kerberos

• Kerberos is the authentication system used by Windows 2000/XP/Server 2003 for access to network resources

• Seamless integration with domain security

• Not a commonly supported authentication system for IPSec on non-Microsoft products such as routers

• Not appropriate for Windows computers that are not part of the Active Directory forest

Enabling IPSec

• IPSec is enabled on Windows Server 2003 using IPSec policies

• An IPSec policy must be in place to use IPSec

• The three policies installed by default

  • Server (Request Security)

  • Client (Respond Only)

  • Secure Server (Require Security)

Assigning a Default IPSec Policy

• A single server can have many IPSec policies

• No policy is used until it is assigned

• One policy can be assigned at a time per machine

• The Local Security Policy snap-in can assign an IPSec policy on a single computer

• Group Policy can assign an IPSec policy to a group of computers

Activity 10-1: Assigning an IPSec Policy

• The purpose of this activity is to assign an IPSec policy to enable encryption of data packets

Activity 10-2: Verifying an IPSec Security Association

• The purpose of this activity is to verify that the IPSec policy you have enabled is working

Creating Your Own IPSec Security Policy

• An IPSec rule controls how IPSec is implemented and each rule is composed of:

  • An IP filter list

  • An IPSec filter action

  • Authentication methods

  • A tunnel endpoint

  • A connection type

• An IP filter list is a list of protocols that will be affected by the rule

Creating Your Own IPSec Security Policy (continued)

• An IPSec filter action is what will be done to the protocols defined in the filter list

• Authentication methods are the protocols that can be used for authentication if IPSec is rule-based

• The tunnel endpoint is the remote host IPSec is being performed with when tunnel mode is used

• The connection type defines the type of connections to which this rule applies

Activity 10-3: Creating an IPSec Policy

• The purpose of this activity is to create a new IPSec policy that is more flexible than the default policies

Adding and Creating Rules

• After creating an IPSec policy, edit it to add rules that define how different types of IP traffic are handled

• After selecting an IP filter list, select an action to be performed on the packets that match the IP filter list

• The three filter actions that exist by default are

  • Permit

  • Request security

  • Require security

Activity 10-4: Creating a New IPSec Filter Rule

• The purpose of this activity is to add a new IPSec filter rule that allows ICMP traffic to pass through unmodified

IPSec Filter Lists

• When a new IP filter list is created

  • Give it a name

  • Have the option of giving it a description

  • Add IP filters that make up the list and specify the traffic to which this list applies

Activity 10-5: Creating an IPSec Filter List

• The purpose of this activity is to create a new IPSec filter list for all FTP traffic

Filter Actions

• Filter actions define what is done to traffic that matches an IP filter list:

  • Permit

  • Request Security (Optional)

  • Require Security

• Filter actions define a number of security parameters, including the type of encryption

• In highly secure situations, you may want to modify these or create your own
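
How filter lists and filter actions combine when traffic is evaluated, as an added example rather than material from the original slides. It is a simplified Python model with hypothetical names and a constructed policy that echoes the chapter's activities (ICMP permitted, FTP control traffic on TCP port 21 required to be secured); it assumes the Windows behaviour that the most specific matching filter wins and that Request Security falls back to cleartext while Require Security does not.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:                        # one entry of an IP filter list
    protocol: Optional[str] = None   # None = any protocol
    dst_port: Optional[int] = None   # None = any port

    def matches(self, protocol, dst_port):
        return (self.protocol in (None, protocol)
                and self.dst_port in (None, dst_port))

    def specificity(self):
        # Number of fields that are pinned down by this filter
        return (self.protocol is not None) + (self.dst_port is not None)

@dataclass(frozen=True)
class Rule:
    name: str
    filters: tuple       # the rule's IP filter list
    action: str          # filter action: "permit", "request" or "require"

# Constructed policy; rule order is deliberately not most-specific-first.
POLICY = (
    Rule("All IP", (Filter(),), "request"),
    Rule("ICMP", (Filter("ICMP"),), "permit"),
    Rule("FTP", (Filter("TCP", 21),), "require"),
)

def select_rule(protocol, dst_port=None):
    """Return the rule owning the most specific matching filter."""
    hits = [(f.specificity(), r) for r in POLICY for f in r.filters
            if f.matches(protocol, dst_port)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def outcome(protocol, dst_port=None, peer_has_ipsec=True):
    rule = select_rule(protocol, dst_port)
    if rule is None or rule.action == "permit":
        return "cleartext"
    if peer_has_ipsec:
        return "secured"             # an SA is negotiated
    # No SA can be negotiated: request falls back, require refuses
    return "cleartext" if rule.action == "request" else "blocked"
```

With this policy, a peer without IPSec support can still be pinged and reached over other protocols in cleartext, but its FTP control connection is blocked.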

Cryptography Algorithms

• Two algorithms for AH and ESP data integrity

  • Secure Hash Algorithm (SHA1)

  • Message Digest 5 (MD5)

• Two algorithms for ESP data encryption

  • Data Encryption Standard (DES)

  • Triple Data Encryption Standard (3DES)

Activity 10-6: Creating a Filter Action

• The purpose of this activity is to create a new filter action that enforces encryption

Activity 10-7: Adding a Customized Filter List and Filter Action

• The purpose of this activity is to edit your FTP filter and add a rule using the customized filter list and filter action you have created

Troubleshooting IPSec

• IPSec troubleshooting deals with

  • General network issues

  • IPSec-specific configuration settings

  • Group policy settings

Troubleshooting IPSec (continued)

• Most common IPSec troubleshooting tools/utilities

  • Ping

  • IPSec Security Monitor

  • Event Viewer

  • Resultant Set of Policy

  • Netsh

  • Oakley logs

  • Network Monitor

Ping

• Tests network connectivity between two hosts

• The default IPSec policies permit ICMP packets and do not interfere with ping

• Does not test IPSec specifically, but can confirm that two hosts can communicate

• If they cannot communicate, they are not able to create an IPSec SA

IPSec Security Monitor

• MMC snap-in that allows you to view the status of IPSec SAs

• Can confirm that an SA was negotiated between two hosts

• Can be used to view the configuration of the IPSec policy that is applied

Event Viewer

• Event Viewer can be used to view the events that the IPSec Policy Agent writes to the event log

• Events show the configuration settings that IPSec is using and events generated during the creation of SAs

• Events are only written to the log if the Audit logon events option is enabled in the local security policy or Group Policy

Resultant Set of Policy Snap-in

• If you try to distribute and apply IPSec policies through Group Policy, and they are not functioning as you expect, you can use the Resultant Set of Policy (RSoP) snap-in

• Allows you to

  • View which policies apply

  • Simulate the application of new policies to test their results

Netsh

• The Netsh utility allows you to configure network-related settings:

  • Bridging

  • DHCP

  • Diagnostics

  • IP configuration

  • Remote access

  • Routing

  • WINS

  • Remote procedure calls

Netsh (continued)

• IPSec configuration can also be modified using Netsh

• Some IPSec management tasks that can be performed with Netsh:

  • Viewing policies

  • Adding policies

  • Deleting policies

Oakley Logs

• Oakley logs track the establishment of SAs

• This logging is not enabled by default

Network Monitor

• Network Monitor can be used to view packets that are traveling on the network and to identify IPSec traffic

• Cannot view encrypted information inside an IPSec packet

• Useful for determining whether packets are being properly transmitted between computers

• Not useful for troubleshooting application level problems if the traffic is encrypted

Activity 10-8: Disabling IPSec

• The purpose of this activity is to disable IPSec policies that have been applied

Summary

• IPv4 has no built-in security mechanisms and uses IPSec to make communication secure

• IPSec AH mode does not perform data encryption, but can authenticate and guarantee data integrity

• IPSec ESP mode can perform data encryption and authentication, and guarantees data integrity for the data portion of the packet, but not the IP headers

Summary (continued)

• Transport mode is used between two hosts

• Tunnel mode is used between two routers

• The Windows Server 2003 implementation can perform authentication using a preshared key, certificates, or Kerberos

• IPSec policies contain rules that control

  • Authentication

  • Which traffic is affected and what is done to the affected traffic

  • Type of connections affected

  • Whether this computer is a tunnel endpoint

Summary (continued)

• Filter actions define what is done to traffic that matches an IP filter list

• SHA1 and MD5 are used for AH and ESP data integrity

• DES and 3DES are used for ESP data encryption

• IPSec troubleshooting covers general network issues, IPSec-specific configuration settings, and group policy settings