510 likes | 605 Vues
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security. Objectives. Describe IP Security issues and how the IPSec protocol addresses them Choose the appropriate IPSec mode for a given situation
E N D
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, EnhancedChapter 10: Planning and Managing IPSecurity
Objectives • Describe IP Security issues and how the IPSec protocol addresses them • Choose the appropriate IPSec mode for a given situation • Implement authentication for IPSec • Enable IPSec • Create IPSec policies • Monitor and troubleshoot IPSec 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Why IPSec Is Important • IPSec provides security for IP-based networks • Authenticate both computers engaged in a conversation • Use digital signatures to verify that data has not been tampered with while in transit • Encrypt data while in transit 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
How Hackers Work • IPv4 has no built-in security mechanisms to protect the communication between two hosts • Hackers can corrupt or eavesdrop on communications • Packet sniffing • Data replay • Data modification • Address spoofing 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Authentication, Encryption, and Digital Signatures • IPSec authenticates the endpoints of any IP-based conversation using IPSec • Each participant must be known and trusted • Encryption can be used by IPSec to hide the contents of data packets • Digital signatures on each packet in a conversation ensure that a packet has not been modified 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Advantages of IPSec • IPSec exists at the network layer of the TCP/IP architecture so most applications are unaware of it • IPSec is a valuable addition to a network when data integrity or confidentiality are required • IPSec is widely used by many vendors • It is a standards protocol 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Disadvantages of IPSec • Pre-Windows 2000 operating systems from Microsoft do not support the IPSec • IPSec can significantly slow network communication • Only latest versions of IPSec can be routed through NAT, which is a serious limitation for remote users • IPSec adds complexity to a network 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Disadvantages of IPSec (continued) 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
IPSec Modes • The modes of operation define whether communication is secured between two hosts or two networks, and which IPSec services are used • When implementing IPSec, you must choose tunnel mode or transport mode • Must choose AH mode or ESP mode 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
AH Mode • Use AH mode when you are concerned about packets being captured with a packet sniffer and replayed • Authentication Headers (AH) mode enforces authentication of the two IPSec clients and includes a digital signature on each packet • Authenticates the two endpoints and adds a checksum • Checksum guarantees that the packet is not modified in transit, including the IP headers • AH mode does not provide data confidentiality, however; the payload of the packet is unencrypted 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
ESP Mode • Most implementations of IPSec use ESP mode because data encryption is desired • The ESP mode authenticates the two endpoints, adds a checksum, and encrypts the data in the packet • Authentication performs the same function as in AH mode • Checksum guarantees that the packet was not modified in transit, excluding the IP headers • Encryption ensures that unintended recipients cannot read the data in the packet 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Transport Mode • IPSec in transport mode is used between two hosts • Both endpoints in the communication must support IPSec • This limits the implementation of IPSec because many devices, such as printers, rarely offer IPSec support 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Transport Mode (continued) 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Transport Mode (continued) 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Tunnel Mode • IPSec in tunnel mode is used between two routers • The two hosts communicating through the routers do not need to support IPSec • Authentication takes place between the two routers when using IPSec in tunnel mode • Less secure because a hacker could place an unauthorized computer on a trusted network 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Tunnel Mode (continued) 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Tunnel Mode (continued) 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
IPSec Authentication • Endpoints of an IPSec are authenticated • Internet Key Exchange is the process used by two IPSec computers or routers to negotiate the following security parameters • Method of authentication • AH or ESP mode • Transport or tunnel mode • Encryption and hashing algorithms • Parameters for key exchange 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
IPSec Authentication (continued) • Security association (SA): when security parameters have been agreed upon • Three methods Windows Server 2003 uses to authenticate IPSec connections: • Preshared key • Certificates • Kerberos 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Preshared Key • A preshared key is a combination of characters entered at each endpoint of the IPSec connection • Authentication is based on both endpoints knowing the same secret • The major advantage is simplicity • The major disadvantage is the movement of the preshared key when configuring the two devices 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Certificates • Certificates may be presented for authentication • If the two certificates are part of the same hierarchy, each IPSec device accepts the certificate of the other • The main disadvantage of using third-party certificates is cost 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Kerberos • Kerberos is the authentication system used by Windows 2000/XP/Server 2003 for access to network resources • Seamless integration with domain security • Not a commonly supported authentication system for IPSec on non-Microsoft products such as routers • Not appropriate for Windows computers that are not part of the Active Directory forest 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Enabling IPSec • IPSec is enabled on Windows Server 2003 using IPSec policies • An IPSec policy must be in place to use IPSec • The three policies installed by default • Server (Request Security) • Client (Respond Only) • Secure Server (Require Security) 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Assigning a Default IPSec Policy • A single server can have many IPSec policies • No policy is used until it is assigned • One policy can be assigned at a time per machine • The Local Security Policy snap-in can assign an IPSec policy on a single computer • Group Policy can assign an IPSec policy to a group of computers 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-1: Assigning an IPSec Policy • The purpose of this activity is to assign an IPSec policy to enable encryption of data packet 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-2: Verifying an IPSec Security Association • The purpose of this activity is to verify that the IPSec policy you have enabled is working 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Creating Your Own IPSec Security Policy • An IPSec rule controls how IPSec is implemented and each rule is composed of: • An IP filter list • An IPSec filter action • Authentication methods • A tunnel endpoint • A connection type • An IP filter list is a list of protocols that will be affected by the rule 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Creating Your Own IPSec Security Policy (continued) • An IPSec filter action is what will be done to the protocols defined in the filter list • Authentication methods are the protocols that can be used for authentication if IPSec is rule-based • The tunnel endpoint is the remote host IPSec is being performed with when tunnel mode is used • The connection type defines the type of connections to which this rule applies 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-3: Creating an IPSec Policy • The purpose of this activity is to create a new IPSec policy that is more flexible than the default policies 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Adding and Creating Rules • After creating an IPSec policy, edit it to add rules that define how different types of IP traffic are handled • After selecting an IP filter list, select an action to be performed on the packets that match the IP filter list • The three filter actions that exist by default are • Permit • Request security • Require security 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-4: Creating a New IPSec Filter Rule • The purpose of this activity is to add a new IPSec filter rule that allows ICMP traffic to pass through unmodified 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
IPSec Filter Lists • When a new IP filter list is created • Give it a name • Have the option of giving it a description • Add IP filters that make up the list and specify the traffic to which this list applies 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-5: Creating an IPSec Filter List • The purpose of this activity is to create a new IPSec filter list for all FTP traffic 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Filter Actions • Filter actions define what is done to traffic that matches an IP filter list: • Permit • Request Security (Optional) • Require Security • Filter actions define a number of security parameters, including the type of encryption • In highly secure situations, you may want to modify these or create your own 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Cryptography Algorithms • Two algorithms for AH and ESP data integrity • Secure Hash Algorithm (SHA1) • Message Digest 5 (MD5) • Two algorithms for ESP data encryption • Data encryption standard (DES) • Triple data encryption standard (3DES) 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-6: Creating a Filter Action • The purpose of this activity is to create a new filter action that enforces encryption 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-7: Adding a Customized Filter List and Filter Action • The purpose of this activity is to edit your FTP filter and add a rule using the customized filter list and filter action you have created 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Troubleshooting IPSec • IPSec troubleshooting deals with • General network issues • IPSec-specific configuration settings • Group policy settings 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Troubleshooting IPSec (continued) • Most common IPSec troubleshooting tools/utilities • Ping • IPSec Security Monitor • Event Viewer • Resultant Set of Policy • Netsh • Oakley logs • Network Monitor 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Ping • Tests network connectivity between two hosts • The default IPSec policies permit ICMP packets and do not interfere with ping • Does not test IPSec specifically, but can confirm that two hosts can communicate • If they cannot communicate, they are not able to create an IPSec SA 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
IPSec Security Monitor • MMC snap-in that allows you to view the status of IPSec SAs • Can confirm that an SA was negotiated between two hosts • Can be used to view the configuration of the IPSec policy that is applied 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Event Viewer • Event Viewer can be used to view the events that the IPSec Policy Agent writes to the event log • Events show the configuration settings that IPSec is using and events generated during the creation of SAs • Events are only written to the log if the Audit logon events option is enabled in the local security policy or Group Policy 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Resultant Set of Policy Snap-in • If you try to distribute and apply IPSec policies through Group Policy, and they are not functioning as you expect, you can use the Resultant Set of Policy (RSoP) snap-in • Allows you to • View which policies apply • Simulate the application of new policies to test their results 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Netsh • The Netsh utility allows you to configure network-related settings: • Bridging • DHCP • Diagnostics • IP configuration • remote access • Routing • WINS • Remote procedure calls 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Netsh (continued) • IPSec configuration can also be modified using Netsh • Some IPSec management tasks that can be performed with Netsh: • Viewing policies • Adding policies • Deleting policies 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Oakley Logs • Oakley logs track the establishment of SAs • This logging is not enabled by default 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Network Monitor • Network Monitor can be used to view packets that are traveling on the network and to identify IPSec traffic • Cannot view encrypted information inside an IPSec packet • Useful for determining whether packets are being properly transmitted between computers • Not useful for troubleshooting application level problems if the traffic is encrypted 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Activity 10-8: Disabling IPSec • The purpose of this activity is to disable IPSec policies that have been applied 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Summary • IPv4 has no built-in security mechanisms and uses IPSec to make communication secure • IPSec AH mode does not perform data encryption, but can authenticate and guarantee data integrity • IPSec ESP mode can perform data encryption, authentication, and guarantees data integrity for the data portion of the packet, but not the IP headers 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Summary (continued) • Transport mode is used between two hosts • Tunnel mode is used between two routers • The Windows Server 2003 implementation can perform authentication using a preshared key, certificates, or Kerberos • IPSec policies contain rules that control • Authentication • Which traffic is affected and what is done to the affected traffic • Type of connections affected • Whether this computer is a tunnel endpoint 70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network