This chapter from the MCSE Guide focuses on planning and managing Internet Protocol Security (IPSec) within a Windows Server 2003 environment. It details the importance of IPSec for enhancing network security through authentication and encryption. Learn to address various IPSec issues, choose the right mode for specific situations (tunnel or transport mode), and implement security policies. The chapter also covers common vulnerabilities in IPv4 and emphasizes the advantages and disadvantages of using IPSec for secure communications.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced
Chapter 10: Planning and Managing IP Security
Objectives
• Describe IP Security issues and how the IPSec protocol addresses them
• Choose the appropriate IPSec mode for a given situation
• Implement authentication for IPSec
• Enable IPSec
• Create IPSec policies
• Monitor and troubleshoot IPSec

Why IPSec Is Important
• IPSec provides security for IP-based networks
  • Authenticates both computers engaged in a conversation
  • Uses digital signatures to verify that data has not been tampered with while in transit
  • Encrypts data while in transit

How Hackers Work
• IPv4 has no built-in security mechanisms to protect the communication between two hosts
• Hackers can corrupt or eavesdrop on communications
  • Packet sniffing
  • Data replay
  • Data modification
  • Address spoofing

Authentication, Encryption, and Digital Signatures
• IPSec authenticates the endpoints of any IP-based conversation using IPSec
  • Each participant must be known and trusted
• Encryption can be used by IPSec to hide the contents of data packets
• Digital signatures on each packet in a conversation ensure that the packet has not been modified

Advantages of IPSec
• IPSec exists at the network layer of the TCP/IP architecture, so most applications are unaware of it
• IPSec is a valuable addition to a network when data integrity or confidentiality is required
• IPSec is widely used by many vendors
• It is a standards-based protocol

Disadvantages of IPSec
• Pre-Windows 2000 operating systems from Microsoft do not support IPSec
• IPSec can significantly slow network communication
• Only the latest versions of IPSec can be routed through NAT, which is a serious limitation for remote users
• IPSec adds complexity to a network

Disadvantages of IPSec (continued)
IPSec Modes
• The modes of operation define whether communication is secured between two hosts or between two networks, and which IPSec services are used
• When implementing IPSec, you must choose tunnel mode or transport mode
• You must also choose AH mode or ESP mode

AH Mode
• Use AH mode when you are concerned about packets being captured with a packet sniffer and replayed
• Authentication Headers (AH) mode enforces authentication of the two IPSec clients and includes a digital signature on each packet
  • Authenticates the two endpoints and adds a checksum
  • The checksum guarantees that the packet is not modified in transit, including the IP headers
• AH mode does not provide data confidentiality, however; the payload of the packet is unencrypted

ESP Mode
• Most implementations of IPSec use ESP mode because data encryption is desired
• ESP mode authenticates the two endpoints, adds a checksum, and encrypts the data in the packet
  • Authentication performs the same function as in AH mode
  • The checksum guarantees that the packet was not modified in transit, excluding the IP headers
  • Encryption ensures that unintended recipients cannot read the data in the packet

Transport Mode
• IPSec in transport mode is used between two hosts
• Both endpoints in the communication must support IPSec
• This limits the implementation of IPSec because many devices, such as printers, rarely offer IPSec support

Transport Mode (continued)

Tunnel Mode
• IPSec in tunnel mode is used between two routers
• The two hosts communicating through the routers do not need to support IPSec
• Authentication takes place between the two routers, not between the hosts, when using IPSec in tunnel mode
• Less secure because a hacker could place an unauthorized computer on a trusted network, and its traffic would be tunneled like that of any other host

Tunnel Mode (continued)
IPSec Authentication
• The endpoints of an IPSec connection are authenticated
• Internet Key Exchange (IKE) is the process used by two IPSec computers or routers to negotiate the following security parameters
  • Method of authentication
  • AH or ESP mode
  • Transport or tunnel mode
  • Encryption and hashing algorithms
  • Parameters for key exchange

IPSec Authentication (continued)
• Security association (SA): the result once the security parameters have been agreed upon
• Three methods Windows Server 2003 uses to authenticate IPSec connections:
  • Preshared key
  • Certificates
  • Kerberos

Preshared Key
• A preshared key is a combination of characters entered at each endpoint of the IPSec connection
• Authentication is based on both endpoints knowing the same secret
• The major advantage is simplicity
• The major disadvantage is having to move the preshared key between the two devices when configuring them

Certificates
• Certificates may be presented for authentication
• If the two certificates are part of the same hierarchy, each IPSec device accepts the certificate of the other
• The main disadvantage of using third-party certificates is cost

Kerberos
• Kerberos is the authentication system used by Windows 2000/XP/Server 2003 for access to network resources
• Seamless integration with domain security
• Not a commonly supported authentication system for IPSec on non-Microsoft products such as routers
• Not appropriate for Windows computers that are not part of the Active Directory forest
Enabling IPSec
• IPSec is enabled on Windows Server 2003 using IPSec policies
• An IPSec policy must be in place to use IPSec
• The three policies installed by default:
  • Server (Request Security)
  • Client (Respond Only)
  • Secure Server (Require Security)

Assigning a Default IPSec Policy
• A single server can have many IPSec policies
• No policy is used until it is assigned
• Only one policy can be assigned at a time per machine
• The Local Security Policy snap-in can assign an IPSec policy on a single computer
• Group Policy can assign an IPSec policy to a group of computers

Activity 10-1: Assigning an IPSec Policy
• The purpose of this activity is to assign an IPSec policy to enable encryption of data packets

Activity 10-2: Verifying an IPSec Security Association
• The purpose of this activity is to verify that the IPSec policy you have enabled is working
Creating Your Own IPSec Security Policy
• An IPSec rule controls how IPSec is implemented, and each rule is composed of:
  • An IP filter list
  • An IPSec filter action
  • Authentication methods
  • A tunnel endpoint
  • A connection type
• An IP filter list is a list of protocols that will be affected by the rule

Creating Your Own IPSec Security Policy (continued)
• An IPSec filter action is what will be done to the protocols defined in the filter list
• Authentication methods are the protocols the rule can use to authenticate the endpoints
• The tunnel endpoint is the remote host with which IPSec is being performed when tunnel mode is used
• The connection type defines the type of connections to which this rule applies

Activity 10-3: Creating an IPSec Policy
• The purpose of this activity is to create a new IPSec policy that is more flexible than the default policies

Adding and Creating Rules
• After creating an IPSec policy, edit it to add rules that define how different types of IP traffic are handled
• After selecting an IP filter list, select an action to be performed on the packets that match the IP filter list
• The three filter actions that exist by default are:
  • Permit
  • Request security
  • Require security

Activity 10-4: Creating a New IPSec Filter Rule
• The purpose of this activity is to add a new IPSec filter rule that allows ICMP traffic to pass through unmodified

IPSec Filter Lists
• When a new IP filter list is created:
  • Give it a name
  • Optionally give it a description
  • Add the IP filters that make up the list and specify the traffic to which the list applies

Activity 10-5: Creating an IPSec Filter List
• The purpose of this activity is to create a new IPSec filter list for all FTP traffic

Filter Actions
• Filter actions define what is done to traffic that matches an IP filter list:
  • Permit
  • Request Security (Optional)
  • Require Security
• Filter actions define a number of security parameters, including the type of encryption
• In highly secure situations, you may want to modify these or create your own

Cryptography Algorithms
• Two algorithms for AH and ESP data integrity
  • Secure Hash Algorithm (SHA1)
  • Message Digest 5 (MD5)
• Two algorithms for ESP data encryption
  • Data Encryption Standard (DES)
  • Triple Data Encryption Standard (3DES)

Activity 10-6: Creating a Filter Action
• The purpose of this activity is to create a new filter action that enforces encryption

Activity 10-7: Adding a Customized Filter List and Filter Action
• The purpose of this activity is to edit your FTP filter and add a rule using the customized filter list and filter action you have created
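The objects built in Activities 10-3 through 10-7 (policy, IP filter list, filter action, rule, assignment) can also be created from the command line with netsh ipsec static on Windows Server 2003; the script below is an added example and not one of the chapter's activities. The policy and object names, the FTP port and the choice of ESP with 3DES/SHA1 are constructed for illustration.

```batch
rem Added example (not from the chapter): build an IPSec policy for FTP with netsh ipsec static.
rem All names and values below are constructed for illustration.

rem 1. A policy is only a container; nothing is enforced until it holds a rule and is assigned.
netsh ipsec static add policy name="FTP Policy" description="Require ESP for FTP control traffic"

rem 2. An IP filter list names the traffic a rule applies to (cf. Activity 10-5).
rem    dstaddr=me is this computer; srcport=0 is any port; mirrored=yes also matches the replies.
netsh ipsec static add filterlist name="FTP Traffic" description="TCP/21 to and from this host"
netsh ipsec static add filter filterlist="FTP Traffic" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=21 mirrored=yes

rem 3. A filter action says what happens to matching traffic (cf. Activity 10-6).
rem    action=negotiate with ESP[3DES,SHA1] asks for encryption plus integrity;
rem    inpass=no and soft=no refuse any fallback to clear text, i.e. a "Require Security" action.
netsh ipsec static add filteraction name="Require ESP 3DES" description="3DES encryption, SHA1 integrity" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. A rule ties filter list, filter action and authentication method together (cf. Activity 10-7).
rem    kerberos=yes suits domain members only; psk= or rootca= would be used for other peers.
netsh ipsec static add rule name="Secure FTP" policy="FTP Policy" filterlist="FTP Traffic" filteraction="Require ESP 3DES" kerberos=yes conntype=all

rem 5. Only one policy can be assigned per computer; assigning this one unassigns any other local policy.
netsh ipsec static set policy name="FTP Policy" assign=y

rem 6. Review the result before relying on it.
netsh ipsec static show policy name="FTP Policy" level=verbose
```

With soft=no, a peer that cannot negotiate ESP gets no FTP connection at all, which is the intended behaviour of a Require Security action but should be verified on a test host first.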
Troubleshooting IPSec
• IPSec troubleshooting deals with
  • General network issues
  • IPSec-specific configuration settings
  • Group Policy settings

Troubleshooting IPSec (continued)
• Most common IPSec troubleshooting tools/utilities
  • Ping
  • IPSec Security Monitor
  • Event Viewer
  • Resultant Set of Policy
  • Netsh
  • Oakley logs
  • Network Monitor

Ping
• Tests network connectivity between two hosts
• The default IPSec policies permit ICMP packets and do not interfere with ping
• Does not test IPSec specifically, but can confirm that two hosts can communicate
• If they cannot communicate, they are not able to create an IPSec SA

IPSec Security Monitor
• MMC snap-in that allows you to view the status of IPSec SAs
• Can confirm that an SA was negotiated between two hosts
• Can be used to view the configuration of the IPSec policy that is applied

Event Viewer
• Event Viewer can be used to view the events that the IPSec Policy Agent writes to the event log
• Events show the configuration settings that IPSec is using and events generated during the creation of SAs
• Events are only written to the log if the Audit logon events option is enabled in the local security policy or Group Policy

Resultant Set of Policy Snap-in
• If you try to distribute and apply IPSec policies through Group Policy and they are not functioning as you expect, you can use the Resultant Set of Policy (RSoP) snap-in
• Allows you to
  • View which policies apply
  • Simulate the application of new policies to test their results

Netsh
• The Netsh utility allows you to configure network-related settings:
  • Bridging
  • DHCP
  • Diagnostics
  • IP configuration
  • Remote access
  • Routing
  • WINS
  • Remote procedure calls

Netsh (continued)
• IPSec configuration can also be modified using Netsh
• Some IPSec management tasks that can be performed with Netsh:
  • Viewing policies
  • Adding policies
  • Deleting policies

Oakley Logs
• Oakley logs track the establishment of SAs
• This logging is not enabled by default

Network Monitor
• Network Monitor can be used to view packets that are traveling on the network and to identify IPSec traffic
• Cannot view encrypted information inside an IPSec packet
• Useful for determining whether packets are being properly transmitted between computers
• Not useful for troubleshooting application-level problems if the traffic is encrypted

Activity 10-8: Disabling IPSec
• The purpose of this activity is to disable IPSec policies that have been applied
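An added example, not from the chapter, of using Netsh for the troubleshooting tasks in the Netsh and Oakley Logs slides: checking which policy is assigned, confirming that SAs were actually negotiated, and turning Oakley logging on. The policy name "FTP Policy" is constructed for illustration.

```batch
rem Added example (not from the chapter): IPSec troubleshooting with netsh on Windows Server 2003.
rem "FTP Policy" is a constructed name.

rem Which static policies exist on this computer, and which one is assigned?
netsh ipsec static show all

rem A domain computer may instead be running a policy assigned through Group Policy;
rem this shows that policy (RSoP gives the same answer with more context).
netsh ipsec static show gpoassignedpolicy

rem Main-mode SAs are the IKE negotiations; quick-mode SAs are the AH/ESP SAs that carry data.
rem A peer that appears under mmsas but never under qmsas authenticated successfully
rem but did not agree on AH/ESP parameters, so compare the filter actions on both hosts.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas

rem Oakley (IKE) logging is off by default; 1 turns it on, 0 turns it off.
rem The log is written to %SystemRoot%\Debug\Oakley.log.
netsh ipsec dynamic set config ikelogging 1

rem Unassign the policy when troubleshooting is finished (cf. Activity 10-8).
netsh ipsec static set policy name="FTP Policy" assign=n
```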
Summary
• IPv4 has no built-in security mechanisms and relies on IPSec to make communication secure
• IPSec AH mode does not perform data encryption, but can authenticate and guarantee data integrity
• IPSec ESP mode can perform data encryption and authentication, and guarantees data integrity for the data portion of the packet, but not the IP headers

Summary (continued)
• Transport mode is used between two hosts
• Tunnel mode is used between two routers
• The Windows Server 2003 implementation can perform authentication using a preshared key, certificates, or Kerberos
• IPSec policies contain rules that control
  • Authentication
  • Which traffic is affected and what is done to the affected traffic
  • The type of connections affected
  • Whether this computer is a tunnel endpoint