IPSec: Internet Protocol Security in Windows 2000 - PowerPoint PPT Presentation

1 / 33
About This Presentation
Title:

IPSec: Internet Protocol Security in Windows 2000

Description:

TTL, TOS and other 'mutable' fields excluded. Diagram of AH Packet (Tunnel Mode) ... TTL, TOS and other 'mutable' fields excluded. Encapsulation Security Payload (ESP) ... – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 34
Provided by: seankru
Category:

less

Transcript and Presenter's Notes

Title: IPSec: Internet Protocol Security in Windows 2000


1
IPSec Internet Protocol Security in Windows 2000
  • Sean Krulewitch
  • University Information Technology Security Office
  • Office of the Vice President for Information
    Technology

2
Agenda
  • IPSec Overview
  • Using IPSec to encrypt/authenticate network
    packets
  • Using IPSec as a basic packet filtering firewall
  • Windows 2000 IPSec components
  • Configuration of IPSec
  • IPSec Tools
  • Demo IPSec Offload
  • QA

3
IPSec Overview
  • What is IPSec
  • Why is IPSec necessary
  • How is IPSec Implemented
  • Packet filtering with IPSec

4
What is IPSec?
  • The purpose of IPSec is to protect data as it is
    traveling between two nodes (i.e., computers) on
    the network. It protects the data through
    encryption, and digital signatures, thereby
    preventing the data from being modified and/or
    interpreted by anyone who might happen to
    intercept it on the network.

5
Key concepts of IPSec
  • IETF set of standards for securing Internet
    traffic (RFC 2401, RFC 2402, RFC 2406, RFC 2409,
    and more!)
  • Suite of protocols for authentication (of data
    origin), integrity, encryption and encapsulation
    of TCP/IP packets.
  • IPSec lives at the Network layer and can protect
    both the payload as well as the header of the
    packet. Provides encryption on a per packet
    basis.
  • Provides true end-to-end security between hosts.
  • Services and applications do not need to be IPSec
    aware. i.e., no code changes are necessary.
    IPSec is transparent to applications and users.

6
Why is IPSec necessary?
  • IP Protocols are not secure!
  • Original protocols were never designed with
    strong security, rather they were designed to
    withstand network interruptions.
  • Prevent snooping or sniffing of data on the wire.
  • Prevent replay of packets.
  • Prevent data from being modified or changed in
    transit.
  • Ensure that the origin and nature of traffic is
    trusted and within security policy (i.e.,
    anti-spoofing)
  • Thwart denial of service (DoS) and
    Man-in-the-middle attacks.

7
How is IPSec Implemented?
  • IPSec is a collection of protocols.
  • Internet Key Exchange (IKE) RFC 2409
  • Internet Security Association Key Management
    Protocol (ISAKMP) RFC 2408
  • Oakley Key determination protocol RFC 2412
  • Authentication Header (AH) RFC 2402
  • Encapsulation Security Payload (ESP) RFC 2406

8
Internet Key Exchange (IKE)
  • A hybrid protocol that is used to negotiate
    Security Associations and provide the necessary
    key material in a protected manner.
  • Security Association A set of keys and policies
    used to manage an instance of protected
    communication.
  • Negotiations occur in two phases and each phase
    produces a different SA. For now remember that a
    Phase I negotiation will occur as the initial
    negotiation between two peers and Phase II
    negotiations will follow as needed from the
    initial Phase I negotiation.
  • UDP port 500

9
Authentication Header (AH)
  • Used when the packet needs to be authenticated
    and signed, but the data itself is not sensitive.
  • Low overhead about 24 bytes added to the
    packet.
  • IP Protocol 51

10
Diagram of AH Packet(Transport Mode)
TTL, TOS and other mutable fields excluded.
11
Diagram of AH Packet(Tunnel Mode)
Original IP Header
TCP Header
Data
Hash protects entire packet

Original IP Header
TCP Header
AH IPSec Header
Data
New IP Header
TTL, TOS and other mutable fields excluded.
12
Encapsulation Security Payload (ESP)
  • Used when the packet must be authenticated,
    signed AND encrypted.
  • Higher overhead about 32-36 bytes added to the
    packet.
  • Processor intensive. Consider IPSec offload
    cards for high bandwidth systems that require
    IPSec.
  • IP Protocol 50

13
Diagram of ESP Packet(Transport Mode)
Original IP Header
TCP Header
Data
14
Diagram of ESP Packet(Tunnel Mode)
Original IP Header
TCP Header
Data
Original IP Header
TCP Header
ESP Header
Data
ESP Trailer
ESP Auth
New IP Header
Encrypted
Integrity Hash
15
Packet Filtering with IPSec
  • Although mainly designed for encryption and
    authentication, the IPSec standard provides for a
    very capable static packet filtering mechanism.
  • Hosts on the internal network with live IP
    addresses can be protected from outside attacks.
  • Key ports to block TCP/UDP 137 UDP 138 TCP
    139 TCP/UDP 445, etc.

16
Windows 2000 IPSec components
  • IPSec Policy Agent polls policies from the
    directory service for use with the IPSec driver
    and negotiations of security associations (SA)
  • IPSec Driver responsible for monitoring,
    filtering and securing packets
  • ISAKMP/Oakley Security Association negotiator
    Manages security negotiations between nodes and
    exchanges keys for use with crypto/hashing
    functions
  • IPSec Policy Objects and SA database
  • Security Association API provides a programming
    interface between above components
  • Management tools for logging, troubleshooting and
    creating IPSec policies, events and metrics

17
Enabling IPSec
18
IP Security Policy Management
19
Creating IPSec Policy Objects
20
IPSec Negotiations
Rules Tab Phase II
General Tab Phase I
Main or Aggressive Mode
Quick Mode
21
Main Mode Phase I
Note PFS offers better security but results in
a slower key refresh.
Use minutes rather than sessions and tune to
100MB per key.
Mutual authentication of peers and initial key
exchange occur in Phase I
22
Key Exchange Security Methods
  • For high security always use
  • PFS
  • 3DES
  • SHA1
  • DH Medium(2)

23
IP Security Rules
A single IPSec policy can have many rules.
A rule can have a single active IP Filter list
24
Filter Lists
A filter list can be made up of many individual
filters or selectors.
25
Filter Actions
When a selector is triggered, the packet can be
passed, blocked, or secured.
26
Quick Mode Phase II
If the packet is being secured, then a Phase II
SA is negotiated. In Phase II, the peers
negotiate the type of encryption/signing theyll
support as well as a session key to protect
future communications.
27
Windows 2000 IPSec Tools
  • IP Security Management MMC Snap-in
  • Network Monitor Window 2000 version updated to
    parse IPSec packets
  • netdiag.exe Network Connectivity Tester
  • ipsecpol.exe IPSEC Policy Configuration Tool
  • ipsecmon.exe
  • netsh.exe

28
Netdiag.exe Network Connectivity Tester
Output of netdiag /testipsec /v Netdiag
/testipsec /debug gives reports more detail.
29
ipsecpol.exe IPSEC Policy Configuration Tool
30
IPSECMON.EXE
31
NETSH.EXE
32
Demo
33
Q A
Write a Comment
User Comments (0)
About PowerShow.com