Securing

1
Chapter 10

• Securing
• Network Protocols

2
Learning Objectives

• Describe the features and benefits of the IP
  Security protocol
• Describe the two modes of operation for IP
  Security
• Transport
• Tunnel
• Describe the IP Security authentication and
  architecture

continued
3
Learning Objectives

• Configure IP Security for transport mode on a
  Windows 2000 server
• Configure IP Security for tunnel mode on a
  Windows 2000 server
• Customize IP Security policies and rules
• Manage and monitor IP Security

4
IPSec Overview

• An extension of the IP protocol that provides
  point-to-point encryption of data begin sent
  between two computers on an IP-based network
• Works at the Network layer
• A framework of open standards developed by the
  IPSec working group of the Internet Engineering
  Task Force (IETF)
• Any Windows 2000 computer may act as an IPSec
  client (initiates the IPSec connection) or an
  IPSec server (receives it)

5
What IPSec Does

• Two basic services
• Authentication
• Encryption and decryption
• Often called an end-to-end security measure

6
Greatest Benefit of IPSec

• Completely transparent to users, applications,
  and protocols above and below the Networking layer

7
Additional Features of IPSec

• Uses the Windows 2000 domain as a trust model
• IPSec policies are assigned centrally through the
  Active Directory Group Policy feature
• All packets are encrypted using time-specific
  information
• Long key lengths and dynamic changes of keying
  are used during ongoing communications

continued
8
Additional Features of IPSec

• Private network users can connect using secure
  end-to-end links with any trusted domain in the
  enterprise
• Remote users and private network users can
  connect using secure end-to-end links based on IP
  addresses

9
Modes of Operation

• Transport mode
• Tunnel mode

10
Transport Mode

• Two computers configured to use IPSec create a
  security association between themselves and carry
  out secure communication

11
Tunnel Mode

• Two communicating computers do not use IPSec
  themselves
• An IPSec connection is created between two
  routers that connect two networks over a transit
  internetwork
• The gateways connecting each clients LAN to the
  transit network create a virtual tunnel that uses
  the IPSec protocol to secure all communication
  that passes through it

12
IPSec Authentication

• Kerberos
• Default authentication system used by Windows
  2000
• An open standard, widely supported by other OSs
• Certificates
• Provided by a certificate authority
• Pre-shared keys
• Passwords entered into each computer
• As long as both computers are configured with the
  same pre-shared key, they trust one another

13
IPSec Architecture

• IPSec components
• IPSec policy agent service
• ISAKMP/Oakley Service
• IPSec driver
• IPSec process

14
IPSec Components

• IPSec policy agent service
• Retrieves computers assigned IPSec policy from
  the Active Directory
• ISAKMP/Oakley Service
• Creates security association between
  communicating computers
• Generates keys used to encrypt/decrypt data sent
  over the IPSec connection

continued
15
IPSec Components

• IPSec driver
• Encrypts and decrypts data using keys prepared by
  the ISAKMP/Oakley Service
• Sends data between computers

16
IPSec Process

• An application on one computer (Host 1) sends
  data to another computer (Host 2)
• Data passes down through networking layers of
  Host 1, where it is fragmented and shaped into
  packets to send over the network
• When the data reaches the networking level and is
  ready for routing by the Internet Protocol, the
  IPSec driver for Host 1 notifies the ISAKMP/
  Oakley Service that an IPSec connection is needed

continued
17
IPSec Process

• ISAKMP/Oakley Services on both computers
  establish a security association and generate a
  shared key
• ISAKMP/Oakley Services on both computers transfer
  the shared key to the IPSec drivers on those
  hosts
• The IPSec driver on Host 1 uses the key to
  encrypt the data and then sends the data to Host 2

continued
18
IPSec Process

• The IPSec driver on Host 2 receives the data and
  uses the shared key to decrypt it
• The IPSec driver passes the data up to the next
  networking layer
• When the data works its way up to the top layer,
  the application on Host 2 receives the data and
  never knows it was encrypted

19
Installing IPSec

• Installed by default on any Windows 2000 computer
• To enable it
• Create an MMC console using the IP Security
  Management snap-in
• Assign policies to be used

20
Configuring IPSec

• Main tasks
• Create a new policy (a set of rules that governs
  a connection)
• Manage the list of filters and filter actions
  available for use in the rules you create for
  policies
• Other tasks
• Check policy integrity
• Restore default policies
• Import/export policies for use in other IPSec
  snap-ins

21
Configuring IPSec
22
Configuring IPSec
23
Creating a New Policy

• A wizard-based process
• Right-click IP Security Policies on Local Machine
  object
• Choose New IP Security Policy from the shortcut
  menu
• Decide whether to enable the default response
  rule for the policy
• Unless you customize the default rule, it is
  probably best not to enable it

24
Creating a New Policy
25
Creating a New Policy

• If you do enable the default rule, the wizard
  asks you to configure an authentication method
  for the rule

26
Creating a New Policy
27
Configuring a Policy

• A policy holds two property pages
• General
• Rules

28
General Properties

• Change name of the policy and the description

29
General Properties

• Advanced button opens Key Exchange Settings
  dialog box
• Control how often the policy requires
  communicating computers to regenerate new keys
• Methods button displays a list of security
  methods used to exchange keys
• Master key Perfect Forward Secrecy option
• Prohibit reuse of keying material or keys

30
General Properties
31
Rules Properties
32
Rules Page Entries

• Check box to left of the rule
• Specifies whether the rule is turned on or off
• Filter List
• Defines connections to which a particular rule
  applies
• Filter Action
• Action taken for any connection that makes the
  match
• Authentication Method
• Tunnel Setting
• Connection Type

33
IP Filter List Properties
34
Filter Action Properties
35
Authentication Methods
36
Tunnel Setting Properties

• Specify whether or not a connection is tunneled
  on a per-rule basis

37
Tunnel Setting Properties

• To construct a tunnel, you need two tunnel rules
  on both ends of the tunnel with appropriate
  filter lists and filter actions
• Configure an outgoing rule with a filter list
  that specifies the other end of the tunnel as the
  tunnel endpoint
• Configure the incoming rule with a filter for
  incoming traffic from any subnet from the remote
  end of the tunnel

38
Connection Type Properties

• Specify the kind of connection to which the rule
  applies
• LANs only
• Remote access connections only
• All network connections (both LAN and remote
  access)

39
Managing Filter Lists and Actions

• Right-click the IP Security Policies on Local
  Machine object
• Choose the Manage IP Filter Lists and Filters
  Actions command from the shortcut menu to open a
  dialog box with two pages
• Manage IP Filter Lists
• To match a connection
• Mange Filter Actions
• To define what happens when a match is made

40
Managing IP Filter Lists

• Used to manage filter lists available to all
  policies
• Filter Properties
• Description page
• Addressing page
• Protocol page

41
Managing IP Filter Lists
42
Addressing Properties

• Specify source and destination addresses you want
  the filter to match
• Mirrored option makes a filter reciprocal

43
Protocol Properties

• Match traffic being sent or received on a
  particular port or protocol

44
Managing Filter Actions

• Defines actions available to policies
• Three actions by default
• Permit the connection
• Request security before allowing the connection
• Require security before allowing the connection

45
Managing Filter Actions

• General page
• Name the action
• Describe the action
• Security Methods page
• Options the action can perform when a connection
  matches a filter list
• Permit the connection with no further
  intervention
• Block the connection altogether
• Negotiate security for the connection

46
Managing Filter Actions

• Negotiate Security controls
• Security Method preference order list
• Accept unsecured communication, but always
  respond using IPSec
• Allow unsecured communication with non
  IPSec-aware computer
• Session key Perfect Forward Secrecy

47
Applying Policies to the Active Directory

• Mostly the same process as applying policies to a
  local computer
• Configure the IPSec snap-in to configure default
  policies for a domain (local or remote trusted)
• Define policies, rules, authentications, filter
  lists, and filter actions
• The difference
• Use the Group Policies snap-in to attach the
  policy to a domain or organizational unit within
  Active Directory

48
Basic Rules of Group Policy Management

• A policy applied at the domain level always
  overrides a policy applied at local computer
  level
• A policy applied to an organizational unit
  overrides policies applied at the domain level
• If hierarchy or organizational units are
  configured, policies applied at lower levels in
  the hierarchy override policies applied at higher
  levels
• If you assign an IPSec policy and then delete the
  Group Policy object that created the policy, the
  policy remains in effect

49
Managing andMonitoring IPSec

• Use the shortcut menu to
• Assign and unassign a policy
• Check Policy Integrity command
• Restore Default Policies command
• Import and Export Policies commands
• Use the IPSec Monitor to
• View the active security associations on local
  and remote computers
• Display configured and active connections and a
  number of IPSec statistics

50
Managing and Monitoring IPSec
51
Chapter Summary

• Overview of benefits, features, and operations of
  IPSec
• Installing IPSec
• Configuring IPSec
• Managing and monitoring IPSec