
Implementing IPSec in a Windows 2003 Network

ADVANTAGE PRO Chennais Premier Networking Training Center

     

Agenda
- Introduction to IPSec
- Uses and planning
- Windows 2003 IPSec components
- Implementation and best practices of IPSec
- Troubleshooting and references
- What will not be covered in this discussion

Introduction to IPSec
- The history of IPSec
- Security properties of communications
- The need for IPSec
- Benefits of IPSec
- Windows 2003 IPSec design goals

Introduction to IPSec
History
- IPSec original work in 1992 by IEEE
- Originally a new feature for IP version 6
- Adapted for IP version 4
- RFC-based; currently in draft form
- Windows 2003 IPSec jointly developed with Cisco Systems, Inc. and Microsoft

Introduction to IPSec
Security Properties
- Non-repudiation
- Anti-replay
- Integrity
- Confidentiality

Introduction to IPSec
The Need for IPSec (part 1)
- Eavesdropping
- Data modification
- Identity spoofing (IP address spoofing)
- Password-based attacks

Introduction to IPSec
The Need for IPSec (part 2)
- Compromised key attack
- Sniffer attack
- Application layer attack
- Denial of service attacks
- Man-in-the-middle attacks

Introduction to IPSec
Benefits of IPSec
- Provides end-to-end protection
- Provides defense against attacks internal to the network
- Transparent to applications
- Transparent to users
- Can be configured for specific users and groups
- Protects against the attacks previously mentioned

Introduction to IPSec
Windows 2003 Design Goals
- To protect IP packets
- To provide a defense against network attacks

Uses of IPSec
- IPSec as a protocol
- Authentication Headers (AH)
- Encapsulated Security Payload (ESP)
- Internet Key Exchange (IKE)
  1. ISAKMP
  2. Oakley
- Cryptographic algorithms

Uses of IPSec
IPSec as a Protocol
- IPSec is a protocol, not a service
- Two protocols, each adding its own header to the IP packet:
  1. Authentication Headers (AH)
  2. Encapsulated Security Payload (ESP)
- RFC 2401

Uses of IPSec
Authentication Headers
- Provides the following security properties:
  1. Authentication
  2. Integrity
  3. Anti-replay
- Does not encrypt the data
- Data is readable but cannot be altered
- Both the IP header and data are signed
- Uses the HMAC algorithms
- RFC 2402
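To make "both the IP header and data are signed" and "anti-replay" concrete, here is an added example in Python; it is not from the slides and is not Windows' IPSec driver, but a small model of an AH receiver. It computes an HMAC-SHA1 integrity check value over constructed header fields, the AH sequence number and the payload (truncated to 96 bits as RFC 2404 specifies) and keeps the sliding replay window of RFC 2402. The key, addresses and packet layout are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real AH key comes from the IKE negotiation.
KEY = b"constructed-demo-key-not-for-real-use"
REPLAY_WINDOW = 32   # RFC 2402 requires a receiver window of at least 32 packets


def ah_icv(src, dst, seq, payload, key=KEY):
    """Integrity Check Value: HMAC-SHA1 over the (immutable) header fields,
    the AH sequence number and the payload, truncated to 96 bits (RFC 2404).
    Because the header is covered, a spoofed source address is detected."""
    covered = (src.encode() + b"|" + dst.encode() + b"|"
               + struct.pack("!I", seq) + b"|" + payload)
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def build_packet(src, dst, seq, payload):
    """Sender side: the packet carries the ICV; the payload stays readable."""
    return {"src": src, "dst": dst, "seq": seq,
            "icv": ah_icv(src, dst, seq, payload), "payload": payload}


class AhReceiver:
    """Receiver side of one inbound AH security association."""

    def __init__(self, key=KEY):
        self.key = key
        self.highest = 0     # highest sequence number accepted so far
        self.window = 0      # bit k set = packet (highest - k) already seen

    def accept(self, pkt):
        # 1. Integrity and authentication: recompute the ICV, compare in constant time.
        expected = ah_icv(pkt["src"], pkt["dst"], pkt["seq"], pkt["payload"], self.key)
        if not hmac.compare_digest(expected, pkt["icv"]):
            return "rejected: integrity check failed"
        # 2. Anti-replay: sliding window over sequence numbers.
        seq = pkt["seq"]
        if seq > self.highest:
            shift = seq - self.highest
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest = seq
            return "accepted"
        offset = self.highest - seq
        if offset >= REPLAY_WINDOW:
            return "rejected: too old"
        if self.window & (1 << offset):
            return "rejected: replay"
        self.window |= 1 << offset
        return "accepted"


def demo():
    rx = AhReceiver()
    p1 = build_packet("10.0.0.4", "10.0.0.1", 1, b"GET /payroll HTTP/1.0")
    return [
        rx.accept(p1),                                          # accepted
        rx.accept(dict(p1, payload=b"GET /public HTTP/1.0")),  # data modified in transit
        rx.accept(dict(p1, src="10.0.0.9")),                    # source address spoofed
        rx.accept(p1),                                          # exact replay
        rx.accept(build_packet("10.0.0.4", "10.0.0.1", 5, b"next")),  # accepted
        rx.accept(build_packet("10.0.0.4", "10.0.0.1", 3, b"late")),  # reordered, inside window
        rx.accept(p1),                                          # replay of seq 1 inside window
        rx.accept(build_packet("10.0.0.4", "10.0.0.1", 40, b"far")),  # accepted, window slides
        rx.accept(build_packet("10.0.0.4", "10.0.0.1", 5, b"next")),  # now behind the window
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two rejection paths illustrate the slide's properties separately: the tampered and spoofed copies fail the HMAC (integrity and authentication), while the byte-identical replays fail the window check even though their ICV is valid.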

Uses of IPSec
Encapsulated Security Payload
- Provides the following security properties:
  1. Authentication
  2. Integrity
  3. Anti-replay
  4. Confidentiality
- Can be used with Authentication Headers
- IP header is not signed unless it is tunneled
- Data is signed
- Uses DES and 3DES algorithms
- RFC 2406

Uses of IPSec
IKE
- Internet Key Exchange
- Made up of ISAKMP and Oakley
- Standard method for building Security Associations and key exchange resolution

Uses of IPSec
ISAKMP
- Internet Security Association and Key Management Protocol
- Used to build a Security Association (SA)
- ISAKMP provides SA negotiation
- RFC 2408

Uses of IPSec
Oakley
- Oakley Key Determination Protocol
- Oakley is the second part of building the SA
- Provides the key exchange service
- RFC 2412
- Two modes:
  1. Main mode: new key generation material and a new encryption key
  2. Quick mode: key generation material already exists; only a new encryption key is needed

Uses of IPSec
Cryptographic Algorithms
- IPSec as a protocol
- AH: HMAC-MD5 or HMAC-SHA
- ESP: DES (40 bit), DES-CBC, 3DES
- DH: Diffie-Hellman group for key material
- IPSec cryptography-related RFCs: 2085, 2104, 2403, 2404, 2405, 2407, 2410, 2451

Planning for IPSec
In This Section We Will Cover
- When to use IPSec
- When to use AH
- When to use ESP
- When to use AH and ESP
- When not to use IPSec
- Authentication methods

Planning for IPSec
When to Use AH
- When a secure connection is needed
- Must establish authentication of the source
- Data itself is not sensitive
- Risk of packet capture compromising data is low

Planning for IPSec
When to Use ESP
- When the data itself must be protected:
  1. Financial information
  2. Proprietary information
  3. Sensitive information
- Use only when data protection is justified

Planning for IPSec
When to Use AH and ESP
- When a secure connection is needed
- Must establish authentication of the source
- When the data itself must be protected
- When the security of the network offsets the performance cost of the additional processing
- Limit implementation to select hosts

Planning for IPSec
When Not to Use IPSec
- Only use if there is a security need
- SNMP
- Security gateways
  - Input filters
  - Output filters
- DHCP, WINS, and DNS servers
- Domain controllers
- Down-level clients

Planning for IPSec
Authentication Methods
- Supported IPSec authentication methods:
  1. Kerberos version 5.0
  2. Public key certificate authorities
  3. Microsoft Certificate Server
  4. Pre-shared key

Windows 2003 IPSec Components
In This Section We Will Cover
- IPSec Policy Agent service
- Security Associations
- Key protection
- IPSec driver

Windows 2003 IPSec Components
IPSec Policy Agent Service (part 1)
- Main tasks:
  - Retrieve the IP Security policy
  - Deliver policy to the IPSec driver and ISAKMP
  - Periodically poll for new policies
  - Update or replace IPSec/ISAKMP policies
  - Check for local IP address changes and update the IP filters

Windows 2003 IPSec Components
IPSec Policy Agent Service (part 2)
- Policy storage:
  1. With AD: stored in Active Directory
  2. Without AD
  3. Group Policy: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Cache
- Local policy: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Local
- Polling

Windows 2003 IPSec Components
Security Associations (part 1)
- Mutually agreed upon key, protocol, and security parameter interface that define the security level between sender and receiver
- Phase I SA (ISAKMP SA):
  1. Policy negotiation
  2. DH exchange
  3. Authentication

Windows 2003 IPSec Components
Security Associations (part 2)
- Phase II SA (IPSec driver SA):
  1. Policy negotiation
  2. Session key material refresh or exchange
  3. SAs and keys passed to the IPSec driver
- SA lifetimes

Windows 2003 IPSec Components
Key Protection
- Key lifetimes
- Perfect Forward Secrecy (PFS):
  1. Phase I: master key PFS
  2. Phase II: session key PFS
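The Oakley main mode / quick mode split above and the two PFS options on this slide are easiest to see in code. The following Python example is added here; it is not from the slides and not the Windows IKE implementation. It models Phase I as a Diffie-Hellman exchange that yields a master key, Phase II as a session-key derivation from that master key plus nonces, and shows what session-key PFS buys: the toy 64-bit MODP group, the HMAC-SHA256 PRF and the derivation labels are all constructed assumptions of this example, not the Oakley groups or the ISAKMP PRF.

```python
import hashlib
import hmac
import secrets

# Toy MODP group, constructed for this example only. The Oakley groups
# (RFC 2412) are 768- and 1024-bit primes; a 64-bit prime is far too small
# for real use but keeps the arithmetic visible.
P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, a prime
G = 5


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(private, peer_public):
    """Shared secret g^(xy) mod p, as bytes."""
    return pow(peer_public, private, P).to_bytes(8, "big")


def prf(key, data):
    """Keyed pseudo-random function for key derivation (HMAC-SHA256 here;
    ISAKMP negotiates the actual PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def main_mode():
    """Phase I: both peers perform a DH exchange and derive the same master
    key for the ISAKMP SA. Running it again for each new SA is master-key PFS."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_master = prf(dh_shared(a_priv, b_pub), b"ISAKMP SA")
    b_master = prf(dh_shared(b_priv, a_pub), b"ISAKMP SA")
    assert a_master == b_master          # both sides hold the same key
    return a_master


def quick_mode(master_key, nonce_i, nonce_r, pfs=False):
    """Phase II: derive a session key for an IPSec SA from the existing
    master key plus nonces that travel on the wire. With session-key PFS a
    fresh DH exchange adds secret material that never leaves the peers."""
    material = nonce_i + nonce_r
    if pfs:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        material = dh_shared(a_priv, b_pub) + material
    return prf(master_key, b"IPSec SA" + material)


def attacker_recovers_session_key(master_key, nonce_i, nonce_r, session_key):
    """Threat model: the master key has leaked (for example from a compromised
    host) and the nonces were captured. Can the session key be rebuilt?"""
    guess = prf(master_key, b"IPSec SA" + nonce_i + nonce_r)
    return hmac.compare_digest(guess, session_key)


def demo():
    master = main_mode()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    without_pfs = quick_mode(master, nonce_i, nonce_r)
    with_pfs = quick_mode(master, nonce_i, nonce_r, pfs=True)
    return {
        "no_pfs_session_key_recovered": attacker_recovers_session_key(master, nonce_i, nonce_r, without_pfs),
        "pfs_session_key_recovered": attacker_recovers_session_key(master, nonce_i, nonce_r, with_pfs),
        "master_key_pfs_gives_new_master": main_mode() != master,
    }


if __name__ == "__main__":
    print(demo())
```

Without PFS every Phase II key is a deterministic function of the master key and public nonces, so one leaked master key exposes every session key derived from it; with session-key PFS each quick mode adds a DH secret, so the leaked master key alone is not enough. Master-key PFS is the same idea one level up: a new main mode before each quick mode.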

Windows 2003 IPSec Components
IPSec Driver
- Responsible for:
  1. Storing existing filters and policy IDs
  2. Checking each IP packet for a match to a policy filter
  3. Requesting SA negotiations from ISAKMP for new connections
  4. Storing existing SAs
  5. Implementing IPSec policy as defined in the SAs
  6. Tracking key lifetime and the number of bytes transformed, to request new keys
  7. Updating SA changes and deleting expired SAs
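Tasks 4 to 7 describe a small piece of bookkeeping per SA: count bytes and time, ask ISAKMP for a new key before a limit is reached, and drop SAs that have passed their hard lifetime. The Python example below is added to show that bookkeeping; it is not from the slides and not the Windows driver. The SPIs, peers, lifetimes and the 90 % soft threshold at which a rekey is requested are constructed assumptions of the model.

```python
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    spi: int                 # Security Parameter Index identifying the SA
    peer: str
    created_at: float        # simulated clock, seconds
    lifetime_seconds: int    # hard limit negotiated in Phase II
    lifetime_bytes: int      # hard limit on bytes transformed under this key
    bytes_transformed: int = 0
    rekey_requested: bool = False

    def expired(self, now):
        return (now - self.created_at >= self.lifetime_seconds
                or self.bytes_transformed >= self.lifetime_bytes)


class DriverSaTable:
    """Model of the driver's SA store: keep SAs, count bytes and time, ask
    ISAKMP for a new key before a limit is reached, delete expired SAs.
    The 90 % soft threshold is an assumption of this model."""
    SOFT = 0.9

    def __init__(self):
        self.sas = {}
        self.rekey_requests = []   # SPIs handed to ISAKMP for renegotiation

    def add_sa(self, sa):
        self.sas[sa.spi] = sa

    def transform(self, spi, nbytes, now):
        """Account for one packet protected under SPI; returns False when the
        SA is unknown or can no longer be used."""
        sa = self.sas.get(spi)
        if sa is None or sa.expired(now):
            return False
        sa.bytes_transformed += nbytes
        self._check_soft_limit(sa, now)
        return True

    def tick(self, now):
        """Periodic timer: the time limit is reached even on an idle SA."""
        for sa in self.sas.values():
            self._check_soft_limit(sa, now)

    def _check_soft_limit(self, sa, now):
        if sa.rekey_requested:
            return
        if (sa.bytes_transformed >= self.SOFT * sa.lifetime_bytes
                or now - sa.created_at >= self.SOFT * sa.lifetime_seconds):
            sa.rekey_requested = True
            self.rekey_requests.append(sa.spi)

    def expire(self, now):
        """Delete expired SAs; returns the SPIs removed."""
        dead = [spi for spi, sa in self.sas.items() if sa.expired(now)]
        for spi in dead:
            del self.sas[spi]
        return dead


def demo():
    table = DriverSaTable()
    table.add_sa(SecurityAssociation(0x1001, "10.0.0.10", 0, lifetime_seconds=3600, lifetime_bytes=100_000))
    table.add_sa(SecurityAssociation(0x1002, "10.0.0.11", 0, lifetime_seconds=3600, lifetime_bytes=100_000))
    table.transform(0x1001, 50_000, now=10)     # busy SA: half of the byte budget used
    table.transform(0x1001, 45_000, now=20)     # crosses 90 % of bytes -> rekey request
    table.tick(now=3300)                        # idle SA crosses 90 % of its time budget
    still_usable = table.transform(0x1002, 100, now=3500)
    removed = table.expire(now=3700)            # both are past the hard time limit
    return {"rekey_requests": list(table.rekey_requests),
            "usable_before_expiry": still_usable,
            "removed": removed,
            "remaining": list(table.sas)}


if __name__ == "__main__":
    print(demo())
```

The point of the soft threshold is that the replacement SA is negotiated while the old one is still valid, so traffic is not interrupted when the hard limit (time or bytes, whichever comes first) finally deletes it.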

Implementation of IPSec
In This Section We Will Cover
- Policies and policy inheritance
- Rules
- IP packet filtering
- Filter actions
- Connection types
- Authentication

Implementation of IPSec
Policies
- IP Security Management snap-in
- Predefined policies:
  - Client (respond only)
  - Server (request security)
  - Server (require security)
- Policy inheritance

Implementation of IPSec
Rules
- Determine how and when a policy is used
- Provide customization of the policy based on source, destination, and specific IP traffic
- Rules are made up of five components:
  1. Connection type
  2. Authentication methods
  3. IP filter list
  4. Filter action
  5. Tunnel settings

Implementation of IPSec
IP Packet Filtering
- Determines which packet types the security policy will apply to
- Set for both incoming and outgoing traffic
- Contains the following parameters:
  1. The source and destination address of the IP packet
  2. The protocol being used to transport the packet
  3. Source and destination port of the protocol

Implementation of IPSec
Filter Actions
- Defaults:
  - Permit
  - Block
  - Negotiate security
- Custom:
  - Accept unsecured, respond with IPSec
  - Allow unsecured communication with non-IPSec-aware computers

Implementation of IPSec
Connection Types
- Rule properties, Connection Type tab:
  - All network connections
  - Local area network
  - Remote access

Implementation of IPSec
Authentication Methods
- Kerberos
- Certificates
  - Trusted certificate authority
  - Microsoft Certificate Server
- Preshared key

Best Practices for IPSec
In This Section We Will Cover
- Evaluate network data
- Determine network data flow
- Design a network security plan
- Configure and test in a lab before deploying
- IP filter lists
- Things to consider (SNMP, DNS, DHCP, WINS, DCs, and performance)

Best Practices for IPSec
Evaluating Network Data
- What types of data travel the network:
  - Financial data
  - HR data
  - Legal data
  - Proprietary
  - Classified
- Risk of this information being compromised
- Some data will require different protection

Best Practices for IPSec
Determining Network Data Flow
- Once the type of data is determined:
  - Where is the data stored
  - How does it route through the network
  - What hosts access the data
- While gathering information, also look at:
  - Network speed
  - Bandwidth
- This will assist with optimization issues later

Best Practices for IPSec
Designing a Network Security Plan
- Evaluate your risk of attacks
- Other security measures employed
- Communications scenario
- Level of security needed
- Strive for a well balanced deployment of security measures

Best Practices for IPSec
IP Filter Lists
- Filter lists:
  - Try to use general filters
  - Set up filters for logical network segments
  - Filter display order versus filter applied order
- Filter actions:
  - Rogue computers
  - ESP and custom security methods
  - Known-key attacks
  - RAS
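"Filter display order versus filter applied order" is the point most often misunderstood when building filter lists: the IPSec driver applies the most specific matching filter, not the first one listed. The Python example below, added here and not part of the slides or of Windows, models the filter parameters from the IP Packet Filtering slide (addresses, protocol, ports, mirrored for both directions) together with the default filter actions, and shows that reversing the display order does not change the outcome. The filters, host addresses and the specificity scoring are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Filter:
    name: str
    src: str                  # "any", "me" (my IP address) or a CIDR block
    dst: str
    protocol: str             # "any", "tcp", "udp", "icmp", ...
    src_port: Optional[int]   # None = any port
    dst_port: Optional[int]
    action: str               # "permit", "block" or "negotiate"


def addr_matches(spec, ip, my_ip):
    if spec == "any":
        return True
    if spec == "me":
        return ip == my_ip
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def matches(f, pkt, my_ip):
    """Filters are mirrored: an inbound packet matches with source and
    destination (and ports) swapped, so one filter covers both directions."""
    def one_way(src, dst, sport, dport):
        return (addr_matches(src, pkt["src"], my_ip)
                and addr_matches(dst, pkt["dst"], my_ip)
                and f.protocol in ("any", pkt["proto"])
                and sport in (None, pkt.get("sport"))
                and dport in (None, pkt.get("dport")))
    return (one_way(f.src, f.dst, f.src_port, f.dst_port)
            or one_way(f.dst, f.src, f.dst_port, f.src_port))


def specificity(f):
    """Higher is more specific. The most specific matching filter wins
    whatever the display order; this scoring is the example's own."""
    score = 0
    for spec in (f.src, f.dst):
        if spec == "me":
            score += 32                                      # a single host address
        elif spec != "any":
            score += ipaddress.ip_network(spec).prefixlen    # /32 host > /24 subnet > /8
    score += 4 if f.protocol != "any" else 0
    score += 2 if f.src_port is not None else 0
    score += 2 if f.dst_port is not None else 0
    return score


def lookup(filters, pkt, my_ip):
    """Return (filter name, action) for the most specific matching filter,
    or None when the policy does not cover the packet at all."""
    hits = [f for f in filters if matches(f, pkt, my_ip)]
    if not hits:
        return None
    best = max(hits, key=specificity)
    return best.name, best.action


MY_IP = "10.0.0.4"   # constructed: the host the policy is assigned to
FILTERS = [           # constructed filter list, in display order
    Filter("All IP traffic", "any", "any", "any", None, None, "negotiate"),
    Filter("Domain controller", "me", "10.0.0.10/32", "any", None, None, "permit"),
    Filter("SNMP", "me", "any", "udp", None, 161, "permit"),
    Filter("Block inbound telnet", "any", "me", "tcp", None, 23, "block"),
]
PACKETS = [           # constructed sample packets
    {"src": "10.0.0.4", "dst": "10.0.0.10", "proto": "tcp", "sport": 1030, "dport": 88},
    {"src": "10.0.0.4", "dst": "10.0.1.20", "proto": "udp", "sport": 1031, "dport": 161},
    {"src": "10.0.0.4", "dst": "10.0.1.20", "proto": "tcp", "sport": 1032, "dport": 445},
    {"src": "10.0.1.50", "dst": "10.0.0.4", "proto": "tcp", "sport": 40000, "dport": 23},
    {"src": "10.0.0.10", "dst": "10.0.0.4", "proto": "tcp", "sport": 88, "dport": 1030},
]


def demo(display_order=FILTERS):
    return [lookup(display_order, pkt, MY_IP) for pkt in PACKETS]


if __name__ == "__main__":
    for pkt, result in zip(PACKETS, demo()):
        print(pkt, "->", result)
    print("same with reversed display order:", demo(list(reversed(FILTERS))) == demo())
```

The general "All IP traffic" filter negotiates security by default, while the narrower filters carve out the exemptions the planning slides recommend (domain controller traffic, SNMP) and a block; the last packet shows the mirrored match for a reply coming back from the domain controller.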

Best Practices for IPSec
Special Services
- SNMP
- Security gateways
- DHCP, DNS, WINS
- Domain controllers
- Down-level clients

Best Practices for IPSec
- IPSec is one part of a security foundation
- Designed for the intranet, not the perimeter
- Security is a balance of:
  - Perimeter security
  - User access control
  - Physical security
- IPSec is endpoint to endpoint

Troubleshooting IPSec
- System/Security logs and routes
- Ping and IPSec Monitor
- Network Monitor
- Policy Agent
- Log files
- Knowledge Base

Troubleshooting IPSec
Event Viewer: System/Security Logs and Routes
- System event log
- Security event log
- Default routes: multiple 0.0.0.0 routes, or the one with the lowest metric

Troubleshooting IPSec
PING and IPSec Monitor Commands
- Ping
- IPSec Monitor (Ipsecmon.exe):
  - Is IPSec enabled on the host
  - Displays current SAs on the host
  - Displays whether the SAs are hard or soft

Troubleshooting IPSec
Network Monitor
- Windows 2000 Network Monitor can view AH and ESP packets:
  - AH: IP protocol 51
  - ESP: IP protocol 50
  - ESP packet data is not visible
  - ISAKMP/Oakley: UDP port 500

Troubleshooting IPSec
Policy Agent
- Services: Policy Agent service
  - Start, stop, and restart Policy Agent
  - Clears out old SAs
  - Refreshes policies from Active Directory
  - Allows the restarting of the IPSec driver
- Policy Agent log file: Ipsecpa.log
- Broken links in Policy Agent
- Policy Agent check

Troubleshooting IPSec
Oakley Log Files
- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\PolicyAgent\Oakley
- Add REG_DWORD: Debug
- Value: 1

Network Address Translation (NAT)

Introduction
- With network address translation (NAT) in Windows 2003, you can configure your network to share a single connection to the Internet.
- Fewer Internet-valid IP addresses are needed.
- Improved security, because clients are not directly on the Internet.

Introduction (2)
- Internet Connection Sharing (ICS) is included with Windows 2003 Professional and higher.
- Network address translation (NAT) is included with Windows 2000 Server and higher.
- This presentation focuses on network address translation.

Components
- NAT consists of the following three components:
  1. Translation
  2. Addressing
  3. Name resolution

Components: Translation
- NAT translates the IP addresses and TCP/UDP port numbers of packets that are forwarded between the private network and the Internet.
- The packets sent out of NAT have the source IP address of the NAT machine.
- Therefore, external machines are never aware that NAT is being used.

Components: Addressing
- The addressing component is a simplified DHCP server called the DHCP allocator.
- Either the DHCP allocator or an existing DHCP server can be used.

Components: Name Resolution
- The name resolution component of NAT is the DNS proxy.
- Either the DNS proxy or an existing DNS server can be used.

NAT Configuration
- NAT is configured in the Routing and Remote Access service snap-in
- In the snap-in:
  1. IP Routing
  2. Right-click General and click New Routing Protocol
  3. Select Network Address Translation (NAT) and then click OK

NAT Configuration (2)
- After NAT is installed, it is necessary to specify a public and a private interface:
  1. Right-click Network Address Translation (NAT)
  2. Choose New Interface
  3. Select the external interface and then click OK
  4. Specify this interface as the public interface and enable Translate TCP/UDP Headers (recommended)
  5. Repeat the process for the internal interface and specify it as the private interface

Client Configuration
- Clients behind NAT:
  - Configured as a DHCP client (discussion with the DHCP allocator)
  - Configured as a DHCP client (discussion with a DHCP server)
  - Statically configured clients

Static Mapping: Special Ports
- Special ports: allow the administrator to specify certain types of traffic to be sent to a specific internal machine
- Example: Web server behind NAT
  - Create a special port for incoming TCP port 80 traffic, destined to the internal Web server

Static Mapping: Address Pool
- Address pool: NAT also gives us the functionality to create a one-to-one mapping between an external IP address and an internal IP address
  1. Add the external IP address to the Address Pool list
  2. Click Reservations and specify the external and internal IP addresses
  3. Also enable "Allow incoming sessions to this address"

NAT Editors
- NAT performs TCP port and UDP port translation, in addition to IP address translation
- If an application stores IP address or port information within its own header (like the FTP PORT command), a NAT editor is needed
- Two editors that Windows 2000 includes are FTP and PPTP
- Any service that encrypts these headers won't work (like IPSec)
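The translation component, the special-port static mapping and the NAT-editor limitation fit in one small model. The following Python example is added here; it is not from the slides and is not the Windows NAT implementation. It keeps an outbound port-mapping table like the one the PPTP diagrams describe (10.0.0.4, port 1025 mapped to the public address, port 2000), delivers inbound port 80 to an internal Web server via a special port, refuses to translate a packet without TCP/UDP ports (such as GRE), and shows why the FTP PORT command needs an editor. The public address 203.0.113.10 and the server addresses are constructed stand-ins for the slides' 204.x.1.10 and <PPTP server>.

```python
import itertools
import re

PUBLIC_IP = "203.0.113.10"    # constructed stand-in for the slides' 204.x.1.10
PPTP_SERVER = "198.51.100.5"  # constructed
FTP_SERVER = "198.51.100.21"  # constructed


class Nat:
    """Translation component: rewrites the private source address and port
    of outbound TCP/UDP packets to the public address and a port from the
    NAT's own pool, and reverses the mapping for inbound replies."""

    def __init__(self, public_ip, first_port=2000):
        self.public_ip = public_ip
        self.ports = itertools.count(first_port)
        self.out = {}    # (proto, inside_ip, inside_port) -> public_port
        self.into = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def map_port(self, proto, inside_ip, inside_port):
        key = (proto, inside_ip, inside_port)
        if key not in self.out:
            public_port = next(self.ports)
            self.out[key] = public_port
            self.into[(proto, public_port)] = (inside_ip, inside_port)
        return self.out[key]

    def add_special_port(self, proto, public_port, inside_ip, inside_port):
        """Static mapping: deliver inbound traffic on public_port to one internal host."""
        self.into[(proto, public_port)] = (inside_ip, inside_port)

    def translate_out(self, pkt):
        if pkt["proto"] not in ("tcp", "udp"):
            return None   # no ports to translate (e.g. GRE): a NAT editor is needed
        public_port = self.map_port(pkt["proto"], pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=public_port)

    def translate_in(self, pkt):
        target = self.into.get((pkt["proto"], pkt["dport"]))
        if target is None:
            return None   # unsolicited inbound traffic: no mapping, dropped
        inside_ip, inside_port = target
        return dict(pkt, dst=inside_ip, dport=inside_port)


def ftp_port_editor(nat, pkt):
    """Model of the FTP NAT editor: the PORT command carries the client's
    private address and data port inside the payload, which plain address
    translation never touches. The editor rewrites it to the public address
    and pre-creates the inbound mapping for the data connection."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", pkt["payload"])
    if not m:
        return pkt
    inside_ip = ".".join(m.group(1, 2, 3, 4))
    inside_port = int(m.group(5)) * 256 + int(m.group(6))
    public_port = nat.map_port("tcp", inside_ip, inside_port)
    fields = nat.public_ip.split(".") + [str(public_port // 256), str(public_port % 256)]
    return dict(pkt, payload="PORT " + ",".join(fields) + "\r\n")


def demo():
    nat = Nat(PUBLIC_IP)
    nat.add_special_port("tcp", 80, "10.0.0.2", 80)   # Web server behind NAT, as on the slide
    # Client c (10.0.0.4) opens the PPTP control connection, as in the diagram.
    out = nat.translate_out({"proto": "tcp", "src": "10.0.0.4", "sport": 1025,
                             "dst": PPTP_SERVER, "dport": 1723, "payload": ""})
    reply = nat.translate_in({"proto": "tcp", "src": PPTP_SERVER, "sport": 1723,
                              "dst": PUBLIC_IP, "dport": out["sport"], "payload": ""})
    web = nat.translate_in({"proto": "tcp", "src": "192.0.2.7", "sport": 40000,
                            "dst": PUBLIC_IP, "dport": 80, "payload": ""})
    gre = nat.translate_out({"proto": "gre", "src": "10.0.0.4", "dst": PPTP_SERVER, "payload": ""})
    ftp = {"proto": "tcp", "src": "10.0.0.4", "sport": 1040, "dst": FTP_SERVER,
           "dport": 21, "payload": "PORT 10,0,0,4,4,10\r\n"}   # data port 4*256+10 = 1034
    return {
        "pptp_out": (out["src"], out["sport"]),
        "pptp_reply": (reply["dst"], reply["dport"]),
        "web_in": (web["dst"], web["dport"]),
        "gre": gre,
        "ftp_plain": nat.translate_out(ftp)["payload"],
        "ftp_edited": nat.translate_out(ftp_port_editor(nat, ftp))["payload"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Without the editor the FTP server would try to connect back to 10.0.0.4, a private address it cannot reach; with it the PORT payload names the public address and a port the NAT already knows how to deliver. The same reasoning explains the slide's IPSec caveat: ESP hides the TCP/UDP ports the translator needs, and AH signs the very header fields the translator rewrites.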

Outgoing PPTP Client Through NAT
[Figure: private hosts a (10.0.0.2), b (10.0.0.3) and c (10.0.0.4) sit behind the NAT computer (private interface 10.0.0.1, public interface 204.x.1.10), which connects across the Internet to the PPTP server.]

Outgoing PPTP Client Through NAT
[Figure: same network as before; the steps of the tunnel setup.]
1. Connection request to port 1723 from c to <PPTP server>, source 10.0.0.4, port 1025.
2. At the NAT, 10.0.0.4, port 1025 is mapped to 204.x.1.10, port 2000.
3. Connection request from c forwarded to <PPTP server>, source 204.x.1.10, port 2000.
4. Request received and accepted. During configuration, the PPTP server assigns 192.10.10.2 to c's VPN interface.
5. Tunnel established.

Outgoing PPTP Client Through NAT
[Figure: same network; data flow through the established tunnel.]
1. Original packet has app data, TCP, UDP, etc., source 192.10.10.2.
2. PPP and GRE headers added. Encapsulated packet has source 10.0.0.4, destination PPTP server.
3. At the NAT, the encapsulated packet's IP address is translated: source 204.x.1.10, destination PPTP server. Original packet not touched, source 192.10.10.2.
4. Encapsulation removed by the PPTP server. Original packet not touched, source 192.10.10.2.

ALL THE BEST
