Introduction to IPSec
Uses and Planning
Windows 2003 IPSec components
Implementation and best practices of IPSec
Troubleshooting and references
What will not be covered in this discussion
Benefits of IPSec
Introduction to IPSec
History
IPSec original work in 1992 by IEEE
Originally a new feature for IP version 6
Adapted for IP version 4
RFC-based; currently in draft form
Windows 2003 IPSec jointly developed by Cisco Systems, Inc. and Microsoft
ADVANTAGE PRO Chennais Premier Networking Training Center
Introduction to IPSec
Security Properties
Introduction to IPSec
The Need for IPSec (part 1)
Eavesdropping
Data modification
Identity spoofing (IP address spoofing)
Password-based attacks
Introduction to IPSec
The Need for IPSec (part 2)
Compromised key attack
Sniffer attack
Application layer attack
Denial of service attacks
Man-in-the-middle attacks
Introduction to IPSec
Benefits of IPSec
Provides end-to-end protection
Provides defense against attacks internal to the network
Transparent to applications
Transparent to users
Introduction to IPSec
Windows 2003 Design Goals
To protect IP packets
Uses of IPSec
IPSec as a protocol
ISAKMP
Oakley
Cryptographic algorithms
Uses of IPSec
IPSec as a Protocol
IPSec is a protocol, not a service
Two protocols with unique headers on each IP packet:
1. Authentication Headers (AH)
2. Encapsulated Security Payload (ESP)
RFC 2401
Uses of IPSec
Authentication Headers
Does not encrypt the data
Data is readable but cannot be altered
Both the IP header and data are signed
Uses the HMAC algorithms
RFC 2402
Uses of IPSec
Encapsulated Security Payload
Confidentiality
Can be used with Authentication Headers
IP header is not signed unless it is tunneled
Data is signed
Uses DES and 3DES algorithms
RFC 2406
Uses of IPSec
IKE
Internet Key Exchange
Made up of ISAKMP and Oakley
Standard method for building Security Associations and Key Exchange Resolution
Uses of IPSec
ISAKMP
Internet Security Association Key Management Protocol
Used to build a Security Association (SA)
ISAKMP provides SA negotiation
RFC 2408
Uses of IPSec
Oakley
Oakley Key Determination Protocol
Oakley is the second part to build an SA
Provides key exchange service
RFC 2412
Two modes:
1. Main mode: new key generation material and new encryption key
2. Quick mode: already has key generation material and needs a new encryption key
Uses of IPSec
Cryptographic Algorithms
IPSec as a protocol
AH - HMAC-MD5 or HMAC-SHA
ESP - DES (40 bit), DES-CBC, 3DES
DH - Diffie-Hellman group for key material
IPSec cryptographic related RFCs: 2085, 2104, 2403, 2404, 2405, 2407, 2410, 2451
When to use IPSec
When to use AH
When to use ESP
When to use AH and ESP
When to not use IPSec
Authentication methods
When to use AH
When a secure connection is needed
Must establish authentication of source
Data itself is not sensitive
Risk of packet capturing compromising data is low
When to use ESP
When a secure connection is needed
Must establish authentication of source
When the data itself must be protected
When security of the network offsets the performance cost of the additional processing
Authentication methods
Kerberos version 5.0
Public Key Certificate Authorities
Microsoft Certificate Server
Pre-shared key
Main Tasks
Retrieve the IP Security policy
Deliver policy to IPSec driver and ISAKMP
Periodically poll for new policies
Update or replace IPSec/ISAKMP policies
Check for local IP address changes and update the IP filters
Policy storage
Polling
Security Association (SA): mutually agreed upon key, protocol, and security parameter index that define the security level between sender and receiver
Phase I SA (ISAKMP SA)
1. Policy negotiation
2. Session key material refresh or exchange
3. SAs and keys passed to IPSec driver
SA lifetimes
IPSec driver is responsible for:
1. Stores existing filters and policy IDs
2. Checks each IP packet for a match to a policy filter
3. Requests SA negotiations from ISAKMP for new connections
4. Stores existing SAs
5. Implementing IPSec policy as defined in SAs
6. Tracks key time length and number of bytes transformed to request new keys
7. Updates SA changes and deletes expired SAs
Implementation of IPSec
In This Section We Will Cover
Policies and policy inheritance
Rules
IP packet filtering
Filter actions
Connection types
Authentication
Implementation of IPSec
Policies
Policy inheritance
Implementation of IPSec
Rules
Determine how and when a policy is used
Provide customization of policy based on source, destination, and specific IP traffic
A rule consists of:
Connection type
Authentication methods
IP filter list
Filter action
Tunnel settings
Implementation of IPSec
IP Packet Filtering
Set for both incoming and outgoing traffic
Contains the following parameters:
1. The source and destination address of the IP packet
2. The protocol being used to transport the packet
3. Source and destination port of the protocol
Implementation of IPSec
Filter Actions
Defaults
Custom
Accept unsecured - respond with IPSec
Allow unsecured with non-IPSec-aware computer
Implementation of IPSec
Connection Types
Implementation of IPSec
Authentication Methods
Kerberos
Certificates
Pre-shared key
Evaluate network data
Determine network data flow
Design a network security plan
Configure and test in lab before deploying IP filter lists
Things to consider (SNMP, DNS, DHCP, WINS, DCs, and performance)
Communications Scenario
Filter Lists
Try to use general filters
Set up filters for logical network segments
Filter display order versus filter applied order
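The filter parameters listed under IP Packet Filtering and the "display order versus applied order" point above, as an added Python model (not Windows code): Windows applies the most specific matching filter regardless of the order filters are shown in, which the specificity score below reproduces; all filters and packets are constructed sample data.

```python
"""Model of an IPSec filter list. Each filter matches on the three parameter
groups from the slides (source/destination address, protocol, ports) and
carries a filter action; the most specific matching filter is applied, not
the first one in display order. Added illustration, not the Windows driver;
all filters and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    name: str
    src: Optional[str]        # CIDR, or None for any address
    dst: Optional[str]
    proto: Optional[int]      # IP protocol number (6 = TCP, 17 = UDP), None = any
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str               # "permit", "block" or "negotiate"

    def matches(self, pkt: dict) -> bool:
        def addr_ok(net, addr):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (addr_ok(self.src, pkt["src"]) and addr_ok(self.dst, pkt["dst"])
                and self.proto in (None, pkt["proto"])
                and self.src_port in (None, pkt.get("sport"))
                and self.dst_port in (None, pkt.get("dport")))

    def specificity(self) -> int:
        """Larger is more specific: longer prefixes and fixed protocol/ports."""
        score = sum(ipaddress.ip_network(n).prefixlen for n in (self.src, self.dst) if n)
        score += 8 if self.proto is not None else 0
        return score + 16 * sum(p is not None for p in (self.src_port, self.dst_port))

def apply_filters(filters, pkt):
    """Return (filter name, action) of the most specific match; no match passes."""
    hits = [f for f in filters if f.matches(pkt)]
    if not hits:
        return ("<none>", "permit")
    best = max(hits, key=Filter.specificity)
    return (best.name, best.action)

# Display order as an administrator might have entered it (constructed).
FILTER_LIST = [
    Filter("all traffic", None, None, None, None, None, "negotiate"),
    Filter("dns to dc", None, "10.0.0.10/32", 17, None, 53, "permit"),
    Filter("telnet anywhere", None, None, 6, None, 23, "block"),
]
```

Although "all traffic" is listed first, DNS to the domain controller is permitted in the clear and telnet is blocked, because those filters are more specific; everything else falls through to negotiate.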
Filter Actions
Rogue computers
ESP
RAS
SNMP
Security gateways
DHCP, DNS, WINS
Domain controllers
Down-level clients
IPSec is one part of a security foundation
Designed for intranet, not perimeter
Security is a balance of
Troubleshooting IPSec
System/Security logs and routes
Ping and IPSec monitor
Network monitor
Policy Agent
Log files
Knowledge Base
Troubleshooting IPSec
Event Viewer System/Security Logs and Routes
Default Routes
Troubleshooting IPSec
PING and IPSec Monitor Commands
Is IPSec enabled on host
Displays current SAs on host
Displays whether the SAs are hard or soft
AH: IP protocol 51
ESP: IP protocol 50
ESP packet data is not visible
ISAKMP/Oakley: UDP port 500
Troubleshooting IPSec
Policy Agent
Start, stop, and restart Policy Agent
Clears out old SAs
Refreshes policies from Active Directory
Allows the restarting of the IPSec driver
Ipsecpa.log
Troubleshooting IPSec
Oakley log files
Value: 1
Introduction
With network address translation (NAT) in Windows 2003, you can configure your network to share a single connection to the Internet.
Introduction (2)
Internet Connection Sharing (ICS) is included with Windows 2003 Professional and higher.
Network address translation (NAT) is included with Windows 2000 Server and higher.
Components
Translation
Addressing
Name Resolution
Components: Translation
NAT translates the IP addresses and TCP/UDP port numbers of packets that are forwarded between the private network and the Internet.
The packets sent out of NAT have a source IP address of the NAT machine.
Therefore, external machines are never aware that NAT is being used.
Components: Addressing
The addressing component is a simplified DHCP server called the DHCP allocator.
NAT Configuration
IP routing
Right-click Network Address Translation (NAT)
Choose New Interface
Select the external interface and then click OK
Specify this interface as the public interface and enable Translate TCP/UDP Headers (recommended)
Repeat the process for the internal interface and specify this as the private interface
Client Configuration
Statically configured clients
Special Ports:
This allows the administrator to specify certain types of traffic to be sent to a specific internal machine
Create a special port for incoming TCP port 80 traffic destined to the internal Web server
Address Pool:
NAT also gives us the functionality to create a one-to-one mapping between external IP address and internal IP address
Also enable Allow incoming sessions to this address
NAT Editors
NAT performs TCP port and UDP port translation, in addition to IP address translation
If an application stores IP address or port information within its own header (like FTP PORT command), a NAT editor is needed
Two editors that Windows 2000 includes are FTP and PPTP
Any service that encrypts or integrity-protects these headers won't work through NAT (like IPSec)
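The translation component described under Components: Translation, and the reason it collides with IPSec, as an added Python illustration (not Windows or RFC code): AH signs the IP header, so a NAT rewriting the source address invalidates the integrity check, while ESP's check starts after the IP header. The header layout is simplified, and the key, addresses and payload are constructed.

```python
"""Why NAT breaks AH but survives ESP address translation. AH's HMAC covers
the IP header (mutable fields such as TTL zeroed) plus the payload, so a
NAT rewriting the source address invalidates the ICV; ESP's integrity check
starts after the IP header, so address rewriting survives, but the ports a
NAT would translate sit inside the protected payload and cannot be touched.
Added illustration with a simplified header, not the RFC 2402/2406 wire
format; key, addresses and payload are constructed."""
import hashlib
import hmac
import struct

KEY = b"constructed-sa-key"   # sample SA key, not a real one

def packet(src, dst, ttl, payload):
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload}

def _addr(a):
    return bytes(int(x) for x in a.split("."))

def ah_icv(pkt):
    """AH style: HMAC-SHA over header with TTL zeroed (mutable field) + payload."""
    hdr = struct.pack("!4s4sB", _addr(pkt["src"]), _addr(pkt["dst"]), 0)
    return hmac.new(KEY, hdr + pkt["payload"], hashlib.sha1).digest()

def esp_icv(pkt):
    """ESP style: HMAC over the payload only; the outer IP header is unprotected."""
    return hmac.new(KEY, pkt["payload"], hashlib.sha1).digest()

def forward(pkt, new_src=None):
    """One hop: decrement TTL; a NAT hop additionally rewrites the source address."""
    out = dict(pkt, ttl=pkt["ttl"] - 1)
    if new_src is not None:
        out["src"] = new_src
    return out

def verify(pkt, icv, icv_fn):
    return hmac.compare_digest(icv_fn(pkt), icv)

def demo():
    original = packet("10.0.0.4", "203.0.113.5", 64, b"GET / HTTP/1.0\r\n")
    ah, esp = ah_icv(original), esp_icv(original)
    via_router = forward(original)                          # plain router hop
    via_nat = forward(original, new_src="198.51.100.1")     # NAT public address (constructed)
    return {
        "ah_after_router": verify(via_router, ah, ah_icv),  # True: TTL is mutable, not signed
        "ah_after_nat": verify(via_nat, ah, ah_icv),        # False: source address is signed
        "esp_after_nat": verify(via_nat, esp, esp_icv),     # True: IP header not covered
    }
```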
Diagram: PPTP through NAT. Private hosts b (10.0.0.3) and c (10.0.0.4) sit behind the NAT (10.0.0.1 inside, 204.x.1.10 outside), with a PPTP server on the Internet. The three panels show:
1. Connection request to port 1723 from c to <PPTP server>, source 10.0.0.4, port 1025. The NAT maps 10.0.0.4, port 1025 to 204.x.1.10, port 2000 and forwards the connection request from c to <PPTP server> with source 204.x.1.10, port 2000. Request received and accepted; during configuration, the PPTP server assigns 192.10.10.2 to c's VPN.
2. Tunnel established.
3. Original packet has app data, TCP, UDP, etc., source 192.10.10.2. PPP and GRE headers are added; the encapsulated packet has source 10.0.0.4, destination PPTP server. At the NAT the original packet is not touched (source 192.10.10.2); only the encapsulating packet's IP address is translated: source 204.x.1.10, destination PPTP server.