70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.


Objectives
- Describe the IP security issues and how the IPSec protocol addresses them
- Identify and discuss the features of different types of encryption
- Choose the appropriate IPSec mode for a given situation
- Implement authentication for IPSec
- Enable IPSec

Objectives (continued)
- Create IPSec policies
- Create and manage IP filter lists and filter actions
- Monitor and troubleshoot IPSec

IPSec Overview
- IPv4 has no built-in security mechanisms to protect communication between two hosts
- There are a variety of ways hackers can corrupt or eavesdrop on IP-based communications: packet sniffing, data replay, data modification, address spoofing
- IP Security (IPSec) is a standards-track protocol supported by the Internet Engineering Task Force
- Exists at the Network layer of the TCP/IP architecture

Authentication
- The process whereby the identity of the sender or creator is verified
- IPSec authenticates the endpoints of any IP-based conversation
- When two partners in a conversation using IPSec are authenticated, IP addresses are no longer used to verify the identity of the partners

Cryptography
- The process of encrypting and decrypting messages to ensure they are read only by the intended recipient
- Ciphertext refers to the encrypted information
- Encryption can be used by IPSec to hide data packet contents
- A key is a large number that is difficult to guess and is used in combination with an algorithm to encrypt and decrypt data
- Symmetrical encryption uses a single key to encrypt and decrypt data

Cryptography (continued)
- Asymmetrical encryption uses two separate keys, called the public key and the private key
- The public key is made available to anyone who wants it
- The private key is held only by the individual to which it is assigned
- Hash encryption is one-way encryption; a hash algorithm uses a single key to convert data to a hash value

Digital Signatures
- Ensure that a message has not been modified while in transit and that it came from the named sender
- The public and private keys of the sender are used for a digital signature
- IPSec uses digital signatures on each packet of information to ensure that the packet has not been modified while in transit

Digital Signatures (continued)

Using IPSec
- Widely used by many vendors
- Current specifications ensure at least a minimal level of compatibility between implementations from different vendors
- Not supported by pre-Windows 2000 operating systems
- Can significantly slow communication on a network
- Adds complexity to a network

Using IPSec (continued)

IPSec Modes
- Define whether communication is secured between two hosts or between two networks, and which IPSec services are used
- Using all modes is not practical because of the processing power consumed on routers and hosts
- Modes include: tunnel mode, transport mode, Authentication Header (AH) mode, Encapsulating Security Payload (ESP) mode

AH Mode
- Provides authentication of the two endpoints and adds a checksum to the packet
- Authentication guarantees that the two endpoints are known; the checksum guarantees that the packet is not modified in transit
- The payload of the packet is unencrypted
- Use whenever you are concerned about packets being captured with a packet sniffer and replayed later
- Less processor-intensive than ESP mode

ESP Mode
- Provides authentication of the two endpoints, which guarantees that the two endpoints are known
- Adds a checksum to each packet
- Encrypts the data in the packet
- Most implementations of IPSec use ESP mode because data encryption is desired
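The difference between the AH and ESP slides above (and the per-packet "digital signature" of the Digital Signatures slide, which on the wire is a keyed hash, not a public-key signature) is easier to see in code. The following is an added illustration, not code from the textbook or from the Windows IPSec implementation. It assumes constructed demo keys (a real security association gets its keys from IKE), uses HMAC-SHA1 for the integrity check because SHA1 is one of the two integrity algorithms the chapter lists, and stands in a toy HMAC-based keystream for the DES/3DES encryption that ESP would really use. The `ReplayWindow` class models the receiver-side anti-replay check that makes the "captured and replayed later" concern on the AH slide fail.

```python
"""Toy model of the per-packet protection IPSec AH and ESP add (added example)."""
import hashlib
import hmac

# Constructed demo keys; assumption: a real SA derives these through IKE.
AUTH_KEY = b"constructed-demo-integrity-key"
ENC_KEY = b"constructed-demo-encryption-key"

ICV_LEN = 20  # HMAC-SHA1 digest length


def icv(data: bytes) -> bytes:
    """Integrity check value: keyed hash (HMAC-SHA1) over the protected bytes."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()


def ah_protect(seq: int, ip_header: bytes, payload: bytes) -> bytes:
    """AH: authenticate sequence number, header and payload; payload stays readable."""
    body = seq.to_bytes(4, "big") + len(ip_header).to_bytes(1, "big") + ip_header + payload
    return body + icv(body)


def ah_verify(packet: bytes):
    """Return (seq, ip_header, payload) if the ICV checks out, else None."""
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(body), tag):
        return None  # modified in transit, or not from a holder of the key
    seq = int.from_bytes(body[:4], "big")
    hdr_len = body[4]
    return seq, body[5:5 + hdr_len], body[5 + hdr_len:]


def _keystream(seq: int, length: int) -> bytes:
    """Toy keystream (HMAC-SHA1 in counter mode); a stand-in for DES/3DES, not a real cipher.
    The sequence number doubles as the nonce, so an SA must never reuse one under a key."""
    out, counter = b"", 0
    while len(out) < length:
        block_input = seq.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(ENC_KEY, block_input, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def esp_protect(seq: int, payload: bytes) -> bytes:
    """ESP: encrypt the payload, then authenticate sequence number + ciphertext."""
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(seq, len(payload))))
    body = seq.to_bytes(4, "big") + ct
    return body + icv(body)


def esp_open(packet: bytes):
    """Return (seq, payload) if the ICV checks out, else None (never decrypt unverified data)."""
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(body), tag):
        return None
    seq = int.from_bytes(body[:4], "big")
    ct = body[4:]
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(seq, len(ct))))


class ReplayWindow:
    """Receiver-side anti-replay check on authenticated sequence numbers.

    Each sequence number is accepted once; anything older than the sliding
    window (64 here, a constructed size) is rejected even if its ICV is valid."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.seen = set()

    def accept(self, seq: int) -> bool:
        if seq <= self.highest - self.size or seq in self.seen:
            return False  # replayed, or too old to track
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.size}
        return True


if __name__ == "__main__":
    hdr = b"\x45\x00" + b"\x00" * 18  # constructed 20-byte IPv4 header stand-in
    ah = ah_protect(1, hdr, b"hello")
    print("AH payload visible on the wire:", b"hello" in ah)
    esp = esp_protect(1, b"hello")
    print("ESP payload visible on the wire:", b"hello" in esp)
```

Run it and the AH packet still carries `hello` in clear text while the ESP packet does not; flip any byte of either packet and the verify function returns `None`, and feeding a valid packet's sequence number to `ReplayWindow.accept` a second time is refused, which is the replay protection the AH slide refers to.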

Transport Mode
- Used between two hosts
- Both ends of the communication must support IPSec

Transport Mode (continued)

Tunnel Mode
- Used between two routers
- Two hosts communicating through the routers do not need to support IPSec
- The computers taking part in the conversation are not authenticated

Tunnel Mode (continued)

IPSec Authentication
- Both endpoints of the communication are authenticated
- Authentication is for the devices, not the users logged into the devices
- Internet Key Exchange (IKE) is the process used by two IPSec hosts to negotiate their security parameters
- When the security parameters have been agreed upon, the result is referred to as a security association (SA)
- Three methods Windows Server 2003 can use to authenticate IPSec connections: preshared key, certificates, and Kerberos

Preshared Key
- A combination of characters entered at each endpoint of the IPSec connection
- Major advantage is simplicity
- Major disadvantage is that the preshared key has to be moved between the two devices when they are configured

Certificates
- May be presented for authentication
- A file that follows the X.509 standard created by the ITU-T and contains information about a user or computer, as well as a public key
- Issued by trusted organizations on the Internet called certification authorities
- A certificate must be validated using the digital signature of the certification authority
- Main disadvantage is cost

Kerberos
- Authentication system used by Windows 2000/XP/2003 for access to network resources
- Uses a security boundary called a realm
- In Active Directory, a domain is equivalent to a Kerberos realm
- Main benefit is seamless integration with domain security
- Not a commonly supported authentication method for IPSec on non-Microsoft products, nor for Windows computers that are not part of an Active Directory forest

Enabling IPSec
- IPSec is enabled on Windows Server 2003 using IPSec policies
- Policies can be configured manually on each server or distributed through Group Policy
- IPSec policies define the circumstances under which IP traffic is tunneled using IPSec, permitted without IPSec, or blocked
- Three policies are installed by default: Server, Client, and Secure Server

Assigning IPSec Policies
- No policy is used until it is assigned
- Only one policy can be assigned at a time per machine
- Assignment does not take effect immediately
- The IPSec Policy Agent must be restarted for the change to take effect

Creating an IPSec Policy
- You can create your own IPSec policies tailored to your environment
- Each policy is composed of IPSec rules; each rule is composed of an IP filter list, an IPSec filter action, authentication methods, a tunnel endpoint, and a connection type
- The default response rule is used when the filters from other rules do not apply
- The Active Directory default option is generally used for internal client computers and servers

Creating Rules
- You must edit an IPSec policy to add the rules that define how different types of IP traffic are handled
- The Default Response rule is the only rule that may exist by default
- Steps in Wizard mode include: choose tunnel or transport mode; choose the network type; specify the IP filter list; specify the filter action

IPSec Filter Lists
- The two default IP filter lists, All IP Traffic and All ICMP Traffic, do not allow much control over which traffic uses IPSec
- Not all traffic needs to be encrypted
- You can choose whether or not to use the IP Filter Wizard

Filter Actions
- Define what is done to traffic that matches an IP filter list
- Three default actions are available: Permit, Request Security, and Require Security
- Use the IP Security Filter Action Wizard to create a new filter action
- Each filter action requires at least one security method
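The four slides on policies, rules, filter lists and filter actions describe one decision procedure: the single assigned policy holds rules, each rule binds a filter list to a filter action, and the default response rule covers packets no filter matches. The model below is an added example, not the textbook's or Windows' own code, that works that procedure through for a constructed policy. It assumes, as the Windows IPSec driver does, that the most specific matching filter wins regardless of rule order, and it simplifies "the peer negotiates IPSec" to one boolean; the Block action is included alongside the three default actions because the Enabling IPSec slide says traffic can be blocked.

```python
"""Toy evaluator for how an assigned IPSec policy resolves a packet (added example)."""
from dataclasses import dataclass
from typing import List, Optional

PERMIT, BLOCK = "Permit", "Block"
REQUEST_SECURITY, REQUIRE_SECURITY = "Request Security", "Require Security"
ANY = None  # wildcard for an address, protocol or port


@dataclass(frozen=True)
class Filter:
    src: Optional[str] = ANY        # one address or ANY (subnets omitted for brevity)
    dst: Optional[str] = ANY
    protocol: Optional[str] = ANY   # "TCP", "UDP", "ICMP" or ANY
    dst_port: Optional[int] = ANY
    mirrored: bool = True           # also match the reply direction, as the MMC "Mirrored" box does

    def matches(self, pkt: dict) -> bool:
        def hit(src, dst, dst_port):
            return (self.src in (ANY, src) and self.dst in (ANY, dst)
                    and self.protocol in (ANY, pkt["protocol"])
                    and self.dst_port in (ANY, dst_port))
        if hit(pkt["src"], pkt["dst"], pkt.get("dst_port")):
            return True
        # Mirrored: the reply has addresses swapped and the server port as source port
        return self.mirrored and hit(pkt["dst"], pkt["src"], pkt.get("src_port"))

    def specificity(self) -> int:
        """Number of non-wildcard fields; assumption: most specific match wins."""
        return sum(f is not ANY for f in (self.src, self.dst, self.protocol, self.dst_port))


@dataclass
class FilterList:
    name: str
    filters: List[Filter]


@dataclass
class Rule:
    name: str
    filter_list: FilterList
    action: str


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default_response: bool = True  # Default Response rule: secure traffic when the peer asks for IPSec


def best_rule(policy: Policy, pkt: dict) -> Optional[Rule]:
    best, best_score = None, -1
    for rule in policy.rules:
        for f in rule.filter_list.filters:
            if f.matches(pkt) and f.specificity() > best_score:
                best, best_score = rule, f.specificity()
    return best


def outcome(policy: Policy, pkt: dict, peer_negotiates: bool) -> str:
    """What happens to the packet: 'clear', 'secured' or 'dropped'."""
    rule = best_rule(policy, pkt)
    if rule is None:
        # No filter applies: only the Default Response rule can secure it
        return "secured" if (policy.default_response and peer_negotiates) else "clear"
    if rule.action == PERMIT:
        return "clear"
    if rule.action == BLOCK:
        return "dropped"
    if rule.action == REQUIRE_SECURITY:
        return "secured" if peer_negotiates else "dropped"
    return "secured" if peer_negotiates else "clear"  # Request Security falls back to clear text


def build_demo_policy() -> Policy:
    """Constructed policy: require IPSec to a file server, request it elsewhere, permit ping, block Telnet."""
    return Policy("Demo policy (constructed)", [
        Rule("Require IPSec for file server",
             FilterList("SMB to file server", [Filter(dst="10.0.0.5", protocol="TCP", dst_port=445)]),
             REQUIRE_SECURITY),
        Rule("Request IPSec for everything else", FilterList("All IP Traffic", [Filter()]), REQUEST_SECURITY),
        Rule("Permit ICMP", FilterList("All ICMP Traffic", [Filter(protocol="ICMP")]), PERMIT),
        Rule("Block Telnet", FilterList("Telnet", [Filter(protocol="TCP", dst_port=23)]), BLOCK),
    ])


if __name__ == "__main__":
    policy = build_demo_policy()
    smb = {"src": "10.0.0.20", "dst": "10.0.0.5", "protocol": "TCP", "src_port": 50000, "dst_port": 445}
    for negotiates in (True, False):
        print("SMB to file server, peer negotiates IPSec =", negotiates, "->", outcome(policy, smb, negotiates))
```

The two outcomes that matter in practice fall out directly: with Require Security a peer that cannot negotiate IPSec is dropped, whereas with Request Security the same peer is talked to in clear text, which is why the Server policy is a migration aid and the Secure Server policy is the enforcing one. The mirrored filter also catches the file server's replies, so the rule holds in both directions.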

Cryptography Algorithms
- IPSec offers both data integrity and encryption
- Two algorithms for AH and ESP data integrity: Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5)
- Two algorithms for ESP data encryption: Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES)

Troubleshooting IPSec
- The most common IPSec troubleshooting tools are: Ping, IPSec Security Monitor, Event Viewer, Resultant Set of Policy, Netsh, Oakley logs, Network Monitor

Ping
- Used to test network connectivity between two hosts and to confirm that they can communicate
- Does not test IPSec specifically

IPSec Security Monitor
- MMC snap-in that allows you to view the status of IPSec SAs
- Used to confirm that an SA was negotiated between two hosts

Event Viewer
- The IPSec Policy Agent automatically writes events to the security log
- Enable the Audit logon events option if needed
- You can modify the system registry to allow additional information from the IPSec Policy Agent to be written to the system log
- Change the appropriate registry key to the value 7

Resultant Set of Policy
- Applying Group Policies can be complex
- The RSoP snap-in allows you to view which policies apply and to simulate the application of new policies to test their results

Netsh
- Allows you to configure a number of network-related settings
- Useful when batch scripts are used to remotely make changes on clients and servers
- Configuration categories include: bridging, DHCP, diagnostics, IP configuration, remote access, routing, WINS, remote procedure calls

Oakley Logs
- Track the establishment of SAs
- Not enabled by default
- Enabled with the command "netsh ipsec dynamic set config ikelogging 1"

Network Monitor
- Used to view packets traveling on the network and to identify IPSec traffic
- Cannot view encrypted information inside an IPSec packet
- Useful for determining whether packets are being properly transmitted between computers
- Not useful for application-level problems if the traffic is encrypted

Summary
- IPv4 has no built-in security mechanisms and uses IPSec as an add-on protocol
- IPSec operates at the Network layer, is not supported by pre-Windows 2000 operating systems, cannot be used with NAT, and uses authentication, cryptography, and digital signatures to provide secure IP communication
- Various tools can be used to troubleshoot IPSec

Summary (continued)
- Cryptography uses algorithms and keys to encrypt and decrypt information
- A digital signature does not ensure the confidentiality of the information, only its integrity and authentication
- IPSec ESP mode has the ability to perform data encryption and authentication
- Transport mode is used between two hosts; tunnel mode is used between two routers

Summary (continued)
- The Windows Server 2003 implementation can perform authentication using a preshared key, certificates, or Kerberos
- Filter lists define the packets affected by a rule
- Filter actions define what is done to the traffic that matches the filter list
- The two algorithms used for data integrity are SHA1 and MD5
- The two algorithms used for data encryption are DES and 3DES