70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network2 Objectives Describe IP Security issues and how the IPSec protocol addresses them Choose the appropriate IPSec mode for a given situation Implement authentication for IPSec Enable IPSec Create IPSec policies Monitor and troubleshoot IPSec

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network3 Why IPSec Is Important IPSec provides security for IP-based networks Authenticate both computers engaged in a conversation Use digital signatures to verify that data has not been tampered with while in transit Encrypt data while in transit

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network4 How Hackers Work IPv4 has no built-in security mechanisms to protect the communication between two hosts Hackers can corrupt or eavesdrop on communications Packet sniffing Data replay Data modification Address spoofing

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network5 Authentication, Encryption, and Digital Signatures IPSec authenticates the endpoints of any IP-based conversation using IPSec Each participant must be known and trusted Encryption can be used by IPSec to hide the contents of data packets Digital signatures on each packet in a conversation ensure that a packet has not been modified

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network6 Advantages of IPSec IPSec exists at the network layer of the TCP/IP architecture so most applications are unaware of it IPSec is a valuable addition to a network when data integrity or confidentiality are required IPSec is widely used by many vendors It is a standards protocol

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network7 Disadvantages of IPSec Pre-Windows 2000 operating systems from Microsoft do not support the IPSec IPSec can significantly slow network communication Only latest versions of IPSec can be routed through NAT, which is a serious limitation for remote users IPSec adds complexity to a network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network8 Disadvantages of IPSec (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network9 IPSec Modes The modes of operation define whether communication is secured between two hosts or two networks, and which IPSec services are used When implementing IPSec, you must choose tunnel mode or transport mode Must choose AH mode or ESP mode

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network10 AH Mode Use AH mode when you are concerned about packets being captured with a packet sniffer and replayed Authentication Headers (AH) mode enforces authentication of the two IPSec clients and includes a digital signature on each packet Authenticates the two endpoints and adds a checksum Checksum guarantees that the packet is not modified in transit, including the IP headers AH mode does not provide data confidentiality, however; the payload of the packet is unencrypted

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network11 ESP Mode Most implementations of IPSec use ESP mode because data encryption is desired The ESP mode authenticates the two endpoints, adds a checksum, and encrypts the data in the packet Authentication performs the same function as in AH mode Checksum guarantees that the packet was not modified in transit, excluding the IP headers Encryption ensures that unintended recipients cannot read the data in the packet

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network12 Transport Mode IPSec in transport mode is used between two hosts Both endpoints in the communication must support IPSec This limits the implementation of IPSec because many devices, such as printers, rarely offer IPSec support

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network13 Transport Mode (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network14 Transport Mode (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network15 Tunnel Mode IPSec in tunnel mode is used between two routers The two hosts communicating through the routers do not need to support IPSec Authentication takes place between the two routers when using IPSec in tunnel mode Less secure because a hacker could place an unauthorized computer on a trusted network

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network16 Tunnel Mode (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network17 Tunnel Mode (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network18 IPSec Authentication Endpoints of an IPSec are authenticated Internet Key Exchange is the process used by two IPSec computers or routers to negotiate the following security parameters Method of authentication AH or ESP mode Transport or tunnel mode Encryption and hashing algorithms Parameters for key exchange

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network19 IPSec Authentication (continued) Security association (SA): when security parameters have been agreed upon Three methods Windows Server 2003 uses to authenticate IPSec connections: Preshared key Certificates Kerberos

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network20 Preshared Key A preshared key is a combination of characters entered at each endpoint of the IPSec connection Authentication is based on both endpoints knowing the same secret The major advantage is simplicity The major disadvantage is the movement of the preshared key when configuring the two devices

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network21 Certificates Certificates may be presented for authentication If the two certificates are part of the same hierarchy, each IPSec device accepts the certificate of the other The main disadvantage of using third-party certificates is cost

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network22 Kerberos Kerberos is the authentication system used by Windows 2000/XP/Server 2003 for access to network resources Seamless integration with domain security Not a commonly supported authentication system for IPSec on non-Microsoft products such as routers Not appropriate for Windows computers that are not part of the Active Directory forest

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network23 Enabling IPSec IPSec is enabled on Windows Server 2003 using IPSec policies An IPSec policy must be in place to use IPSec The three policies installed by default Server (Request Security) Client (Respond Only) Secure Server (Require Security)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network24 Assigning a Default IPSec Policy A single server can have many IPSec policies No policy is used until it is assigned One policy can be assigned at a time per machine The Local Security Policy snap-in can assign an IPSec policy on a single computer Group Policy can assign an IPSec policy to a group of computers

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network25 Activity 10-1: Assigning an IPSec Policy The purpose of this activity is to assign an IPSec policy to enable encryption of data packet

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network26 Activity 10-2: Verifying an IPSec Security Association The purpose of this activity is to verify that the IPSec policy you have enabled is working

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network27 Creating Your Own IPSec Security Policy An IPSec rule controls how IPSec is implemented and each rule is composed of: An IP filter list An IPSec filter action Authentication methods A tunnel endpoint A connection type An IP filter list is a list of protocols that will be affected by the rule

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network28 Creating Your Own IPSec Security Policy (continued) An IPSec filter action is what will be done to the protocols defined in the filter list Authentication methods are the protocols that can be used for authentication if IPSec is rule-based The tunnel endpoint is the remote host IPSec is being performed with when tunnel mode is used The connection type defines the type of connections to which this rule applies

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network29 Activity 10-3: Creating an IPSec Policy The purpose of this activity is to create a new IPSec policy that is more flexible than the default policies

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network30 Adding and Creating Rules After creating an IPSec policy, edit it to add rules that define how different types of IP traffic are handled After selecting an IP filter list, select an action to be performed on the packets that match the IP filter list The three filter actions that exist by default are Permit Request security Require security

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network31 Activity 10-4: Creating a New IPSec Filter Rule The purpose of this activity is to add a new IPSec filter rule that allows ICMP traffic to pass through unmodified

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network32 IPSec Filter Lists When a new IP filter list is created Give it a name Have the option of giving it a description Add IP filters that make up the list and specify the traffic to which this list applies

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network33 Activity 10-5: Creating an IPSec Filter List The purpose of this activity is to create a new IPSec filter list for all FTP traffic

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network34 Filter Actions Filter actions define what is done to traffic that matches an IP filter list: Permit Request Security (Optional) Require Security Filter actions define a number of security parameters, including the type of encryption In highly secure situations, you may want to modify these or create your own

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network35 Cryptography Algorithms Two algorithms for AH and ESP data integrity Secure Hash Algorithm (SHA1) Message Digest 5 (MD5) Two algorithms for ESP data encryption Data encryption standard (DES) Triple data encryption standard (3DES)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network36 Activity 10-6: Creating a Filter Action The purpose of this activity is to create a new filter action that enforces encryption

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network37 Activity 10-7: Adding a Customized Filter List and Filter Action The purpose of this activity is to edit your FTP filter and add a rule using the customized filter list and filter action you have created

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network38 Troubleshooting IPSec IPSec troubleshooting deals with General network issues IPSec-specific configuration settings Group policy settings

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network39 Troubleshooting IPSec (continued) Most common IPSec troubleshooting tools/utilities Ping IPSec Security Monitor Event Viewer Resultant Set of Policy Netsh Oakley logs Network Monitor

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network40 Ping Tests network connectivity between two hosts The default IPSec policies permit ICMP packets and do not interfere with ping Does not test IPSec specifically, but can confirm that two hosts can communicate If they cannot communicate, they are not able to create an IPSec SA

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network41 IPSec Security Monitor MMC snap-in that allows you to view the status of IPSec SAs Can confirm that an SA was negotiated between two hosts Can be used to view the configuration of the IPSec policy that is applied

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network42 Event Viewer Event Viewer can be used to view the events that the IPSec Policy Agent writes to the event log Events show the configuration settings that IPSec is using and events generated during the creation of SAs Events are only written to the log if the Audit logon events option is enabled in the local security policy or Group Policy

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network43 Resultant Set of Policy Snap-in If you try to distribute and apply IPSec policies through Group Policy, and they are not functioning as you expect, you can use the Resultant Set of Policy (RSoP) snap-in Allows you to View which policies apply Simulate the application of new policies to test their results

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network44 Netsh The Netsh utility allows you to configure network- related settings: Bridging DHCP Diagnostics IP configuration remote access Routing WINS Remote procedure calls

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network45 Netsh (continued) IPSec configuration can also be modified using Netsh Some IPSec management tasks that can be performed with Netsh: Viewing policies Adding policies Deleting policies

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network46 Oakley Logs Oakley logs track the establishment of SAs This logging is not enabled by default

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network47 Network Monitor Network Monitor can be used to view packets that are traveling on the network and to identify IPSec traffic Cannot view encrypted information inside an IPSec packet Useful for determining whether packets are being properly transmitted between computers Not useful for troubleshooting application level problems if the traffic is encrypted

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network48 Activity 10-8: Disabling IPSec The purpose of this activity is to disable IPSec policies that have been applied

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network49 Summary IPv4 has no built-in security mechanisms and uses IPSec to make communication secure IPSec AH mode does not perform data encryption, but can authenticate and guarantee data integrity IPSec ESP mode can perform data encryption, authentication, and guarantees data integrity for the data portion of the packet, but not the IP headers

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network50 Summary (continued) Transport mode is used between two hosts Tunnel mode is used between two routers The Windows Server 2003 implementation can perform authentication using a preshared key, certificates, or Kerberos IPSec policies contain rules that control Authentication Which traffic is affected and what is done to the affected traffic Type of connections affected Whether this computer is a tunnel endpoint

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network51 Summary (continued) Filter actions define what is done to traffic that matches an IP filter list SHA1 and MD5 are used for AH and ESP data integrity DES and 3DES are used for ESP data encryption IPSec troubleshooting covers general network issues, IPSec-specific configuration settings, and group policy settings