IPSec: The Wonder Protocol. Anurag Vij, Microsoft IT.


Agenda
- IPSec – the protocol
- Network Segmentation using Microsoft

Why?
- For too long “defense-in-depth” has meant layers of network protection
- Consider the medieval castle model…
- The hosts themselves should start participating
  - Achieves more granular security
  - Improves trustworthiness: now we know the machines, too
- Common problems that are solved: spoofing, privacy

What is IPsec?
- Internet Protocol Security
- Set of protocols and services
- Provides various security services for traffic at the IP layer – the network layer
- These security services include:
  - Authentication – we are who we say we are
  - Integrity – the data has not been tampered with
  - Confidentiality – the data cannot be seen by others
  - Anti-replay – the data cannot be replayed post interception
  - Non-repudiation – validating the sender of the traffic

What is IPsec? (2)
- IPsec is composed of three main protocols:
  - Authentication Header (AH) – integrity, anti-replay, non-repudiation
  - Encapsulating Security Payload (ESP) – integrity, anti-replay, non-repudiation, confidentiality
  - Internet Key Exchange (IKE) – cryptographic infrastructure; provides keying and negotiation
- IPsec Request for Comment (RFC) 2401
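The anti-replay service listed above is provided by AH and ESP through a per-SA sequence number and a sliding receive window. The following is an added example, not code from the presentation, implementing the standard 64-packet window check a receiver performs: a sequence number is accepted if it is newer than anything seen so far, or if it falls inside the window and has not already been seen; anything older than the window or already seen is rejected.

```python
# Added example (not from the presentation): the per-SA anti-replay
# window used by AH and ESP receivers. Each IPsec SA has its own
# sequence counter and window; 64 is the minimum window size in the
# IPsec RFCs. In a real stack the window is updated only after the
# packet's ICV has verified, so forged sequence numbers cannot poison it.


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (highest - i) was seen

    def check(self, seq):
        """Return True if seq would be accepted; does not modify state."""
        if seq == 0:              # sequence numbers start at 1 for a fresh SA
            return False
        if seq > self.highest:
            return True
        offset = self.highest - seq
        if offset >= self.size:   # too old: fell off the left edge of the window
            return False
        return not (self.bitmap >> offset) & 1

    def update(self, seq):
        """Record seq as seen; call only after the packet authenticated."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1   # everything previously seen is now out of window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq):
        """Combined check-then-update, as a receiver would do per packet."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def replay_demo():
    """Feed a constructed sequence of packets (reordered, replayed, and a
    large jump) to one SA's window and return each verdict."""
    w = ReplayWindow()
    return [(seq, w.accept(seq)) for seq in (1, 2, 3, 5, 4, 3, 70, 5, 7, 7, 69, 70)]
```

In the demo, packet 4 arriving after 5 is still accepted (reordering inside the window is fine), the second copy of 3 is rejected, the jump to 70 slides the window so 5 is now too old, and 7 is accepted exactly once.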

About these “modes”
- There is no such thing as an “IPsec tunnel”!
- Types: Transport mode, Tunnel mode
- Methods: AH (Authentication Header), ESP (Encapsulating Security Payload)

IPsec authentication header (AH) in transport mode
Before: Orig IP Hdr | TCP Hdr | Data
After:  Orig IP Hdr | AH Hdr (inserted) | TCP Hdr | Data
AH Hdr fields: Next Hdr, Payload Len, Rsrv, SecParamIndex (SPI), Seq#, Keyed Hash – 24 bytes total
Integrity hash coverage: from the Orig IP Hdr (immutable fields) through Data
AH is IP protocol 51

IPsec encapsulating security payload (ESP) in transport mode
Before: Orig IP Hdr | TCP Hdr | Data
After:  Orig IP Hdr | ESP Hdr (inserted) | TCP Hdr | Data | ESP Trailer | ESP Auth (appended)
Usually encrypted: TCP Hdr, Data, ESP Trailer
Integrity hash coverage: ESP Hdr through ESP Trailer (the Orig IP Hdr is not covered)

IPsec ESP tunnel mode
Before: Orig IP Hdr | TCP Hdr | Data
After:  IP Hdr (new IP header with source and destination IP address) | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
Usually encrypted: Orig IP Hdr, TCP Hdr, Data, ESP Trailer
Integrity hash coverage: ESP Hdr through ESP Trailer
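The three packet diagrams above differ mainly in what the integrity hash covers. The following added example (not code from the presentation) builds constructed IPv4 packets carrying AH and ESP in transport mode with the Python standard library, then tampers with them: a TTL change survives AH's hash because mutable IP fields are zeroed before hashing, a payload change does not; a rewritten source address survives ESP's hash because the IP header is outside its coverage. ESP uses NULL encryption so the layout stays visible; the key, addresses and payload are sample values.

```python
# Added example (not code from the presentation): constructed IPv4 packets
# carrying AH and ESP in transport mode, built and parsed with the standard
# library. It shows the 24-byte AH header (HMAC-SHA1-96 ICV), that AH's
# integrity hash covers the IP header minus mutable fields, and that ESP's
# covers only the ESP header, payload and trailer. ESP uses NULL encryption
# here so the layout stays visible; keys and addresses are sample values.
import hashlib
import hmac
import struct

AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, bytes(src), bytes(dst))


def zero_mutable(ip_hdr):
    """AH hashes the IP header with mutable fields zeroed: TOS, flags and
    fragment offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def build_ah_transport(key, src, dst, spi, seq, payload, next_hdr=TCP_PROTO):
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload


def parse_ah_transport(key, packet):
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTO:
        raise ValueError("not an AH packet")
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    covered = zero_mutable(ip_hdr) + rest[:12] + b"\0" * len(icv) + payload
    expected = hmac.new(key, covered, hashlib.sha1).digest()[:len(icv)]
    return {"next_hdr": next_hdr, "ah_len": ah_len, "spi": spi, "seq": seq,
            "icv_ok": hmac.compare_digest(icv, expected), "payload": payload}


def build_esp_transport(key, src, dst, spi, seq, payload, next_hdr=TCP_PROTO):
    esp_hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_hdr)
    body = esp_hdr + payload + trailer            # exactly what ESP Auth covers
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + icv


def parse_esp_transport(key, packet):
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, icv = rest[:-ICV_LEN], rest[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    return {"next_hdr": next_hdr, "spi": spi, "seq": seq,
            "icv_ok": hmac.compare_digest(icv, expected),
            "payload": body[8:len(body) - 2 - pad_len]}


def mutate(packet, index, value):
    """Return a copy of packet with one byte replaced (simulated tampering)."""
    b = bytearray(packet)
    b[index] = value
    return bytes(b)


def demo():
    """Build both packet types, then tamper with them to show the coverage."""
    key = b"sample-integrity-key"                 # constructed value
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"GET / HTTP/1.0\r\n"                # stands in for TCP hdr + data
    ah = build_ah_transport(key, src, dst, 0x1001, 1, payload)
    esp = build_esp_transport(key, src, dst, 0x2002, 1, payload)
    return {
        "ah_len": parse_ah_transport(key, ah)["ah_len"],
        "ah_ok": parse_ah_transport(key, ah)["icv_ok"],
        # a router decrementing TTL (byte 8) must not break AH
        "ah_ttl_changed_ok": parse_ah_transport(key, mutate(ah, 8, 63))["icv_ok"],
        # flipping the last payload byte must break AH
        "ah_payload_tampered_ok": parse_ah_transport(key, mutate(ah, len(ah) - 1, ah[-1] ^ 0xFF))["icv_ok"],
        # rewriting the source address (byte 12) is invisible to ESP's hash
        "esp_ip_hdr_changed_ok": parse_esp_transport(key, mutate(esp, 12, 192))["icv_ok"],
        # flipping the first payload byte (offset 20 + 8) must break ESP
        "esp_payload_tampered_ok": parse_esp_transport(key, mutate(esp, 28, esp[28] ^ 0xFF))["icv_ok"],
        "esp_payload": parse_esp_transport(key, esp)["payload"],
    }
```

The ESP result is the reason ESP, unlike AH, can pass through address-rewriting devices; the AH result is why the slide shows its integrity hash spanning the original IP header.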

SA establishment
- Internet Key Exchange (IKE) – Identity Protect Mode – defined in RFC 2409
- Phase 1 “Main Mode” establishes the IKE SA: a trusted channel between systems. The negotiation establishes an encrypted channel and mutual trust, and dynamically generates a shared secret key (the “master” key)
- Phase 2 “Quick Mode” establishes the IPsec SAs for data protection: one SA for each direction, identified by a packet label (SPI); algorithms and packet formats are agreed; generates shared “session” secret keys derived from the “master” key
Diagram: on each side (client “IKE Initiator”, server or gateway “IKE Responder”) the stack is Application or Service – TCP/IP – IPsec Driver – NIC, with the IPsec Policy Agent and IKE (ISAKMP) alongside. The IKE negotiation runs over UDP port 500 and yields 1 IKE SA and 2 IPsec SAs; protected data then flows as IP protocol 50/51.
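The two phases above, as an added example that is not the presentation's or Microsoft's code: Phase 1 agrees a shared master key over Diffie-Hellman, and Phase 2 derives a distinct session key for each IPsec SA (one per direction, labelled by its SPI) from that master key, so rekeying an SA or adding one does not repeat the expensive Phase 1 exchange. This is a simplified model, not the RFC 2409 SKEYID/KEYMAT construction: it uses HMAC-SHA256 as the PRF and omits cookies, nonces and peer authentication. The modulus is assumed to be the 1024-bit MODP group (Oakley group 2); the SPI values are constructed.

```python
# Added example, not the presentation's or Microsoft's code: a simplified
# model of the two IKE phases on the slide. Phase 1 agrees a shared "master"
# key with Diffie-Hellman; Phase 2 derives a distinct "session" key for each
# IPsec SA (one per direction, labelled by its SPI) from that master key.
# This is NOT the RFC 2409 SKEYID/KEYMAT construction: it uses HMAC-SHA256
# as the PRF and omits cookies, nonces and peer authentication. The modulus
# is assumed to be the 1024-bit MODP group (Oakley group 2).
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ESP_PROTO = 50


def valid_public_value(y):
    """Reject degenerate DH values (0, 1, p-1) that would force a known secret."""
    return 2 <= y <= P - 2


class IkePeer:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, p-2]
        self.pub = pow(G, self.priv, P)
        self.master = None

    def phase1(self, peer_pub):
        """Main Mode outcome: both sides hold the same master key."""
        if not valid_public_value(peer_pub):
            raise ValueError("invalid Diffie-Hellman public value")
        shared = pow(peer_pub, self.priv, P).to_bytes(P.bit_length() // 8, "big")
        self.master = hmac.new(b"ike-phase1-master", shared, hashlib.sha256).digest()
        return self.master

    def session_key(self, spi, proto=ESP_PROTO):
        """Quick Mode outcome: a per-SA key bound to the SA's protocol and SPI."""
        if self.master is None:
            raise RuntimeError("Phase 1 has not completed")
        label = b"ike-phase2" + bytes([proto]) + spi.to_bytes(4, "big")
        return hmac.new(self.master, label, hashlib.sha256).digest()


def negotiate():
    """Run one initiator/responder exchange and report what the SAs share."""
    init, resp = IkePeer("initiator"), IkePeer("responder")
    init.phase1(resp.pub)                      # Phase 1: exchange public values,
    resp.phase1(init.pub)                      # both derive the master key
    spi_i2r, spi_r2i = 0x1001A2B3, 0x2002C4D5  # constructed SPIs, one per direction
    return {
        "master_match": init.master == resp.master,
        "i2r_match": init.session_key(spi_i2r) == resp.session_key(spi_i2r),
        "r2i_match": init.session_key(spi_r2i) == resp.session_key(spi_r2i),
        "directions_differ": init.session_key(spi_i2r) != init.session_key(spi_r2i),
        # a Quick Mode rekey with a fresh SPI yields a new key from the same master
        "rekey_differs": init.session_key(0x3003E6F7) != init.session_key(spi_i2r),
    }
```

The public-value check matters in practice: accepting 0, 1 or p-1 from a peer would let the shared secret be forced to a predictable value, so an IKE responder validates the incoming value before computing the master key.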

Traffic not filtered by IPsec
- IP broadcast addresses – can’t secure to multiple receivers
- Multicast addresses – from … through …, same reason
- RSVP – IP protocol type 46. Allows RSVP to signal quality of service (QoS) requests for application traffic that may then be IPsec protected
- Kerberos – UDP source or dest port 88. Kerberos is itself a secure protocol, which IPsec’s IKE negotiation service may use for authentication of other computers in a domain
- IKE – UDP dest port 500. Required to allow IKE to negotiate parameters for IPsec security

Policy
A policy defines all aspects of the communication to be secured by IPsec:
- Tunnel or transport mode
- Host or network address of IPsec entities
- Cryptographic algorithms
- Type of traffic
- Key lifetimes
- Action to take
- Authentication methods

IPsec overview – how IPsec helps
Problem | How IPsec helps | Details
Unauthorized system access | Authentication, Integrity | Defense in depth by isolating trusted from untrusted systems
Targeted attacks on high-value servers | Authentication, Integrity | Locking down servers with IPsec. Examples: HR servers, Outlook® Web Access (OWA), DC replication
Eavesdropping | Authentication, Confidentiality | Defense in depth against password or information gathering by untrusted systems
Government guideline compliance | Authentication, Confidentiality | Example: “All communications between financial servers must be encrypted.”

Planning for IPsec implementation
- Determine security requirements
  - What network resources and traffic flows need to be secured
  - How resources and traffic flows should be secured: authentication, encryption, block or permit

Planning for IPsec implementation
- Design IPsec policies
  - Select authentication method: Kerberos, preshared key, certificates
  - Select security protocol: ESP for confidentiality; AH or ESP (Null) for integrity

Planning for IPsec implementation
- Design IPsec policies (cont.)
  - Determine traffic flows: network and host addresses, protocols, port addresses

Planning for IPsec implementation
- Test IPsec functionality and behavior
- Design an implementation strategy
  - Roll out in phases
  - Use Microsoft IPsec policy features to minimize user impact

IPsec steps before you implement
- Create an IPsec test network.
- Select IPsec configuration and troubleshooting tools.
  - Configuration: IPsec Management snap-in or Netsh.exe
  - Troubleshooting: IPsec Monitor snap-in, Netsh.exe, Oakley.log files, packet sniffers
- Add policies and send traffic to verify functionality.
  - Filter configuration
  - Filter weighting
  - Smart filters

Configuring IPsec policy – MMC
Structure of an IPsec policy as shown in the MMC diagram:
- IPsec policy
  - Policy-wide parameters: ISAKMP policy
  - IPsec rule 1 … IPsec rule n, each consisting of:
    - Filter list: Filter 1 … Filter n
    - Filter action
    - Authentication methods: Method 1 … Method n
    - Tunnel endpoint
    - Connection type
The MMC slides (2) through (14) step through these dialogs and repeat the same diagram.


Implementation scenarios
- Domain and server isolation
  - Protect corporate assets from unmanaged, rogue and guest PCs
  - Complement to other security mechanisms (firewall, antivirus, IDS)
  - Restrict communication to domain-managed computers

Scenario: IPsec packet filtering
- Filters for allowed and blocked traffic
- No actual negotiation of IPsec security associations
- Overlapping filters – the most specific match determines the action
- Does not provide stateful filtering
- Recommended only on internal isolated networks for specific or limited purposes
From IP | To IP | Protocol | Src Port | Dest Port | Action
Any | My Internet IP | Any | n/a | n/a | Block
Any | | TCP | Any | 80 | Permit
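The filtering behaviour on this slide and the exemption list on the “Traffic not filtered by IPsec” slide, as one added example (not code from the presentation or from Windows): exempt traffic is passed untouched first; otherwise every filter matching the packet is collected and the most specific one decides, which is how a permit for TCP/80 overrides a broad “block all” to the same address. The specificity weighting, the Packet/Filter types and the sample addresses (RFC 5737 documentation ranges; 203.0.113.10 stands in for “My Internet IP”) are this example's own assumptions.

```python
# Added example (not code from the presentation or from Windows): a small
# model of IPsec packet filtering as the slides describe it. Traffic on the
# "not filtered by IPsec" list (broadcast, multicast, RSVP, Kerberos, IKE) is
# exempted first; then every matching filter is collected and the most
# specific one decides, so a permit for TCP/80 overrides a broad "block all".
# The weighting scheme and the sample addresses (RFC 5737 ranges) are this
# example's own.
import ipaddress
from dataclasses import dataclass
from typing import Optional

UDP, TCP, RSVP = 17, 6, 46


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def exempt_from_ipsec(pkt: Packet) -> bool:
    """Default exemptions listed on the 'Traffic not filtered by IPsec' slide."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst == ipaddress.ip_address("255.255.255.255") or dst.is_multicast:
        return True                      # can't secure to multiple receivers
    if pkt.proto == RSVP:
        return True                      # RSVP signals QoS for traffic IPsec will protect
    if pkt.proto == UDP and 88 in (pkt.sport, pkt.dport):
        return True                      # Kerberos, itself secure and used by IKE
    if pkt.proto == UDP and pkt.dport == 500:
        return True                      # IKE must get through to negotiate SAs
    return False


@dataclass(frozen=True)
class Filter:
    src: str                 # "any", a host address or a CIDR network
    dst: str
    proto: Optional[int]     # None = any protocol
    sport: Optional[int]     # None = any port
    dport: Optional[int]
    action: str              # "permit", "block" or "negotiate"

    @staticmethod
    def _net(spec: str):
        return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self._net(self.src)
                and ipaddress.ip_address(pkt.dst) in self._net(self.dst)
                and self.proto in (None, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))

    def weight(self):
        """Specificity: longer address prefixes, then protocol, then ports."""
        addr_bits = self._net(self.src).prefixlen + self._net(self.dst).prefixlen
        return (addr_bits, self.proto is not None,
                (self.sport is not None) + (self.dport is not None))


def decide(filters, pkt: Packet) -> str:
    """Return the action IPsec filtering takes for one packet."""
    if exempt_from_ipsec(pkt):
        return "exempt"
    candidates = [f for f in filters if f.matches(pkt)]
    if not candidates:
        return "no-filter"               # IPsec does nothing; traffic passes untouched
    return max(candidates, key=Filter.weight).action


# Filters from the DMZ scenario: block everything to the Internet-facing
# address except TCP 80 and 443. 203.0.113.10 stands in for "My Internet IP".
DMZ_FILTERS = [
    Filter("any", "203.0.113.10", None, None, None, "block"),
    Filter("any", "203.0.113.10", TCP, None, 80, "permit"),
    Filter("any", "203.0.113.10", TCP, None, 443, "permit"),
]
```

Because this is stateless, as the slide notes, a reply packet is judged on its own header fields only; the permit for destination port 80 says nothing about the return traffic from source port 80, which needs its own filter.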

Scenario: IPsec packet filtering (2)
DMZ* server – IPsec packet filtering only – facing the Internet: Block All, Allow Port 80, 443 (Windows® 2000, 2003)
* Refers to the perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

Scenario: Secure server solution
- Allows IPsec authentication and protection for traffic between specific sets of servers
- Secures communication in environments that are not secure
- Complements firewalls by requiring authentication of all traffic

Scenario: Secure server solution (2)
- Reduces firewall exceptions to IPsec traffic
- Typical scenarios:
  - Between an OWA server on the Internet and a computer running Exchange Server
  - Between domain controllers for domain replication

Scenario: Domain isolation

Levels of Trusted Assets (diagram)
- SecureNet: Clients, Servers, Home LAN, Trustworthy Labs (203,000)
- Untrustworthy Labs (75,000)
- PocketPC/Xbox (18,000)
- MAC (2,000)
- Boundary Machines (5,000)
- Infrastructure (500): DHCP, DNS, WINS, DC
- Internet Servers
- Business Partners Extranet
- DTaps (no connectivity to CorpNet) (1,800)
- External Exclusions
- Internal Exclusions
- Microsoft Corporate Network
- ACL Controlled

Your Feedback is Important! Please Fill Out the feedback form

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.