Published by Gervase Lamb. Modified over 9 years ago.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network
Chapter 9: Securing Network Traffic Using IPSec
Objectives
- Describe the IP security issues and how the IPSec protocol addresses them
- Identify and discuss the features of different types of encryption
- Choose the appropriate IPSec mode for a given situation
- Implement authentication for IPSec
- Enable IPSec
Objectives (continued)
- Create IPSec policies
- Create and manage IP Filter Lists and Filter Actions
- Monitor and troubleshoot IPSec
IPSec Overview
- IPv4 has no built-in security mechanisms to protect communication between two hosts
- An attacker on the path can therefore sniff packets, replay captured data, modify data in transit, or spoof source addresses
- IP Security (IPSec) is a standards-track protocol suite defined by the Internet Engineering Task Force (IETF)
- It operates at the Network layer of the TCP/IP architecture, so it protects any IP-based application without changes to that application
Authentication
- The process of verifying the identity of the sender or creator of data
- IPSec authenticates the endpoints of an IP-based conversation before any protected traffic flows
- Once the two IPSec peers are authenticated, identity is tied to the negotiated keys rather than to IP addresses, which can be spoofed
Cryptography
- The process of encrypting and decrypting messages so that only the intended recipient can read them
- Ciphertext refers to the encrypted information
- IPSec can use encryption to hide the contents of data packets
- A key is a large number that is difficult to guess; it is used in combination with an algorithm to encrypt and decrypt data
- Symmetric encryption uses a single shared key to both encrypt and decrypt data
Cryptography (continued)
- Asymmetric encryption uses two separate but mathematically related keys, called the public key and the private key
- The public key is made available to anyone who wants it
- The private key is held only by the individual or computer to which it is assigned
- A hash algorithm is a one-way function: it converts data of any length into a fixed-length hash value from which the original data cannot be recovered. Hashing is not encryption and by itself uses no key; for integrity protection IPSec combines a hash algorithm with a shared secret key (a keyed hash, HMAC), so that only a party holding the key can produce a matching value
Digital Signatures
- Ensure that a message has not been modified in transit and that it came from the named sender
- The sender signs a hash of the message with its private key; the recipient verifies the signature with the sender's public key
- A digital signature provides integrity and authentication but not confidentiality
- IPSec uses certificate-based digital signatures to authenticate peers during key exchange; the per-packet check that detects modification in transit is a keyed hash (HMAC) computed with the symmetric key agreed during that exchange, which is far cheaper than signing every packet
Using IPSec
- Widely implemented by many vendors
- Current specifications ensure at least a minimal level of interoperability between implementations from different vendors
- Not supported by pre-Windows 2000 operating systems
- Encryption and integrity checking add CPU load on each endpoint and can noticeably slow communication on a network
- Adds complexity to a network and to troubleshooting, because protected payloads cannot be inspected by intermediate devices
IPSec Modes
- Define whether communication is secured between two hosts or between two networks, and which IPSec services are applied
- Strictly, Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two IPSec protocols, and transport and tunnel are the two modes in which either can run; this chapter refers to all four as modes
- Applying every service to all traffic is not practical because of the processing load it places on routers and hosts
- Modes include: Tunnel mode, Transport mode, Authentication Header (AH) mode, Encapsulating Security Payload (ESP) mode
AH Mode
- Provides authentication of the two endpoints and adds an integrity check value (a keyed hash, not a simple checksum) to each packet
- Authentication guarantees that the two endpoints are known; the integrity check value guarantees that the packet, including the IP header fields that do not change in transit, was not modified
- A sequence number in the header lets the receiver detect and discard replayed packets
- The payload of the packet is not encrypted, so AH provides no confidentiality
- Use when you are concerned about packets being modified or captured with a packet sniffer and replayed later, but not about their contents being read
- Less processor intensive than ESP mode
- Because AH covers the IP header, it cannot pass through Network Address Translation (NAT)
ESP Mode
- Provides authentication of the two endpoints, which guarantees that the two endpoints are known
- Adds an integrity check value and a sequence number to each packet (ESP authentication covers the ESP header and payload but not the outer IP header)
- Encrypts the data in the packet, providing confidentiality
- Most implementations of IPSec use ESP mode because data encryption is usually desired
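The integrity check on the AH and ESP slides, and the keyed-hash point from the Cryptography and Digital Signatures slides, are easier to see in code. The following Python is an added example, not code from the textbook or from Windows: it builds an AH/ESP-style integrity check value (HMAC-SHA1 truncated to 96 bits, the HMAC-SHA1-96 form IPSec uses) over a sequence number and payload, and a receiver that rejects modified packets and replayed packets using a 64-packet sliding window. The key, the payload bytes and the packet layout are constructed for the demo; in a real SA the key comes from IKE and the header carries more fields (SPI, next header, padding).

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real SA gets its integrity key from IKE.
DEMO_KEY = b"constructed-demo-key-not-from-ike"
ICV_LEN = 12      # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits, as AH/ESP use it
WINDOW = 64       # anti-replay window in packets (the minimum IPSec receivers support)
SEQ_LEN = 4       # 32-bit sequence number field


def protect(seq: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Sender side: sequence number || payload || ICV, where the ICV is a keyed hash.

    A plain (unkeyed) hash here would be useless: anyone who alters the payload
    could recompute it. Only a party holding the SA key can produce a matching ICV.
    """
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class Receiver:
    """Receiver side: verify the ICV first, then enforce the anti-replay window."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmap: bit k set <=> sequence (highest - k) was accepted

    def accept(self, packet: bytes):
        """Return (payload, status); payload is None when the packet is rejected."""
        if len(packet) < SEQ_LEN + ICV_LEN:
            return None, "too short"
        header, body, icv = packet[:SEQ_LEN], packet[SEQ_LEN:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha1).digest()[:ICV_LEN]
        # Constant-time compare so the check itself does not leak the ICV byte by byte.
        if not hmac.compare_digest(icv, expected):
            return None, "bad ICV (modified or forged)"
        seq = struct.unpack("!I", header)[0]
        if seq == 0:
            return None, "sequence number 0 is never valid"
        if seq > self.highest:
            # Window slides forward; bit 0 now represents this packet.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return body, "accepted"
        offset = self.highest - seq
        if offset >= WINDOW:
            return None, "too old (outside window)"
        if self.seen & (1 << offset):
            return None, "replay"
        self.seen |= 1 << offset
        return body, "accepted (late, inside window)"


def tamper(packet: bytes, new_first_byte: bytes) -> bytes:
    """Simulate an on-path modification of the first payload byte, keeping the old ICV."""
    return packet[:SEQ_LEN] + new_first_byte + packet[SEQ_LEN + 1:]


if __name__ == "__main__":
    rx = Receiver()
    p1 = protect(1, b"GET /")
    cases = [("first", p1), ("replayed", p1), ("tampered", tamper(protect(2, b"GET /"), b"X"))]
    for label, pkt in cases:
        print(label, rx.accept(pkt)[1])
```

The receiver checks the ICV before touching the replay window, so an attacker cannot poison the window with forged sequence numbers; that ordering is the same one the IPSec RFCs prescribe.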
Transport Mode
- Used between two hosts; each end protects the traffic it sends and checks the traffic it receives
- Both communication ends must support IPSec
- The original IP header is kept and the AH or ESP header is inserted after it, so only the payload is protected
Tunnel Mode
- Used between two routers (security gateways), typically to link two sites across an untrusted network
- The two hosts communicating through the routers do not need to support IPSec; the whole original packet is encapsulated in a new IP packet addressed between the gateways
- Only the gateways are authenticated; the computers taking part in the conversation are not, so tunnel mode protects the path between sites rather than identifying the end hosts
IPSec Authentication
- Both endpoints of the communication are authenticated
- Authentication is of the devices (computers), not of the users logged on to them
- Internet Key Exchange (IKE) is the process two IPSec hosts use to authenticate each other and negotiate their security parameters and keys
- The agreed set of parameters (protocol, algorithms, keys, lifetime) is called a security association (SA); one SA is established for each direction of traffic
- Three methods Windows Server 2003 can use to authenticate IPSec connections: preshared key, certificates, and Kerberos
Preshared Key
- A combination of characters entered identically at each endpoint of the IPSec connection
- Major advantage is simplicity
- Major disadvantage is distributing the key securely to both devices and keeping it secret afterwards; the key is stored in clear text in the IPSec policy, so anyone who can read the policy can read the key
- Best suited to testing and to interoperating with devices that support nothing else
Certificates
- May be presented for authentication
- A certificate is a file that follows the X.509 standard created by ITU-T and contains information about a user or computer, as well as that subject's public key
- Issued by trusted organizations called certification authorities (CAs), either public CAs on the Internet or an internal CA such as Windows Certificate Services
- A certificate must be validated by checking the CA's digital signature on it, and that it has not expired or been revoked
- Main disadvantage is cost, whether paid to a public CA or spent building and operating an internal PKI
Kerberos
- Authentication system used by Windows 2000/XP/2003 for access to network resources
- Uses a security boundary called a realm
- In Active Directory, a domain is equivalent to a Kerberos realm
- Main benefit is seamless integration with domain security: domain member computers authenticate with their existing computer accounts, and no keys or certificates need to be distributed
- Not commonly supported as an IPSec authentication method on non-Microsoft products, and not available to Windows computers that are not members of the Active Directory forest
Enabling IPSec
- IPSec is enabled on Windows Server 2003 by assigning an IPSec policy
- Policies can be configured manually on each server (Local Security Policy) or distributed through Group Policy
- IPSec policies define the circumstances under which IP traffic is secured with IPSec, permitted without IPSec, or blocked
- Three policies are installed by default: Client (Respond Only), Server (Request Security), and Secure Server (Require Security)
Assigning IPSec Policies
- No policy is in effect until it is assigned
- Only one policy can be assigned at a time per machine; assigning a second policy unassigns the first
- Assignment does not take effect immediately
- Restart the IPSec Services (IPSec Policy Agent) service, or wait for the policy polling interval, for the change to take effect
Creating an IPSec Policy
- You can create your own IPSec policies tailored to your environment
- Each policy is composed of IPSec rules; each rule is composed of an IP filter list, a filter action, one or more authentication methods, a tunnel endpoint (none for transport mode), and a connection type (all, LAN, or remote access)
- The Default Response rule is used when filters from other rules do not apply: it never initiates security, but responds when a peer requests it
- The Active Directory default (Kerberos) authentication option is generally used for internal client computers and servers
Creating Rules
- You must edit an IPSec policy to add the rules that define how different types of IP traffic are handled
- The Default Response rule is the only rule that exists by default
- Steps in Wizard mode include:
  - Choose tunnel or transport mode (specify a tunnel endpoint, or none)
  - Choose the network (connection) type
  - Specify the IP filter list
  - Specify the filter action
  - Specify the authentication method
IPSec Filter Lists
- The two default IP filter lists, All IP Traffic and All ICMP Traffic, do not allow much control over which traffic uses IPSec
- Not all traffic needs to be protected; a filter list can select traffic by source and destination address, protocol, and port
- Filters are mirrored by default, so one filter matches both the request and the reply direction
- You can choose whether or not to use the IP Filter Wizard when adding filters to a list
Filter Actions
- Define what is done to traffic that matches an IP filter list
- Three default actions are available:
  - Permit: pass the traffic without IPSec
  - Request Security (Optional): negotiate IPSec, but fall back to unsecured communication if the peer does not respond
  - Require Security: negotiate IPSec and drop the traffic if negotiation fails
- Block is also available when you create your own filter action
- Use the IP Security Filter Action Wizard to create a new filter action
- Each negotiating filter action requires at least one security method (the AH or ESP protocol and algorithms to offer)
- When several filters in the assigned policy match a packet, the most specific filter wins
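To make the policy, rule, filter list and filter action model from the last few slides concrete, here is an added Python model; it is not the textbook's or Microsoft's code, and it does not read or write real Windows policies. It evaluates a packet against a policy the way the slides describe: the most specific matching filter across all rules decides, mirrored filters also match the reply direction, and the Default Response rule applies when nothing matches. The three default policies are rebuilt from their documented rules (All ICMP Traffic permitted, All IP Traffic requested or required); the local address, the addresses and ports in the packets, and the custom Telnet rule are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"   # the Filter Wizard's "Any IP Address" / "Any" protocol; port 0 means any port
ME = "me"     # the Filter Wizard's "My IP Address"


@dataclass(frozen=True)
class Filter:
    src: str = ANY
    dst: str = ANY
    protocol: str = ANY      # "tcp", "udp", "icmp" or ANY
    src_port: int = 0
    dst_port: int = 0
    mirrored: bool = True    # also match the reply direction (addresses and ports swapped)


@dataclass(frozen=True)
class FilterAction:
    action: str                        # "permit", "block" or "negotiate"
    fall_back_to_clear: bool = False   # True = Request Security, False = Require Security


@dataclass(frozen=True)
class Rule:
    name: str
    filters: Tuple[Filter, ...]
    action: FilterAction


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]   # the Default Response rule is implicit: it applies when nothing matches


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0


def _addr_match(spec: str, addr: str, local_ips) -> Tuple[bool, int]:
    """(matches?, specificity weight): a single host beats a subnet beats 'me' beats any."""
    if spec == ANY:
        return True, 0
    if spec == ME:
        return addr in local_ips, 1
    net = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net, (3 if net.num_addresses == 1 else 2)


def _match_one_way(f: Filter, p: Packet, local_ips) -> Optional[int]:
    weight = 0
    for spec, addr in ((f.src, p.src), (f.dst, p.dst)):
        ok, w = _addr_match(spec, addr, local_ips)
        if not ok:
            return None
        weight += w
    if f.protocol != ANY:
        if f.protocol != p.protocol:
            return None
        weight += 1
    for fport, pport in ((f.src_port, p.src_port), (f.dst_port, p.dst_port)):
        if fport:
            if fport != pport:
                return None
            weight += 1
    return weight


def match_filter(f: Filter, p: Packet, local_ips) -> Optional[int]:
    """Specificity weight if the filter matches (either direction when mirrored), else None."""
    weight = _match_one_way(f, p, local_ips)
    if weight is None and f.mirrored:
        weight = _match_one_way(f, Packet(p.dst, p.src, p.protocol, p.dst_port, p.src_port), local_ips)
    return weight


def evaluate(policy: Policy, packet: Packet, local_ips) -> Tuple[str, str]:
    """Apply the assigned policy: the most specific matching filter across all rules decides."""
    best = None
    for rule in policy.rules:
        for f in rule.filters:
            w = match_filter(f, packet, local_ips)
            if w is not None and (best is None or w > best[0]):
                best = (w, rule)
    if best is None:
        return "Default Response", "clear; answers a peer that requests security"
    rule = best[1]
    if rule.action.action != "negotiate":
        return rule.name, rule.action.action
    if rule.action.fall_back_to_clear:
        return rule.name, "negotiate IPSec, fall back to clear if the peer cannot"
    return rule.name, "negotiate IPSec, drop if negotiation fails"


# The three default policies, rebuilt from their documented rules.
ALL_IP, ALL_ICMP = Filter(), Filter(protocol="icmp")
PERMIT = FilterAction("permit")
REQUEST = FilterAction("negotiate", fall_back_to_clear=True)
REQUIRE = FilterAction("negotiate", fall_back_to_clear=False)
CLIENT = Policy("Client (Respond Only)", ())
SERVER = Policy("Server (Request Security)",
                (Rule("All ICMP Traffic", (ALL_ICMP,), PERMIT), Rule("All IP Traffic", (ALL_IP,), REQUEST)))
SECURE_SERVER = Policy("Secure Server (Require Security)",
                       (Rule("All ICMP Traffic", (ALL_ICMP,), PERMIT), Rule("All IP Traffic", (ALL_IP,), REQUIRE)))

# Constructed custom policy: like Server, but Telnet to this host must be protected.
TELNET_TO_ME = Filter(dst=ME, protocol="tcp", dst_port=23)
CUSTOM = Policy("Server plus Telnet rule",
                SERVER.rules + (Rule("Telnet to this server", (TELNET_TO_ME,), REQUIRE),))

if __name__ == "__main__":
    local = {"10.0.0.5"}   # constructed local address
    telnet = Packet("10.0.0.9", "10.0.0.5", "tcp", 40000, 23)
    for pol in (CLIENT, SERVER, SECURE_SERVER, CUSTOM):
        print(pol.name, "->", evaluate(pol, telnet, local))
```

Running it shows why a server-wide Request Security rule is not enough on its own: the Telnet packet is only guaranteed protection when a more specific rule with Require Security outranks the All IP Traffic filter, and the mirrored Telnet filter catches the reply direction without a second filter.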
Cryptography Algorithms
- IPSec offers both data integrity and encryption
- Two algorithms for AH and ESP data integrity: Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5), each used as a keyed hash (HMAC)
- Two algorithms for ESP data encryption: Data Encryption Standard (DES, 56-bit key) and Triple Data Encryption Standard (3DES)
- Of these, prefer SHA1 and 3DES; DES and MD5 were already considered weak when Windows Server 2003 shipped, and current IPSec implementations use AES and SHA-2 instead
Troubleshooting IPSec
Most common IPSec troubleshooting tools are:
- Ping
- IPSec Security Monitor
- Event Viewer
- Resultant Set of Policy
- Netsh
- Oakley logs
- Network Monitor
Ping
- Used to test network connectivity between two hosts
- Used to confirm that two hosts can communicate
- Does not test IPSec specifically: the default Server and Secure Server policies permit all ICMP traffic, so ping succeeds even when IPSec negotiation for other traffic is failing
IPSec Security Monitor
- MMC snap-in (IP Security Monitor) that allows you to view the active IPSec policy and the status of IPSec SAs
- Used to confirm that main mode and quick mode SAs were negotiated between two hosts; if no SA appears, the problem is in policy or authentication rather than in the protected traffic itself
Event Viewer
- The IPSec Policy Agent automatically writes events to the security log
- Enable the Audit logon events option if needed; IKE negotiation successes and failures are then recorded as logon events
- You can modify the system registry so that additional diagnostic information from the IPSec driver is written to the system log
- Change the appropriate registry value to 7 to enable all of the additional logging
Resultant Set of Policy
- Applying Group Policies can be complex, and several GPOs may carry IPSec settings
- The RSoP snap-in allows you to view which policies actually apply to a computer and to simulate the application of new policies to test their results
Netsh
- Allows you to configure a number of network-related settings from the command line
- Useful when batch scripts are used to remotely make changes on clients and servers
- Configuration categories include: bridging, DHCP, diagnostics, IP configuration, remote access, routing, WINS, remote procedure calls
- The netsh ipsec context manages IPSec policies (static) and shows or changes the running IPSec state (dynamic)
Oakley Logs
- Track the establishment of SAs (IKE main mode and quick mode negotiation)
- Not enabled by default
- Enabled with the command “netsh ipsec dynamic set config ikelogging 1”; the log is written to %systemroot%\Debug\Oakley.log
Network Monitor
- Used to view packets traveling on the network and to identify IPSec traffic (AH is IP protocol 51, ESP is IP protocol 50, IKE uses UDP port 500)
- Cannot view encrypted information inside an ESP packet
- Useful for determining whether packets are being properly transmitted between computers and whether the IKE exchange is taking place
- Not useful for application-level problems if the traffic is encrypted
Summary
- IPv4 has no built-in security mechanisms; IPSec is added to it as a separate protocol suite
- IPSec:
  - Operates at the Network layer
  - Is not supported by pre-Windows 2000 operating systems
  - AH cannot pass through NAT because it authenticates the IP header; ESP can traverse NAT only with NAT traversal (UDP encapsulation), which Windows Server 2003 supports
  - Uses authentication, cryptography, digital signatures (for certificate-based peer authentication) and keyed hashes (for per-packet integrity) to provide secure IP communication
- Various tools can be used to troubleshoot IPSec
Summary (continued)
- Cryptography uses algorithms and keys to encrypt and decrypt information
- A digital signature does not ensure the confidentiality of the information, only its integrity and the authenticity of its sender
- IPSec ESP mode can perform both data encryption and authentication; AH mode performs authentication only
- Transport mode is used between two hosts; tunnel mode is used between two routers
Summary (continued)
- The Windows Server 2003 implementation can perform authentication using a preshared key, certificates, or Kerberos
- Filter lists define the packets affected by a rule
- Filter actions define what is done to the traffic that matches the filter list
- The two algorithms used for data integrity are SHA1 and MD5 (as HMACs)
- The two algorithms used for data encryption are DES and 3DES