Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.

Published byNelson Atkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement."— Presentation transcript:

1 Module 9: Configuring IPsec

2 Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement

3 Lesson 1: Overview of IPsec Benefits of IPsec Recommended Uses of IPsec Tools Used to Configure IPsec What Are Connection Security Rules? Demonstration: Configuring General IPsec Settings

4 Benefits of IPsec IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network IPsec has two goals: to protect IP packets and to defend against network attacks Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other IPsec secures network traffic by using encryption and data signing An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

5 Recommended Uses of IPsec Recommended uses of IPsec include: Authenticating and encrypting host-to-host traffic Authenticating and encrypting traffic to servers L2TP/IPsec for VPN connections Site-to-site tunneling Enforcing logical networks

6 Tools Used to Configure IPsec To configure IPsec, you can use: Windows Firewall with Advanced Security MMC (used for Windows Server 2008 and Windows Vista) IP Security Policy MMC (Used for mixed environments and to configure policies that apply to all Windows versions) Netsh command-line tool

7 What Are Connection Security Rules? Connection security rules involve: Authenticating two computers before they begin communications Securing information being sent between two computers Using key exchange, authentication, data integrity, and data encryption (optionally) How firewall rules and connection rules are related: Firewall rules allow traffic through, but do not secure that traffic Connection security rules can secure the traffic, but creating a connection security rule does not allow traffic through the firewall

8 Demonstration: Configuring General IPsec Settings In this demonstration, you will see how to configure General IPsec settings in Windows Firewall with Advanced Security

9 Lesson 2: Configuring Connection Security Rules Choosing a Connection Security Rule Type What Are Endpoints? Choosing Authentication Requirements Authentication Methods Determining a Usage Profile Demonstration: Configuring a Connection Security Rule

10 Choosing a Connection Security Rule Type Rule TypeDescription Isolation Restricts connections based on authentication criteria that you define Authentication Exemption Exempts specific computers, or a group or range of IP addresses, from being required to authenticate Grants access to those infrastructure computers with which this computer must communicate before authentication occurs Server-to-Server Authenticates two specific computers, two groups of computers, two subnets, or a specific computer and a group of computers or subnet Tunnel Provides secure communications between two peer computers through tunnel endpoints (VPN or L2TP IPsec tunnels) CustomEnables you to create a rule with special settings

11 What Are Endpoints? Encrypted IP Packet ESP TRLR ESP Auth ESP HDR New IP HDR Data ESP Tunnel Mode ESP Transport Mode Encrypted Data ESP TRLR ESP Auth ESP HDR IP HDR Data

12 Choosing Authentication Requirements OptionDescription Request Authentication for inbound and outbound connections Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails Require authentication for inbound connections and request authentication for outbound connections Require inbound be authenticated or it will be blocked Outbound can be authenticated but will be allowed if authentication fails Require authentication for inbound and outbound connections Require that all inbound/outbound traffic be authenticated or the traffic will be blocked

13 Authentication Methods MethodKey Points Default Use the authentication method configured on the IPsec Settings tab Computer and User (Kerberos V5) You can request or require both the user and computer authenticate before communications can continue; domain membership required Computer (Kerberos V5) Request or require the computer to authenticate using Kerberos V5 Domain membership required User (Kerberos V5) Request or require the user to authenticate using Kerberos V5; domain membership required Computer certificate Request or require a valid computer certificate, requires at least one CA Only accept health certificates: Request or require a valid health certificate to authenticate, requires IPsec NAP Advanced Configure any available method; you can specify methods for First and Second Authentication

14 Determining a Usage Profile Windows supports three network types, and programs can use these locations to automatically apply the appropriate configuration options: Domain: selected when the computer is a domain member Private: networks trusted by the user (home or small office network) Public: default for newly detected networks, usually the most restrictive settings are assigned because of the security risks present on public networks Security Settings can change dynamically with the network location type The network location type is most useful on portable computers which are likely to move from network to network

15 Demonstration: Configuring a Connection Security Rule In this demonstration, you will see how to configure a Connection Security rule

16 Lesson 3: Configuring IPsec NAP Enforcement IPsec Enforcement for Logical Networks IPsec NAP Enforcement Processes Requirements to Deploy IPsec NAP Enforcement

17 IPsec Enforcement for Logical Networks SHAs NAP agent NAP ECs Restricted Network Boundary Network Secure Network Non-NAP capable client Non-compliant NAP client NAP enforcement servers Remediation servers Compliant NAP client Secure servers NPS servers HRA VPN 802.1X DHCP NPS proxy SHAs NAP agent NAP ECs NAP administration server Network policies NAP health policies Connection request policies SHVs Certificate services E-mail servers NAP policy servers

18 IPsec NAP Enforcement includes: Policy validation NAP enforcement Network restriction Remediation Ongoing monitoring of compliance IPsec NAP Enforcement Processes Intranet Remediation Servers Internet NAP Health Policy Server DHCP Server Health Registration Authority IEEE 802.1X Devices Active Directory VPN Server Restricted Network NAP Client with limited access Perimeter Network

19 Requirements to Deploy IPsec NAP Enforcement Requirements for deploying IPsec NAP Enforcement: Active Directory Active Directory Certificate Services Network Policy Server Health Registration Authority

20 Lab: Configuring IPsec NAP Enforcement Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement Exercise 2: Configuring and Testing IPsec NAP Enforcement Logon information Virtual machines NYC-DC1, NYC-CL1, NYC-CL2 User nameAdministrator Password Pa$$w0rd Estimated time: 60 minutes

21 Lab Review What would the implication be if you installed the Certificate Server as an Enterprise CA, as opposed to a Standalone CA, and you have workgroup computers that need to be NAP compliant? Under what circumstances would Authentication Exemption be useful in a Connection Security Rule?

22 Module Review and Takeaways Review Questions Common Misconceptions About IPsec IPsec Benefits Tools

Download ppt "Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement."

Similar presentations

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Agenda Introduction Network Access Protection platform architecture

Agenda Introduction Network Access Protection platform architecture
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Security Data Transmission and Authentication

Security Data Transmission and Authentication
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Network Services Lesson 6. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Setting up common networking services Understanding.

Network Services Lesson 6. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Setting up common networking services Understanding.
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.

Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
Module 13: Configuring Availability of Network Resources and Content.

Module 13: Configuring Availability of Network Resources and Content.

Similar presentations

Ads by Google