Securing Network Communications Using IPSec Chapter Twelve.

2 Exam Objectives in this Chapter:
- Implement secure access between private networks.
  - Create and implement an IPSec policy.
- Configure network protocol security.
  - Configure protocol security in a heterogeneous client computer environment.
  - Configure protocol security by using IPSec policies.
- Configure security for data transmission.
  - Configure IPSec policy settings.

3 Exam Objectives in this Chapter (cont.):
- Plan for network protocol security.
  - Specify the required ports and protocols for specified services.
  - Plan an IPSec policy for secure network communications.
- Plan security for data transmission.
  - Secure data transmission between client computers to meet security requirements.
  - Secure data transmission by using IPSec.
- Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in.

4 Lessons in this Chapter:
- Securing Internetwork Communications
- Planning an IPSec Implementation
- Deploying IPSec
- Troubleshooting Data Transmission Security

5 Before You Begin
- This chapter assumes a basic understanding of TCP/IP communications, as described in Chapter 2, "Planning a TCP/IP Network Infrastructure."
- To perform the practice exercises in this chapter, you must have installed and configured Windows Server 2003 using the procedure described in "About This Book."

6 Securing Internetwork Communications
- Packet filtering: a method for regulating the TCP/IP traffic that is permitted to reach a computer or a network, based on header fields such as source and destination IP addresses, protocol identifiers, and port numbers.

7 Understanding Ports and Protocols
- Each header in a TCP/IP packet carries an identifier that tells the receiver which protocol at the next layer up should receive the packet: the frame header identifies IP, the IP header's Protocol field identifies TCP, UDP or ICMP (and AH or ESP when IPSec is in use), and the TCP or UDP port numbers identify the application. Packet filters work by examining these identifiers.

8 Well-Known Port Numbers (Table 12-1)

Application                                    Abbreviation       Protocol   Port Number
File Transfer Protocol (Control)               ftp-control        TCP        21
File Transfer Protocol (Default Data)          ftp-default data   TCP        20
Telnet                                         telnet             TCP        23
Simple Mail Transfer Protocol                  smtp               TCP        25
Domain Name Service                            domain             TCP/UDP    53
Dynamic Host Configuration Protocol (Server) /
  Bootstrap Protocol Server (nondynamic)       dhcps / bootps     UDP        67
Dynamic Host Configuration Protocol (Client) /
  Bootstrap Protocol Client (nondynamic)       dhcpc / bootpc     UDP        68
World Wide Web HTTP                            http               TCP        80
Post Office Protocol - Version 3               pop3               TCP        110
Simple Network Management Protocol             snmp               UDP        161
Simple Network Management Protocol Trap        snmptrap           UDP        162

9 Exam Tip  Be sure to familiarize yourself with the well-known port numbers assigned to the most commonly used services in Windows Server 2003, as listed in Table 12-1.

10 Separate Firewall Products
Separate firewall products have two advantages over filtering on the router itself. First, by separating the routing and filtering functions onto different systems, you are less likely to experience degraded network performance. Second, firewalls are likely to have more advanced packet filtering capabilities, such as preset filter configurations designed to protect against specific types of attacks.

11 Packet Filtering Criteria
- Creating packet filters is a matter of selecting the specific criteria you want the system to examine and specifying the values that you want to allow or deny passage.
- The criteria most commonly used in packet filtering are:
  - Port numbers
  - Protocol identifiers
  - IP addresses
  - Hardware addresses

12 Spoofing
- Once an attacker learns which source IP addresses the filter allows into the network, it is simple to impersonate one of those computers by writing its IP address into the packets the attacker sends. A filter sees only the header fields; it has no way to verify that the address is genuine, which is why address-based filtering is a screening tool and not a form of authentication.
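The following is an added illustration, not code from the book or from Windows: a stateless packet filter of the kind the previous two slides describe, matching on protocol, source and destination address and destination port, and applied to a few constructed packets. The addresses (192.0.2.10 as the protected server, 198.51.100.7 as the administrator's workstation) are assumptions made for the example. The last packet demonstrates the spoofing point: a rule keyed on the source address cannot distinguish a forged source from the real one.

```python
"""Added illustration, not code from the book: a stateless packet filter
of the kind the slides describe, matching on protocol, source and
destination address and destination port, applied to constructed packets.
The last packet shows the spoofing problem: a rule keyed on the source
address cannot tell a forged source from the real one.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt):
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules, pkt, default="deny"):
    """First matching rule decides; anything unmatched gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set protecting a server at 192.0.2.10 (assumed
# addresses: 198.51.100.7 is the administrator's workstation).
RULES = [
    Rule("permit", "tcp", src="198.51.100.7/32", dst="192.0.2.10/32", dport=23),  # telnet, admin only
    Rule("permit", "tcp", dst="192.0.2.10/32", dport=80),                        # http from anywhere
    Rule("permit", "udp", dst="192.0.2.10/32", dport=53),                        # dns from anywhere
    Rule("deny"),                                                                # everything else
]


def demo():
    pkts = {
        "web_from_internet":    Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
        "telnet_from_internet": Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
        "telnet_from_admin":    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),
        # The same attacker as telnet_from_internet, having written the
        # administrator's address into the IP header: on the wire this
        # packet is byte-for-byte indistinguishable from the genuine one.
        "telnet_spoofed":       Packet("198.51.100.7", "192.0.2.10", "tcp", 23),
    }
    return {name: filter_packet(RULES, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The filter correctly rejects the attacker's direct telnet attempt and just as correctly accepts the spoofed one, because the only evidence it has is the source address. Closing that gap requires the peer to prove its identity, which is the mutual authentication IPSec adds later in the chapter.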

13 Relationship to the OSI model

Layer          Packet filtering criterion
Application    -
Presentation   -
Session        -
Transport      Port numbers (TCP/UDP header)
Network        Protocol identifiers and IP addresses (IP header)
Data-Link      Hardware addresses (frame header)
Physical       -

14 Windows Server 2003 Packet Filtering
- Using TCP/IP packet filtering (the filtering built into the TCP/IP client)
- Using Routing and Remote Access Service packet filtering
Notice the limitations of TCP/IP packet filtering on page 12-8.

15 Using Routing and Remote Access Service Packet Filtering
Windows Server 2003 RRAS includes a packet filtering mechanism that is more capable than that of the TCP/IP client, but you can use it only when you have configured Windows Server 2003 to function as a router. It supports:
- Creating filters based on the IP addresses, protocols, and port numbers of a packet's source or destination
- Creating filters for ICMP messages, specified by the message type and code values
- Creating multiple filters of the same type

16 Practice: Creating Packet Filters in Routing and Remote Access Service (page 12-10)
- Exercise 1: Examining the Default Routing and Remote Access
- Exercise 2: Creating New Packet Filters

17 Planning an IPSec Implementation
- Encryption at rest does not protect data in transit. You can store your files in encrypted form using the Encrypting File System (EFS), for example, or an individual application might protect files with a password, but when you access the file over the network or send it to someone else, your computer decrypts it first, and the data crosses the network in the clear unless the transmission itself is protected.

18 Evaluating Threats
There are many ways that unauthorized personnel can use data captured from the network against you:
- Compromising keys
- Spoofing
- Modifying data
- Attacking applications

19 Introducing IPSec
- IPSec protects IP datagrams by encapsulating them. With ESP the payload is encrypted, so even if the packets are captured, none of the data inside can be read; with AH the data is authenticated but not hidden.
- Because IPSec operates at the network layer, as an extension to the IP protocol, it protects any application's traffic without changes to the application. In transport mode it provides end-to-end protection: the source computer encrypts the data, and it is not decrypted until it reaches its final destination.

20 Other Protocols
- Secure Sockets Layer (SSL) operates above the transport layer and can protect only the traffic of applications written to use it (HTTPS, for example), whereas IPSec protects all IP traffic that matches its filters.

21 IPSec Functions (page 12-17)
- Key generation: the two computers use the Diffie-Hellman algorithm to compute identical encryption keys without ever transmitting the key itself.
- Cryptographic checksums: IPSec uses its keys to calculate a checksum over the data in each packet, called a hash message authentication code (HMAC), and transmits it with the data; the receiver recomputes the HMAC and discards the packet if the values differ. IPSec supports two hash functions: HMAC in combination with Message Digest 5 (MD5) and HMAC in combination with Secure Hash Algorithm-1 (SHA1). HMAC-SHA1 is the stronger of the two, partly because SHA1 produces a longer digest (160 bits, as opposed to MD5's 128 bits); the IPSec HMAC keys are sized to match (160-bit for HMAC-SHA1, 128-bit for HMAC-MD5), and in both cases the transmitted checksum is truncated to 96 bits (HMAC-MD5-96 and HMAC-SHA1-96). MD5 has known collision weaknesses, so prefer SHA1 in new policies.
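An added worked example of the two functions on this slide, Diffie-Hellman key agreement followed by HMAC checksums over a packet; this is not the book's code or Microsoft's implementation. It uses the 1024-bit MODP group (Oakley group 2, generator 2) from RFC 2409, transcribed here. The key derivation is a simplification (real IKE runs the shared secret, nonces and SPIs through a PRF; here a single SHA-1 of the secret stands in for that step), and the packet contents are constructed.

```python
"""Added worked example, not the book's code: the two IPSec functions the
slide describes, Diffie-Hellman key agreement and HMAC checksums, using
only Python's standard library.

The group is the 1024-bit MODP group (Oakley group 2, generator 2) from
RFC 2409, transcribed here.  Key derivation is simplified: real IKE feeds
the shared secret, nonces and SPIs through a PRF; here one SHA-1 of the
secret stands in for that and yields the 160-bit key HMAC-SHA1 expects.
"""
import hashlib
import hmac
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
TAG_LEN = 12  # HMAC-MD5-96 / HMAC-SHA1-96: the HMAC truncated to 96 bits


def dh_keypair(p=P, g=G):
    """Random private exponent x in [2, p-2] and the public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(their_public, my_private, p=P):
    """(g^y)^x mod p.  Values 0, 1 and p-1 are rejected: they force a
    predictable secret regardless of the private exponent."""
    if their_public <= 1 or their_public >= p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_private, p)


def derive_key(shared, p=P):
    """Simplified PRF step: both sides hash the same secret to the same key."""
    return hashlib.sha1(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def hmac_tag(key, data, algo="sha1"):
    return hmac.new(key, data, algo).digest()[:TAG_LEN]


def verify_tag(key, data, tag, algo="sha1"):
    """Constant-time compare so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(hmac_tag(key, data, algo), tag)


def demo():
    a_priv, a_pub = dh_keypair()                  # host A
    b_priv, b_pub = dh_keypair()                  # host B
    key_a = derive_key(dh_shared(b_pub, a_priv))  # A uses B's public value
    key_b = derive_key(dh_shared(a_pub, b_priv))  # B uses A's public value
    packet = b"GET /payroll.xls HTTP/1.0\r\n"     # constructed payload
    tag = hmac_tag(key_a, packet)
    forged = packet.replace(b"payroll", b"public ")  # attacker edits one field
    return {
        "keys_match": key_a == key_b,
        "key_bits": len(key_a) * 8,
        "tag_bits": len(tag) * 8,
        "intact_verifies": verify_tag(key_b, packet, tag),
        "tampered_verifies": verify_tag(key_b, forged, tag),
        "md5_digest_bits": hashlib.md5().digest_size * 8,
        "sha1_digest_bits": hashlib.sha1().digest_size * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the two public values cross the network; an eavesdropper who captures them still cannot compute the key, and any edit to the packet invalidates the 96-bit tag the receiver checks.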

22 IPSec Functions (cont.)
- Mutual authentication: before exchanging protected data, the two computers must authenticate each other to establish a trust relationship. IPSec can use Kerberos, digital certificates, or a preshared key for authentication.
- Replay prevention: IPSec assigns a sequence number to each packet sent under a security association. A receiving system will not accept a packet whose sequence number it has already seen, or one that has fallen behind its replay window, so a captured packet cannot simply be retransmitted later.
- IP packet filtering: an IPSec policy is itself a set of filters that decide which traffic is permitted, blocked, or secured.

23 IPSec Protocols
- IP Authentication Header (AH): when a computer uses AH to protect its transmissions, the system inserts an AH header into the IP datagram, immediately after the IP header and before the datagram's payload. AH provides integrity and authentication but no encryption.
Transport-mode AH datagram layout:
  IP header | IPSec AH header | Transport layer protocol header | Application data
  Signed (covered by the AH checksum): the entire datagram, except for the IP header fields that change in transit

24 IPSec Protocols: AH Header Format
  Next Header (8 bits) | Payload Length (8 bits) | Reserved (16 bits)
  Security Parameters Index (32 bits)
  Sequence Number (32 bits)
  Authentication Data (variable length)

25 IPSec Protocols
- IP Encapsulating Security Payload (ESP): the protocol that actually encrypts the data in an IP datagram, preventing intruders from reading the information in packets they capture from the network.
Transport-mode ESP datagram layout:
  IP header | IPSec ESP header | Transport layer protocol header | Application data | IPSec ESP trailer | IPSec ESP authentication
  Encrypted: from the transport layer protocol header through the ESP trailer
  Signed by ESP authentication: from the ESP header through the ESP trailer

26 IPSec Protocols: ESP Format
  ESP header: Security Parameters Index (32 bits), Sequence Number (32 bits)
  Payload Data (variable length)
  ESP trailer: Padding, Pad Length (8 bits), Next Header (8 bits)
  ESP authentication data (variable length)
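An added example, not the book's code, that turns the AH and ESP diagrams above into working builders and parsers and runs them over constructed packets (the IPv4 header is a minimal one built for the example, and the ESP "ciphertext" is placeholder bytes rather than real output of a cipher). It also shows, for AH, exactly which bytes the "signed" region of the diagram covers: the IP header with its mutable fields zeroed, the AH header with its own checksum field zeroed, and the payload.

```python
"""Added example, not the book's code: builders and parsers for the AH and
ESP formats in the two diagrams, exercised on constructed packets rather
than captured ones.

Layouts, from RFC 2402 (AH) and RFC 2406 (ESP):
  AH : Next Header(1) Payload Len(1) Reserved(2) SPI(4) Sequence(4) ICV(var)
       Payload Len is the AH length in 32-bit words minus 2.
  ESP: SPI(4) Sequence(4) [payload, padding, Pad Len(1), Next Header(1)] ICV
       The bracketed part is encrypted, so without the SA's key only the
       SPI, the sequence number and the ICV are readable.
The ESP "ciphertext" below is placeholder bytes, and the IPv4 header is a
minimal constructed one without options.
"""
import struct

IP_PROTO_ESP, IP_PROTO_AH = 50, 51
NEXT_HEADER = {4: "IPv4 (tunnel mode)", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
ICV_LEN = 12  # HMAC-MD5-96 / HMAC-SHA1-96 truncated authenticator
# Constructed TCP segment: source port 23, destination port 1234, then data.
TCP_SEGMENT = struct.pack("!HH", 23, 1234) + b"\x00" * 16 + b"constructed data"


def build_ah(next_hdr, spi, seq, icv, payload):
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv + payload


def parse_ah(data):
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": NEXT_HEADER.get(next_hdr, str(next_hdr)), "ah_length": ah_len,
            "spi": spi, "seq": seq, "icv": data[12:ah_len].hex(), "payload": data[ah_len:]}


def build_esp(spi, seq, ciphertext, icv):
    return struct.pack("!II", spi, seq) + ciphertext + icv


def parse_esp(data, icv_len=ICV_LEN):
    """Only the unencrypted fields: the trailer (pad length, next header)
    sits inside the ciphertext and cannot be parsed without the key."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "ciphertext": data[8:-icv_len], "icv": data[-icv_len:].hex()}


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, bytes(src), bytes(dst))


def ah_icv_input(ip_header, ah_packet):
    """The bytes the AH ICV covers (RFC 2402 3.3.3.1): the IP header with the
    mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, then the
    AH header with its own ICV field zeroed, then the payload."""
    hdr = bytearray(ip_header)
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    ah = bytearray(ah_packet)
    ah_len = (ah[1] + 2) * 4
    ah[12:ah_len] = bytes(ah_len - 12)
    return bytes(hdr) + bytes(ah)


def demo():
    # Transport-mode AH: AH header, then the TCP segment.
    ah_pkt = build_ah(6, 0x1000, 1, bytes.fromhex("aa" * ICV_LEN), TCP_SEGMENT)
    ip_hdr = ipv4_header((192, 0, 2, 10), (198, 51, 100, 20), IP_PROTO_AH, len(ah_pkt))
    # Tunnel-mode AH: next header 4 says an entire IPv4 datagram follows.
    inner = ipv4_header((10, 0, 0, 5), (10, 0, 1, 9), 6, len(TCP_SEGMENT)) + TCP_SEGMENT
    tunnel_pkt = build_ah(4, 0x1001, 2, bytes.fromhex("cc" * ICV_LEN), inner)
    # Transport-mode ESP with 32 placeholder bytes standing in for ciphertext.
    esp_pkt = build_esp(0x2000, 7, bytes(range(0x40, 0x60)), bytes.fromhex("bb" * ICV_LEN))
    return {"ah": parse_ah(ah_pkt), "ah_tunnel": parse_ah(tunnel_pkt), "esp": parse_esp(esp_pkt),
            "ah_signed_bytes": ah_icv_input(ip_hdr, ah_pkt), "ip_header": ip_hdr}


if __name__ == "__main__":
    r = demo()
    print("AH :", {k: v for k, v in r["ah"].items() if k != "payload"})
    print("ESP:", {k: v for k, v in r["esp"].items() if k != "ciphertext"})
```

Two points a capture tool (or a troubleshooter reading one) depends on: the AH Next Header field tells you whether the packet is transport mode (6 for TCP) or tunnel mode (4, a whole IPv4 datagram inside), while for ESP that information is encrypted with the payload and only the SPI and sequence number can be read from the wire.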

27 Transport Mode and Tunnel Mode
IPSec can operate in two modes:
- Transport mode: the two end systems must both support IPSec. The IPSec headers are inserted into the original datagram, and the data is protected all the way from the source host to the destination host.
- Tunnel mode: designed to provide security for wide area network (WAN) connections, and particularly virtual private network (VPN) connections, which use the Internet as a communications medium. The whole original datagram is encapsulated inside a new one, usually between two routers or VPN gateways, so the end systems themselves need not support IPSec.

28 The tunnel mode communications (figure: two tunnel endpoints connected across a transit internetwork; the tunneled packet travels inside a tunnel packet that carries the transit internetwork header)

29 The tunnel mode communications
- Five steps on page 12-22.
- The original datagram, inside the new datagram, remains unchanged. The IPSec headers are part of the outer datagram, which exists only to get the inner datagram from one router to the other.
Tunnel-mode ESP datagram layout:
  IP header (outer) | IPSec ESP header | Original IP header | Transport layer protocol header | Application data | IPSec ESP trailer | IPSec ESP authentication
  Encrypted: from the original IP header through the ESP trailer (so the inner addresses are hidden as well)
  Signed by ESP authentication: from the ESP header through the ESP trailer

30 Deploying IPSec
- IPSec is based on standards published by the Internet Engineering Task Force (IETF), so all IPSec implementations that conform to those standards should interoperate. In practice the two sides must still agree on a common authentication method, algorithms, and key exchange settings, and mismatches there are the usual source of interoperability problems.

31 IPSec Components
- IPSec Policy Agent: retrieves the assigned IPSec policy (from Active Directory or the local registry) and passes its filters to the IPSec driver and its negotiation settings to IKE.
- Internet Key Exchange (IKE): the IKE communication process proceeds in two stages.
  - The first stage establishes the Phase 1 SA (main mode) and includes the negotiation of which encryption algorithm, hashing algorithm, and authentication method the systems will use, together with the Diffie-Hellman exchange that produces the keying material.
  - The second stage (quick mode) consists of the establishment of two Phase 2 SAs, one in each direction, which carry the actual AH or ESP traffic.
- IPSec Driver: matches outbound and inbound packets against the filters and applies AH or ESP processing using the keys IKE negotiated.

32 Planning an IPSec Deployment  In actual deployment, you must consider just what network traffic you need to protect and how much protection you want to provide.  IPSec is resource intensive in two different ways. First, the addition of AH and ESP headers to each packet increases the amount of traffic on your network. Second, calculating hashes and encrypting data both require large amounts of processor time.

33 Working with IPSec Policies
- IPSec policies are distributed through Group Policy and flow down through the Active Directory hierarchy just like other group policy settings. When you apply an IPSec policy to a domain, for example, all the computers in the domain inherit that policy.
- Only one IPSec policy can be assigned to a computer at a time; IPSec policies do not merge, so a policy assigned by a GPO closer to the computer replaces the inherited one rather than adding to it.

34 Using the Default IPSec Policies
- Client (Respond Only): never initiates IPSec, but responds when a peer requests it; its own traffic otherwise stays unprotected.
- Server (Request Security): requests IPSec for all traffic, but falls back to unprotected communication with peers that do not respond.
- Secure Server (Require Security): requires IPSec for all traffic (ICMP excepted by default) and refuses unprotected communication.

35 Modifying IPSec Policies
An IPSec policy is built from three kinds of component:
- Rules: each rule combines an IP filter list, a filter action, an authentication method, a tunnel setting, and a connection type (LAN, remote access, or all).
- IP filter lists: sets of filters, each specifying source and destination addresses, a protocol, and ports, that select the traffic a rule applies to. Filters are normally mirrored so that they also match the reply traffic.
- Filter actions: what to do with the matched traffic: permit it, block it, or negotiate security. A negotiate action lists the security methods (AH or ESP with particular algorithms) in order of preference, and states whether to fall back to unsecured communication with computers that do not support IPSec.

38 Exam Tip  Be sure you are familiar with the components of an IPSec policy and with the functions of each component.

39 Practice: Creating an IPSec Policy
- Exercise 1: Creating an MMC Console and Viewing the Default Policies (page 12-30)
- Exercise 2: Creating a New IPSec Policy (page 12-31)

40 Troubleshooting Data Transmission Security
- Troubleshooting policy mismatches: the commonest cause of failure is incompatible IPSec policies. Two computers can both be configured to use IPSec for a particular type of traffic yet have incompatible filter action settings, such as different authentication methods or no security method (combination of encryption and hashing algorithms) in common. IKE negotiation then fails and, depending on the policies, the traffic is either sent unprotected or dropped.
- Examine the Security logs in the Event Viewer console: with auditing of logon events enabled, IKE records successful and failed negotiations there.
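The following is an added example, not the book's or Microsoft's code: a small model of the three policy components listed under "Modifying IPSec Policies" (rules, IP filter lists, filter actions) that reproduces the mismatches described on this slide. Addresses, policy names and security-method strings are constructed; the method strings imitate the IPSec MMC's "ESP 3DES/SHA1" style. It simplifies in three ways: filters are treated as mirrored (the responder evaluates the flow with source and destination swapped), the most specific matching filter selects the rule, and the responder accepts the first method in the initiator's preference list that it also supports.

```python
"""Added example, not the book's or Microsoft's code: a small model of the
three components of a Windows IPSec policy listed on the slides (rules,
IP filter lists, filter actions) and of the policy mismatches described
under troubleshooting.  Addresses, policy names and security-method strings
are constructed; the method strings imitate the IPSec MMC's "ESP 3DES/SHA1"
style.  Simplifications: filters are treated as mirrored (the responder
evaluates the flow with source and destination swapped), the most specific
matching filter selects the rule, and the responder accepts the first method
in the initiator's preference list that it also supports.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class IPFilter:
    """One entry of an IP filter list."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

    def specificity(self):
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
                + (self.proto != "any") + (self.dport is not None))


@dataclass(frozen=True)
class FilterAction:
    mode: str                        # "permit", "block" or "negotiate"
    methods: Tuple[str, ...] = ()    # security methods in preference order
    allow_unsecured: bool = False    # fall back to cleartext with non-IPSec peers


@dataclass(frozen=True)
class Rule:
    name: str
    filters: Tuple[IPFilter, ...]    # the rule's IP filter list
    action: FilterAction
    auth: str = "Kerberos"           # Kerberos, Certificate or Preshared key


def select_rule(rules, src, dst, proto, dport):
    """Most specific matching filter across all the policy's rules wins."""
    best, best_score = None, -1
    for rule in rules:
        for f in rule.filters:
            if f.matches(src, dst, proto, dport) and f.specificity() > best_score:
                best, best_score = rule, f.specificity()
    return best


def negotiate(initiator, responder, src, dst, proto, dport):
    """Outcome of one flow between two hosts' policies (a host with no
    matching rule, or no IPSec policy at all, simply sends cleartext)."""
    r1 = select_rule(initiator, src, dst, proto, dport)
    r2 = select_rule(responder, dst, src, proto, dport)
    m1 = r1.action.mode if r1 else "permit"
    m2 = r2.action.mode if r2 else "permit"
    if "block" in (m1, m2):
        return "blocked"
    if (m1, m2) == ("permit", "permit"):
        return "cleartext"
    if "permit" in (m1, m2):                 # only one side wants IPSec
        wanting = r1 if m1 == "negotiate" else r2
        return ("cleartext (fallback)" if wanting.action.allow_unsecured
                else "failed: one side requires IPSec, the other does not use it")
    if r1.auth != r2.auth:
        return "failed: authentication method mismatch"
    common = [m for m in r1.action.methods if m in r2.action.methods]
    return f"SA: {common[0]}" if common else "failed: no common security method"


ALL_IP = (IPFilter(),)


def demo():
    strong = FilterAction("negotiate", ("ESP 3DES/SHA1",))
    file_server = [Rule("Require security", ALL_IP, strong),
                   Rule("Block telnet", (IPFilter(proto="tcp", dport=23),), FilterAction("block"))]
    legacy = [Rule("Old client", ALL_IP, FilterAction("negotiate", ("ESP DES/MD5",)))]
    modern = [Rule("Either", ALL_IP, FilterAction("negotiate", ("ESP DES/MD5", "ESP 3DES/SHA1")))]
    cert = [Rule("Cert auth", ALL_IP, strong, auth="Certificate")]
    request = [Rule("Request security", ALL_IP,
                    FilterAction("negotiate", ("ESP 3DES/SHA1",), allow_unsecured=True))]
    no_policy = []
    flow = ("203.0.113.5", "192.0.2.10", "tcp")
    return {
        "legacy_to_server": negotiate(legacy, file_server, *flow, 445),
        "modern_to_server": negotiate(modern, file_server, *flow, 445),
        "cert_to_server": negotiate(cert, file_server, *flow, 445),
        "plain_to_server": negotiate(no_policy, file_server, *flow, 445),
        "plain_to_requester": negotiate(no_policy, request, *flow, 445),
        "telnet_to_server": negotiate(modern, file_server, *flow, 23),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

The two failures on this slide appear as "no common security method" and "authentication method mismatch"; the fix in each case is to edit one side's filter action or rule so that the lists overlap, not to weaken the server to the client's oldest method. The "Block telnet" rule also shows why rule order in the console does not matter: the more specific filter wins regardless of position.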

41 Troubleshooting Data Transmission Security: Using the IP Security Monitor Snap-in
- IP Security Monitor shows which policy is actually active on the computer, the filters in effect, and the main mode and quick mode security associations and their statistics, so you can confirm whether SAs are being established at all.
- If you have IPSec policies deployed by Group Policy Objects at different levels of the Active Directory tree, the IPSec policy that is closest to the computer object is the one that takes effect.

42 Troubleshooting Data Transmission Security: Using the Resultant Set of Policy Snap-in
- You can use RSoP to view all the effective group policy settings for a computer or user, including the IPSec policies.

43 Exam Tip  Be sure you understand the differences between the IP Security Monitor snap-in and the Resultant Set of Policy snap-in, and know when it is preferable to use each one.

44 Examining IPSec Traffic
- Windows Server 2003 Network Monitor includes parsers for IKE, AH, and ESP traffic.
- However, Network Monitor cannot decrypt ESP payloads: for ESP packets only the SPI and sequence number are readable, whereas AH-protected packets can be examined in full because AH authenticates but does not encrypt.

45 Practice: Using Resultant Set of Policy
- Exercise 1: Creating a Resultant Set of Policy Console (page 12-39)
- Exercise 2: Performing an RSoP Scan
- Exercise 3: Creating a Domain IPSec Policy (page 12-40)

46 Summary
- Case Scenario Exercise: page 12-43
- Troubleshooting Lab: page 12-44
- Exam Highlights: Key Points and Key Terms, page 12-45

