Mahmmoud A. Mahdi
Internet Protocol Security (IPSec):
Protects networks by securing IP packets through encryption and through the enforcement of trusted communication.
You can manage IPSec through:
Local Security Policy.
Group Policy.
Command-line tools.
Configure IPSec.
IP Security (IPSec) is a means to protect network data by ensuring its authenticity and its confidentiality.
IPSec is essentially a way to provide security for data sent between two computers on an IP network. IPSec protects data between two IP addresses by providing the following services:
1. Data Authentication:
▪ Data origin authentication: you can configure IPSec to ensure that each packet you receive from a trusted party in fact originates from that party and is not spoofed.
▪ Data integrity: you can use IPSec to ensure that data is not altered in transit.
▪ Anti-replay protection: you can configure IPSec to verify that each packet received is unique and not duplicated.
2. Encryption:
▪ You can use IPSec to encrypt network data so that the data is unreadable if captured in transit.
In Windows Server 2008 and Windows Vista, IPSec is enforced either by:
1. IPSec Policies
▪ By default attempt to negotiate both authentication and encryption services.
2. Connection security rules
▪ By default attempt to negotiate only authentication services.
IPSec Policies define how a computer or group of computers handle IPSec communications. Assign an IPSec Policy:
▪ To an individual computer, by using Local Security Policy.
▪ To a group of computers, by using Group Policy.
IPSec Policies in GPO
Every IPSec Policy is composed of one or more IPSec Policy rules that determine when and how IP traffic should be protected. Each Policy rule, in turn, is associated with one IP filter list and one filter action. IP filter lists contain a set of one or more IP filters that capture IP traffic for an IPSec Policy. IP filters define a source or destination address, address range, computer name, TCP/UDP port, or server type (DNS, WINS, DHCP, default gateway).
IPSec Policies, rules, filters, and filter actions
Quick Check:
1. Does every IPSec Policy rule have an IP filter list?
2. In terms of its function within an IPSec Policy, what does a filter action do?
Quick Check Answer:
1. Yes, even if the list has only one IP filter.
2. A filter action determines whether the traffic captured by an IP filter in a given policy rule is permitted, blocked, encrypted, or authenticated.
Connection security rules are used to configure IPSec settings for connections between computers.
▪ Like IPSec Policies, connection security rules evaluate network traffic and then block, allow, or negotiate security for messages based on the criteria you establish.
▪ Unlike IPSec Policies, connection security rules do not include filters or filter actions.
The filtering capabilities in connection security rules are not as powerful as those of IPSec Policies. Connection security rules:
▪ Do not apply to types of IP traffic, such as IP traffic that passes over port 23.
▪ Apply to all IP traffic originating from or destined for certain IP addresses, subnets, or servers on the network.
A Connection Security Rule:
▪ First authenticates the computers defined in the rule before they begin communication.
▪ Then secures the information sent between these two authenticated computers.
If you have configured a Connection Security Rule that requires security for a given connection and the two computers in question cannot authenticate each other, the connection is blocked.
By default, connection security rules provide only data authentication security (data origin authentication, data integrity, and anti-replay security). Configure connection security rules for any computer in the Windows Firewall with Advanced Security (WFAS) console or the WFAS node in Server Manager.
Defining connection security rules in Group Policy
Exporting connection security rules:
By using the Export Policy and Import Policy functions in the WFAS console, you can create one set of connection security rules and export them to other computers or GPOs.
After two computers negotiate an IPSec connection, the data sent between those computers is secured in what is known as a Security Association (SA).
Security for an SA is provided by the two IPSec protocols. These protocols provide data integrity and anti-replay protection for the IP packets in an SA:
1. Authentication Header (AH)
▪ Provides data origin authentication, data integrity, and anti-replay protection for the entire IP packet.
2. Encapsulating Security Payload (ESP)
▪ Provides data encryption, data origin authentication, data integrity, and anti-replay protection for the ESP payload.
To secure data within any SA, you can use:
▪ AH alone.
▪ ESP alone.
▪ AH and ESP together.
You need to know the basic difference between AH and ESP for the 70-642 exam. If you need encryption, use ESP; if you just need to authenticate the data origin or verify data integrity, use AH.
To establish SAs dynamically between IPSec peers, the Internet Key Exchange (IKE) protocol is used. To ensure successful and secure communication, IKE performs a two-phase negotiation operation, each phase with its own SAs:
▪ Phase 1: main mode negotiation. Used to secure the second IKE negotiation phase.
▪ Phase 2: quick mode negotiation. Used to protect application traffic.
The steps for establishing an IPSec connection:
1. Set up a main mode SA.
2. Agree upon the terms of communication and the encryption algorithm.
3. Create a quick mode SA.
4. Send data.
IPSec by default operates in transport mode.
1. Transport mode
▪ Used to provide end-to-end security between computers.
▪ Used in most IPSec-based VPNs, for which the Layer Two Tunneling Protocol (L2TP) is used to tunnel the IPSec connection through the public network.
2. Tunnel mode
▪ When a particular VPN gateway is not compatible with L2TP/IPSec VPNs, use IPSec in tunnel mode instead.
▪ With tunnel mode, an entire IP packet is protected and then encapsulated with an additional, unprotected IP header.
IPSec requires a shared authentication mechanism between communicating computers. Three methods to authenticate the hosts communicating through IPSec:
1. Kerberos
2. Certificates
3. Preshared key
1. Kerberos (Active Directory)
The easiest way to configure authentication for IPSec is to implement IPSec within a single Active Directory forest. When the two IPSec endpoints can be authenticated by Active Directory, the security foundation for IPSec requires no configuration beyond joining the hosts to the domain.
2. Certificates
If you need to implement IPSec in a production environment where Kerberos is not available, each host must obtain and install a computer certificate from a public or private certification authority (CA).
3. Preshared Key
A preshared key is a password shared by peers and used both to encrypt and decrypt data. Preshared keys do not provide the same level of authentication that certificates and Kerberos do. Preshared keys for IPSec are stored in plaintext on each computer or in Active Directory, which reduces the security of this solution. It is recommended that you use preshared keys only in nonproduction environments such as test networks.
You need to understand the IPSec authentication mechanisms for the 70-642 exam. Remember that Kerberos authentication is preferable in an Active Directory environment. Outside of an Active Directory environment, a certificate infrastructure is your best option.
In Group Policy, three IPSec Policies are predefined. You can configure an IPSec Policy for a domain or OU by assigning any one of the following predefined policies:
▪ Client (Respond Only): if you assign this policy to a computer through a GPO, that computer will never initiate a request to establish an IPSec communications channel with another computer.
▪ Server (Request Security): assign this policy to computers for which encryption is preferred but not required.
▪ Secure Server (Require Security): assign this policy to intranet servers that require secure communications.
To assign an IPSec Policy within a GPO:
1. Select the IP Security Policies node.
2. Right-click the chosen policy in the Details pane.
3. Choose Assign from the shortcut menu.
You can assign only one IPSec Policy to a computer at a time.
If Group Policy assigns an IPSec Policy to a computer, the computer ignores any IPSec Policy assigned in its Local Security Policy.
Know the three predefined IPSec Policies.
To create a new IPSec Policy:
1. Open Local Security Policy or a GPO.
2. In the console tree below Security Settings, right-click the IP Security Policies node.
3. Choose Create IP Security Policy.
4. Configure the policy through its properties.
5. Add rules to the policy by clicking the Add button in the Rules tab in the Properties dialog box for the policy.
6. This procedure launches the Create IP Security Rule Wizard.
To create and configure rules, use the Create IP Security Rule Wizard. The five main pages of the Create IP Security Rule Wizard:
1. Tunnel Endpoint page:
▪ Configure this page only when you want to use IPSec in tunnel mode.
2. Network Type page:
▪ Use this page if you want to limit the rule to either the local area network or remote access connections.
3. IP Filter List page:
▪ In Group Policy, two IP filter lists are predefined for IPSec Policy rules:
▪ All ICMP Traffic.
▪ All IP Traffic.
▪ To create a new IP filter list, click the Add button on the IP Filter List page.
What is ICMP traffic?
ICMP (Internet Control Message Protocol) is a messaging feature of IP that allows Ping and Tracert to function. ICMP traffic typically refers to Ping and Tracert traffic.
▪ To create a new IP filter to add to the new IP filter list you are creating, click the Add button in the IP Filter List dialog box. This in turn launches the IP Filter Wizard.
▪ Define IP traffic according to source and destination.
▪ Create a “mirrored” filter: a mirrored filter also matches the same traffic with the source and destination addresses swapped.
For example, you can easily configure a filter that captures POP3 traffic sent to and from the local address. To configure your filter as a mirrored filter, leave the Mirrored check box selected on the first page of the IP Filter Wizard.
4. Filter Action page:
▪ In Group Policy, the following three filter actions are predefined for IPSec Policy rules:
▪ Permit: this filter action permits the IP packets to pass through unsecured.
▪ Request Security (Optional): this filter action permits the IP packets to pass through unsecured but requests that clients negotiate security (preferably encryption).
▪ Require Security: this filter action triggers the local computer to request secure communications from the client source of the IP packets. If security methods (including encryption) cannot be established, the local computer will stop communicating with that client.
▪ To create a new filter action, click the Add button on the Filter Action page of the Security Rule Wizard. This procedure launches the Filter Action Wizard.
5. Authentication Method page:
▪ By default, IPSec rules rely on the Active Directory service and the Kerberos protocol to authenticate clients.
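The policy, rule, IP filter list, filter action and mirrored POP3 filter described on the IP Filter List and Filter Action pages above, built from the command line instead of the wizard. This is an added example and not from the original slides; it uses the netsh ipsec static context, which edits the local IP Security Policies store rather than a GPO, and the policy, filter list, filter action and rule names are assumed.

```batch
@echo off
rem Added example, not from the slides. Builds policy, rule, IP filter list and
rem filter action with the "netsh ipsec static" context (local IP Security
rem Policies store). Run from an elevated command prompt. All names are assumed.

rem 1. The policy container.
netsh ipsec static add policy name="Protect POP3" description="Negotiate IPSec for POP3 to and from this host"

rem 2. An IP filter list holding one mirrored filter: TCP from any address to the
rem    local address ("me") on port 110 and, because mirrored=yes, the reverse
rem    direction as well. srcport=0 means any source port.
netsh ipsec static add filterlist name="POP3 Traffic" description="TCP 110 to and from the local address"
netsh ipsec static add filter filterlist="POP3 Traffic" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=110 mirrored=yes description="POP3, mirrored"

rem 3. A filter action. action=negotiate asks the peer for IPSec; inpass=no
rem    refuses unsecured inbound packets and soft=no never falls back to clear
rem    text with non-IPSec-aware peers, which is the behaviour the slides
rem    attribute to Require Security.
netsh ipsec static add filteraction name="Require Security, no fallback" action=negotiate inpass=no soft=no

rem 4. The rule ties the filter list and filter action together and selects
rem    Kerberos (Active Directory) as the authentication method.
netsh ipsec static add rule name="POP3 rule" policy="Protect POP3" filterlist="POP3 Traffic" filteraction="Require Security, no fallback" kerberos=yes description="Secure POP3"

rem 5. Only one IPSec Policy is assigned at a time; assigning this one replaces
rem    the currently assigned local policy (a GPO-assigned policy still wins).
netsh ipsec static set policy name="Protect POP3" assign=yes

rem 6. Verify the objects and the assignment.
netsh ipsec static show policy name="Protect POP3" level=verbose
netsh ipsec static show filterlist name="POP3 Traffic" level=verbose
```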
To create a connection security rule in a GPO:
1. Browse to and expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security - LDAP://address, then select and right-click the Connection Security Rules node.
2. From the shortcut menu, choose New Rule.
3. This procedure launches the New Connection Security Rule Wizard.
The pages of the New Connection Security Rule Wizard:
1. Rule Type page: allows you to create any of five rule types. These five rule types are the following:
a) Isolation rule: a general rule used to authenticate all traffic for selected network profiles.
▪ The three profiles defined are Domain, Private, and Public.
▪ You can use an Isolation rule to configure “domain isolation”. This term simply means that you can use connection security rules to block traffic from computers originating from outside the local Active Directory domain.
b) Authentication Exemption rule:
▪ Used to exempt specific computers or a group or range of IP addresses (computers) from being required to authenticate themselves.
c) Server-To-Server rule:
▪ Allows you to authenticate the communications between IP addresses or sets of addresses, including specific computers and subnets.
d) Tunnel rule:
▪ Used to configure IPSec tunnel mode for VPN gateways.
e) Custom rule:
▪ Used to create a rule that requires special settings or a combination of features from the various rule types.
2. Endpoints page: used to specify the remote computers with which you want to negotiate an IPSec connection.
3. Requirements page: used to specify whether authenticated communication is required for, or exempted from, the specified endpoints.
4. Authentication Method page: allows you to specify the method by which computer endpoints are authenticated. The first option is Default.
5. Profile page: allows you to limit the local network location types to which the rule will apply. The profiles you can enable for the rule are Domain, Private, and Public.
6. Name page: allows you to name the new Connection Security Rule and (optionally) to provide a description.
Default IPSec settings are configured in the WFAS node of a GPO or in the WFAS console. To access these settings:
1. Open the properties of the Windows Firewall With Advanced Security node.
2. In the properties dialog box that opens, click the IPSec Settings tab.
3. Clicking the Customize button opens the Customize IPSec Settings dialog box, where you can set new default parameters for:
▪ Key negotiation (exchange).
▪ Data protection.
▪ Authentication method.
Example: to configure data encryption for connection security rules
1. Select Advanced in the Data Protection area.
2. Click Customize. This opens the Customize Data Protection Settings dialog box.
3. Select the Require Encryption For All Connection Security Rules That Use These Settings check box.
4. Click OK.
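The New Connection Security Rule Wizard pages above (Server-To-Server and Authentication Exemption rule types, with the Endpoints, Requirements, Authentication Method, Profile and Name pages) and the encryption requirement from this section, expressed as netsh advfirewall consec commands against the local WFAS store. This is an added example and not part of the original slides; the rule names, the 10.0.x.x subnets and addresses, and the qmsecmethods value are assumed, and qmsecmethods requires encryption for one rule only, whereas the Customize IPSec Settings dialog above changes the default for all rules.

```batch
@echo off
rem Added example, not from the slides. Creates the objects the New Connection
rem Security Rule Wizard builds, using "netsh advfirewall consec" (local WFAS
rem store). Subnets, addresses and names are assumed values.

rem Server-To-Server rule. Wizard page to parameter mapping:
rem   Endpoints page        endpoint1 and endpoint2
rem   Requirements page     action (requireinrequireout: both directions must authenticate)
rem   Authentication page   auth1 (computerkerb: Kerberos, the domain default)
rem   Profile page          profile
rem   Name page             name and description
netsh advfirewall consec add rule name="App to DB servers" description="Require authentication between the two subnets" endpoint1=10.0.1.0/24 endpoint2=10.0.2.0/24 action=requireinrequireout auth1=computerkerb profile=domain mode=transport

rem Authentication Exemption rule: a host that cannot take part in IPSec
rem (for example a non-domain monitoring appliance) is exempted with
rem action=noauthentication, as described for the Authentication Exemption rule type.
netsh advfirewall consec add rule name="Exempt monitoring host" description="No authentication required for this address" endpoint1=any endpoint2=10.0.0.5 action=noauthentication

rem Connection security rules negotiate only authentication by default. To make
rem one rule require ESP encryption, constrain its quick mode security methods.
rem The value format (esp:integrity-encryption) is an assumption to verify
rem against "netsh advfirewall consec add rule ?" on the target system.
netsh advfirewall consec add rule name="Encrypted file server access" description="ESP with SHA1 integrity and AES-128 encryption" endpoint1=any endpoint2=10.0.2.10 action=requireinrequireout auth1=computerkerb qmsecmethods=esp:sha1-aes128

rem Verify what was created.
netsh advfirewall consec show rule name=all
```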