Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

Published byEthel Fowler Modified over 8 years ago

Similar presentations

Presentation on theme: "IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear."— Presentation transcript:

1 IT:Network:Apps

2  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear text

3  Security challenge for IT professionals is to ensure the traffic is: ◦ Safe from data modification while in transit. ◦ Safe from viewing. ◦ Safe from being accessed by unauthenticated parties.  These issues are known as data integrity, data confidentiality, and data origin authentication

4  Traditionally messages between WS and SRV are clear text  IP Security plays with encryption ◦ AH – Authentication Header  Who sent this? When was it sent? ◦ ESP – Encapsulating Security Payload  Who sent this? When was it sent? What did it look like?  Encrypts the data (not the IP header)  AH and ESP sort of do same thing… ESP is probably better ◦ NAT still works, etc

5  Ipsec supports network level data origin authentication, data integrity, data confidentiality and data replay ( hacker submitting previously captured packet )  Ipsec for Windows Server uses industry standard encryption.

6  Open Industry Standard: Ipsec provides an open industry-standard alternative to proprietary IP-based security technologies.  Transparency: Ipsec exists below the transport layer, making it transparent to applications and users, meaning there is no need to change network applications.  Authentication: strong authentication services prevent the acceptance of data through the use of falsely claimed identities  Confidentiality: confidentiality services prevent unauthorized access to sensitive data as it passes between parties  Data origin authentication and integrity—Data origin authentication and integrity is provided by a hashed message authentication code (HMAC) value, which is included in every packet.  Dynamic rekeying—Dynamic rekeying during ongoing communications eliminates manual reconfiguration of secret keys and helps protect against secret key determination.  Secure links end to end—IPSec for Windows Server provides secure links end-to-end for private network users within the same domain or across any trusted domain in the enterprise.  Centralized management—Network administrators use IPSec policies to provide appropriate levels of security, based on user, work group, or other criteria. Centralized management reduces administrative overhead costs.  Flexibility—The flexibility of IPSec for Windows Server allows policies to apply enterprise-wide or to a single workstation.

7  IPSec, as defined by the IETF, uses an Authentication Header (AH) and an Encapsulating Security Payload (ESP).  IPSec for Windows Server builds upon the IETF model by mixing public-key and secret-key cryptography and by providing automatic key management for maximized security and high-speed throughput

8  Security protocols perform various services for secure network communications. Windows Server uses the following security protocols: ◦ Internet Key Exchange ◦ Authentication Header ◦ Encapsulating Security Protocol

9  Before IP packets can be transmitted from one computer to another, a security association (SA) must be established.  An SA is a set of parameters that defines the services and mechanisms, such as keys, necessary to protect communications for a security protocol.  An SA must exist between the two communicating parties using IPSec.

10  Authentication Header (AH) provides data integrity, data origin authentication, and anti- replay for the entire IP packet.  Data confidentiality is not a property of AH.  AH uses an HMAC algorithm (such as HMAC- MD5 or HMAC-SHA1) to compute a keyed message hash for each IP packet.

11  Encapsulating Security Payload (ESP) provides data integrity, data origin authentication, anti-replay, and data confidentiality for the ESP payload.  ESP does not protect the IP header.  ESP uses the DES-CBC or 3DES-CBC algorithms to provide data confidentiality, in addition to HMAC-MD5 or HMAC-SHA1 for data integrity and data origin authentication.

12  To establish security, a network administrator goes through the following process: ◦ Evaluating information sent over the network and the Internet ◦ Creating communication scenarios ◦ Determining security levels required for each scenario ◦ Building security policies using the IP Security Policies snap-in  Supports 2 modes ◦ Transport Mode: only the payload of a packet is encrypted, while the header remains unencrypted ◦ Tunnel Mode: Both the packet header and payload are encrypted

13  An IPSec policy consists of: ◦ General IPSec policy settings  Settings that apply regardless of which rules are configured. These settings determine the name of the policy, its description, key exchange settings, and key exchange methods. ◦ Rules  One or more IPSec rules that determine which types of traffic IPSec must examine, how traffic is treated, how to authenticate an IPSec peer, and other settings.

14  Filter list ◦ A single filter list is selected that contains one or more predefined packet filters that describe the types of traffic to which the configured filter action for this rule is applied.  Filter action ◦ A single filter action is selected that includes the type of action required (permit, block, or secure) for packets that match the filter list. For the secure filter action, the negotiation data contains one or more security methods that are used (in order of preference) during IKE negotiations and other IPSec settings. Each security method determines the security protocol (such as AH or ESP), the specific cryptographic algorithms, and session key regeneration settings used.  Authentication methods ◦ One or more authentication methods are configured (in order of preference) and used for authentication of IPSec peers during main mode negotiations. The available authentication methods are the Kerberos V5 protocol (used in Active Directory environments), use of a certificate issued from a specified certification authority, or a preshared key.

15 Example Code to Permit Outgoing HTTP Requests netsh ipsec static add filterlist name="Outgoing HTTP Filters" netsh ipsec static add filter filterlist="Outgoing HTTP Filters" protocol=TCP srcaddr=me srcport=0 dstaddr=any dstport=80 mirrored=yes netsh ipsec static add filter filterlist="Outgoing HTTP Filters" protocol=TCP srcaddr=me srcport=0 dstaddr=any dstport=443 mirrored=yes netsh ipsec static add rule name="Outgoing HTTP Traffic" policy="Web Server Policy" filterlist="Outgoing HTTP Filters" kerberos=no filteraction=Permit

16 Example Code to Block All Incoming Traffic netsh ipsec static add filterlist name="All Network Traffic" netsh ipsec static add filter filterlist="All Network Traffic" protocol=any srcaddr=any dstaddr=any srcport=0 dstport=0 netsh ipsec static add rule name="Default Block Rule" policy="Web Server Policy" filterlist="All Network Traffic" kerberos=no filteraction=Block

17  Security Policy – IP Security Policies ◦ Domain ◦ Domain Controller ◦ Local  Client – will try clear text but will use IPSec if asked to  Server – will try IPSec but will accept clear text if need to  Secure Server – will use IPSec or won’t talk

Download ppt "IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Similar presentations

Ads by Google