Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications.

Published byHomer Kelly Modified over 8 years ago

Similar presentations

Presentation on theme: "Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications."— Presentation transcript:

1 Module 8: Planning and Troubleshooting IPSec

2 Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications

3 Lesson: Understanding Default Policy Rules Multimedia: Overview of IPSec Rules for an IPSec Connection Default IPSec Policies Client (Respond Only) Default Policy Rules Server (Request Security) Default Policy Rules Secure Server (Require Security) Default Policy Rules

4 Multimedia: Overview of IPSec The objective of this presentation is to explain that IPSec is a framework of open standards for ensuring secure, private communication over Internet Protocol networks You will learn how to:  Identify the processes for data encryption, decryption, or signing  Explain the functionality of the IPSec policy agents and drivers  Define the functionality of the ISAKMP service  Explain how the IPSec policy triggers the encryption of data between two computers

5 Rules for an IPSec Connection RuleDescription IP filter list Specifies which network traffic will be secured, by using inbound and outbound filters Filter action Specifies how traffic matching the filter will be handled (dropped, encrypted, and so on) Authentication methods Specifies how two computers will authenticate themselves to each other (Kerberos, preshared key, or X509 certificates) Tunnel endpoint Allows you to specify a tunnel endpoint for IPSec tunnels Connection type Allows the rule to be applied to LAN traffic, WAN traffic, or both

6 Default IPSec Policies IPSec uses polices and rules to secure network traffic Rules are composed of:  The type of traffic to match  What to do when traffic matches  An authentication method  Either tunnel or transport mode  The connection type (LAN or WAN) Default polices include:  Client (Respond Only)  Server (Request Security)  Secure Server (Require Security) IPSec uses polices and rules to secure network traffic Rules are composed of:  The type of traffic to match  What to do when traffic matches  An authentication method  Either tunnel or transport mode  The connection type (LAN or WAN) Default polices include:  Client (Respond Only)  Server (Request Security)  Secure Server (Require Security)

7 Client (Respond Only) Default Policy Rules This policy has the following settings: First rule (default response rule) IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All First rule (default response rule) IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All This policy enables the computer on which it is active to respond to requests for secured communications USE

8 Server (Request Security) Default Policy Rules This policy has the following settings: This policy allows the entire communication to be unsecured if the other computer is not IPSec–enabled USE First rule IP Filter List: All IP Traffic Filter Action: Request Security (Optional) Authentication: Kerberos Tunnel Setting: None Connection Type: All First rule IP Filter List: All IP Traffic Filter Action: Request Security (Optional) Authentication: Kerberos Tunnel Setting: None Connection Type: All Second rule IP Filter List: All ICMP Traffic Filter Action: Permit Authentication: N/A Tunnel Setting: None Connection Type: All Second rule IP Filter List: All ICMP Traffic Filter Action: Permit Authentication: N/A Tunnel Setting: None Connection Type: All Third rule IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All Third rule IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All

9 Secure Server (Require Security) Default Policy Rules This policy has the following settings: All outbound communication to be secured, allowing only the initial inbound communication request to be unsecured USE First rule IP Filter List: All IP Traffic Filter Action: Require Security Authentication: Kerberos Tunnel Setting: None Connection Type: All First rule IP Filter List: All IP Traffic Filter Action: Require Security Authentication: Kerberos Tunnel Setting: None Connection Type: All Second rule IP Filter List: All ICMP Traffic Filter Action: Permit Authentication: None Tunnel Setting: None Connection Type: All Second rule IP Filter List: All ICMP Traffic Filter Action: Permit Authentication: None Tunnel Setting: None Connection Type: All Third rule IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All Third rule IP Filter List: Filter Action: Default Response Authentication: Kerberos Tunnel Setting: None Connection Type: All

10 Practice: Using Policy-Based Management In this practice, you will discuss the policy- based management of IPSec

11 Lesson: Planning an IPSec Deployment Determining the IPSec Policy Deployment Method Determining the Authentication Method to Use Determining IPSec Policy Needs Best Practices for Planning IPSec Guidelines for Planning an IPSec Deployment Using Active Directory Guidelines for Planning an IPSec Deployment Using Local Policies

12 Determining the IPSec Policy Deployment Method In a heterogeneous environment Active Directory Using Local Policies Using Active Directory

13 Determining the Authentication Method to Use Authentication method Use Kerberos V5 security protocol Clients and servers running Windows 2000 (and later versions) that are part of an Active Directory domain Public key certificate Internet access Remote access to corporate resources External business partners Computers that do not run the Kerberos V5 security protocol Preshared secret key When both computers must manually configure IPSec

14 Determining IPSec Policy Needs Identify enterprise needs  Evaluate potential threats to determine if IPSec can mitigate them  Identify rules and settings for your policy Create a new policy or modify an existing policy

15 Best Practices for Planning IPSec Best practices Evaluate the type of information being sent over your network Determine where your information is stored Evaluate your vulnerability to network attacks Design and document an enterprise-wide network security plan Test the IPSec policies in your security plan

16 Guidelines for Planning an IPSec Deployment Using Active Directory Evaluate Active Directory–based Group Policy for deployment Identify groups of computers that require security Determine where to assign Group Policy Object Evaluate security threats Determine if IPSec can mitigate threats Define the IPSec Policy

17 Guidelines for Planning an IPSec Deployment Using Local Policies Determine if local Group Policy is the best method for deployment Identify groups of computers that require security Determine if certificate infrastructure is in place Evaluate security threats Determine if IPSec can mitigate threats Determine how policies will be deployed

18 Practice: Planning an IPSec Deployment In this practice, you will determine the feasibility of a proposed IPSec deployment plan

19 Lesson: Troubleshooting IPSec Communications IPSec Troubleshooting Tools Viewing Key Exchange Information Using Event Viewer Verifying That a Policy Is Applied Using RSoP

20 IPSec Troubleshooting Tools Tool Uses IPSec Monitor snap-in Search for all matches for filters of a specific traffic type IP Security Policy Management snap-in Create, modify, and activate IPSec policies Active Directory Users and Computers and Group Policy Troubleshoot policy precedence issues Determine which policies are available, assigned, or applied Resultant Set of Policy (RSoP) Determine which policies are assigned, but not applied to clients Event Viewer View IPSec policy-related events Oakley log View details of the SA establishment process

21 Viewing Key Exchange Information Using Event Viewer Use Event Viewer to: Verify that security auditing is enabled View IPSec–related events in Event Viewer Verify that security auditing is enabled View IPSec–related events in Event Viewer

22 Verifying That a Policy Is Applied Using RSoP Using RSoP Logging mode queries  View all IPSec policies that are assigned to a specific client Planning mode queries  View all IPSec policies that are assigned to members of a Group Policy container

23 Practice: Troubleshooting IPSec Communications In this practice, you will troubleshoot an IPSec communication issue

24 Lab A: Troubleshooting IPSec Exercise 1: Planning IPSec for a LAN/WAN Environment Exercise 2: Troubleshooting an IPSec Infrastructure

Download ppt "Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications."

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.

Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Security Data Transmission and Authentication

Security Data Transmission and Authentication
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Securing Windows Servers Using Group Policy Objects

Securing Windows Servers Using Group Policy Objects

Similar presentations

Ads by Google