Security Data Transmission and Authentication Lesson 9
Skills Matrix Technology SkillObjective DomainObjective # Securing Network Traffic with IPSec Configure IPsec1.4 Configuring Network Authentication Configure network authentication 3.3 Configuring the Windows Firewall Configure firewall settings3.5
Security Network Traffic with IPSec Whether you have a public presence on the Internet or maintain a private network, securing your data is a core requirement. Much attention is placed on perimeter security and preventing attacks from outside the network. Much less attention is focused on attacks within the network, where an attack is more likely to occur. A solid security strategy employs many layers of coordinated security.
Security Network Traffic with IPSec The IP Security (IPSec) suite of protocols was introduced to provide a series of cryptographic algorithms that can be used to provide security for all TCP/IP hosts at the Internet layer, regardless of the actual application that is sending or receiving data. With IPSec, a single security standard can be used across multiple heterogeneous networks, and individual applications need not be modified to use it.
Security Network Traffic with IPSec IPSec has two principle goals: – To protect the contents of IP packets. – To provide a defense against network attacks through packet filtering and the enforcement of trusted communication.
Security Network Traffic with IPSec IPSec has a number of features that can significantly reduce or prevent the following attacks: – Packet sniffing. – Data modification. – Identity spoofing. – Man-in-the-middle attacks. – Denial of service attacks (DoS).
IPSec IPSec is an architectural framework that provides cryptographic security services for IP packets. IPSec is an end-to-end security technology. Each computer handles security at its respective end with the assumption that the medium over which the communication takes place is not secure.
IPSec IPSec has many security features designed to meet the goals of protection IP packets and defend against attacks through filtering and trusted communication. Automatic security association. IP packet filtering. Network layer security. Peer authentication. Data origin Authentication. Data Integrity. Data confidentiality. Anti-Replay. Key management.
IPSec Modes You can configure IPSec to use one of two modes: transport mode or tunnel mode: – Transport mode — Use transport mode when you require packet filtering and when you require end-to-end security. Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters. – Tunnel mode — Use tunnel mode for site-to-site communications that cross the Internet (or other public networks). Tunnel mode provides gateway-to-gateway protection.
IPSec Protocols The IPSec protocol suite provides security using a combination of individual protocols, including the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. These protocols work independently or in tandem, depending on the need for confidentiality and authentication.
Authentication Header (AH) The Authentication Header (AH) protocol provides authentication, integrity, and antireplay for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means that it does not encrypt the data. – The data is readable, but protected from modification. AH uses keyed hash algorithms to sign the packet for integrity.
Encapsulating Security Payload (ESP) The Encapsulating Security Payload (ESP) protocol provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload. ESP in transport mode does not sign the entire packet; only the IP payload (not the IP header) is protected. ESP can be used alone or in combination with AH.
Encryption and Integrity Algorithms in Windows Server 2008 IPSec
Security Association A security association (SA) is the combination of security services, protection mechanisms, and cryptographic keys mutually agreed to by communicating peers. The SA contains the information needed to determine how the traffic is to be secured (the security services and protection mechanisms) and with which secret keys (cryptographic keys). Two types of SAs are created when IPSec peers communicate securely: the ISAKMP SA and the IPSec SA.
ISAKMP SA The ISAKMP SA, also known as the main mode SA, is used to protect IPSec security negotiations. The ISAKMP SA is created by negotiating the cipher suite (a collection of cryptographic algorithms used to encrypt data) used for protecting future ISAKMP traffic, exchanging key generation material, and then identifying and authenticating each IPSec peer.
Internet Key Exchange (IKE) The Internet Key Exchange (IKE) is a standard that defines a mechanism to establish SAs. IKE combines ISAKMP and the Oakley Key Determination Protocol, a protocol that is to generate secret key material. The Diffie-Hellman key exchange algorithm allows two peers to determine a secret key by exchanging unencrypted values over a public network. A malicious user who intercepts the key exchange packets can view the numbers, but cannot perform the same calculation as the negotiating peers in order to derive the shared secret key.
Dynamic Rekeying Windows Server 2008 IPSec also supports dynamic rekeying, which is the determination of new keying material through a new Diffie-Hellman exchange on a regular basis. Dynamic rekeying is based on an elapsed time, 480 minutes or 8 hours by default, or the number of data sessions created with the same set of keying material.
IPSec Policies IPSec policies are the security rules that define the desired security level, hashing algorithm, encryption algorithm, and key length. These rules also define the addresses, protocols, DNS names, subnets, or connection types to which these security settings will apply. IPSec policies can be configured to meet the security requirements of a user, group, application, domain, site, or for an entire enterprise network. Windows Server 2008 has integrated management of IPSec into the Windows Firewall with Advanced Security MMC snap-in.
IPSec Policies IPSec policies are hierarchical in nature, and are organized as follows: – Each IPSec policy consists of one or more IP Security Rules. – Each IP Security Rule includes a single IP Security Action that is applied to one or more IP Filter Lists. – Each IP Filter List contains one or more IP Filters. Only one IPSec policy can be active on any one computer at a given time. – If you wish to assign a new IPSec policy to a particular computer, you must first un-assign the existing IPSec policy.
Windows Firewall with IPSec Policies The driving factor behind combining administration of the Windows Firewall with IPSec policies is to streamline network administration on a Windows Server 2008 computer. – In Windows Server 2003, it was possible to configure duplicate or even contradictory settings between IPSec and the Windows Firewall.
IPSec Default Settings
Connection Security Rules Windows Server 2008 comes with four pre- configured Connection Security Rule templates: – Isolation rule. – Authentication exemption rule. – Server-to-Server rule. – Tunnel rule.
IPSec Policy Agent The purpose of the IPSec Policy Agent is to retrieve information about IPSec policies and to pass this information to other IPSec components that require it in order to perform security functions. The IPSec Policy Agent is a service that resides on each computer running a Windows Server 2008 operating system, appearing as IPSec Services in the list of system services in the Services console.
IPSec Driver The IPSec driver receives the active IP filter list from the IPSec Policy Agent. The IPSec driver then checks for a match of every inbound and outbound packet against the filters in the list. The IPSec driver stores all current quick mode SAs in a database. The IPSec driver uses the SPI field to match the correct SA with the correct packet. When an outbound IP packet matches the IP filter list with an action to negotiate security, the IPSec driver queues the packet, and then the IKE process begins negotiating security with the destination IP address of that packet.
Deploying IPSec IPSec policies can be deployed using local policies, Active Directory, or both.
Deploying IPSec When deploying IPSec policies via GPO, there are three built-in IPSec policies that are present by default: – Use the Client (Respond Only) policy on computers that normally do not send secured data. – The Server (Request Security) policy can be used on any computer — client or server — that needs to initiate secure communications. – The Secure Server (Require Security) policy, does not send or accept unsecured transmissions. Like the Server policy, the Secure Server policy uses Kerberos authentication.
IPSec Policies node in a GPO
Viewing the Windows Firewall with Advanced Security node of a GPO
Monitoring IPSec Windows Server 2008 provides several tools you can use to manage and monitor IPSec, including the IP Security Monitor, RSoP, Event Viewer, and the netsh command-line utility. In addition, the new Windows Firewall with Advanced Security MMC snap-in provides additional monitoring of Connection Security Rules and IPSec Security Associations.
Network Authentication In addition to securing network traffic with IPSec, another common issue is securing the network authentication process. The default authentication protocol in an Active Directory network is the Kerberos v5 protocol, but there are situations in which the NT LAN Manager (NTLM) authentication protocols come into play. – NTLM is typically considered a legacy authentication protocol
Windows Firewall Beginning with Windows Server 2003 Service Pack 1, the Windows server operating system has included a built-in stateful firewall called the Windows Firewall. A stateful firewall is so named because it can track and maintain information based on the status of a particular connection.
Windows Firewall The Windows Firewall is enabled by default on all new installations of Windows Server 2008, and can be managed manually via the Windows Firewall Control Panel applet, the new Windows Firewall with Advanced Security MMC snap-in, or via Group Policy Objects in an Active Directory environment. The default configuration of the Windows Firewall in Windows Server 2008 will block all unsolicited inbound traffic; that is, attempts to access the computer from a remote network host that has not been specifically authorized by the administrator of the local server.
Summary IPSec is the standard method of providing security services for IP packets. ESP protocol provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload, while the AH protocol provides authentication, integrity, and anti-replay for the entire packet.
Summary Two types of SAs are created when IPSec peers communicate securely: the ISAKMP SA and the IPSec SA. To negotiate SAs for sending secure traffic, IPSec uses IKE, a combination of ISAKMP and the Oakley Key Determination Protocol. ISAKMP messages contain many types of payloads to ex-change information during SA negotiation.
Summary Main mode negotiation is used to establish the ISAKMP SA, which is used to protect future main mode and all quick mode negotiations. Quick mode negotiation is used to establish the IPSec SA to protect data. You can use Netsh IPSec static mode to create and assign IPSec policies, add a persistent policy, and change other configuration features.
Summary You can use Active Directory Group Policy Objects or the Local Group Policy Object to configure NTLM authentication levels on a Windows Server 2008 computer.
Summary The Windows Firewall with Advanced Security MMC snap-in allows you to control inbound and outbound traffic on a Windows Server 2008 computer, as well as integrate Windows Firewall configuration with IPSec through the use of Connection Security rules.