CN2140 Server II
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCITP, MCTS, MCDST, MCP, A+
Agenda
•Chapter 9: Securing Data Transmission and Authentication
•Exercise
•Lab
•Quiz
Securing Network Traffic with IPSec
•IP Security (IPSec) is a suite of protocols
▫Operates at the IP (network) layer, so it protects both transport-layer protocols (TCP and UDP) without any change to them
▫Provides a single security standard that applies a series of cryptographic algorithms across the network
•Two principal goals:
▫To protect the contents of IP packets
▫To provide a defense against network attacks through packet filtering and the enforcement of trusted communication
Securing Network Traffic with IPSec
•Reduces or prevents the following attacks:
▫Packet sniffing
▫Data modification
▫Identity spoofing
▫Man-in-the-middle attacks
▫Denial of service attacks (DoS)
IPSec
•An architectural framework that provides cryptographic security services for IP packets
•IPSec is an end-to-end security technology
▫Intermediate routers forward IPSec packets as ordinary IP packets
▫Only the two endpoints know that the traffic is protected
•Both sides must be configured with compatible IPSec policies (same protocols, algorithms and authentication method); otherwise negotiation fails
IPSec
•Security features
▫IP packet filtering
▫Network layer security
▫Peer authentication: verifies the identity of the peer before any data is exchanged
▫Anti-replay: a sequence number on each packet, which the receiver checks against a sliding window so that a captured packet cannot be resent later
▫Key management: negotiates and periodically refreshes the secret keys
▫See the list on page 206
IPSec Modes
•Transport mode
▫When you require packet filtering and end-to-end security between two hosts
▫Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters
•Tunnel mode
▫For site-to-site communications that cross the Internet (or other public networks)
▫Tunnel mode provides gateway-to-gateway protection: the original packet is encapsulated in a new IP packet addressed between the two gateways
IPSec Protocols
•Uses a combination of individual protocols
▫The Authentication Header (AH) protocol
▫The Encapsulating Security Payload (ESP) protocol
Authentication Header (AH)
•Provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet)
▫Header fields that routers legitimately change in transit (TTL, header checksum) are excluded from the check
•Does not encrypt the data, but protects it from modification
•Uses keyed hash algorithms (HMACs) to compute an integrity check value over the packet
•Because the IP addresses are covered by the check, AH traffic does not survive NAT
Encapsulating Security Payload (ESP)
•Provides confidentiality, authentication, integrity, and anti-replay
•ESP in transport mode does not authenticate the entire packet; only the IP payload (not the IP header) is protected
•ESP can be used alone or in combination with AH
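The difference in coverage between AH and ESP transport mode is what decides whether a NAT on the path breaks the connection. The following is an added example, not code from the slides or from Windows: it computes an HMAC-SHA256 integrity check value over what AH covers (the whole packet with mutable header fields zeroed) and over what ESP transport mode covers (the payload only), then applies two in-flight changes, a TTL decrement and a destination-address rewrite. The packet layout, the key and the payload are constructed for illustration; real AH and ESP use the RFC 4302/4303 header formats, and a real ESP check also covers the ESP header and trailer, which is omitted here.

```python
# Added example (not from the slides): what an AH integrity check value covers
# versus what ESP in transport mode covers, using HMAC-SHA256 as the keyed hash.
# Packet layout, key and payload are constructed for illustration; real AH/ESP
# use the RFC 4302/4303 formats and the ESP check also covers the ESP header.
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-negotiated"   # stands in for the SA's auth key


def ipv4_header(src, dst, ttl=64, proto=6, total_len=40):
    """Build a minimal 20-byte IPv4 header (no options); checksum left as 0."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))


def ah_covered_bytes(ip_hdr, payload):
    """AH authenticates the whole packet, but mutable header fields (DSCP/ECN,
    flags and fragment offset, TTL, header checksum) are zeroed before hashing
    because routers legitimately change them in transit."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                # DSCP/ECN
    hdr[6:8] = b"\x00\x00"    # flags + fragment offset
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    return bytes(hdr) + payload


def esp_transport_covered_bytes(ip_hdr, payload):
    """ESP transport mode authenticates only the encapsulated payload; the
    outer IP header is not covered at all."""
    return payload


def icv(covered):
    """Integrity check value: a keyed hash, not a digital signature."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def verify(mode, ip_hdr, payload, expected_icv):
    cover = ah_covered_bytes if mode == "AH" else esp_transport_covered_bytes
    return hmac.compare_digest(icv(cover(ip_hdr, payload)), expected_icv)


def demo():
    """Protect a constructed packet, then apply two in-flight changes: a TTL
    decrement (a router hop) and a destination rewrite (what a NAT does).
    Returns {mode: (survives_ttl_change, survives_nat_rewrite)}."""
    src, dst = [10, 0, 0, 1], [10, 0, 0, 2]
    payload = b"GET / HTTP/1.0\r\n\r\n"
    results = {}
    for mode, cover in (("AH", ah_covered_bytes), ("ESP", esp_transport_covered_bytes)):
        original = ipv4_header(src, dst)
        tag = icv(cover(original, payload))
        ttl_changed = ipv4_header(src, dst, ttl=63)
        nat_rewritten = ipv4_header(src, [192, 0, 2, 7])
        results[mode] = (verify(mode, ttl_changed, payload, tag),
                         verify(mode, nat_rewritten, payload, tag))
    return results


if __name__ == "__main__":
    for mode, (ttl_ok, nat_ok) in demo().items():
        print(f"{mode}: TTL decrement {'ok' if ttl_ok else 'FAIL'}, "
              f"NAT rewrite {'ok' if nat_ok else 'FAIL'}")
```

Both modes tolerate the TTL decrement, because AH deliberately leaves mutable fields out; only AH rejects the rewritten destination, which is the integrity guarantee AH adds and also the reason it cannot pass through NAT. Any change to the payload fails in both modes.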
IPSec Security Association
•The set of security parameters mutually agreed to by communicating peers
•Contains the information needed to determine
▫The security services and protection mechanisms
▫Secret keys
•Two types of SAs are created when IPSec peers communicate securely:
▫The ISAKMP SA (Internet Security Association and Key Management Protocol)
▫The IPSec SA
ISAKMP SA (Main mode SA)
•The ISAKMP SA is created by negotiating the cipher suite
▫A collection of cryptographic algorithms
•Used to protect future ISAKMP traffic (the Quick mode negotiations)
•Exchanges key generation material
•Identifies and authenticates each IPSec peer
IPSec SA (Quick mode SA)
•Protects the data sent between the IPSec peers
•The Quick mode negotiation itself is protected by the ISAKMP SA
•Each session has 3 SAs
▫The ISAKMP SA
▫The inbound IPSec SA
▫The outbound IPSec SA
•IPSec SAs are unidirectional: the inbound SA of A is the outbound SA of B
Internet Key Exchange (IKE)
•IKE combines ISAKMP and the Oakley Key Determination Protocol
▫To generate secret key material, based on the Diffie-Hellman key exchange algorithm
Dynamic Rekeying
•The determination of new keying material through a new Diffie-Hellman exchange on a regular basis
▫Every 480 minutes (8 hours) by default
▫Or after a set number of data sessions have been created with the same set of keying material
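The IKE slide and the rekeying slide above describe one mechanism: a Diffie-Hellman exchange that both peers run to obtain the same secret, and a lifetime policy that forces a fresh exchange. The following is an added example, not code from the slides, from Windows or from any IKE implementation. It uses the 1024-bit MODP group (group 2 from RFC 2409, transcribed here; check it against the RFC before relying on it) only because that prime is short enough to show; 1024-bit DH is too weak for production today, where 2048-bit (group 14) or stronger is the floor. The key derivation is a simplified HMAC schedule, not IKE's exact SKEYID construction, and the nonces and lifetimes are constructed values; the 480-minute time limit and 100 MB byte limit in the demo are assumed figures for a rekey policy.

```python
# Added example (not from the slides): the Diffie-Hellman exchange at the heart
# of IKE, a simplified key derivation, and a rekey policy that forces a fresh
# exchange by time or by data volume. Group 2 (RFC 2409, 1024-bit) is used only
# because it is short; it is too weak for production. Not IKE's real schedule.
import hashlib
import hmac
import secrets

# 1024-bit MODP prime, transcribed from RFC 2409 section 6.2 (verify against the RFC).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Private exponent x and public value g^x mod p for one peer."""
    x = secrets.randbelow(P - 2) + 2          # 2 <= x <= P-1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """g^xy mod p. Reject degenerate public values (0, 1, p-1) outright."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def derive_keys(shared, nonce_i, nonce_r):
    """Simplified schedule (assumption: NOT IKE's exact SKEYID derivation):
    seed = HMAC(Ni|Nr, g^xy), then one HMAC label per key."""
    secret = shared.to_bytes(128, "big")
    skeyid = hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()
    return {
        "enc": hmac.new(skeyid, b"enc", hashlib.sha256).digest(),
        "auth": hmac.new(skeyid, b"auth", hashlib.sha256).digest(),
    }


def negotiate(nonce_i, nonce_r):
    """Run one exchange between two constructed peers and return the key sets
    each side derived; they must be identical although the private
    exponents never leave their owner."""
    xi, gi = dh_keypair()        # initiator
    xr, gr = dh_keypair()        # responder
    keys_i = derive_keys(dh_shared(xi, gr), nonce_i, nonce_r)
    keys_r = derive_keys(dh_shared(xr, gi), nonce_i, nonce_r)
    return keys_i, keys_r


class RekeyPolicy:
    """Decide when keying material must be replaced: by elapsed time or by
    data volume, whichever limit is reached first."""

    def __init__(self, max_seconds, max_bytes):
        self.max_seconds = max_seconds
        self.max_bytes = max_bytes
        self.started_at = 0
        self.bytes_sent = 0

    def reset(self, now):
        self.started_at = now
        self.bytes_sent = 0

    def record(self, nbytes):
        self.bytes_sent += nbytes

    def due(self, now):
        return (now - self.started_at) >= self.max_seconds or self.bytes_sent >= self.max_bytes


if __name__ == "__main__":
    ni, nr = b"Ni-constructed", b"Nr-constructed"   # constructed nonces
    first, _ = negotiate(ni, nr)
    policy = RekeyPolicy(max_seconds=480 * 60, max_bytes=100 * 1024 * 1024)  # assumed limits
    policy.reset(0)
    policy.record(5 * 1024 * 1024)
    print("rekey due after 5 MB at t=60s?", policy.due(60))
    print("rekey due at t=8h?", policy.due(480 * 60))
    second, _ = negotiate(ni, nr)                      # a new DH exchange
    print("fresh keys differ from old:", first["enc"] != second["enc"])
```

Because each rekey runs a new Diffie-Hellman exchange, the new keys are unrelated to the old ones; an attacker who later recovers one set of session keys cannot derive the traffic keys of another period, which is the property (perfect forward secrecy) that makes periodic rekeying worthwhile rather than merely hygienic.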
IPSec Policies
•Security rules that define
▫The desired security level: hashing algorithm, encryption algorithm, key length
▫The addresses, protocols, DNS names and subnets
▫The connection types to which these security settings will apply
•Windows Server 2008 integrates IPSec management into the Windows Firewall with Advanced Security MMC snap-in
IPSec Policies
•IPSec policies are hierarchical and are organized as follows:
▫Each IPSec policy consists of one or more IP Security Rules
▫Each IP Security Rule includes a single IP Security Action that is applied to one or more IP Filter Lists
▫Each IP Filter List contains one or more IP Filters
•Only one IPSec policy can be active on any one computer at a given time
▫If you wish to assign a new IPSec policy to a particular computer, you must first un-assign the existing IPSec policy
Creating an IPSec Policy
•Select the option to create a new IPSec policy
▫This will prompt you to launch the IP Security Rule wizard
•Assign your new IPSec policy to a single computer or a group of computers
▫Use an MMC console to add the IP Security Policy Management snap-in (for Windows 2000, XP and Server 2003); when adding it you choose what it manages:
▫Local computer
▫The AD domain of which this computer is a member
▫Another AD domain
▫Another computer
Windows Firewall with IPSec Policies
•For Windows Vista and newer, IPSec policies are deployed as Connection Security Rules in Windows Firewall with Advanced Security
Connection Security Rules
•Windows Server 2008 comes with four pre-configured Connection Security Rule templates:
▫Isolation rule
▫Authentication exemption rule
▫Server-to-Server rule
▫Tunnel rule
Connection Security Rules
•Isolation rule
▫Restricts inbound and outbound connections based on certain sets of criteria
▫Settings: inbound vs outbound authentication requirements, authentication method, profile (domain, private, public), name
Connection Security Rules
•Authentication exemption rule
▫Exempts specific computers from authentication (typically infrastructure hosts such as DHCP or DNS servers that must be reachable before authentication is possible)
▫Settings: exempt computers (IP, range of IPs, subnet), profile, name
Connection Security Rules
•Server-to-Server rule
▫Secures traffic between two servers or two groups of servers
▫Settings: endpoints (IP / range of IPs / subnet), authentication requirements, authentication method, profile, name
Connection Security Rules
•Tunnel rule
▫Same as Server-to-Server, but secures traffic only between two tunnel endpoints (gateways), i.e. IPSec tunnel mode
▫Settings: endpoint computers, local tunnel computer, remote tunnel computer, authentication method, profile, name
IPSec Driver
•The IPSec driver matches inbound and outbound packets against the filters of the active policy and applies the corresponding action
▫Main mode negotiation establishes the ISAKMP SA and authenticates the endpoints
▫Quick mode negotiation determines the type of connection (protocol, algorithms and keys) for the IPSec SAs
IPSec Policy Agent
•Retrieves information about IPSec policies
•Passes the information to other IPSec components that require it in order to perform security functions
•The IPSec Policy Agent is a service that runs on each computer running Windows Server 2008
Deploying IPSec
•IPSec policies can be deployed using local policies, Active Directory, or both
▫For AD, the LSDOU processing order (Local, Site, Domain, OU) still applies. The OU's IPSec policy is applied last and overrides all other IPSec policies; IPSec policies do not merge
•Three built-in IPSec policies in Group Policy:
▫Client (Respond Only) policy: for computers that normally do not send secured data; they use IPSec only when a peer requests it
▫The Server (Request Security) policy: can be used on any computer (client or server) that needs to initiate secure communications; it falls back to unsecured traffic if the peer does not answer with IPSec, so it does not by itself guarantee protection
▫The Secure Server (Require Security) policy: does not send or accept unsecured transmissions
Monitoring IPSec
•IP Security Monitor
•RSoP
•Event Viewer
•netsh command-line utility (e.g. netsh advfirewall monitor show mmsa and show qmsa list the active main mode and quick mode SAs)
•Windows Firewall with Advanced Security
Network Authentication
•The default authentication protocol in an AD network is the Kerberos v5 protocol
•NT LAN Manager (NTLM) authentication
▫A legacy family of challenge-response authentication protocols
▫LM Authentication: the weakest; used since Windows 95 (the hash is built from the upper-cased password in two 7-character halves, so it is easily cracked)
▫NTLM Authentication
▫NTLMv2 Authentication: the strongest of the three; supported on Windows 2000 and later (introduced in NT 4.0 SP4)
Windows Firewall
•A stateful firewall is a firewall that tracks and maintains information about the state of each connection, so replies to connections the host initiated are allowed automatically
•The default configuration of the Windows Firewall blocks all unsolicited inbound traffic
▫Attempts to access the computer from a remote network host that have not been specifically authorized by the administrator of the local server
Windows Firewall
•Three states: On, On with "Block all incoming connections" (all exceptions are ignored), Off
•You can also add exception rules/ports as needed
•Scopes have to be modified from the MMC snap-in
▫Any computer
▫My network (subnet only)
▫A specific range of IP addresses
Assignment
•Summarize the chapter in your own words
▫At least 75 words
▫Due BEFORE class starts on Thursday
•Lab 9
▫Due BEFORE class starts on Monday