Module 8: Planning and Troubleshooting IPSec


Overview

Understanding Default Policy Rules

Planning an IPSec Deployment

Troubleshooting IPSec Communications

Lesson: Understanding Default Policy Rules

Multimedia: Overview of IPSec

Rules for an IPSec Connection

Default IPSec Policies

Client (Respond Only) Default Policy Rules

Server (Request Security) Default Policy Rules

Secure Server (Require Security) Default Policy Rules

Multimedia: Overview of IPSec

The objective of this presentation is to explain that IPSec is a framework of open standards for ensuring secure, private communication over Internet Protocol networks

You will learn how to:

Identify the processes for data encryption, decryption, or signing

Explain the functionality of the IPSec policy agents and drivers

Define the functionality of the ISAKMP service

Explain how the IPSec policy triggers the encryption of data between two computers

Rules for an IPSec Connection

Rule: Description

• IP filter list: Specifies which network traffic will be secured, by using inbound and outbound filters
• Filter action: Specifies how traffic matching the filter will be handled (dropped, encrypted, and so on)
• Authentication methods: Specifies how two computers will authenticate themselves to each other (Kerberos, preshared key, or X.509 certificates)
• Tunnel endpoint: Allows you to specify a tunnel endpoint for IPSec tunnels
• Connection type: Allows the rule to be applied to LAN traffic, WAN traffic, or both

Default IPSec Policies

IPSec uses policies and rules to secure network traffic

Rules are composed of:
• The type of traffic to match
• What to do when traffic matches
• An authentication method
• Either tunnel or transport mode
• The connection type (LAN or WAN)

Default policies include:
• Client (Respond Only)
• Server (Request Security)
• Secure Server (Require Security)


Client (Respond Only) Default Policy Rules

This policy has the following settings:

First rule (default response rule)
• IP Filter List: <Dynamic>
• Filter Action: Default Response
• Authentication: Kerberos
• Tunnel Setting: None
• Connection Type: All

Use: This policy enables the computer on which it is active to respond to requests for secured communications

Server (Request Security) Default Policy Rules

This policy has the following settings:

First rule
• IP Filter List: All IP Traffic
• Filter Action: Request Security (Optional)
• Authentication: Kerberos
• Tunnel Setting: None
• Connection Type: All

Second rule
• IP Filter List: All ICMP Traffic
• Filter Action: Permit
• Authentication: N/A
• Tunnel Setting: None
• Connection Type: All

Third rule
• IP Filter List: <Dynamic>
• Filter Action: Default Response
• Authentication: Kerberos
• Tunnel Setting: None
• Connection Type: All

Use: This policy allows the entire communication to be unsecured if the other computer is not IPSec–enabled

Secure Server (Require Security) Default Policy Rules

This policy has the following settings:

First rule
• IP Filter List: All IP Traffic
• Filter Action: Require Security
• Authentication: Kerberos
• Tunnel Setting: None
• Connection Type: All

Second rule
• IP Filter List: All ICMP Traffic
• Filter Action: Permit
• Authentication: None
• Tunnel Setting: None
• Connection Type: All

Third rule
• IP Filter List: <Dynamic>
• Filter Action: Default Response
• Authentication: Kerberos
• Tunnel Setting: None
• Connection Type: All

Use: This policy requires all outbound communication to be secured, allowing only the initial inbound communication request to be unsecured
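
The sketch below is an added example, not part of the original course material: it encodes the default policy rules listed above as data and predicts whether traffic between two hosts ends up secured, clear, or blocked. The evaluation logic (most specific filter wins, a Permit rule takes no part in negotiation, both hosts can authenticate with Kerberos) is a simplified assumption, and every function and variable name is hypothetical.

```python
# Added example: simplified model of the default IPSec policies (names are hypothetical).
from itertools import product

# Static rules as (IP filter list, filter action), copied from the rule lists above;
# "default_response" marks the <Dynamic> default response rule.
ICMP_PERMIT = ("All ICMP Traffic", "permit")
POLICIES = {
    "No policy": {"rules": [], "default_response": False},
    "Client (Respond Only)": {"rules": [], "default_response": True},
    "Server (Request Security)": {
        "rules": [("All IP Traffic", "request"), ICMP_PERMIT], "default_response": True},
    "Secure Server (Require Security)": {
        "rules": [("All IP Traffic", "require"), ICMP_PERMIT], "default_response": True},
}
# Assumption: the most specific matching filter wins (higher number = more specific).
SPECIFICITY = {"All IP Traffic": 1, "All ICMP Traffic": 2}

def matches(filter_name, proto):
    return filter_name == "All IP Traffic" or (
        filter_name == "All ICMP Traffic" and proto == "icmp")

def action_for(policy, proto):
    """Filter action of the most specific matching static rule, or None."""
    hits = [(SPECIFICITY[f], a) for f, a in POLICIES[policy]["rules"] if matches(f, proto)]
    return max(hits)[1] if hits else None

def can_negotiate(policy, act):
    """A side joins negotiation if it asks for security itself or, having no
    matching static rule, answers through the default response rule."""
    return act in ("request", "require") or (
        act is None and POLICIES[policy]["default_response"])

def outcome(a, b, proto):
    """Predict 'secured', 'clear' or 'blocked' for proto traffic between a and b."""
    act_a, act_b = action_for(a, proto), action_for(b, proto)
    if not {act_a, act_b} & {"request", "require"}:
        return "clear"  # neither side asks for IPSec
    if can_negotiate(a, act_a) and can_negotiate(b, act_b):
        return "secured"
    # No negotiation possible: Require Security refuses to continue unsecured,
    # Request Security (Optional) falls back to unsecured traffic.
    return "blocked" if "require" in (act_a, act_b) else "clear"

def matrix(proto):
    """Outcome for every pairing of policies, for planning a mixed deployment."""
    names = list(POLICIES)
    return {(a, b): outcome(a, b, proto) for a, b in product(names, repeat=2)}

if __name__ == "__main__":
    for (a, b), result in matrix("tcp").items():
        print(f"{a:33} <-> {b:33} {result}")
```

The matrix makes the planning consequence visible: two Client (Respond Only) hosts never secure anything between themselves, and a host without IPSec can still reach a Secure Server with ICMP but with nothing else.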

Practice: Using Policy-Based Management

In this practice, you will discuss the policy-based management of IPSec

Lesson: Planning an IPSec Deployment

Determining the IPSec Policy Deployment Method

Determining the Authentication Method to Use

Determining IPSec Policy Needs

Best Practices for Planning IPSec

Guidelines for Planning an IPSec Deployment Using Active Directory

Guidelines for Planning an IPSec Deployment Using Local Policies

Determining the IPSec Policy Deployment Method

[Diagram labels: Using Active Directory; Using Local Policies; In a heterogeneous environment; Active Directory]

Determining the Authentication Method to Use

Authentication method: Use

• Kerberos V5 security protocol: Clients and servers running Windows 2000 (and later versions) that are part of an Active Directory domain
• Public key certificate: Internet access; remote access to corporate resources; external business partners; computers that do not run the Kerberos V5 security protocol
• Preshared secret key: When both computers must manually configure IPSec

Determining IPSec Policy Needs

Identify enterprise needs

Evaluate potential threats to determine if IPSec can mitigate them

Identify rules and settings for your policy

Create a new policy or modify an existing policy

Best Practices for Planning IPSec

Best practices:

• Evaluate the type of information being sent over your network
• Determine where your information is stored
• Evaluate your vulnerability to network attacks
• Design and document an enterprise-wide network security plan
• Test the IPSec policies in your security plan

Guidelines for Planning an IPSec Deployment Using Active Directory

• Evaluate Active Directory–based Group Policy for deployment
• Identify groups of computers that require security
• Determine where to assign Group Policy Object
• Evaluate security threats
• Determine if IPSec can mitigate threats
• Define the IPSec Policy

Guidelines for Planning an IPSec Deployment Using Local Policies

• Determine if local Group Policy is the best method for deployment
• Identify groups of computers that require security
• Determine if certificate infrastructure is in place
• Evaluate security threats
• Determine if IPSec can mitigate threats
• Determine how policies will be deployed

Practice: Planning an IPSec Deployment

In this practice, you will determine the feasibility of a proposed IPSec deployment plan

Lesson: Troubleshooting IPSec Communications

IPSec Troubleshooting Tools

Viewing Key Exchange Information Using Event Viewer

Verifying That a Policy Is Applied Using RSoP

IPSec Troubleshooting Tools

Tool: Uses

• IPSec Monitor snap-in: Search for all matches for filters of a specific traffic type
• IP Security Policy Management snap-in: Create, modify, and activate IPSec policies
• Active Directory Users and Computers and Group Policy: Troubleshoot policy precedence issues; determine which policies are available, assigned, or applied
• Resultant Set of Policy (RSoP): Determine which policies are assigned, but not applied to clients
• Event Viewer: View IPSec policy-related events
• Oakley log: View details of the SA establishment process

Viewing Key Exchange Information Using Event Viewer

Use Event Viewer to:

• Verify that security auditing is enabled
• View IPSec–related events in Event Viewer

Verifying That a Policy Is Applied Using RSoP

Using RSoP

Logging mode queries

View all IPSec policies that are assigned to a specific client

Planning mode queries

View all IPSec policies that are assigned to members of a Group Policy container

Practice: Troubleshooting IPSec Communications

In this practice, you will troubleshoot an IPSec communication issue

Lab A: Troubleshooting IPSec

Exercise 1: Planning IPSec for a LAN/WAN Environment

Exercise 2: Troubleshooting an IPSec Infrastructure