Page 1

Securing Network Communications Using IPSec
Chapter Twelve

Page 2

Exam Objectives in this Chapter:
Implement secure access between private networks.
Create and implement an IPSec policy.
Configure network protocol security.
Configure protocol security in a heterogeneous client computer environment.
Configure protocol security by using IPSec policies.
Configure security for data transmission.
Configure IPSec policy settings.

Page 3

Exam Objectives in this Chapter (cont.):
Plan for network protocol security.
Specify the required ports and protocols for specified services.
Plan an IPSec policy for secure network communications.
Plan security for data transmission.
Secure data transmission between client computers to meet security requirements.
Secure data transmission by using IPSec.
Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in.

Page 4

Lessons in this Chapter:
Securing Internetwork Communications
Planning an IPSec Implementation
Deploying IPSec
Troubleshooting Data Transmission Security

Page 5

Before You Begin
This chapter assumes a basic understanding of TCP/IP communications, as described in Chapter 2, “Planning a TCP/IP Network Infrastructure.”
To perform the practice exercises in this chapter, you must have installed and configured Windows Server 2003 using the procedure described in “About This Book.”

Page 6

Securing Internetwork Communications: Packet Filtering
Packet filtering is a method for regulating the TCP/IP traffic that is permitted to reach a computer or a network, based on criteria such as IP addresses, protocols, and port numbers.

Page 7

Understanding Ports and Protocols
In the packet header of each TCP/IP protocol at each layer of the OSI reference model, identifiers specify which protocol at the next layer should receive the packet.

Page 8

Well-Known Port Numbers (Table 12-1)

Application | Abbreviation | Protocol | Port Number
File Transfer Protocol (Control) | ftp-control | TCP | 21
File Transfer Protocol (Default Data) | ftp-default data | TCP | 20
Telnet | telnet | TCP | 23
Simple Mail Transfer Protocol | smtp | TCP | 25
Domain Name Service | domain | TCP/UDP | 53
Dynamic Host Configuration Protocol (Server) / Bootstrap Protocol Server (nondynamic) | dhcps / bootps | UDP | 67
Dynamic Host Configuration Protocol (Client) / Bootstrap Protocol Client (nondynamic) | dhcpc / bootpc | UDP | 68
World Wide Web HTTP | http | TCP | 80
Post Office Protocol - Version 3 | pop3 | TCP | 110
Simple Network Management Protocol | snmp | UDP | 161
Simple Network Management Protocol Trap | snmptrap | UDP | 162

Page 9

Exam Tip
Be sure to familiarize yourself with the well-known port numbers assigned to the most commonly used services in Windows Server 2003, as listed in Table 12-1.

Page 10

Separate firewall products: two advantages
First, by separating the routing and filtering functions on different systems, you are less likely to experience degraded network performance.
Second, firewalls are likely to have more advanced packet filtering capabilities, such as preset filter configurations designed to protect against specific types of attacks.

Page 11

Packet Filtering Criteria
Creating packet filters is a matter of selecting the specific criteria you want the system to examine and specifying the values that you want to allow or deny passage.
The criteria most commonly used in packet filtering are:
Port numbers
Protocol identifiers
IP addresses
Hardware addresses

Page 12

Spoofing
Once an attacker finds out which IP addresses the filter allows into the network, it is simple to impersonate another computer by using its IP address.
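The first-match filter evaluation that pages 11 and 12 describe, as an added illustration (not code from the textbook or from Windows Server 2003): rules on IP address, protocol identifier and port number are checked in order with a default deny. The Rule and Packet shapes, the rule set and the RFC 5737 documentation addresses are constructed for this example; the ports come from Table 12-1.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed first-match packet filter over three of the four criteria on the
# slide (hardware addresses are left out). Rule/Packet are illustrative shapes.

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    protocol: Optional[str] = None  # "tcp", "udp", "icmp"; None matches any
    src: Optional[str] = None       # CIDR network; None matches any address
    dst: Optional[str] = None
    dst_port: Optional[int] = None  # None matches any port

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None

def _in_net(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.protocol is None or rule.protocol == pkt.protocol)
            and _in_net(rule.src, pkt.src_ip)
            and _in_net(rule.dst, pkt.dst_ip)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def evaluate(rules: list, pkt: Packet, default: str = "deny") -> str:
    """Action of the first matching rule; anything unmatched is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

# Constructed rule set: 192.0.2.0/24 is the "inside" network, ports from Table 12-1.
RULES = [
    Rule("deny", "tcp", dst_port=23),                        # telnet: never
    Rule("allow", "tcp", dst="192.0.2.10/32", dst_port=80),  # http to web host
    Rule("allow", "tcp", dst="192.0.2.10/32", dst_port=25),  # smtp to same host
    Rule("allow", "udp", dst="192.0.2.53/32", dst_port=53),  # domain to resolver
    Rule("allow", "udp", src="192.0.2.0/24", dst_port=161),  # snmp from inside only
]
```

The last rule trusts whatever source address the packet carries, which is exactly the limitation the Spoofing slide raises: the filter cannot tell a genuine inside address from a forged one.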

Page 13

Relationship to the OSI model (figure)
The figure lists the seven OSI layers (Physical, Data-Link, Network, Transport, Session, Presentation, Application) alongside the four filtering criteria (Port Numbers, Protocol Identifiers, IP Addresses, Hardware Addresses). Hardware addresses are carried in data-link headers, IP addresses and protocol identifiers in the network-layer (IP) header, and port numbers in transport-layer headers.

Page 14

Windows Server 2003 Packet Filtering
Using TCP/IP Packet Filtering
Using Routing and Remote Access Service Packet Filtering
Notice the limitations on page 12-8.

Page 15

Using Routing and Remote Access Service Packet Filtering
Creating filters based on the IP addresses, protocols, and port numbers of a packet’s source or destination
Creating filters for ICMP messages, specified by the message type and code values
Creating multiple filters of the same type
Windows Server 2003 RRAS includes a packet filtering mechanism that is more capable than that of the TCP/IP client, but you can use it only when you have configured Windows Server 2003 to function as a router.

Page 16

Practice: Creating Packet Filters in Routing and Remote Access Service
Exercise 1: Examining the Default Routing and Remote Access
Exercise 2: Creating New Packet Filters
Page 12-10

Page 17

Planning an IPSec Implementation
You can store your files in encrypted form using the Encrypting File System (EFS), for example, or an individual application might be able to protect files with a password, but when you access the file over the network or send it to someone else, your computer always decrypts it first.

Page 18

Evaluating Threats
There are many ways that unauthorized personnel can use this captured data against you:
Compromising keys
Spoofing
Modifying data
Attacking applications

Page 19

Introducing IPSec
IPSec encrypts the information in IP datagrams by encapsulating it, so that even if the packets are captured, none of the data inside can be read.
Because IPSec operates at the network layer, as an extension to the IP protocol, it provides end-to-end encryption, meaning that the source computer encrypts the data, and it is not decrypted until it reaches its final destination.

Page 20

Other Protocols
Secure Sockets Layer (SSL), an application-layer protocol that can encrypt only specific types of traffic.

Page 21

IPSec Functions (page 12-17)
Key generation: the two systems use a technique called the Diffie–Hellman algorithm to compute identical encryption keys.
Cryptographic checksums: IPSec uses its cryptographic keys to calculate a checksum for the data in each packet, called a hash message authentication code (HMAC), then transmits it with the data.
IPSec supports two hash functions: HMAC in combination with Message Digest 5 (MD5) and HMAC in combination with Secure Hash Algorithm-1 (SHA1). HMAC-SHA1 is the more secure function, partly because of SHA1’s longer output length (SHA1 produces a 160-bit hash, as opposed to the 128-bit hash produced by MD5).
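The two functions on this slide carried through end to end, as an added example that is not from the textbook or from the Windows IPSec implementation: both peers derive the same key with Diffie–Hellman, then that key drives HMAC-MD5 and HMAC-SHA1 over a packet payload, showing the 128-bit and 160-bit outputs and a failed check on tampered data. The modulus 2**64 - 59, the base 2, the key-derivation step and the payload are constructed for readability; real IKE groups use far larger primes.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed for this example; real IKE groups
# use primes of 1024 bits and more). 2**64 - 59 is prime; 2 serves as the base.
P = 2**64 - 59
G = 2

def dh_keypair(p: int = P, g: int = G):
    """Private exponent x and the public value g^x mod p that goes to the peer."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared_secret(my_private: int, peer_public: int, p: int = P) -> int:
    """Both sides compute the same value; the secret itself is never transmitted."""
    return pow(peer_public, my_private, p)

def derive_key(shared_secret: int) -> bytes:
    """Constructed step: hash the agreed integer into a fixed 20-byte HMAC key."""
    return hashlib.sha1(shared_secret.to_bytes(8, "big")).digest()

def make_hmac(key: bytes, data: bytes, algo: str) -> bytes:
    """algo is "md5" or "sha1", the two hash functions the slide names."""
    return hmac.new(key, data, algo).digest()

def verify_hmac(key: bytes, data: bytes, tag: bytes, algo: str) -> bool:
    """Constant-time comparison, so a wrong tag leaks nothing about the right one."""
    return hmac.compare_digest(make_hmac(key, data, algo), tag)

def demo():
    """Run one exchange: returns (keys match, MD5 len, SHA1 len, good check, tampered check)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))
    payload = b"constructed packet payload"            # constructed sample data
    tag = make_hmac(key_a, payload, "sha1")            # sent along with the data
    return (key_a == key_b,
            len(make_hmac(key_a, payload, "md5")),     # 16 bytes = 128 bits
            len(tag),                                  # 20 bytes = 160 bits
            verify_hmac(key_b, payload, tag, "sha1"),
            verify_hmac(key_b, payload + b"!", tag, "sha1"))  # modified in transit
```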

Page 22

IPSec Functions (cont.)
Mutual authentication: the two systems must authenticate each other to establish a trust relationship. IPSec can use Kerberos, digital certificates, or a preshared key for authentication.
Replay prevention: IPSec prevents packet replays from being effective by assigning a sequence number to each packet. An IPSec system will not accept a packet that has an incorrect sequence number.
IP packet filtering

Page 23

IPSec Protocols: IP Authentication Header
When a computer uses AH to protect its transmissions, the system inserts an AH header into the IP datagram, immediately after the IP header and before the datagram’s payload.
Figure: IP header | IPSec AH header | transport-layer protocol header | application data; the datagram is signed.

Page 24

IPSec Protocols: AH Header Format
Next Header
Payload Length
Reserved
Security Parameters Index
Sequence Number
Authentication Data
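The AH header fields on this slide, parsed from bytes, together with the sequence-number replay check from page 22, as an added example that is not from the textbook or from the Windows IPSec driver. The field layout and the "32-bit words minus 2" meaning of Payload Length follow RFC 4302; the 12-byte ICV, the sliding-window size of 64 and the sample header are constructed. Checking the Authentication Data itself (which needs the SA key and zeroing of mutable IP fields) is left out.

```python
import struct
from dataclasses import dataclass

@dataclass
class AHHeader:
    next_header: int
    payload_len: int
    spi: int
    sequence: int
    auth_data: bytes

def parse_ah(buf: bytes) -> AHHeader:
    """Parse the AH fields listed on the slide. Payload Length is the header
    length in 32-bit words minus 2 (RFC 4302), so the Authentication Data
    occupies (payload_len + 2) * 4 - 12 bytes after the fixed 12-byte part."""
    if len(buf) < 12:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    total = (payload_len + 2) * 4
    if len(buf) < total:
        raise ValueError("truncated Authentication Data")
    return AHHeader(next_header, payload_len, spi, seq, buf[12:total])

def build_ah(next_header: int, spi: int, seq: int, auth_data: bytes) -> bytes:
    """Constructed sample header; a 12-byte ICV matches HMAC-MD5-96 / HMAC-SHA1-96."""
    payload_len = (12 + len(auth_data)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + auth_data

class ReplayWindow:
    """Sliding-window replay check on the Sequence Number: a number already
    seen, or older than the window, is rejected, as the slide describes."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.seen = size, 0, 0   # seen: bitmap below highest

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                  # sequence numbers start at 1
        if seq > self.highest:            # new high-water mark: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or (self.seen >> offset) & 1:
            return False                  # too old, or a replayed duplicate
        self.seen |= 1 << offset
        return True
```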

Page 25

IPSec Protocols: IP Encapsulating Security Payload
The IP Encapsulating Security Payload (ESP) protocol is the one that actually encrypts the data in an IP datagram, preventing intruders from reading the information in packets they capture from the network.
Figure: IP header | IPSec ESP header | transport-layer protocol header | application data | IPSec ESP trailer | IPSec ESP Authentication. The transport-layer header, application data and ESP trailer are encrypted (labelled “Encrypted with ESP header”); the ESP header and the encrypted portion are signed by the ESP Auth trailer.

Page 26

IPSec Protocols: ESP fields
Security Parameters Index
Payload Data
Pad Length
Next Header
Figure (AH and ESP combined): IP header | IPSec AH header | IPSec ESP header | transport-layer protocol header | application data | IPSec ESP trailer | IPSec ESP Authentication; as before, the portion after the ESP header is encrypted.

Page 27

Transport Mode and Tunnel Mode
IPSec can operate in two modes:
Transport mode: the two end systems must support IPSec.
Tunnel mode: designed to provide security for wide area network (WAN) connections, and particularly virtual private network (VPN) connections, which use the Internet as a communications medium.

Page 28

The tunnel mode communications (figure)
A packet entering a tunnel endpoint receives a new header and crosses the transit internetwork as a tunneled packet to the other tunnel endpoint, where it emerges as the original packet.

Page 29

The tunnel mode communications
Five steps on page 12-22.
The original datagram, inside the new datagram, remains unchanged. The IPSec headers are part of the outer datagram, which exists only to get the inner datagram from one router to the other.
Figure: IP header | IPSec ESP header | original IP header | transport-layer protocol header | application data | IPSec ESP trailer | IPSec ESP Authentication. Everything from the original IP header through the ESP trailer is encrypted (“Encrypted with ESP header”); the ESP header through the ESP trailer is signed by the ESP Auth trailer.

Page 30

Deploying IPSec
IPSec is based on standards published by the Internet Engineering Task Force (IETF), so all IPSec implementations conforming to those standards should be compatible.

Page 31

IPSec Components
There are several components:
IPSec Policy Agent
Internet Key Exchange (IKE): the IKE communication process proceeds in two stages. The first stage, called the Phase 1 SA, includes the negotiation of which encryption algorithm, hashing algorithm, and authentication method the systems will use. The second stage consists of the establishment of two Phase 2 SAs, one in each direction.
IPSec Driver

Page 32

Planning an IPSec Deployment
In an actual deployment, you must consider just what network traffic you need to protect and how much protection you want to provide.
IPSec is resource intensive in two different ways. First, the addition of AH and ESP headers to each packet increases the amount of traffic on your network. Second, calculating hashes and encrypting data both require large amounts of processor time.

Page 33

Working with IPSec Policies
IPSec policies flow down through the Active Directory hierarchy just like other group policy settings. When you apply an IPSec policy to a domain, for example, all the computers in the domain inherit that policy.

Page 34

Using the Default IPSec Policies
Client (Respond Only)
Secure Server (Require Security)
Server (Request Security)

Page 35

Modifying IPSec Policies (Rules)
Rules
IP filter lists
Filter actions

Page 36

Modifying IPSec Policies (IP filter lists)
Rules
IP filter lists
Filter actions

Page 37

Modifying IPSec Policies (Filter actions)
Rules
IP filter lists
Filter actions

Page 38

Exam Tip
Be sure you are familiar with the components of an IPSec policy and with the functions of each component.

Page 39

Practice: Creating an IPSec Policy
Exercise 1: Creating an MMC Console and Viewing the Default Policies
Page 12-30
Exercise 2: Creating a New IPSec Policy
Page 12-31

Page 40

Troubleshooting Data Transmission Security: Troubleshooting Policy Mismatches
Incompatible IPSec policies: it is also possible for two computers to be configured to use IPSec for a particular type of traffic but have incompatible filter action settings, such as different authentication methods or encryption algorithms.
Examine the Security logs in the Event Viewer console.

Page 41

Troubleshooting Data Transmission Security: Using the IP Security Monitor Snap-in
If you have IPSec policies deployed by Group Policy Objects at different levels of the Active Directory tree, the IPSec policy that is closest to the computer object is the one that takes effect.

Page 42

Troubleshooting Data Transmission Security: Using the Resultant Set of Policy Snap-in
You can use RSoP to view all the effective group policy settings for a computer or user, including the IPSec policies.

Page 43

Exam Tip
Be sure you understand the differences between the IP Security Monitor snap-in and the Resultant Set of Policy snap-in, and know when it is preferable to use each one.

Page 44

Examining IPSec Traffic
Windows Server 2003 Network Monitor includes parsers for IKE, AH, and ESP traffic.
However, you cannot use Network Monitor to examine packet information that has been encrypted using ESP.

Page 45

Practice: Using Resultant Set of Policy
Exercise 1: Creating a Resultant Set of Policy Console
Page 12-39
Exercise 2: Performing an RSoP Scan
Exercise 3: Creating a Domain IPSec Policy
Page 12-40

Page 46

Summary
Case Scenario Exercise
Page 12-43
Troubleshooting Lab
Page 12-44
Exam Highlights
Key Points
Key Terms
Page 12-45