security data transmission and authentication lesson 9
TRANSCRIPT
Security Data TransmissionSecurity Data Transmission and Authentication and Authentication
Lesson 9
Skills MatrixSkills Matrix
Technology Skill Objective Domain Objective #
Securing Network Traffic with IPSec
Configure IPsec 1.4
Configuring Network Authentication
Configure network authentication
3.3
Configuring the Windows Firewall
Configure firewall settings
3.5
Security Network Traffic with IPSecSecurity Network Traffic with IPSec• Whether you have a public presence on
the Internet or maintain a private network, securing your data is a core requirement.
• Much attention is placed on perimeter security and preventing attacks from outside the network.
• Much less attention is focused on attacks within the network, where an attack is more likely to occur.
• A solid security strategy employs many layers of coordinated security.
Security Network Traffic with IPSecSecurity Network Traffic with IPSec• The IP Security (IPSec) suite of
protocols was introduced to provide a series of cryptographic algorithms that can be used to provide security for all TCP/IP hosts at the Internet layer, regardless of the actual application that is sending or receiving data.
• With IPSec, a single security standard can be used across multiple heterogeneous networks, and individual applications need not be modified to use it.
Security Network Traffic with IPSecSecurity Network Traffic with IPSec
• IPSec has two principle goals:– To protect the contents of IP packets.– To provide a defense against network
attacks through packet filtering and the enforcement of trusted communication.
Security Network Traffic with IPSecSecurity Network Traffic with IPSec
• IPSec has a number of features that can significantly reduce or prevent the following attacks:– Packet sniffing.– Data modification.– Identity spoofing.– Man-in-the-middle attacks.– Denial of service attacks (DoS).
IPSecIPSec
• IPSec is an architectural framework that provides cryptographic security services for IP packets.
• IPSec is an end-to-end security technology.
• Each computer handles security at its respective end with the assumption that the medium over which the communication takes place is not secure.
IPSecIPSec• IPSec has many security features designed
to meet the goals of protection IP packets and defend against attacks through filtering and trusted communication.
• Automatic security association.
• IP packet filtering.• Network layer
security.• Peer
authentication.
• Data origin Authentication.
• Data Integrity.• Data
confidentiality.• Anti-Replay.• Key management.
IPSec ModesIPSec Modes• You can configure IPSec to use one of two
modes: transport mode or tunnel mode:– Transport mode — Use transport mode
when you require packet filtering and when you require end-to-end security. •Both hosts must support IPSec using the
same authentication protocols and must have compatible IPSec filters.
– Tunnel mode — Use tunnel mode for site-to-site communications that cross the Internet (or other public networks). •Tunnel mode provides gateway-to-gateway
protection.
IPSec ProtocolsIPSec Protocols
• The IPSec protocol suite provides security using a combination of individual protocols, including the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.
• These protocols work independently or in tandem, depending on the need for confidentiality and authentication.
Authentication Header (AH)Authentication Header (AH)• The Authentication Header (AH)
protocol provides authentication, integrity, and antireplay for the entire packet (both the IP header and the data payload carried in the packet).
• It does not provide confidentiality, which means that it does not encrypt the data. – The data is readable, but protected from
modification.
• AH uses keyed hash algorithms to sign the packet for integrity.
Encapsulating Security Payload (ESP)Encapsulating Security Payload (ESP)
• The Encapsulating Security Payload (ESP) protocol provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload.
• ESP in transport mode does not sign the entire packet; only the IP payload (not the IP header) is protected.
• ESP can be used alone or in combination with AH.
Encryption and Integrity Algorithms in Encryption and Integrity Algorithms in Windows Server 2008 IPSecWindows Server 2008 IPSec
Security AssociationSecurity Association• A security association (SA) is the combination
of security services, protection mechanisms, and cryptographic keys mutually agreed to by communicating peers.
• The SA contains the information needed to determine how the traffic is to be secured (the security services and protection mechanisms) and with which secret keys (cryptographic keys).
• Two types of SAs are created when IPSec peers communicate securely: the ISAKMP SA and the IPSec SA.
ISAKMP SAISAKMP SA
• The ISAKMP SA, also known as the main mode SA, is used to protect IPSec security negotiations.
• The ISAKMP SA is created by negotiating the cipher suite (a collection of cryptographic algorithms used to encrypt data) used for protecting future ISAKMP traffic, exchanging key generation material, and then identifying and authenticating each IPSec peer.
Internet Key Exchange (IKE)Internet Key Exchange (IKE)• The Internet Key Exchange (IKE) is a standard
that defines a mechanism to establish SAs.• IKE combines ISAKMP and the Oakley Key
Determination Protocol, a protocol that is to generate secret key material.
• The Diffie-Hellman key exchange algorithm allows two peers to determine a secret key by exchanging unencrypted values over a public network.
• A malicious user who intercepts the key exchange packets can view the numbers, but cannot perform the same calculation as the negotiating peers in order to derive the shared secret key.
Dynamic RekeyingDynamic Rekeying
• Windows Server 2008 IPSec also supports dynamic rekeying, which is the determination of new keying material through a new Diffie-Hellman exchange on a regular basis.
• Dynamic rekeying is based on an elapsed time, 480 minutes or 8 hours by default, or the number of data sessions created with the same set of keying material.
IPSec PoliciesIPSec Policies• IPSec policies are the security rules that define
the desired security level, hashing algorithm, encryption algorithm, and key length.
• These rules also define the addresses, protocols, DNS names, subnets, or connection types to which these security settings will apply.
• IPSec policies can be configured to meet the security requirements of a user, group, application, domain, site, or for an entire enterprise network. Windows Server 2008 has integrated management of IPSec into the Windows Firewall with Advanced Security MMC snap-in.
IPSec PoliciesIPSec Policies• IPSec policies are hierarchical in nature, and
are organized as follows:– Each IPSec policy consists of one or more IP
Security Rules.– Each IP Security Rule includes a single IP
Security Action that is applied to one or more IP Filter Lists.
– Each IP Filter List contains one or more IP Filters.
• Only one IPSec policy can be active on any one computer at a given time. – If you wish to assign a new IPSec policy to a
particular computer, you must first un-assign the existing IPSec policy.
Creating a IPSec PolicyCreating a IPSec Policy1. Select the option to create a new IPSec
policy. This will prompt you to launch the IP Security Rule wizard.a. Select the option to create a new IP
Security Rule. This will prompt you to create a new IP Filter List.i. Select the option to create a new IP Filter
List.ii.Select the option to create a new IP Filter.
This will prompt you to launch the New IP Filter Wizard. Once you have created one or more IP Filters, you can finish creating the IP Filter List.
Creating a IPSec PolicyCreating a IPSec Policy
iii. Once you have created one or more IP Filter Lists, select the option to create one or more Filter Actions. This will launch the IP Security Filter Action Wizard.
iv. Once you have created one or more IP Security Filter Actions, you can complete the IP Security Rule Wizard.
b. Once you have created one or more IP Security Rules, you can complete the IPSec Policy Wizard.
Creating a IPSec PolicyCreating a IPSec Policy
2. Once you have completed the IPSec Policy Wizard, you can assign your new IPSec policy to a single computer or a group of computers.
Creating a IPSec PolicyCreating a IPSec Policy
Creating a IPSec PolicyCreating a IPSec Policy
Creating a IPSec PolicyCreating a IPSec Policy
Creating a IPSec PolicyCreating a IPSec Policy
Creating a IPSec PolicyCreating a IPSec Policy
Creating a IPSec PolicyCreating a IPSec Policy
Creating a IPSec PolicyCreating a IPSec Policy
Windows Firewall with IPSec PoliciesWindows Firewall with IPSec Policies
• The driving factor behind combining administration of the Windows Firewall with IPSec policies is to streamline network administration on a Windows Server 2008 computer. – In Windows Server 2003, it was
possible to configure duplicate or even contradictory settings between IPSec and the Windows Firewall.
IPSec Default IPSec Default SettingsSettings
Connection Security RulesConnection Security Rules
• Windows Server 2008 comes with four pre-configured Connection Security Rule templates:– Isolation rule.– Authentication exemption rule.– Server-to-Server rule.– Tunnel rule.
Windows Firewall with Advanced Windows Firewall with Advanced SecuritySecurity
Creating a Connection Security RuleCreating a Connection Security Rule
Creating an Authentication Exemption Creating an Authentication Exemption RulelRulel
Viewing Configured Connection Viewing Configured Connection Security RulesSecurity Rules
IPSec DriverIPSec Driver• The IPSec driver receives the active IP filter list
from the IPSec Policy Agent. • The Policy Agent then checks for a match of
every inbound and outbound packet against the filters in the list.
• The IPSec driver stores all current quick mode SAs in a database.
• The IPSec driver uses the SPI field to match the correct SA with the correct packet.
• When an outbound IP packet matches the IP filter list with an action to negotiate security, the IPSec driver queues the packet, and then the IKE process begins negotiating security with the destination IP address of that packet.
IPSec Policy AgentIPSec Policy Agent• The purpose of the IPSec Policy Agent
is to retrieve information about IPSec policies and to pass this information to other IPSec components that require it in order to perform security functions.
• The IPSec Policy Agent is a service that resides on each computer running a Windows Server 2008 operating system, appearing as IPSec Services in the list of system services in the Services console.
Deploying IPSecDeploying IPSec
• IPSec policies can be deployed using local policies, Active Directory, or both.
Deploying IPSec Deploying IPSec • When deploying IPSec policies via GPO, there
are three built-in IPSec policies that are present by default:– Use the Client (Respond Only) policy on
computers that normally do not send secured data.
– The Server (Request Security) policy can be used on any computer — client or server — that needs to initiate secure communications.
– The Secure Server (Require Security) policy, does not send or accept unsecured transmissions.
• Like the Server policy, the Secure Server policy uses Kerberos authentication.
IPSec Policies node in a GPOIPSec Policies node in a GPO
Viewing the Windows Firewall with Advanced Viewing the Windows Firewall with Advanced Security node of a GPOSecurity node of a GPO
Monitoring IPSecMonitoring IPSec
• Windows Server 2008 provides several tools you can use to manage and monitor IPSec, including the IP Security Monitor, RSoP, Event Viewer, and the netsh command-line utility.
• In addition, the new Windows Firewall with Advanced Security MMC snap-in provides additional monitoring of Connection Security Rules and IPSec Security Associations.
Network AuthenticationNetwork Authentication• In addition to securing network traffic
with IPSec, another common issue is securing the network authentication process.
• The default authentication protocol in an Active Directory network is the Kerberos v5 protocol, but there are situations in which the NT LAN Manager (NTLM) authentication protocols come into play. – NTLM is typically considered a legacy
authentication protocol
Windows FirewallWindows Firewall
• Beginning with Windows Server 2003 Service Pack 1, the Windows server operating system has included a built-in stateful firewall called the Windows Firewall.
• A stateful firewall is so named because it can track and maintain information based on the status of a particular connection.
Windows FirewallWindows Firewall• The Windows Firewall is enabled by default on
all new installations of Windows Server 2008, and can be managed manually via the Windows Firewall Control Panel applet, the new Windows Firewall with Advanced Security MMC snap-in, or via Group Policy Objects in an Active Directory environment.
• The default configuration of the Windows Firewall in Windows Server 2008 will block all unsolicited inbound traffic; that is, attempts to access the computer from a remote network host that has not been specifically authorized by the administrator of the local server.
Windows FirewallWindows Firewall
Windows FirewallWindows Firewall
Windows Firewall ExceptionsWindows Firewall Exceptions
Windows Firewall ExceptionsWindows Firewall Exceptions
Viewing Inbound Exceptions in Windows Viewing Inbound Exceptions in Windows Firewall with Advanced SecurityFirewall with Advanced Security
SummarySummary
• IPSec is the standard method of providing security services for IP packets.
• ESP protocol provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload, while the AH protocol provides authentication, integrity, and anti-replay for the entire packet.
SummarySummary
• Two types of SAs are created when IPSec peers communicate securely: the ISAKMP SA and the IPSec SA.
• To negotiate SAs for sending secure traffic, IPSec uses IKE, a combination of ISAKMP and the Oakley Key Determination Protocol. ISAKMP messages contain many types of payloads to ex-change information during SA negotiation.
SummarySummary• Main mode negotiation is used to
establish the ISAKMP SA, which is used to protect future main mode and all quick mode negotiations.
• Quick mode negotiation is used to establish the IPSec SA to protect data.
• You can use Netsh IPSec static mode to create and assign IPSec policies, add a persistent policy, and change other configuration features.
SummarySummary
• You can use Active Directory Group Policy Objects or the Local Group Policy Object to configure NTLM authentication levels on a Windows Server 2008 computer.
SummarySummary
• The Windows Firewall with Advanced Security MMC snap-in allows you to control inbound and outbound traffic on a Windows Server 2008 computer, as well as integrate Windows Firewall configuration with IPSec through the use of Connection Security rules.