POSTED ON: 4/10/2012
Security Data Transmission and Authentication
Lesson 9

Skills Matrix
Technology Skill | Objective Domain | Objective #
Securing Network Traffic with IPSec | Configure IPsec | 1.4
Configuring Network Authentication | Configure network authentication | 3.3
Configuring the Windows Firewall | Configure firewall settings | 3.5

Securing Network Traffic with IPSec
• Whether you have a public presence on the Internet or maintain a private network, securing your data is a core requirement.
• Much attention is placed on perimeter security and preventing attacks from outside the network.
• Much less attention is focused on attacks within the network, where an attack is more likely to occur.
• A solid security strategy employs many layers of coordinated security.

Securing Network Traffic with IPSec
• Disk encryption and physical security protect data at rest on a drive or tape.
• Unfortunately, they do not protect data in motion as it is transmitted across the network.
• You need a mechanism to protect data as it is transmitted over network links.
• IPSec is a tool with encryption powers that allows you to encrypt data and use magical checksum hashes to ensure that packets are not tampered with as they are transmitted. You can do either or both with IPSec.

Securing Network Traffic with IPSec
• The IP Security (IPSec) suite of protocols was introduced to provide a series of cryptographic algorithms that can be used to provide security for all TCP/IP hosts at the Internet layer, regardless of the actual application that is sending or receiving data.
• With IPSec, a single security standard can be used across multiple heterogeneous networks, and individual applications need not be modified to use it.

Securing Network Traffic with IPSec
• IPSec has two principal goals:
  – To protect the contents of IP packets.
  – To provide a defense against network attacks through packet filtering and the enforcement of trusted communication.

Securing Network Traffic with IPSec
• IPSec has a number of features that can significantly reduce or prevent the following attacks:
  – Packet sniffing.
  – Data modification.
  – Identity spoofing.
  – Man-in-the-middle attacks.
  – Denial of service attacks (DoS).

IPSec
• IPSec is an architectural framework that provides cryptographic security services for IP packets. Think of it as IP+Security.
• IPSec is an end-to-end security technology.
• Each computer handles security at its respective end with the assumption that the medium over which the communication takes place is not secure.
• IPSec is the most common VPN protocol.

IPSec
• IPSec has many security features designed to meet the goals of protecting IP packets and defending against attacks through filtering and trusted communication:
  – Automatic security association.
  – IP packet filtering.
  – Network layer security.
  – Peer authentication.
  – Data origin authentication.
  – Data integrity.
  – Data confidentiality.
  – Anti-replay.
  – Key management.

IPSec Modes
• You can configure IPSec to use one of two modes, transport mode or tunnel mode:
  – Transport mode: Use transport mode when you require packet filtering and when you require end-to-end security. It typically provides host-to-host security.
    • Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters.
  – Tunnel mode: Use tunnel mode for site-to-site communications that cross the Internet (or other public networks).
    • Tunnel mode provides gateway-to-gateway protection.

IPSec Protocols
• The IPSec protocol suite provides security using a combination of individual protocols, including the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.
• These protocols work independently or in tandem, depending on the need for confidentiality and authentication.

Authentication Header (AH)
• The Authentication Header (AH) protocol provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet).
• It does not provide confidentiality, which means that it does not encrypt the data.
  – The data is readable, but protected from modification.
• AH uses keyed hash algorithms to sign the packet for integrity.

Encapsulating Security Payload (ESP)
• The Encapsulating Security Payload (ESP) protocol provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload. This is encryption.
• ESP in transport mode does not sign the entire packet; only the IP payload (not the IP header) is protected.
• ESP can be used alone or in combination with AH.

Encryption and Integrity Algorithms in Windows Server 2008 IPSec
* This also applies to Windows 7 and Server 2008 R2.

Security Association
• A security association (SA) is the combination of security services, protection mechanisms, and cryptographic keys mutually agreed to by communicating peers.
• The SA contains the information needed to determine how the traffic is to be secured (the security services and protection mechanisms) and with which secret keys (cryptographic keys). These are set up on a per-connection basis.
• Two types of SAs are created when IPSec peers communicate securely: the ISAKMP SA and the IPSec SA.

ISAKMP SA
• The ISAKMP SA is known as the main mode SA.
• It is used to protect IPSec security negotiations.
• The ISAKMP SA is created by negotiating the cipher suite (a collection of cryptographic algorithms used to encrypt data) used for protecting future ISAKMP traffic, exchanging key generation material, and then identifying and authenticating each IPSec peer.

Internet Key Exchange (IKE) – p. 208
• The Internet Key Exchange (IKE) is a standard that defines a mechanism to establish SAs.
• IKE combines ISAKMP and the Oakley Key Determination Protocol, a protocol that is used to generate secret key material.
• The Diffie-Hellman key exchange algorithm allows two peers to determine a secret key by exchanging unencrypted values over a public network.
• A malicious user who intercepts the key exchange packets can view the numbers, but cannot perform the same calculation as the negotiating peers in order to derive the shared secret key.

Dynamic Rekeying
• Windows Server 2008 IPSec also supports dynamic rekeying, which is the determination of new keying material through a new Diffie-Hellman exchange on a regular basis.
• This increases security by changing the key periodically.
• Dynamic rekeying is based on an elapsed time, 480 minutes or 8 hours by default, or the number of data sessions created with the same set of keying material.

IPSec Policies – p. 209
• IPSec policies are the security rules that define the desired security level, hashing algorithm, encryption algorithm, and key length.
• An IP Filter can be mirrored; traffic that is defined in one direction will also be defined in the opposite direction.
• These rules also define the addresses, protocols, DNS names, subnets, or connection types to which these security settings will apply.
• IPSec policies can be configured to meet the security requirements of a user, group, application, domain, site, or for an entire enterprise network. Windows Server 2008 has integrated management of IPSec into the Windows Firewall with Advanced Security MMC snap-in.

IPSec Policies
• IPSec policies are hierarchical in nature, and are organized as follows:
  – Like group policy, each IPSec policy consists of one or more IP Security Rules configured for clients.
  – Each IP Security Rule includes a single IP Security Action that is applied to one or more IP Filter Lists.
  – Each IP Filter List contains one or more IP Filters.
• !! Only one IPSec policy can be active on any one computer at a given time.
  – If you wish to assign a new IPSec policy to a particular computer, you must first un-assign the existing IPSec policy.

How to Create an IPSec Policy – p. 211
1. Select the option to create a new IPSec policy. This will prompt you to launch the IP Security Rule wizard. (See slide 24 for images. Instructions on page 212 of text.)
   a. Select the option to create a new IP Security Rule. This will prompt you to create a new IP Filter List.
      i. Select the option to create a new IP Filter List.
      ii. Select the option to create a new IP Filter. This will prompt you to launch the New IP Filter Wizard. Once you have created one or more IP Filters, you can finish creating the IP Filter List.
      iii. Once you have created one or more IP Filter Lists, select the option to create one or more Filter Actions. This will launch the IP Security Filter Action Wizard.
      iv. Once you have created one or more IP Security Filter Actions, you can complete the IP Security Rule Wizard.
   b. Once you have created one or more IP Security Rules, you can complete the IPSec Policy Wizard.
2. Once you have completed the IPSec Policy Wizard, you can assign your new IPSec policy to a single computer or a group of computers.

Creating an IPSec Policy

Windows Firewall with IPSec Policies
• The driving factor behind combining administration of the Windows Firewall with IPSec policies is to streamline network administration on a Windows Server 2008 computer.
  – In Windows Server 2003, it was possible to configure duplicate or even contradictory settings between IPSec and the Windows Firewall.

IPSec Default Settings – p. 217

Connection Security Rules
• Windows Server 2008 comes with four pre-configured Connection Security Rule templates:
  – Isolation rule.
  – Authentication exemption rule.
  – Server-to-Server rule.
  – Tunnel rule.

Connection Security Rules
• The four pre-configured templates:
  – Isolation rule.
    • Allows you to restrict inbound and outbound connections based on certain sets of criteria.
  – Authentication exemption rule.
    • Allows you to specify one or more computers that do not need to be authenticated in order to pass traffic, for example, DHCP.
  – Server-to-Server rule.
    • Secures traffic between two servers or groups of servers.
  – Tunnel rule.
    • Will secure traffic only between two tunnel endpoints, not actual hosts.

Windows Firewall with Advanced Security

Creating a Connection Security Rule
* See page 219 for the activity instructions to create a connection security rule in the Windows Firewall with Advanced Security MMC.

Creating an Authentication Exemption Rule

Viewing Configured Connection Security Rules – p. 221

IPSec Driver – p. 222
• The IPSec driver receives the active IP filter list from the IPSec Policy Agent.
• The Policy Agent then checks for a match of every inbound and outbound packet against the filters in the list.
• The IPSec driver stores all current quick mode SAs in a database.
• The IPSec driver uses the SPI field to match the correct SA with the correct packet.
• When an outbound IP packet matches the IP filter list with an action to negotiate security, the IPSec driver queues the packet, and then the IKE process begins negotiating security with the destination IP address of that packet.

IPSec Policy Agent – p. 224
• The purpose of the IPSec Policy Agent is to retrieve information about IPSec policies and to pass this information to other IPSec components that require it in order to perform security functions.
• The IPSec Policy Agent is a service that resides on each computer running a Windows Server 2008 operating system, appearing as IPSec Services in the list of system services in the Services console.

Deploying IPSec – p. 225
• IPSec policies can be deployed using:
  – Local policies.
  – Active Directory.
  – Both local policies and AD group policies.
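
A simplified model of the policy structure and packet handling described in the IPSec Policies and IPSec Driver slides, as an added example that is not part of the original lesson: each rule pairs one action with a filter list, mirrored filters match both directions, outbound traffic that needs security is queued until IKE yields an SA, and the SA is stored under its SPI. The class, rule and method names, the addresses and SPI, and the first-match and default-permit behaviour are assumptions of this sketch.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "name filter_list action")  # action: permit, block or negotiate

@dataclass(frozen=True)
class IPFilter:
    src: str               # source subnet
    dst: str               # destination subnet
    protocol: str          # "tcp", "udp" or "any"
    dst_port: int          # 0 = any port
    mirrored: bool = True
    def _one_way(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.protocol in ("any", proto) and self.dst_port in (0, dport))
    def matches(self, src, dst, proto, sport, dport):
        # A mirrored filter also matches the reply direction (ends swapped).
        return (self._one_way(src, dst, proto, dport)
                or (self.mirrored and self._one_way(dst, src, proto, sport)))

class IPSecHost:
    def __init__(self, rules):
        self.rules = rules  # rules of the one active policy
        self.sas = {}       # SPI -> peer address: the quick mode SA database
        self.queue = []     # outbound packets held while IKE negotiates
    def classify(self, pkt):
        for rule in self.rules:   # simplification: first matching rule wins
            if any(f.matches(*pkt) for f in rule.filter_list):
                return rule.action
        return "permit"           # assumption: unmatched traffic is left unsecured
    def outbound(self, pkt):
        action = self.classify(pkt)
        if action != "negotiate":
            return action
        spi = next((s for s, peer in self.sas.items() if peer == pkt[1]), None)
        if spi is None:
            self.queue.append(pkt)    # held until IKE finishes with pkt[1]
            return "queued-for-ike"
        return f"secured spi={spi:#x}"
    def ike_done(self, peer, spi):
        self.sas[spi] = peer          # new SA, looked up later by its SPI
        ready = [p for p in self.queue if p[1] == peer]
        self.queue = [p for p in self.queue if p[1] != peer]
        return [self.outbound(p) for p in ready]

# Constructed sample policy; packets are (src, dst, protocol, src_port, dst_port).
POLICY = [Rule("secure-telnet", [IPFilter("10.0.0.0/24", "10.0.1.0/24", "tcp", 23)], "negotiate"),
          Rule("block-tftp", [IPFilter("0.0.0.0/0", "10.0.1.0/24", "udp", 69, mirrored=False)], "block")]
```

The non-mirrored TFTP filter shows why mirroring matters: the reverse direction of that flow falls through to the default, while the mirrored Telnet filter classifies replies the same way as requests.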

Deploying IPSec
• When deploying IPSec policies via GPO, there are three built-in IPSec policies that are present by default:
  – Use the Client (Respond Only) policy on computers that normally do not send secured data.
  – The Server (Request Security) policy can be used on any computer, client or server, that needs to initiate secure communications.
  – The Secure Server (Require Security) policy does not send or accept unsecured transmissions.
    • Like the Server policy, the Secure Server policy uses Kerberos authentication.

Deploying IPSec
• Permanent IPSec policies are known as persistent policies.
• These are stored in the registry and protect the computer between startup and AD IPSec policy enforcement.
• You must restart to make changes in persistent policies appear.
• AD-based IPSec policies override local IPSec policies.
• Though multiple IPSec policies may be assigned, only one can be active at a time for a given host.

IPSec Policies node in a GPO – p. 227

Viewing the Windows Firewall with Advanced Security node of a GPO

Monitoring IPSec – p. 227
• Windows Server 2008 provides several tools you can use to manage and monitor IPSec, including the IP Security Monitor, RSoP, Event Viewer, and the netsh command-line utility.
• In addition, the new Windows Firewall with Advanced Security MMC snap-in provides additional monitoring of Connection Security Rules and IPSec Security Associations.

Network Authentication
• In addition to securing network traffic with IPSec, another common issue is securing the network authentication process.
• The default authentication protocol in an Active Directory network is the Kerberos v5 protocol, but there are situations in which the NT LAN Manager (NTLM) authentication protocols come into play.
  – NTLM is typically considered a legacy authentication protocol.

Windows Firewall
• Beginning with Windows Server 2003 Service Pack 1, the Windows server operating system has included a built-in stateful firewall called the Windows Firewall.
• A stateful firewall is so named because it can track and maintain information based on the status of a particular connection.

Windows Firewall
• The Windows Firewall is enabled by default on all new installations of Windows Server 2008, and can be managed manually via: 1) the Windows Firewall Control Panel applet, 2) the new Windows Firewall with Advanced Security MMC snap-in, or 3) Group Policy Objects in an Active Directory environment.
• The default configuration of the Windows Firewall in Windows Server 2008 will block all unsolicited inbound traffic; that is, attempts to access the computer from a remote network host that has not been specifically authorized by the administrator of the local server.

Windows Firewall Exceptions

Viewing Inbound Exceptions in Windows Firewall with Advanced Security

Summary
• IPSec is the standard method of providing security services for IP packets.
• The ESP protocol provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload, while the AH protocol provides authentication, integrity, and anti-replay for the entire packet.

Summary
• Two types of SAs are created when IPSec peers communicate securely: the ISAKMP SA and the IPSec SA.
• To negotiate SAs for sending secure traffic, IPSec uses IKE, a combination of ISAKMP and the Oakley Key Determination Protocol. ISAKMP messages contain many types of payloads to exchange information during SA negotiation.

Summary
• Main mode negotiation is used to establish the ISAKMP SA, which is used to protect future main mode and all quick mode negotiations.
• Quick mode negotiation is used to establish the IPSec SA to protect data.
• You can use Netsh IPSec static mode to create and assign IPSec policies, add a persistent policy, and change other configuration features.

Summary
• You can use Active Directory Group Policy Objects or the Local Group Policy Object to configure NTLM authentication levels on a Windows Server 2008 computer.

Summary
• The Windows Firewall with Advanced Security MMC snap-in allows you to control inbound and outbound traffic on a Windows Server 2008 computer, as well as integrate Windows Firewall configuration with IPSec through the use of Connection Security rules.
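
The AH and ESP slides state that AH signs the whole packet with a keyed hash, that ESP in transport mode protects only the IP payload, and that both provide anti-replay. The sketch below is an added example, not part of the original lesson, showing those three properties on the receiving side. The HMAC-SHA1-96 choice, the 64-packet window, the key, SPI and byte strings are assumptions or constructed values, and real AH excludes mutable header fields.

```python
import hashlib
import hmac
import struct

WINDOW = 64  # anti-replay window size in packets (value assumed for this sketch)

def icv(key, protocol, spi, seq, ip_header, payload):
    """Keyed hash (HMAC-SHA1 truncated to 96 bits) over the protected bytes."""
    covered = struct.pack("!II", spi, seq) + payload
    if protocol == "AH":                 # AH also covers the IP header
        covered = ip_header + covered    # (simplified: real AH skips mutable fields)
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]

class Receiver:
    def __init__(self, key, protocol, spi):
        self.key, self.protocol, self.spi = key, protocol, spi
        self.highest = 0   # highest sequence number verified so far
        self.seen = 0      # bit i set => sequence number (highest - i) was received

    def accept(self, spi, seq, ip_header, payload, tag):
        if spi != self.spi:
            return "no-sa"
        behind = self.highest - seq
        if seq == 0 or behind >= WINDOW or (behind >= 0 and (self.seen >> behind) & 1):
            return "replay"
        expected = icv(self.key, self.protocol, spi, seq, ip_header, payload)
        if not hmac.compare_digest(expected, tag):
            return "tampered"
        if behind < 0:     # newer packet: slide the window forward
            self.seen = ((self.seen << -behind) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:              # late but inside the window: mark as received
            self.seen |= 1 << behind
        return "ok"

def demo():
    key, spi = b"constructed-sa-key-0", 0x1001            # constructed sample values
    hdr, data = b"src=10.0.0.5 dst=10.0.1.9", b"payload"  # stand-ins for real bytes
    altered = b"src=10.0.0.66 dst=10.0.1.9"
    ah, esp = Receiver(key, "AH", spi), Receiver(key, "ESP", spi)
    t_ah, t_esp = icv(key, "AH", spi, 1, hdr, data), icv(key, "ESP", spi, 1, hdr, data)
    return [
        ah.accept(spi, 1, altered, data, t_ah),    # header changed in transit
        esp.accept(spi, 1, altered, data, t_esp),  # ESP does not cover the header
        ah.accept(spi, 1, hdr, b"PAYLOAD", t_ah),  # payload changed in transit
        ah.accept(spi, 1, hdr, data, t_ah),        # untouched packet
        ah.accept(spi, 1, hdr, data, t_ah),        # same packet delivered again
    ]
```

The window is updated only after the keyed hash verifies, so a forged packet with a high sequence number cannot push valid traffic out of the window.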