Security Data Transmission and Authentication by W3zHsgV3


Security Data Transmission and Authentication
Lesson 9
Skills Matrix
Technology Skill                       Objective Domain                   Objective #
Securing Network Traffic with IPSec    Configure IPsec                    1.4
Configuring Network Authentication     Configure network authentication   3.3
Configuring the Windows                Configure firewall settings        3.5
Securing Network Traffic with IPSec
• Whether you have a public presence on the
  Internet or maintain a private network, securing
  your data is a core requirement.
• Much attention is placed on perimeter security and
  preventing attacks from outside the network.
• Much less attention is focused on attacks within
  the network, where an attack is more likely to
• A solid security strategy employs many layers of
  coordinated security.
Securing Network Traffic with IPSec
• Disk encryption and physical security protect data
  at rest on a drive or tape.
• Unfortunately, they do not protect data in motion
  as it is transmitted across the network.
• You need a mechanism to protect data as it is
  transmitted over network links.
• IPSec is a tool with encryption powers that allows
  you to encrypt data and use magical checksum
  hashes to ensure that packets are not tampered
  with as they are transmitted. You can do either or
  both with IPSec.
Securing Network Traffic with IPSec
• The IP Security (IPSec) suite of protocols was
  introduced to provide a series of
  cryptographic algorithms that can be used to
  provide security for all TCP/IP hosts at the
  Internet layer, regardless of the actual
  application that is sending or receiving data.
• With IPSec, a single security standard can be
  used across multiple heterogeneous
  networks, and individual applications need
  not be modified to use it.
Securing Network Traffic with IPSec
• IPSec has two principal goals:
  – To protect the contents of IP packets.
  – To provide a defense against network attacks
    through packet filtering and the enforcement
    of trusted communication.
Securing Network Traffic with IPSec
• IPSec has a number of features that can
  significantly reduce or prevent the following
  – Packet sniffing.
  – Data modification.
  – Identity spoofing.
  – Man-in-the-middle attacks.
  – Denial of service attacks (DoS).
• IPSec is an architectural framework that
  provides cryptographic security services for
  IP packets. Think of it as IP+Security.
• IPSec is an end-to-end security technology.
• Each computer handles security at its
  respective end with the assumption that the
  medium over which the communication
  takes place is not secure.
• IPSec is the most common VPN protocol.
• IPSec has many security features designed to
  meet the goals of protecting IP packets and
  defending against attacks through filtering and
  trusted communication:
  • Automatic security association.
  • IP packet filtering.
  • Network layer security.
  • Peer authentication.
  • Data origin authentication.
  • Data integrity.
  • Data confidentiality.
  • Anti-replay.
  • Key management.
IPSec Modes
• You can configure IPSec to use one of two modes:
  transport mode or tunnel mode:
  – Transport mode — Use transport mode when you
    require packet filtering and when you require end-to-
    end security. It typically provides host-to-host security.
     • Both hosts must support IPSec using the same
       authentication protocols and must have compatible
       IPSec filters.
  – Tunnel mode — Use tunnel mode for site-to-site
    communications that cross the Internet (or other
    public networks).
     • Tunnel mode provides gateway-to-gateway
IPSec Protocols
• The IPSec protocol suite provides security
  using a combination of individual protocols,
  including the Authentication Header (AH)
  protocol and the Encapsulating Security
  Payload (ESP) protocol.
• These protocols work independently or in
  tandem, depending on the need for
  confidentiality and authentication.
Authentication Header (AH)
• The Authentication Header (AH) protocol provides
  authentication, integrity, and antireplay for the
  entire packet (both the IP header and the data
  payload carried in the packet).
• It does not provide confidentiality, which means
  that it does not encrypt the data.
  – The data is readable, but protected from
• AH uses keyed hash algorithms to sign the packet
  for integrity.
Encapsulating Security Payload (ESP)
• The Encapsulating Security Payload (ESP)
  protocol provides confidentiality (in addition
  to authentication, integrity, and anti-replay)
  for the IP payload. This is encryption.
• ESP in transport mode does not sign the
  entire packet; only the IP payload (not the IP
  header) is protected.
• ESP can be used alone or in combination
  with AH.
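The difference in integrity coverage between AH and ESP transport mode can be modeled in a few lines. This is an added example, not part of the original slides: the key, addresses and SPI are constructed, the AH model leaves out the AH header's own fields, and ESP encryption is omitted so that only the signed region is compared.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, ttl, proto, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left at 0 in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))

def zero_mutable(header):
    """Zero fields that routers legitimately change in transit."""
    h = bytearray(header)
    h[1] = 0                 # type of service
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(header, payload):
    """AH model: keyed hash over the IP header (mutable fields zeroed) plus payload."""
    return hmac.new(KEY, zero_mutable(header) + payload, hashlib.sha1).digest()[:12]

def esp_transport_icv(spi, seq, payload):
    """ESP transport model: keyed hash over the ESP header and payload only."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + payload, hashlib.sha1).digest()[:12]

def detected(hdr, payload, new_hdr, new_payload):
    """Report which protocol's integrity check fails after a change in transit."""
    esp = esp_transport_icv(0x1001, 1, payload) != esp_transport_icv(0x1001, 1, new_payload)
    return {"AH": ah_icv(hdr, payload) != ah_icv(new_hdr, new_payload), "ESP": esp}

def compare():
    payload = b"constructed application data"
    hdr = ipv4_header([10, 0, 0, 5], [10, 0, 0, 9], 128, 51, len(payload))
    spoofed = ipv4_header([10, 0, 0, 66], [10, 0, 0, 9], 128, 51, len(payload))
    routed = ipv4_header([10, 0, 0, 5], [10, 0, 0, 9], 127, 51, len(payload))
    return {
        "source address rewritten": detected(hdr, payload, spoofed, payload),
        "TTL decremented": detected(hdr, payload, routed, payload),
        "payload modified": detected(hdr, payload, hdr, payload + b"!"),
    }

if __name__ == "__main__":
    for change, result in compare().items():
        print(change, result)
```

A rewritten source address fails the AH check but passes the ESP transport check, which is why the two protocols are combined when header integrity matters.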
Encryption and Integrity Algorithms in Windows
Server 2008 IPSec

* This also applies to Windows 7 and Server 2008 R2.
Security Association
• A security association (SA) is the combination of
  security services, protection mechanisms, and
  cryptographic keys mutually agreed to by
  communicating peers.
• The SA contains the information needed to determine
  how the traffic is to be secured (the security services
  and protection mechanisms) and with which secret
  keys (cryptographic keys). These are set up on a per
  connection basis.
• Two types of SAs are created when IPSec peers
  communicate securely: the ISAKMP SA and the IPSec
• ISAKMP SA is known as the main mode SA
• Used to protect IPSec security negotiations.
• The ISAKMP SA is created by negotiating the
  cipher suite (a collection of cryptographic
  algorithms used to encrypt data) used for
  protecting future ISAKMP traffic, exchanging
  key generation material, and then identifying
  and authenticating each IPSec peer.
Internet Key Exchange (IKE) – p. 208
• The Internet Key Exchange (IKE) is a standard that
  defines a mechanism to establish SAs.
• IKE combines ISAKMP and the Oakley Key
  Determination Protocol, a protocol that is used to
  generate secret key material.
• The Diffie-Hellman key exchange algorithm allows
  two peers to determine a secret key by exchanging
  unencrypted values over a public network.
• A malicious user who intercepts the key exchange
  packets can view the numbers, but cannot perform
  the same calculation as the negotiating peers in
  order to derive the shared secret key.
Dynamic Rekeying
• Windows Server 2008 IPSec also supports
  dynamic rekeying, which is the determination of
  new keying material through a new Diffie-Hellman
  exchange on a regular basis.
• This increases security by changing the key
• Dynamic rekeying is based on an elapsed time,
  480 minutes or 8 hours by default, or the number
  of data sessions created with the same set of
  keying material.
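The Diffie-Hellman exchange and time-based rekeying described in the two slides above, as an added example that is not part of the original slides. The prime, generator, `Peer` class and the hashing step are assumptions chosen for readability; real IKE uses standardized groups with much larger primes and its own key derivation.

```python
import hashlib
import secrets

# Toy public parameters (assumption, chosen for readability): real IKE
# negotiations use standardized groups with much larger primes.
P = 2**127 - 1        # a known Mersenne prime
G = 3
REKEY_MINUTES = 480   # default lifetime given on the slide

class Peer:
    def __init__(self):
        self.new_exchange()

    def new_exchange(self):
        """Pick a fresh private value; only `public` is ever sent."""
        self._private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._private, P)

    def session_key(self, peer_public):
        """Combine our private value with the peer's public value."""
        shared = pow(peer_public, self._private, P)
        # Hashing the shared secret into a key is illustrative, not IKE's KDF.
        return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def negotiate(a, b):
    """One exchange: both derived keys plus everything a sniffer could capture."""
    a.new_exchange()
    b.new_exchange()
    wire = {"p": P, "g": G, "A": a.public, "B": b.public}
    return a.session_key(b.public), b.session_key(a.public), wire

def key_at(minute, a, b, state):
    """Key in force at `minute`; a new exchange runs once the lifetime elapses."""
    if "key" not in state or minute - state["since"] >= REKEY_MINUTES:
        state["key"], _, _ = negotiate(a, b)
        state["since"] = minute
    return state["key"]

if __name__ == "__main__":
    alice, bob, state = Peer(), Peer(), {}
    k_a, k_b, wire = negotiate(alice, bob)
    print("keys match:", k_a == k_b, "| sniffer sees only:", sorted(wire))
    first = key_at(0, alice, bob, state)
    print("same key at minute 479:", key_at(479, alice, bob, state) == first)
    print("new key at minute 480:", key_at(480, alice, bob, state) != first)
```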
IPSec Policies – p. 209
• IPSec policies are the security rules that define the
  desired security level, hashing algorithm, encryption
  algorithm, and key length.
• An IP Filter can be mirrored; traffic that is defined in one
  direction will also be defined in the opposite direction.
• These rules also define the addresses, protocols, DNS
  names, subnets, or connection types to which these
  security settings will apply.
• IPSec policies can be configured to meet the security
  requirements of a user, group, application, domain, site,
  or for an entire enterprise network. Windows Server
  2008 has integrated management of IPSec into the
  Windows Firewall with Advanced Security MMC snap-in.
IPSec Policies
• IPSec policies are hierarchical in nature, and are
  organized as follows:
   – Like group policy, each IPSec policy consists of one
     or more IP Security Rules configured for clients.
   – Each IP Security Rule includes a single IP Security
     Action that is applied to one or more IP Filter Lists.
   – Each IP Filter List contains one or more IP Filters.
• !! Only one IPSec policy can be active on any one
  computer at a given time.
   – If you wish to assign a new IPSec policy to a
     particular computer, you must first un-assign the
     existing IPSec policy.
How to Create an IPSec Policy – p. 211
1. Select the option to create a new IPSec policy.
   This will prompt you to launch the IP Security Rule
   wizard. (See slide 24 for images. Instructions on
   page 212 of text.)
    a. Select the option to create a new IP Security
       Rule. This will prompt you to create a new IP
       Filter List.
        i. Select the option to create a new IP Filter List.
        ii. Select the option to create a new IP Filter. This
            will prompt you to launch the New IP Filter
            Wizard. Once you have created one or more IP
            Filters, you can finish creating the IP Filter List.
Creating an IPSec Policy
     iii. Once you have created one or more IP
          Filter Lists, select the option to create one
          or more Filter Actions. This will launch the
          IP Security Filter Action Wizard.
     iv. Once you have created one or more IP
          Security Filter Actions, you can complete
          the IP Security Rule Wizard.
  b. Once you have created one or more IP
     Security Rules, you can complete the IPSec
     Policy Wizard.
Creating an IPSec Policy
2. Once you have completed the IPSec Policy
   Wizard, you can assign your new IPSec
   policy to a single computer or a group of
Windows Firewall with IPSec Policies
• The driving factor behind combining
  administration of the Windows Firewall with
  IPSec policies is to streamline network
  administration on a Windows Server 2008
  – In Windows Server 2003, it was possible to
    configure duplicate or even contradictory
    settings between IPSec and the Windows
IPSec Default Settings – p. 217
Connection Security Rules
• Windows Server 2008 comes with four pre-
  configured Connection Security Rule
  – Isolation rule
  – Authentication exemption rule.
  – Server-to-Server rule.
  – Tunnel rule.
Connection Security Rules
• The four pre-configured templates:
  – Isolation rule.
     • Allows you to restrict inbound and outbound connections based
       on certain sets of criteria.
  – Authentication exemption rule.
     • Allows you to specify one or more computers that do not need to
       be authenticated in order to pass traffic, i.e. DHCP
  – Server-to-Server rule.
     • Secures traffic between two servers or groups of servers.
  – Tunnel rule.
     • Will secure traffic only between two tunnel endpoints, not actual hosts.
Windows Firewall with Advanced Security
Creating a Connection Security Rule

* See page 219 for the activity instructions to create a security rule in the Windows Firewall with Security MMC.
Creating an Authentication Exemption Rule
Viewing Configured Connection Security Rules

p. 221
IPSec Driver – p. 222
• The IPSec driver receives the active IP filter list from the
  IPSec Policy Agent.
• The Policy Agent then checks for a match of every
  inbound and outbound packet against the filters in the
• The IPSec driver stores all current quick mode SAs in a
• The IPSec driver uses the SPI field to match the correct
  SA with the correct packet.
• When an outbound IP packet matches the IP filter list
  with an action to negotiate security, the IPSec driver
  queues the packet, and then the IKE process begins
  negotiating security with the destination IP address of
  that packet.
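How an inbound packet can be matched to its SA by SPI and then checked against an anti-replay window, as an added example that is not part of the original slides and is not the Windows driver's code. The class names, the SPI values, the peer address and the 64-packet window are assumptions for illustration; a real implementation verifies packet integrity before advancing the window.

```python
WINDOW = 64  # anti-replay window size in packets (assumed for this example)

class SecurityAssociation:
    def __init__(self, spi, peer):
        self.spi, self.peer = spi, peer
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was already seen

    def accept(self, seq):
        """Sliding-window check: reject duplicates and packets older than the window."""
        if seq == 0:
            return "drop: invalid sequence"
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "drop: older than window"
        if self.bitmap & (1 << offset):
            return "drop: replay"
        self.bitmap |= 1 << offset
        return "accept"

class SADatabase:
    """Current SAs indexed by SPI, the field carried in every AH/ESP packet."""
    def __init__(self):
        self._by_spi = {}

    def add(self, sa):
        self._by_spi[sa.spi] = sa

    def inbound(self, spi, seq):
        sa = self._by_spi.get(spi)
        if sa is None:
            return "drop: no SA for SPI"
        return sa.accept(seq)

def run_sample():
    sad = SADatabase()
    sad.add(SecurityAssociation(0x1A2B, "10.0.0.9"))  # constructed SA
    # Constructed (SPI, sequence) pairs: in order, reordered, replayed, stale, unknown SPI.
    packets = [(0x1A2B, 1), (0x1A2B, 2), (0x1A2B, 4), (0x1A2B, 3),
               (0x1A2B, 2), (0x1A2B, 100), (0x1A2B, 30), (0xDEAD, 1)]
    return [sad.inbound(spi, seq) for spi, seq in packets]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```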
IPSec Policy Agent – p. 224
• The purpose of the IPSec Policy Agent is to
  retrieve information about IPSec policies and
  to pass this information to other IPSec
  components that require it in order to
  perform security functions.
• The IPSec Policy Agent is a service that
  resides on each computer running a
  Windows Server 2008 operating system,
  appearing as IPSec Services in the list of
  system services in the Services console.
Deploying IPSec – p. 225
• IPSec policies can be deployed using:
  – local policies
  – Active Directory
  – Both local policies and AD group policies.
Deploying IPSec
• When deploying IPSec policies via GPO, there are
  three built-in IPSec policies that are present by
   – Use the Client (Respond Only) policy on computers
     that normally do not send secured data.
   – The Server (Request Security) policy can be used on
     any computer — client or server — that needs to
     initiate secure communications.
   – The Secure Server (Require Security) policy does
     not send or accept unsecured transmissions.
• Like the Server policy, the Secure Server policy
  uses Kerberos authentication.
Deploying IPSec
• Permanent IPSec policies are known as persistent
• These are stored in the registry and protect the
  computer between startup and AD IPSec policy
• You must restart to make changes in persistent
  policies appear.
• AD-based IPSec policies override local IPSec
• Though multiple IPSec policies may be assigned,
  only one can be active at a time for a given host.
IPSec Policies node in a GPO – p. 227
Viewing the Windows Firewall with Advanced
Security node of a GPO
Monitoring IPSec – p. 227
• Windows Server 2008 provides several tools
  you can use to manage and monitor IPSec,
  including the IP Security Monitor, RSoP,
  Event Viewer, and the netsh command-line
• In addition, the new Windows Firewall with
  Advanced Security MMC snap-in provides
  additional monitoring of Connection Security
  Rules and IPSec Security Associations.
Network Authentication
• In addition to securing network traffic with
  IPSec, another common issue is securing the
  network authentication process.
• The default authentication protocol in an
  Active Directory network is the Kerberos v5
  protocol, but there are situations in which
  the NT LAN Manager (NTLM) authentication
  protocols come into play.
  – NTLM is typically considered a legacy
    authentication protocol
Windows Firewall
• Beginning with Windows Server 2003
  Service Pack 1, the Windows server
  operating system has included a built-in
  stateful firewall called the Windows Firewall.
• A stateful firewall is so named because it
  can track and maintain information based
  on the status of a particular connection.
Windows Firewall
• The Windows Firewall is enabled by default on all
  new installations of Windows Server 2008, and can
  be managed manually via: 1) the Windows Firewall
  Control Panel applet, 2) the new Windows Firewall
  with Advanced Security MMC snap-in, or 3) via
  Group Policy Objects in an Active Directory
• The default configuration of the Windows Firewall
  in Windows Server 2008 will block all unsolicited
  inbound traffic; that is, attempts to access the
  computer from a remote network host that has not
  been specifically authorized by the administrator of
  the local server.
Windows Firewall Exceptions
Viewing Inbound Exceptions in Windows Firewall
with Advanced Security
• IPSec is the standard method of providing
  security services for IP packets.
• ESP protocol provides confidentiality (in
  addition to authentication, integrity, and
  anti-replay) for the IP payload, while the AH
  protocol provides authentication, integrity,
  and anti-replay for the entire packet.
• Two types of SAs are created when IPSec
  peers communicate securely: the ISAKMP SA
  and the IPSec SA.
• To negotiate SAs for sending secure traffic,
  IPSec uses IKE, a combination of ISAKMP
  and the Oakley Key Determination Protocol.
  ISAKMP messages contain many types of
  payloads to exchange information during SA
• Main mode negotiation is used to establish
  the ISAKMP SA, which is used to protect
  future main mode and all quick mode
• Quick mode negotiation is used to establish
  the IPSec SA to protect data.
• You can use Netsh IPSec static mode to
  create and assign IPSec policies, add a
  persistent policy, and change other
  configuration features.
• You can use Active Directory Group Policy
  Objects or the Local Group Policy Object to
  configure NTLM authentication levels on a
  Windows Server 2008 computer.
• The Windows Firewall with Advanced
  Security MMC snap-in allows you to control
  inbound and outbound traffic on a Windows
  Server 2008 computer, as well as integrate
  Windows Firewall configuration with IPSec
  through the use of Connection Security
