CHAPTER 5

                                    IMPLEMENTING IPSec

 

           

Lesson 1:  Introducing and Enabling IPSec

 

IPSec is the long-term direction for secure networking.  It provides a key line of defense against

private network and Internet attacks, balancing ease of use with security.

 

 

Internet Protocol Security

 

 

As the Internet and intranets have evolved, the need for security has increased.  The main
areas of concern are keeping network traffic safe from:

  • Data modification while en route
  • Interception, viewing, or copying when intercepted
  • Being accessed by unauthenticated parties

 

 

IPSec is a framework of open standards for ensuring private, secure communications over IP
networks through the use of cryptographic security services.  The Microsoft Windows 2000
implementation of IPSec is based on standards developed by the Internet Engineering Task
Force (IETF) IPSec working group.  IPSec has two goals:

 

  • To protect IP packets
  • To provide a defense against network attacks

 

 

Both goals are met through the use of cryptography-based protection services, security protocols,
and dynamic key management.  This foundation provides both the strength and flexibility to
protect communications among computers on a private network, in remote sites connected
by the Internet, and on dial-up clients.  It can even be used to filter data packets on a network.

 

IPSec is based on an end-to-end security model, meaning that the only computers that must know
about IPSec are the sending and receiving computers.  Each handles security at its respective end,
with the assumption that the medium over which the communication takes place is not secure.
Routers that forward packets between the source and destination are not required to support
IPSec.  This model allows IPSec to be successfully deployed for your existing enterprise scenarios:

 

 

 

=====================================================================

 

wininf5.html                                                    PAGE 2                                                    2002/03/15

 

 

 

  • Local area network (LAN):  client/server, peer to peer
  • Wide area network (WAN):  router to router
  • Remote access:  dial-up clients and Internet access from private networks

 

 

In-Depth Defense

 

Data must be protected from interception, modification, or access by unauthorized parties. 

Network attacks can result in system downtime and public exposure of sensitive information.

 

User-access control security methods (smart cards, Kerberos version 5 authentication) are not

adequate to protect against most network-level attacks, because they rely solely on user names

and passwords.  Many computers are shared by multiple users.  As a result, the computer is

often left in a logged-on state, making it unsecured.  If a user name and password have been

hijacked, user-access control security cannot stop the attacker’s access to network resources.

 

Physical-level protection strategies protect the actual network wires from being accessed and

the network access points from being used.  Instead, the best method of protecting data is

provided with IPSec’s end-to-end model:  The sending computer encrypts the data prior to

transmission (before it ever reaches the network wires) and the receiving computer decrypts

the data only after it has been received.  For this reason, IPSec should be one of the

components in a layered enterprise security plan.  It protects your private data in a public

environment by providing a strong, cryptography-based defense against attacks.  Used in

combination with strong user-access control, perimeter, and physical-level security, IPSec

ensures an in-depth defense for your data.

 

 

Benefits of IPSec

 

Windows 2000 IPSec is implemented transparently to the user.  Users do not have to be in

the same domain to communicate with IPSec protection.  They can each be in any trusted

domain in the enterprise.  IPSec Management allows administration to be centralized. 

Security policies are created by a domain administrator for the most common communication

scenarios.  These policies are stored in the directory service and assigned to domain policies.

 

When each computer logs on to the domain, it automatically downloads its security policy,

avoiding the need to configure each computer individually.  Windows 2000 IPSec provides

the following advantages to help achieve a high level of secure communication with a low

cost of use.

 

 

 


 

 

 

  •   Centralized security policy administration, which reduces administrative overhead costs.
  •   Transparency of IPSec to users and applications.
  •   Flexibility in configuring security policies that meet the needs of a diverse enterprise.
  •   Confidentiality services, which prevent unauthorized access to sensitive data as it passes
between communicating parties.
  •   Strong authentication services, which verify the identity of both the sender and receiver.
  •   Encryption of each packet.
  •   Long key lengths and dynamic rekeying during ongoing communications, which help protect
against attacks.
  •   Secure links end to end for private network users within the same domain or across
any trusted domain in the enterprise.
  •   Secure links end to end, based on IP address, between remote users and users in any
domain in the enterprise.

 

 

 

Simplified Deployment

 

 

To achieve secure communications with a low cost of ownership, Windows 2000 simplifies

the deployment of IPSec with the following features:

 

 

Integration with the Windows 2000 Security Framework

 

IPSec uses the Windows 2000 secure domain as its trust model.  By default, IPSec policies use
the Windows 2000 default authentication method (Kerberos V5 authentication) to identify and
trust communicating computers.  Computers that are members of a Windows 2000 domain or a
trusted domain can easily establish IPSec-secured communications.

 

 

 

 


 

 

 

Centralized IPSec Policy Administration at the Active Directory Level

 

IPSec policies can be assigned through the Group Policy features of Active Directory.  This
allows the IPSec policy to be assigned at the domain or organizational unit level, which eliminates
the administrative overhead of configuring each computer individually.

 

 

Transparency of IPSec to Users and Applications

 

IPSec’s high level of protection comes from its implementation at the IP transport level (network
layer 3).  Implementing security at Layer 3 provides protection for upper-layer protocols in the
Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, such as TCP, User
Datagram Protocol (UDP), Hypertext Transfer Protocol (HTTP), and even custom protocols
that send traffic at the IP layer.

 

The primary benefit of securing information at this low level is that all applications and services

using IP for transport of data can be protected with IPSec.  This is an improvement over other

security mechanisms that operate above Layer 3, such as Secure Sockets Layer (SSL), which

only protects applications that use SSL.  If protection were required for all applications, then

modifications to each application would be necessary.

 

 

[Figure: Layer 3 Protection (labels in the diagram: PROTECTED, IP Sec)]


 

 

 

 

Flexible Security Configuration

 

The security services dynamically exchange and manage cryptography-based keys between

communicating computers.

 

 

Automatic Key Management

 

The IPSec services dynamically exchange and manage cryptography-based keys between
communicating computers.

 

 

Automatic Security Negotiation

 

The IPSec services dynamically negotiate a mutual set of security requirements between communicating
computers, eliminating the need for both computers to have identical policies.

 

 

Public Key Infrastructure Support

 

Using public key certificates for authentication is supported to allow authentication and secure

communication with computers that do not belong to a Windows 2000 trusted domain.

 

Preshared Key Support

 

If authentication using the Kerberos V5 protocol or public key certificates is not possible, a

preshared key (a shared, secret password) can be configured to enable authentication and trust

between the communicating computers.

 

 

IP Security Process

 

This is an overview of the IP Security process.

 

  •   An IP packet matches an IP filter that is part of an IPSec policy.
  •   The IPSec policy can have several optional security methods.  The IPSec driver needs
to know which method to use to secure the packet.
  •   ISAKMP (Internet Security Association and Key Management Protocol) negotiates a
security method and sends it, plus a security key, to the IPSec driver.
  •   The method and key become the IPSec security association (SA).  The IPSec driver
stores this SA in its database.
  •   Both communicating hosts need to encrypt or decrypt IP traffic, so both need to know
and store the SA.

 

 

 


 

 

 

 

IPSec Architecture

 

IPSec is implemented in Windows 2000 using the following components:

 

  • IPSec policy agent
  • ISAKMP/Oakley Key Management Service
  • IPSec driver
  • IPSec model

 

 

 

IPSec Policy Agent Service

 

The policy agent is an IPSec mechanism residing on each Windows 2000 computer.  The policy
agent starts automatically when the computer is started.  The policy agent performs the following
tasks at the intervals specified in the IPSec policy:

  •   Retrieves the computer’s assigned IPSec policy from Windows 2000 Active Directory.
  •   If there are no IPSec policies in the directory service or if the policy agent cannot connect to the
directory service, it attempts to read the policy from the computer’s registry.  The policy agent
service stops if there are no IPSec policies in the directory service or registry.
  •   If there are policies in the directory service, the data transfer of policy information from the
directory service to the computer is protected with data integrity and encryption services.
  •   Sends the policy information to the IPSec driver, the ISAKMP/Oakley service, and the
computer’s registry.

 

 

ISAKMP/Oakley Key Management Service

 

This service is an IPSec mechanism residing on each computer running Windows 2000.  Before
IP datagrams can be transmitted from one computer to another, a security association must be
established between the two computers.

 

 

 


 

 

 

 

ISAKMP centralizes the administration, and is a two-phase operation:

  •   Establishes a secure channel between the two computers for the communication.
  •   Establishes a security association between the two computers, which is passed to the IPSec
driver, along with the shared key, on both the sending and receiving computers.

 

 

 

IPSec Driver

 

 

The IPSec driver (IPSEC.SYS) resides on each computer running Windows 2000.  The driver
watches all IP datagrams for a match with a filter list in the computer’s security policy.  The filter
list defines which computers and networks require secure communications.

 

NOTE:  The policy agent automatically starts the IPSec driver.

 

 

 

The IPSec Model

 

See page 107 for the diagram.

 

NOTE:  Any routers or switches that are in the path between the communicating computers

should only participate in forwarding the encrypted IP datagrams to their destination.  However,

if a firewall or other security gateway is between the communicating computers, IP forwarding

must be enabled or special filtering must be created to permit forwarding of encrypted IP

datagrams.

 

 

Considerations for IPSec

 

IPSec provides encryption of outgoing packets, but at a cost in performance.  IPSec implements

symmetric encryption of network data that is very efficient.  You can configure IPSec policies to:

 

  •   Specify the types of authentication and the levels of confidentiality required between
IPSec clients.
  •   Specify the lowest security level at which communications are allowed to occur
between IPSec-aware clients.

 

 


 

 

 

 

  •   Allow or prevent communications with non-IPSec-aware clients.
  •   Require all communications to be encrypted for confidentiality, or allow
communications in plaintext.

 

 

Consider using IPSec to provide security for the following applications:

 

  •   Peer-to-peer communications over your organization’s intranet, such as a legal department.
  •   Client/server communications to protect sensitive information stored on servers.
  •   Remote access communications (VPN).  For VPNs using IPSec with L2TP, remember
to set up Group Policy to permit auto-enrollment for IPSec certificates.  For detailed information about
machine certificates for L2TP over IPSec VPN connections.
  •   Secure router-to-router WAN communications.

 

Consider the following strategies for IPSec in your network security:

 

  • Identify clients and servers to use IPSec communications
  • Identify whether client authentication is based on Kerberos trust or digital certificates.
  • Describe each IPSec policy, including rules and filter lists.
  • Describe certificate services needed to support client authentication by digital certificates.
  • Describe enrollment processes and strategies to enroll users for IPSec certificates.

 

 

Lesson Summary:

 

  •   IPSec is a framework of open standards for ensuring private, secure communications
over IP networks through the use of cryptographic security services.
  •   The architecture of IPSec is comprised of four major components:  IPSec policy
agent, ISAKMP/Oakley Key Management Service, IPSec driver, and IPSec model.

 

 


 

 

 

 

Lesson 2:  Configuring IPSec

 

The Microsoft Management Console (MMC) can be used to create and configure IPSec

policies.  It can be configured to centrally manage policy (for Active Directory), manage

policy locally, or manage policy remotely for a computer.

 

 

Prerequisites for Implementing IPSec

 

The computers in your network need to have an IPSec policy defined that is appropriate for
your network security strategy.  Computers in the same domain might be organized into groups
with IPSec policy applied to the groups.  Computers in different domains might have
complementary IPSec policies to support secure network communications.

 

 

 

How to Implement IPSec

 

You can view the default IP Security policies in the Group Policy snap-in in MMC, under Active
Directory\Group Policy\Computer Configuration\Windows Settings\Security Settings\IP
Security Policies on Active Directory.

 

 

Configuring IPSec Policies

 

The initial window displays three predefined policy entries:  Client (Respond Only), Secure

Server (Require Security), and Server (Request Security).  By default none of these policies

are enabled.

 

These defaults are the same whether the IPSec policy is local or stored in Active Directory as

part of a group policy.

 

  •   The Client (Respond Only) policy allows communications in plaintext but
will respond to IPSec requests and attempt to negotiate security.

  •   The Server (Request Security) policy causes the server to attempt to initiate
secure communications for every session.

  •   The Secure Server (Require Security) policy requires Kerberos trust for
all IP packets sent from this computer, with the exception of broadcast,
multicast, Resource Reservation Setup Protocol (RSVP), and ISAKMP packets.

 

 


 

 

 

 

NOTE:  Only one policy can be assigned at a time.  If an IPSec policy is configured in several

overlapping group policies, the normal group policy hierarchy applies.

 

 

Connection Types

 

 

NOTE:  All policy settings can be configured through wizards.  Use of the wizards is turned

on by default, but can be turned off by deselecting the Use Add Wizard check box.

 

Designating a connection type for each rule determines which computer connections
(network adapters or modems) will be affected by an IPSec policy.

 

 

Authentication Method

 

The authentication method defines how each user is going to be assured that the other

computers or users really are who they say they are.  There are three authentication methods:

 

Kerberos.  The Kerberos V5 security protocol is the default authentication technology.
Kerberos issues tickets, or virtual proof-of-identity cards, when a computer logs on to a
trusted domain.  This method can be used for any clients running the Kerberos V5 protocol.

Certificates.  This requires that at least one trusted certificate authority (CA) has been configured.

Preshared Key.  This is a shared key that is secret and is previously agreed on by two users.

NOTE:  The key derived from the authentication is for authentication only; it is not the key
used to encrypt or authenticate the data.

 

 

IP Packet Filtering

 

IP Security is applied to packets as they are sent and received.  Packets are matched against

filters when being sent (outbound) to see if they should be secured, blocked, or passed through

in clear text. 

 

Input filters, which apply to traffic received, allow the receiving computer to match the traffic
with the IP filter list, respond to requests for secure communication, or match the traffic with an
existing SA and decrypt the secured packets.

 

 


 

 

 

 

 

Output filters, which apply to traffic leaving a computer toward a destination, trigger a security
negotiation that must take place before traffic is sent.

 

IMPORTANT  Although input and output filters are defined and used in the filter list, it is

unclear in the user interface as to which filter is being created.  The source and destination

addresses determine whether the filter is inbound or outbound.

 

 

There must be a filter to cover any traffic scenarios to which the associated rule applies.  A

filter contains the following parameters:

 

The source and destination address of the IP packet. 

 

  •   My IP Address.  The IP address of the local machine.
  •   Any IP Address.  Unicast addresses only.  IPSec does not support multicast or

broadcast addresses.

  •   A specific IP Address.  This is a specific IP address on the local network or on the Internet.
  •   A specific IP Subnet.  This includes any IP address on a specified IP subnet.

 

   NOTE:  IPSec populates My IP Address with the first bound IP address
   only.  If the machine is multihomed, IPSec will use only one of the IP
   addresses, not both.  Routing and Remote Access clients are considered
   to be multihomed, and therefore IPSec may not populate the IP address
   properly.

 

The protocol over which the packet is being transferred.  This automatically defaults to cover
all IP client protocols in the TCP/IP suite.

 

 

======================================================================
Protocol Type     Description
======================================================================
ANY               Any Protocol
EGP               Exterior Gateway Protocol
HMP               Host Monitoring Protocol
ICMP              Internet Control Message Protocol
Other             Unspecified protocol based on IP protocol number
RAW               Raw data on top of IP
RDP               Reliable Datagram Protocol
RVD               MIT Remote Virtual Disk
TCP               Transport Control Protocol
UDP               User Datagram Protocol
XNS-IDP           Xerox NS IDP
======================================================================

 

 

 

 


 

 

 

 

 

The source and destination port of the protocol for TCP and UDP.  This also defaults to cover

all ports, but can be configured to apply only to packets sent or received on a specific port.

 

Select the filter when editing or creating a filter.  Filters can be managed globally by right-clicking on the
managed computer in the left pane.  They can also be managed within each of the policies’ Rules
Properties pages.  The Filter Creation Wizard allows these properties to be configured.

 

Mirroring

 

Mirroring allows a filter to match packets with the exact opposite source and destination addresses.
An outbound filter specifying the initiating computer’s IP address as the source address and the second
computer as the destination address, for example, will automatically create an inbound filter specifying
the second computer as the source address and the initiating computer’s IP address as the destination.

If Host A wants to always exchange data securely with Host B:

  •   To send secured data to Host B, Host A’s IPSec policy must have a filter specification
for any outbound packets going to Host B.
  •   To receive secured data from Host A, Host B’s IPSec policy must have a filter
specification for any inbound packets from Host A, or must have a policy with the
default-response rule set to active.
  •   Mirroring allows each host to send to or receive from the other host without
creating another filter to do so.
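The following Python example is added here to illustrate the filter model described above; it is not part of the course notes or of Windows 2000 itself.  It models a filter specification (source, destination, protocol, ports), derives a filter’s direction from its addresses (the user interface does not label filters, as the IMPORTANT note above says), produces the mirrored filter, and classifies constructed sample packets for Host A (10.0.0.5) and Host B (10.0.0.9).  The rule set, the addresses, and the first-matching-rule ordering are assumptions made for the example.

```python
# Added example (not part of the course notes): a small model of Windows 2000
# IPSec filter specifications.  Hosts, addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

MY_IP = ipaddress.ip_address("10.0.0.5")          # Host A, "My IP Address"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Filter:
    src: str                        # "me", "any", an IP address, or a subnet in CIDR form
    dst: str
    protocol: str = "ANY"           # "ANY", "TCP", "UDP", "ICMP", ...
    src_port: Optional[int] = None  # None = any port (only meaningful for TCP/UDP)
    dst_port: Optional[int] = None

    def direction(self) -> str:
        # The UI does not label filters in/out; the addresses decide.
        if self.src == "me" and self.dst != "me":
            return "outbound"
        if self.dst == "me" and self.src != "me":
            return "inbound"
        return "either"

    def mirrored(self) -> "Filter":
        # Mirroring: the same filter with source and destination swapped.
        return Filter(self.dst, self.src, self.protocol, self.dst_port, self.src_port)


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "me":
        return ip == MY_IP
    if spec == "any":
        # "Any IP Address" covers unicast only; multicast and broadcast are not supported.
        return not ip.is_multicast and ip != LIMITED_BROADCAST
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


def matches(flt: Filter, pkt: dict) -> bool:
    # pkt is a dict with src, dst, protocol and, for TCP/UDP, sport and dport.
    if flt.protocol != "ANY" and flt.protocol != pkt["protocol"]:
        return False
    if flt.protocol in ("TCP", "UDP"):
        if flt.src_port is not None and flt.src_port != pkt.get("sport"):
            return False
        if flt.dst_port is not None and flt.dst_port != pkt.get("dport"):
            return False
    return _addr_matches(flt.src, pkt["src"]) and _addr_matches(flt.dst, pkt["dst"])


def with_mirrors(filters):
    # Expand a filter list the way the Mirrored option does: each filter plus its opposite.
    out = []
    for f in filters:
        out.append(f)
        out.append(f.mirrored())
    return out


# Constructed rules for Host A: block inbound Telnet, negotiate security with
# Host B (10.0.0.9) in both directions; anything else passes in clear text.
RULES = [
    ([Filter("any", "me", "TCP", None, 23)], "block"),
    (with_mirrors([Filter("me", "10.0.0.9")]), "negotiate"),
]


def classify(pkt: dict, rules=RULES) -> str:
    # Assumed ordering for the example: the first rule with a matching filter wins;
    # a packet matching no filter at all is sent in clear text.
    for filters, action in rules:
        if any(matches(f, pkt) for f in filters):
            return action
    return "permit"
```

Because the "any" specification excludes multicast and limited-broadcast addresses, a DHCP broadcast from Host A falls through every rule and is permitted in clear text, which is consistent with the broadcast and multicast exceptions listed for the Secure Server policy above.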

 

 

Filter Actions

 

The filter action specifies what security action to take once a filter has been triggered.  The

negotiation consists of support for only authenticity and integrity using the authentication header

(AH) protocol, or for integrity and confidentiality using the Encapsulating Security Payload

(ESP) protocol.

 

One or more negotiated filter actions may be specified.  If the first filter action cannot be negotiated,
then the next filter action will be attempted.

It is also possible to choose either high or medium security rather than specifying a custom method.
High security both encrypts and provides data integrity.  Medium security provides only for data integrity.

 

 


 

 

 

 

Additional IPSec Tasks

 

Several other tasks available to the administrator are accessed by right-clicking on the IP Security

Policy icon in the left window, and they include:

 

Manage IP Lists and Filter Actions.  This allows the administrator to configure filters and filter

actions separate from individual rules.

Check Policy Integrity.  Because Active Directory takes the last information saved as current,

if multiple administrators are editing a policy, the links between policy components could be broken.

 

  • Policy A uses Filter A.
  • Policy B uses Filter B.

 

The policy integrity check eliminates this problem by verifying the links in all IPSec policies. 

It is a good idea to run the integrity check after modifications to a policy.  Several other tasks
available to the administrator are accessed by right-clicking on the IP Security Policy icon in the
left window.

 

Restore Default Policies.  Restores the predefined policies to the original configuration.

Import Policies.  Allows policies to be imported from another host on the network.

Export Policies.  Allows a policy to be exported to another host on the network.

 

 

Lesson Summary:

 

 

  •   Three predefined policy entries, Client (Respond Only), Secure Server (Require Security), and
Server (Request Security), come with Windows 2000.
  •   Using IPSec you have several different authentication methods.

 

 

Lesson:  Customizing IPSec Policies and Rules

 

IPSec is easily customizable with policies and rules. 

 

 

 


 

 

 

Policy-Based Security

 

Strong, cryptographic security methods have become necessary to protect communications,

but they can also increase administrative overhead.  IPSec reduces this by providing policy-

based administration.

 

 

IPSec Policies

 

An IPSec policy is a named collection of rules and key exchange settings.  The policy may

be assigned as a domain security policy or an individual computer’s security policy.  A domain

computer will automatically inherit the IPSec policy assigned to the domain security policy

when it logs on to the domain.  If a computer is not connected to a domain (for example, a

roving laptop or a stand-alone server), IPSec policies are stored in and retrieved from the

computer registry.

 

 

This allows great flexibility in configuring security policies for groups of similar computers or

individual computers with special requirements.   For example, one security policy can be

created for all users on the same network or all users in a particular department.  IPSec

policies are created with the IPSec Management Snap-in, page 120.

 

 

Rules

 

Rules govern how and when IPSec is used.  A rule contains a list of IP filters and specifies

the security actions that will take place upon a filter match.  A rule is a collection of:

 

  •   IP filters
  •   Negotiation policies
  •   Authentication methods
  •   IP tunneling attributes
  •   Adapter types

 

Each security policy may contain multiple rules.  This provides the flexibility of assigning one

IPSec policy to multiple computers with different communication scenarios.

 

 

 

 

 


 

 

IP Filters and Filter Specifications

 

All rules are based on packets matching an IP filter.  Each rule may only have a single IP

filter active.  The IPSec driver watches each IP datagram for a match with the active IP filter.

 

 

Filter Specifications

 

IP datagrams are checked for a match against each filter specification.  Filter specifications

contain the following properties:

 

  •   The source and destination address of an IP datagram, based on IP address, DNS
name, or a specific subnet or network.
  •   The protocol, TCP or UDP.
  •   The specific source and destination protocol port number for either TCP or UDP.

 

 

Security Methods and Negotiation Policies

 

Security Methods:

 

Each security method specifies a unique level of security to be used for the communication. 

 

  •   High.  The IP ESP provides confidentiality, integrity, authentication, and antireplay protection

services.

 

  •   Medium.  The IP AH security protocol provides integrity, authentication, and antireplay

protection services.  Confidentiality is not a part of AH.

 

  •   Custom.  In addition to choosing between ESP and AH, expert users can specify the

algorithms for authentication, integrity, and confidentiality.

 

Negotiation Policies

 

A negotiation policy is a named collection of security methods.  Each rule can have a single

negotiation policy specified as currently active.
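The following Python example is added to illustrate how a negotiation policy (an ordered list of security methods) is matched against a peer’s policy, and how a filter action falls back to the next method when the first cannot be negotiated (see Filter Actions above).  It is not from the course notes; the algorithm choices behind High and Medium and the three host policies are constructed for the example.

```python
# Added example (not part of the course notes): negotiating a security method
# from two computers' negotiation policies.  Policies and algorithms are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class SecurityMethod:
    protocol: str                     # "ESP" or "AH"
    integrity: str                    # hash for integrity/authentication, e.g. "SHA1" or "MD5"
    encryption: Optional[str] = None  # cipher for ESP (e.g. "3DES", "DES"); None for AH

    @property
    def services(self) -> FrozenSet[str]:
        # AH and ESP both give integrity, authentication and antireplay;
        # only ESP with a cipher adds confidentiality.
        s = {"integrity", "authentication", "antireplay"}
        if self.protocol == "ESP" and self.encryption is not None:
            s.add("confidentiality")
        return frozenset(s)


# The two predefined levels from the notes, as concrete methods (algorithm
# choices assumed for the example).
HIGH = SecurityMethod("ESP", "SHA1", "3DES")     # confidentiality + integrity
MEDIUM = SecurityMethod("AH", "SHA1")            # integrity only


def negotiate(initiator: Iterable[SecurityMethod],
              responder: Iterable[SecurityMethod],
              required: FrozenSet[str] = frozenset()) -> Optional[SecurityMethod]:
    """Walk the initiator's methods in preference order and return the first one
    that the responder also lists and that provides every service in `required`
    (the lowest security level the policy allows).  None if nothing is mutual."""
    responder = list(responder)
    for method in initiator:
        if method in responder and required <= method.services:
            return method
    return None


def outcome(initiator, responder, required=frozenset(), allow_unsecured=False) -> str:
    """Result of a filter action: the negotiated method, clear text if the action
    permits falling back to unsecured communication, otherwise the traffic is blocked."""
    method = negotiate(initiator, responder, required)
    if method is not None:
        name = f"{method.protocol}/{method.integrity}"
        return name + (f"/{method.encryption}" if method.encryption else "")
    return "plaintext" if allow_unsecured else "blocked"


# Constructed policies: Host A and Host B differ, but MEDIUM is mutual;
# Host C shares nothing with Host A.
HOST_A = [HIGH, MEDIUM]
HOST_B = [MEDIUM, SecurityMethod("AH", "MD5")]
HOST_C = [SecurityMethod("ESP", "MD5", "DES")]
```

The `allow_unsecured` flag is the difference between a Server (Request Security) style action, which falls back to clear text when the peer cannot negotiate, and a Secure Server (Require Security) style action, which does not.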

 

Because IPSec does not disturb the original IP header, it is considered normal IP traffic and

is routed as such.  This is also true for both transport and tunnel modes.

 

 


 

 

 

 

ESP and Routers

 

ESP neither encrypts nor authenticates the IP header, leaving it undisturbed.  Even in tunnel
mode, where the original IP header is encrypted, routing does not pose a problem.  The new
tunnel IP header (left undisturbed) is used to route between the tunnel endpoints.  Once the
packet reaches the tunnel destination endpoint, it is authenticated and decrypted.  The original
IP packet is forwarded without IPSec authentication or encryption to the final destination.

 

 

AH and Routers

 

AH uses all fields in the IP header to create the Integrity Check Value (ICV).  Because routers
modify fields in the IP header as they forward packets, this could cause problems; however, the
fields that may be modified are set to zero for ICV calculation.

 

 

 

IPSec Through Firewalls

 

Any routers or switches in the data path between the communication hosts will simply forward

the encrypted and/or authenticated IP packet to their destination.  However, if there is a firewall

or filtering router, IP forwarding must be enabled for the following IP protocols and UDP port:

 

IP Protocol ID of 51.  Both inbound and outbound filters should be set to pass AH traffic.

IP Protocol ID of 50.  Both inbound and outbound filters should be set to pass ESP traffic.

UDP Port 500.  Both inbound and outbound filters should be set to pass ISAKMP traffic.

 

Be aware that these settings would be used to allow IPSec traffic to pass through the firewall only
when using transport mode, or if the firewall is on the public side of the tunnel server.  The router
would have to create and maintain all the SAs associated with each connection.

 

 

NOTE:  Traditional firewall filtering (filtering on TCP or UDP ports) cannot be done to ESP traffic,

as the port numbers are encrypted.

 

 

 


 

 

 

 

IPSec Through NAT and Proxies

 

It is not possible to use IPSec through a NAT or application proxy.  Even though the IP header is

left intact, the encryption and authentication do not allow other fields in the packet to be changed.

 

 

NAT

 

The following sections will discuss why IPSec does not work through NAT.

 

Inability to Distinguish Multiple IPSec Data Streams

 

The ESP header contains the Security Parameters Index (SPI).  The SPI in the IPSec header, used in

conjunction with the destination IP address in the standard IP header, identifies an IPSec SA.

 

 

Inability to change TCP and UDP checksums

 

The UDP and TCP headers contain a checksum that includes the source and destination IP address

of the standard IP header.  The addresses in the standard IP header cannot be changed without

invalidating the checksum in the TCP and UDP headers.
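An added example (not from the course notes) that demonstrates the checksum problem described above: the TCP checksum is computed over a pseudo-header that contains the source and destination IP addresses.  A plain NAT can see the TCP header, so it rewrites the address and recomputes the checksum; when the segment is inside ESP the NAT can only rewrite the outer IP header, and the receiver's checksum verification fails.  The addresses and data are constructed, and the ESP "encryption" is a placeholder byte transform, not a real cipher.

```python
import socket
import struct

PROTO_TCP = 6


def ones_complement_sum(data):
    """Fold a byte string into a 16-bit ones-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, segment_len):
    """The IPv4 pseudo-header that TCP (and UDP) fold into their checksum."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, PROTO_TCP, segment_len))


def with_checksum(segment, src_ip, dst_ip):
    """Return the TCP segment with its checksum recomputed for the given addresses."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(zeroed)) + zeroed)) & 0xFFFF
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]


def checksum_valid(segment, src_ip, dst_ip):
    """Receiver-side check: the sum over pseudo-header plus segment must come out as 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_tcp(sport, dport, src_ip, dst_ip, data=b""):
    """A SYN segment with a correct checksum for the given address pair."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return with_checksum(hdr + data, src_ip, dst_ip)


def esp_protect(segment):
    """Placeholder for ESP encryption (constructed): the NAT cannot read or rewrite the result."""
    return bytes(b ^ 0x5A for b in segment)


def esp_unprotect(ciphertext):
    return bytes(b ^ 0x5A for b in ciphertext)


# Constructed addresses: A sits behind a NAT whose public address is 203.0.113.7.
PRIVATE_A, PUBLIC_A, HOST_B = "10.0.0.5", "203.0.113.7", "198.51.100.9"


def plain_nat_scenario():
    """Without IPSec the NAT sees the TCP header, rewrites the source address and
    recomputes the checksum, so B's check succeeds."""
    seg = build_tcp(40000, 80, PRIVATE_A, HOST_B, b"constructed data")
    translated = with_checksum(seg, PUBLIC_A, HOST_B)   # NAT fixes the checksum
    return checksum_valid(translated, PUBLIC_A, HOST_B)


def esp_nat_scenario():
    """With ESP the segment is encrypted: the NAT rewrites only the outer source address,
    B decrypts the untouched segment and verifies it against the translated address."""
    seg = build_tcp(40000, 80, PRIVATE_A, HOST_B, b"constructed data")
    ciphertext = esp_protect(seg)      # the NAT cannot touch this
    outer_src = PUBLIC_A               # only the outer IP header was rewritten
    received = esp_unprotect(ciphertext)
    return checksum_valid(received, outer_src, HOST_B)


def esp_without_nat_scenario():
    """The same ESP packet with no address rewrite: the checksum still verifies."""
    seg = build_tcp(40000, 80, PRIVATE_A, HOST_B, b"constructed data")
    return checksum_valid(esp_unprotect(esp_protect(seg)), PRIVATE_A, HOST_B)


if __name__ == "__main__":
    print("plain NAT, checksum valid at B:", plain_nat_scenario())         # True
    print("ESP through NAT, checksum valid at B:", esp_nat_scenario())     # False
    print("ESP without NAT, checksum valid at B:", esp_without_nat_scenario())  # True
```

The same reasoning applies to UDP, whose checksum covers the same pseudo-header.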

 

Application Proxies

 

Because application proxies operate at the application layer, they would need to be IPSec-aware

and have a security association for each IPSec client.

 

Securing SNMP

 

All SNMP-enabled systems must be configured to use IPSec, or at a minimum, the IPSec policies

must be configured to allow unsecured communications if all the SNMP-enabled hosts cannot

also be IPSec-enabled.

 

IPSec does not automatically encrypt the SNMP protocol.  The only exceptions are the predefined

policies Secure Initiator and Lockdown, which have been configured to secure SNMP traffic as

well.

 

*** See page 124 ***

 

 

 


 

 

 

 

DHCP, DNS, WINS Servers, or Domain Controllers

 

If enabling IPSec for any servers running these services, consider whether or not all their clients are

IPSec-capable.

 

 

When DNS is not IPSec-Enabled

 

To specify a host’s DNS name (rather than its IP address) in an IP Filter List specification when the

DNS servers are not IPSec-enabled, a special policy setting is required.

 

 

TCP/IP Properties

 

If a computer that is a member of a domain is disconnected from its domain, then a copy of the

domain IPSec properties will be retrieved from the computer’s registry.  If the computer is not a

member of a domain, a local IPSec policy will be stored in the registry.  The TCP/IP properties

allow the nondomain computer to always use IPSec, use IPSec only if possible, or never use

IPSec.

 

 

NOTE:  If the computer is connected to a domain, these properties will not be configurable.

 

 

Lesson Summary:

 

  •   IPSec is very easy to customize with policies and rules.
  •   You can secure a network using various methods and taking into consideration such

things as proxies, NAT, SNMP, DHCP, DNS, WINS, and domain controllers.

 

 

Lesson 4:  Monitoring IPSec

 

To view how your IPSec policies and rules are being used in your network, you may want to

monitor IPSec.  There is an IPSec monitoring tool, IPSECMON.EXE, and you can also use Event

Viewer, Performance Monitor, and Network Monitor.

 

 

 


 

 

 

 

IPSec Management and Troubleshooting Tools

 

Windows 2000 provides tools that you can use to manage and troubleshoot IPSec.

 

 

Management Tools

 

The IP Security Policy Management snap-in creates and edits policies.

The IP Security Management tool is also on the default Start/Programs/Administrative Tools.

 

 

 

Monitoring and Troubleshooting Tools

 

IPSECMON.EXE is started at the command prompt.

 

 

IPSec Statistics

 

The following IPSec statistics can be measured using IP Security Monitor:

 

  •   Active Associations.  Simply a counter of active SAs.
  •   Confidential Bytes Sent/Received.  Total number of bytes sent and received using the ESP

protocol.

  •   Authenticated Bytes Sent/Received.  Total number of bytes sent and received using the

AH protocol.

  •   Bad SPI Packets.  Total number of packets for which the SPI was wrong.
  •   Packets Not Decrypted.  Total number of packets that failed decryption.
  •   Packets Not Authenticated.  Similar to Bad SPI Packets and Packets Not Decrypted,

this is the total number of packets containing data that could not be verified.

  •   Key Additions.  The total number of keys that ISAKMP has sent to the IPSec driver. 

 

 

ISAKMP/Oakley Statistics

 

  •   Oakley Main Modes.  Total number of successful ISAKMP SAs created during Phase 1 negotiations.
  •   Oakley Quick Modes.  Total number of successful IPSec SAs created during Phase 2 negotiations.
  •   Soft Associations.  Total number of Phase 2 negotiations that resulted in agreements to send

using clear text.

  •   Authentication Failures.  Total number of identity authentication failures (Kerberos, user

certificate, manually configured passwords).

 

 


 

 

 

 

Performance Monitor includes IPSec objects and counters that can be examined.  These

related events can also be recorded and then later analyzed in Event Viewer:

 

  • Policy agent and IPSec driver events in the system log.
  • Oakley events in the application log.
  • ISAKMP events (SA details) in the security log (if logon auditing is enabled).

 

 

Using Network Monitor

 

Network Monitor is a useful troubleshooting tool with IPSec.  Both the limited

version included with Windows 2000 Server and the full version included with Microsoft

Systems Management Server version 2.0 feature parsers for ISAKMP, AH, and ESP.

 

NOTE:  The ESP data itself will not be readable because of the encryption.

 

Lesson Summary:

 

Use the command-line tool IPSECMON.EXE and Network Monitor to troubleshoot

IPSec communication.

 

 

CLASSROOM NOTES:

 

  •   IPSec works at the Network Layer of the OSI model.
  •   Set up to protect the packets.
  •   IPSec is flexible.
  •   End-to-end.
  •   Cryptography based.
  •   Quarantining a virus-infected file is as good as deleting it.
  •   If authentication using the Kerberos V5 protocol or public key certificates is not possible,

a preshared key (a shared, secret password) can be configured to enable authentication

and trust between the communicating computers.

  •   Perfect forward secrecy: keys are refreshed on the fly.
  •   Try at home: Local Security Policy, IPSec Diffie-Hellman!
  •   DES = 56-bit key.
  •   3DES = 56 x 3 = 168-bit key.
  •   Secure Server (Require Security) Properties.
  •   Highest level of security.
  •   All policies disabled by default.
  •   Assign the policy (once created).
  •   IPSec cannot be used with NAT or an application proxy.
  •   IPSec works on a different layer.
  •   Don’t forget about binding order: in the OSI model, each layer only talks to the layer

above and below it.

  •   Two filters for IPSec: inbound and outbound.
  •   A trap is initiated by an event and triggers a message to the SNMP server; set up a filter.
  •   DHCP, WINS and DNS: page 124.  Type IPSECMON at the command prompt.