CHAPTER 12
SECURING DATA WITH IPSEC
Scenario:
laptop using a USB connector.
chapter 12, applies to the Transport Layer.
======================================================================
winsec12.html PAGE
2 2002/05/20
Lesson 1:
Designing IPSec Policies
IPSec implements encryption and authenticity at a lower level in the TCP/IP stack than application
layer protocols such as SSL and TLS.
IPSec protection is transparent to applications. The application doesn’t have to be IPSec-aware
because the data transferred between the client and the server is normally transmitted in plain text.
The IPSec process encrypts the payload after it leaves the application at the client and then
decrypts the payload before it reaches the application at the server.
A Telnet client sends a packet destined for the Telnet server. The port must be static.
The IPSec driver at the client computer intercepts the packet when it reaches the IP layer and
compares the packet to the list of IPSec filters configured at the client. If an IPSec policy is
enabled, the driver checks the packet against it.
The IPSec driver forwards the packet to the Internet Security Association and Key Management
Protocol (ISAKMP) to negotiate an SA between the client and server. ISAKMP performs the negotiation.
The client and server proceed with the ISAKMP process using the Internet Key Exchange (IKE)
protocol, which connects over UDP.
The results of the SA negotiation are returned to the IPSec driver so that the IPSec driver can
perform all its tasks.
The IPSec driver applies the required encryption or integrity algorithm, or both, to the data and then
sends the data to the NIC for transmission.
NOTE: the process of encrypting and decrypting IPSec-protected packets can be processor
intensive. To increase performance, consider purchasing IPSec-aware network cards that will
offload the IPSec encryption process from the computer’s processor.
Planning IPSec Protocols
IPSec provides two protocols for protection of transmitted data, Authentication Headers (AH)
and Encapsulating Security Payloads (ESP).
IPSec protects the header information that NAT needs to change.
Assessing AH (Authentication Headers)
AH provides authentication, integrity and antireplay protection to transmitted data on the network.
AH doesn’t protect transmitted data from being read, but it does eliminate the possibility of the
data being modified during transmission. The following fields are in an AH header:
Next Header. Protocol ID of the header that follows the AH header. To see protocol IDs on the
system, search the “protocol” file.
Length. Total length of the AH.
SPI (Security Parameter Index). The security association that was negotiated
in the ISAKMP protocol exchange.
Sequence Number. The sequence number is incremented by one to ensure that
the packet is assigned a unique sequence number.
Authentication Data. Contains the hash created against the signed portion of the
AH packet.
Deploying AH
Use AH when communications must be restricted to specific computers in a workgroup or
project.
The advantage of AH is that it adds mutual authentication to protocols that don’t support
mutual authentication. It is supported only by Windows 2000 network clients.
IMPORTANT: AH is supported only by Windows 2000 clients in a Microsoft networking
environment. If you want to deploy mutual authentication in a mixed network containing
Windows 98, Windows NT 4.0 and Windows 2000-based clients, consider using SMB
signing as an alternative (at the lower level).
Assessing ESP (Encapsulating Security Payloads)
ESP packets are used to provide encryption services to transmitted data. In addition, ESP
provides authentication, integrity, and antireplay services.
NOTE: When designing an IPSec solution, you can combine AH and ESP protocols in a single
IPSec SA. While both AH and ESP provide integrity protection to transmitted data, AH protects
the entire packet from modification while ESP protects only the TCP/UDP header and the data
payload from inspection.
The encryption provided by ESP encrypts the TCP or UDP header and the application data
included within an IP packet. The ESP header and trailer contain the following fields:
SPI (Security Parameter Index). This field identifies the SA that was negotiated
between the source computer and the destination computer for IPSec communications.
Sequence Number. This field protects the SA from replay attacks.
Padding. This field is a variable length between 0 and 255 bytes that brings the length
of the application data and ESP trailer to a length divisible by 32 bits so that they match
the required block size for the cipher algorithm.
Padding Length. The length of the Padding field.
Next Header. This field identifies the protocol used for the transmission of the
data, such as TCP or UDP.
Authentication Data. This field contains the Integrity Check Value (ICV), a
message authentication code.
IMPORTANT: The ICV isn’t applied to any mutable fields in the ESP header, TCP/UDP
header, application data, or ESP trailer. A mutable field is any field that changes value during
transmission. For example, the value of the TTL field decreases by one for every router that
it crosses. If this field were included in the ICV, the ICV would be invalidated every time an
ESP packet crossed a router.
ESP provides integrity protection by signing the ESP header, the TCP/UDP header, the
application data, and the ESP trailer. ESP also provides inspection protection by encrypting the
TCP/UDP header, the application data, and the ESP trailer.
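An added worked example (Python; not from the notes) of the AH header layout listed above and of why the ICV excludes mutable fields (AH is used because it, unlike ESP, signs the IP header where the TTL lives): the ICV is an HMAC-SHA1-96 computed over the packet with the IP TTL and checksum zeroed, so a router hop leaves it valid while a payload change does not. The addresses, key and payload are constructed for the example.

```python
import hmac
import hashlib
import ipaddress
import struct

AH_PROTO = 51                      # IP protocol ID for AH (the firewall note below)
KEY = b"constructed-demo-sa-key"   # assumed SA key; in practice it comes from the IKE negotiation

def ipv4_header(src, dst, ttl, total_len, proto=AH_PROTO):
    # Version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_header(next_header, spi, seq, icv):
    # Length field counts 32-bit words minus 2: a 24-byte AH with a 12-byte ICV gives 4
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv

def immutable_view(packet):
    # Zero the mutable IPv4 fields (TTL, header checksum) and the ICV slot before hashing,
    # so a router decrementing TTL does not invalidate the signature
    hdr = bytearray(packet[:20]); hdr[8] = 0; hdr[10:12] = b"\x00\x00"
    ah = bytearray(packet[20:44]); ah[12:24] = bytes(12)
    return bytes(hdr) + bytes(ah) + packet[44:]

def compute_icv(key, packet):
    # HMAC-SHA1-96: the first 96 bits of HMAC-SHA1 (SHA1 is one of the two AH integrity algorithms)
    return hmac.new(key, immutable_view(packet), hashlib.sha1).digest()[:12]

def build_ah_packet(key, src, dst, ttl, spi, seq, payload, next_header=6):
    # next_header 6 = TCP, e.g. the Telnet session described in the notes
    pkt = ipv4_header(src, dst, ttl, 44 + len(payload)) \
        + ah_header(next_header, spi, seq, bytes(12)) + payload
    return pkt[:32] + compute_icv(key, pkt) + pkt[44:]

def parse_ah(packet):
    # The five AH fields from the notes: Next Header, Length, SPI, Sequence Number, Auth Data
    nh, length, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    return {"next_header": nh, "length": length, "spi": spi, "seq": seq, "icv": packet[32:44]}

def verify_ah(key, packet):
    # Constant-time compare of the carried ICV against a fresh one over the immutable view
    return hmac.compare_digest(parse_ah(packet)["icv"], compute_icv(key, packet))

def router_hop(packet):
    # Simulate one router: TTL decreases by one, everything else untouched
    hdr = bytearray(packet[:20]); hdr[8] -= 1
    return bytes(hdr) + packet[20:]
```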
Deploying ESP
ESP provides encryption services for transmitted data. Only operating systems and network
devices that support IPSec can apply ESP encryption.
The only difference between AH and ESP is the portion of the data packet that’s protected
against modification. While AH protects the entire packet, ESP signing doesn’t include
protection for the IP header used to route the packet through the network.
NOTE: To allow IPSec traffic to pass through a firewall, you must allow packets using
UDP 500 and the protocol identifier (ID) of 51 for AH or a protocol ID of 50 for ESP to
pass through the firewall. In addition, the firewall must not be performing Network Address
Translation (NAT). IPSec packets can’t pass through a NAT because the fields modified by
the NAT process are protected by IPSec and can’t be modified without invalidating the packet.
NAT has to modify the header.
Include AH in your IPSec design to meet the following security objectives:
To protect the entire packet against modification.
To provide mutual authentication of both the client and server.
To limit communications to authorized computers for a project.
Use ESP in your IPSec design to meet the following security objectives:
To protect the application payload from being observed during transmission.
To protect the TCP/UDP header and application data from modification during transmission.
Finally, apply both AH and ESP when you require encryption of transmitted data and protection
of the entire packet against modification. To ensure total protection of transmitted data, you
can negotiate an SA that requires both AH and ESP.
Planning IPSec Modes
You can use IPSec in one of two modes: transport mode or tunnel mode.
Transport Mode: If you require IPSec protection from the issuing client all the way to the
destination server, use IPSec transport mode.
Tunnel Mode: Data is protected only between the two defined tunnel points or gateways.
Tunnel mode is known as gateway-to-gateway protection of transmitted data.
When the data is transmitted between the client and server, it’s sent in an unprotected state
until it reaches the initial gateway. Then the protection specified in the SA (AH or ESP) is applied
to the packets as they’re transmitted to the destination network.
Examining Tunnel Mode Packets
IPSec tunnel mode packets differ from transport mode packets in that a new IP header is
added to the packet as it’s transmitted between gateways.
The fields included in the ESP header don’t vary between transport mode and tunnel mode.
*** See the chart on page 441 ***
Applying the Decision
The data must be encrypted as it passes across the network to ensure that no one can read it.
The data must be signed to prove its authenticity.
Because NAT is being performed, IPSec tunnel mode is unable to pass through the firewall.
To allow IPSec tunnel mode to connect the two networks, deploy a separate dual-homed
server at each network to allow you to establish an IPSec tunnel that bypasses the firewall.
Designing IPSec Filters
To identify the protocols that are to be protected with AH or ESP protocols, you must define
IPSec filters that identify known characteristics for the protocols.
The IPSec filter is defined to match data transmission from an IP address to the Telnet server’s
IP address where the source port is any port and the destination port is TCP port 23.
The characteristics that you can use to identify a protocol include:
· Source address information.
· Destination address information.
· Protocol Type
·
·
A mirrored filter reverses the source and destination information so that response packets
that originate at the server are also protected by IPSec when they’re sent back to the client.
The mirrored copy covers traffic in both directions.
IMPORTANT: The only time you don’t use mirrored rules is when you define filters for
IPSec tunnel mode. In this case, you must design separate filters to reflect the tunnel
endpoint that is used at each end of the tunnel.
Determining IPSec Exclusions
While you can use IPSec to protect most protocols, it can’t protect some protocols due
to the nature or use of the protocol. The exempt protocols are:
· IP broadcast addresses.
· Multicast addresses.
· RSVP (Resource ReSerVation Protocol).
· Kerberos.
· Internet Key Exchange (IKE).
Designing IPSec Filter Actions
Once you’ve defined which protocol will be protected with IPSec, you must then define
what action is taken if the host sends or receives packets that match an IPSec filter.
filter should never be allowed to exist on the network.
algorithms that must be used to secure data transmission if an IPSec filter is matched.
In addition to the three basic actions, you can define settings that define how the Windows
2000-based computer will react if non-IPSec protected data is received and how frequently
new session keys are defined to protect the IPSec data.
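An added example (Python; not from the notes) of the filter logic from the preceding sections: the Telnet filter with its mirrored copy, the protocols that are exempt from IPSec, and the action a packet ends up with. The server address, the Kerberos port 88, the limited-broadcast check and the Permit default are assumptions; the notes name the Negotiate Security action but only refer to the others as "the three basic actions".

```python
import ipaddress

TELNET_SERVER = "10.0.0.23"   # constructed address for the Telnet server in the notes' scenario

def mirror(f):
    # A mirrored filter swaps source and destination so the server's replies match too
    return {"src": f["dst"], "dst": f["src"], "proto": f["proto"],
            "sport": f["dport"], "dport": f["sport"], "action": f["action"]}

def make_filter(src, dst, proto, sport, dport, action, mirrored=True):
    # "any" matches every address or port; mirrored=False is what tunnel-mode filters need
    f = {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "action": action}
    return [f, mirror(f)] if mirrored else [f]

def addr_matches(pattern, addr):
    # pattern is "any", a single address or a CIDR network
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def is_exempt(pkt):
    # Traffic the notes list as never IPSec-protected: broadcast, multicast, RSVP, Kerberos, IKE.
    # Kerberos port 88 and the limited broadcast address are assumed; the notes name only the protocols.
    dst = ipaddress.ip_address(pkt["dst"])
    if dst == ipaddress.ip_address("255.255.255.255") or dst.is_multicast or pkt["proto"] == "rsvp":
        return True
    ports = (pkt["sport"], pkt["dport"])
    return pkt["proto"] in ("tcp", "udp") and (88 in ports or (pkt["proto"] == "udp" and 500 in ports))

def decide(filters, pkt, default="Permit"):
    # Exempt traffic is always permitted; otherwise the first matching filter's action applies
    if is_exempt(pkt):
        return "Permit"
    for f in filters:
        if (addr_matches(f["src"], pkt["src"]) and addr_matches(f["dst"], pkt["dst"])
                and f["proto"] in ("any", pkt["proto"])
                and f["sport"] in ("any", pkt["sport"]) and f["dport"] in ("any", pkt["dport"])):
            return f["action"]
    return default

# Policy for the Telnet scenario: any source, the Telnet server, any source port, TCP 23, mirrored
POLICY = make_filter("any", TELNET_SERVER, "tcp", "any", 23, "Negotiate security")
```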
Designing IPSec Encryption and Integrity Algorithms
If AH protection is required, define Message Digest 5 (MD5) or Secure Hash Algorithm
1 (SHA1) as the integrity algorithm.
If ESP encryption is required, set the digital signing algorithm to MD5 or SHA1 and the
encryption algorithm to DES or 3DES.
You can define multiple algorithms for the Negotiate Security action.
Designing IPSec Authentication
IPSec requires that the two network hosts using IPSec authenticate with each other before
entering into SA negotiations. IPSec allows three methods for authenticating the two hosts
involved in the SA:
Kerberos. NOTE: You can’t use Kerberos between forests.
Certificates. You can use certificate-based authentication to authenticate network hosts
using IPSec.
Preshared Keys. Preshared keys are text strings entered at the two hosts to prove their
identities.
Planning IPSec Authentication Protocols
======================================================================
Protocol                 Use Under the Following Circumstances
======================================================================
Kerberos                 All computers using IPSec are members of the same Active
Authentication           Directory directory service forest.
                         You want to minimize the amount of configuration.
Public Key               You require strong authentication between hosts not in the
Authentication           same forest.
                         A common root CA exists for the two hosts using IPSec.
                         Each host has a valid machine certificate installed that
                         can be used to authenticate the host.
                         You want to use L2TP/IPSec for a VPN solution.
Preshared Keys           You can’t use Kerberos or public key authentication.
                         Some third-party IPSec solutions may not be able to
                         use Kerberos or public key authentication, and the
                         only resort is to use preshared keys.
                         You’re testing a new IPSec filter and want to make sure
                         that authentication problems aren’t causing the SA’s
                         failure.
======================================================================
Lesson Summary:
defining the IPSec mode and protocol that’s to be used, and the algorithms.
Lesson 2:
Planning IPSec Deployment
Once you’ve designed an IPSec policy that meets your needs, you must deploy the IPSec
policy to all Windows 2000-based computers that require the security provided by the
IPSec policy.
Assessing the Preconfigured IPSec Policies
There are three default IPSec policies. The default IPSec policies are available in both
domain and workgroup environments, and you can apply them locally or by using Group
Policy.
The predefined IPSec policies are:
Secure Server (Require Security). Secures all network traffic to or from the computer
that the IPSec policy is applied to, with the exception of ICMP, better known as Packet
InterNet Groper (PING) traffic.
Server (Request Security). It differs from the first in that it only requests that IPSec
security be applied.
Client (Respond Only). This policy doesn’t enable IPSec for specific protocols, but it
allows the affected computer to negotiate an IPSec SA with any servers that request or
require IPSec protection.
*** See the chart on page 458 *** Could be on the test
Deploying IPSec Policies in a Workgroup Environment
A workgroup environment can’t depend on Active Directory for the consistent
application of IPSec policies. In a workgroup environment, you can configure IPSec
policies only by connecting to the local computer security settings.
When designing IPSec deployment in a workgroup environment, include the following
tasks in your IPSec deployment design:
Deploying IPSec Policies in a Domain Environment
Active Directory enables an administrator to standardize IPSec configuration by
applying IPSec policies in Group Policy objects.
NOTE: You can’t use security templates to define IPSec policies. Security templates
don’t include settings for IPSec policy definition. To define IPSec policies, create the
IPSec policy at the stand-alone computer and then export the settings to a .ipsec
export file. The export file can then be imported to the Group Policy object where
you wish to deploy the IPSec policy.
How to Design IPSec deployment:
OU structure.
wish to enable IPSec for all Windows 2000-based computers in a domain.
Automatically Deploying Computer Certificates
IPSec gives two computers entering into a SA the ability to authenticate with certificates.
In a Windows 2000 network, only DCs acquire certificates by default. To enable IPSec,
you can choose one of three certificate templates:
Configure a Group Policy object to perform the automatic certificate request.
Distribute certificates to all client computers requiring L2TP tunnel connectivity.
Troubleshooting IPSec Problems
Use these tools for troubleshooting:
computers.
IPSec Monitor. Ipsecmon.exe shows any currently active IPSec SAs that are established
with your computer and the current IPSec statistics for your computer.
NetDiag. The Netdiag utility, included in the Windows 2000 Support Tools, allows you to
verify the current SAs active on your computer.
SMS (Systems Management Server) Network Monitor. Allows you to inspect data packets
as they’re transmitted across the network.
Oakley Logs. As a last resort, you can enable Oakley logs to look at detailed debugging
of an IPSec connection. By default, Oakley logs aren’t enabled.
Lesson Summary:
computers on your network.