Securing Data with Internet Protocol
Security (IPSec)


Designing IPSec Policies
Planning IPSec Deployment
Designing IPSec Policies








Making IPSec design decisions
Describing IPSec communications
Planning IPSec protocols
Planning IPSec modes
Designing IPSec filters
Designing IPSec filter actions
Designing IPSec encryption and integrity algorithms
Designing IPSec authentication
IPSec Design Decisions






Decide which IPSec protocols to use.
Decide whether to implement IPSec transport mode
or IPSec tunnel mode.
Design IPSec filters that identify which packets to
protect with IPSec.
Determine which actions will take place if the packets
meet the IPSec filter criteria.
Determine which encryption levels will be used if
packets meet the IPSec filter criteria.
Design how computers using IPSec protection will
authenticate each other.
Describing IPSec Communications


IPSec implements encryption and authenticity at a
lower level in the TCP/IP stack than do Secure
Sockets Layer (SSL) and Transport Layer Security
(TLS).
An application does not have to be IPSec-aware.
The IPSec Process (Using a Telnet
Protocol Example)
Planning IPSec Protocols

IPSec provides two protocols for protecting
transmitted data.




Authentication Headers (AH)
Encapsulating Security Payloads (ESP)
AH and ESP are separate protocols.
Use AH and ESP individually or combined to provide both
integrity protection and protection against inspection
(confidentiality).
Assessing AH




Provides authentication, integrity, and anti-replay
protection to transmitted data
Does not protect transmitted data from being read
Detects any modification of the packet during
transmission: a modified packet fails the integrity check
and is discarded by the receiver
Supported only by Microsoft Windows 2000 clients in
a Microsoft networking environment
IPSec AH Header Fields
Deploying AH





Authenticates computers involved in data
transmissions
Provides integrity to the transmitted packets so that
modified or replayed packets are detected and discarded
Used to restrict communications to specific
computers in a workgroup or project
Ensures that mutual authentication takes place
between the computers so that only authenticated
computers can participate in communications
Allows mutual authentication capabilities to protocols
that do not support mutual authentication
Assessing ESP


Provides encryption, authentication, integrity, and
anti-replay services
Encrypts the Transmission Control Protocol (TCP) or
User Datagram Protocol (UDP) header and the
application data included within an IP packet

Does not include the original IP header unless IPSec tunnel
mode is used
IPSec ESP Fields
Deploying ESP


ESP is necessary when the application does not
implement application-layer security (such as SSL/TLS)
of its own.
The application does not have to support IPSec.




The IPSec encryption and decryption process takes place at
the IP/IPSec layer.
The application is unaware that IPSec protection
takes place.
Only operating systems and network devices that
support IPSec can apply ESP encryption.
ESP provides integrity protection of the transmitted data
by a keyed hash (HMAC) over the ESP payload; this is
often loosely called signing, but it is a symmetric
message authentication code, not a public key digital
signature.
Application Is Encryption Unaware
AH and ESP Differences



AH authenticates the entire packet, including the
immutable fields of the IP header (source and
destination addresses); fields that change in transit,
such as TTL, are excluded from the check.
ESP encrypts and authenticates only the TCP/UDP
header and the data payload; in transport mode the IP
header is neither encrypted nor authenticated.
To ensure complete packet protection, configure the
security association (SA) to implement both IPSec AH
and ESP protocols.
Allowing IPSec Traffic to Pass Through a
Firewall



To pass protected traffic, configure a firewall to allow
UDP port 500 (IKE/ISAKMP) and IP protocol 50 for
ESP or IP protocol 51 for AH. Note that 50 and 51 are
IP protocol numbers, not TCP or UDP ports.
IPSec using ESP leaves a firewall unable to inspect
the encrypted data as it is transmitted through the
firewall; the firewall sees only the outer IP header, the
SPI and the sequence number.
The firewall must not be performing Network Address
Translation (NAT).

IPSec packets cannot pass through a NAT.
The fields protected by IPSec cannot be modified by NAT
without invalidating the packets: AH authenticates the source
and destination addresses, so a rewritten address fails the
integrity check, and the TCP/UDP checksum inside an ESP
payload is encrypted and cannot be fixed up by the NAT device.
NAT traversal by UDP encapsulation of ESP (IETF NAT-T on
UDP port 4500) is a later addition that was not in the original
Windows 2000 release; AH cannot traverse NAT in any case.
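As an added example (not code from the chapter), the following Python builds an IPv4 packet carrying an AH header, computes the Integrity Check Value with HMAC-SHA1-96 over the IP header with its mutable fields zeroed plus the AH header and payload, and then shows why the packet still verifies after a router decrements the TTL but fails once a NAT device rewrites the source address. The key, addresses, SPI and payload are constructed for illustration, and the helper names are the example's own.

```python
import hashlib
import hmac
import struct

# Added example, not from the chapter: AH integrity check (RFC 2402 / RFC 2404
# HMAC-SHA1-96) and the effect of NAT on it. All inputs are constructed.

AH_PROTOCOL = 51          # IP protocol number for AH
ICV_LEN = 12              # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """Build a 20-byte IPv4 header (checksum left zero; a real stack fills it)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0,
                       ttl, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def zero_mutable_fields(ip_hdr):
    """AH authenticates the IP header with the fields that change in transit
    (TOS, flags/fragment offset, TTL, header checksum) zeroed. The source and
    destination addresses are immutable and remain in the authenticated data."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_fixed_part(next_header, spi, seq):
    """AH fields: Next Header, Payload Len (AH length in 32-bit words minus 2),
    Reserved, SPI, Sequence Number. The ICV follows these 12 bytes."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC over (IP header with mutable fields zeroed) + AH header with
    the ICV field zeroed + everything after the AH header."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi=0x1000, seq=1, next_header=6):
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, total_len)
    ah_fixed = ah_fixed_part(next_header, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah_packet(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def decrement_ttl(packet):
    """What every router does on the path: TTL is mutable, so AH ignores it."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def rewrite_source_address(packet, new_src):
    """What a NAT device does: the address is immutable, so AH rejects it."""
    p = bytearray(packet)
    p[12:16] = bytes(map(int, new_src.split(".")))
    return bytes(p)


# Constructed demo inputs (not a real key; not real hosts).
KEY = b"constructed-demo-key-not-for-production"
PAYLOAD = b"\x00\x17\x04\x00" + b"TELNET DATA"   # stands in for a TCP segment


def demo():
    pkt = build_ah_packet(KEY, "10.1.1.5", "10.2.2.9", PAYLOAD)
    return (verify_ah_packet(KEY, pkt),                                   # True
            verify_ah_packet(KEY, decrement_ttl(pkt)),                    # True
            verify_ah_packet(KEY, rewrite_source_address(pkt, "203.0.113.7")))  # False


if __name__ == "__main__":
    print("original / after TTL decrement / after NAT:", demo())
```

The same check explains the firewall slide: a firewall that merely forwards the packet leaves the authenticated fields intact, but one that translates addresses changes bytes the ICV covers.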
Making the Decision: Using AH, ESP, or a
Combination of AH and ESP

Use AH in the IPSec security design

To protect the entire packet against modification
To provide mutual authentication of both client and server
To limit communication to authorized computers for a project

Use ESP in the IPSec security design

To protect the application payload from being observed during
transmission
To protect the TCP/UDP header and application data from
modification during transmission

Use both AH and ESP when encryption of transmitted
data and protection of the entire packet against
modification is required.

Negotiate an SA that requires both AH and ESP to ensure total
protection of transmitted data
Applying the Decision: Applying AH and
ESP for Fabrikam

For the data collection software



Apply both AH and ESP protection to each packet
Configure ESP to allow the data payload to be encrypted as
it is transmitted from the client to the server
For the network link to A. Datum Corporation

Only use ESP to encrypt all data transmitted over the
Internet between the two networks
IPSec Transport Mode
IPSec Tunnel Mode
AH Tunnel Mode Packet
ESP Tunnel Mode Packet
Making the Decision: Using IPSec
Transport Mode or Tunnel Mode

Use IPSec transport mode when





Communications are taking place where inspection of transmitted
data must be prevented
NAT is not being performed on the packets as they are transmitted
from the source computer to the destination computer
Data must be encrypted over the entire path from the source
computer to the destination computer
The connection is between only two computers
Use IPSec tunnel mode when


Data must be protected when being transmitted over a public
portion of the network
Encryption can only take place between perimeter servers to avoid
passing through a firewall or a perimeter server implementing NAT
Applying the Decision: Using IPSec
Transport Mode at Fabrikam

Fabrikam requires the use of IPSec transport mode
for the data collection software.



All data is being transmitted between the Windows 2000–
based laptops and the server at the Washington office.
The data must be encrypted as it passes across the network
to ensure that no one can read it.
The data must be signed to prove its authenticity.
Applying the Decision: Using IPSec Tunnel
Mode at Fabrikam
Designing IPSec Filters

Characteristics Used to Identify a Protocol





Source address information
Destination address information
Protocol type
Source port
Destination port
Protecting Response Packets by Using
IPSec



Configure all defined IPSec filters as mirrored filters.
A mirrored filter reverses the source and destination
information so that response packets are protected
by IPSec when they are sent back.
Do not use mirrored rules when filters for IPSec
tunnel mode are defined.

Design separate filters to reflect the tunnel endpoint that is
used at each end of the tunnel.
When IPSec Filters Are Not Required

Whenever the Layer Two Tunneling Protocol (L2TP) is
used to establish a virtual private network (VPN),
IPSec filters do not have to be defined.

Windows 2000 automatically enables IPSec ESP protection
for the L2TP tunnel.
Determining IPSec Exclusions





IP broadcast addresses
Multicast addresses
Resource ReSerVation Protocol (RSVP)
(protocol ID 46)
Kerberos
Internet Key Exchange (IKE)

These are the Windows 2000 default exemptions: traffic of these
types bypasses the IPSec filters entirely. The Kerberos exemption
means that any packet using the Kerberos ports (TCP and UDP 88)
passes an IPSec policy unprotected, so a policy cannot block or
protect traffic on those ports. Windows 2000 Service Pack 1 and
later allow the broadcast, multicast, RSVP and Kerberos
exemptions to be removed with the NoDefaultExempt registry value
under HKLM\SYSTEM\CurrentControlSet\Services\IPSEC (Microsoft
KB 254728). IKE (UDP 500) must stay exempt, since it is the
protocol that sets up the SAs.
Making the Decision: Defining IPSec
Filters





Only one IPSec policy can be assigned per computer.
Define policies for computers, not for users.
Define the protocol requirements so that explicit
filters can be defined, and determine attributes for
each required filter.
A firewall cannot inspect the contents of ESP-encrypted
traffic; it can only allow or block the ESP stream as a
whole (IP protocol 50) between the two endpoints.
If multiple filters are defined, the most specific filters
are evaluated first and the least specific filters are
evaluated last.
Making the Decision: Defining IPSec
Filters (Cont.)


Always mirror defined packet filters when using IPSec
transport mode.
Define an IPSec filter for each direction when
defining IPSec tunnel mode connections.
Applying the Decision: Fabrikam WAN
Configuration
Possible IPSec Filter Actions



Permit
Block
Negotiate Security
Windows 2000 IPSec Filter Settings and
New Session Key Frequency



Accept Unsecured Communication, But Always
Respond Using IPSec
Allow Unsecured Communication With Non-IPSec-Aware Computers
Session Key Perfect Forward Secrecy
Making the Decision: Defining IPSec Filter
Actions






Block
Permit
Negotiate
Enable Fallback To No Security
Accept Unsecured Communication, But Always
Respond Using IPSec
Session Key Perfect Forward Secrecy
Applying the Decision: Defining IPSec
Filter Actions for Fabrikam



For the data collection software, set the filter action
to Negotiate Security.
To allow or disallow other protocols, define another
filter that is set to be any protocol.
The tunnel servers between Fabrikam's Washington
office and the A. Datum Corporation office require
two different IPSec filter actions.
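The filter rules above (matching on addresses, protocol and ports; mirrored filters so that response packets are covered; most-specific-first evaluation; and the Permit, Block and Negotiate Security actions) as an added Python model. This is example code, not the chapter's text or Windows 2000's own filter engine. The Fabrikam laptop subnet, data collection server address and data collection port are assumptions, since the chapter does not give them.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the chapter: a model of IPSec filter evaluation.
# Addresses, ports and the policy itself are constructed for illustration.

PERMIT, BLOCK, NEGOTIATE = "Permit", "Block", "Negotiate Security"
ANY = "any"


@dataclass(frozen=True)
class Filter:
    src: str        # network in CIDR form, or ANY
    dst: str
    proto: str      # "tcp", "udp", or ANY
    sport: object   # port number or ANY
    dport: object
    action: str
    mirrored: bool = True

    def specificity(self):
        """Higher is more specific: a /32 beats a /24 beats 'any'; a named
        protocol or port beats 'any'. Most specific filters are evaluated first."""
        score = 0
        for net in (self.src, self.dst):
            score += 0 if net == ANY else ipaddress.ip_network(net).prefixlen
        score += 8 if self.proto != ANY else 0
        score += 4 if self.sport != ANY else 0
        score += 4 if self.dport != ANY else 0
        return score

    def mirror(self):
        """The mirrored filter: source and destination swapped so the reply
        packet receives the same action as the request."""
        return Filter(self.dst, self.src, self.proto, self.dport, self.sport,
                      self.action, mirrored=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _net_match(net, addr):
    return net == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _field_match(want, have):
    return want == ANY or want == have


def expand_filters(filters):
    """Add the mirror of every mirrored filter, then order most-specific first."""
    out = []
    for f in filters:
        out.append(f)
        if f.mirrored:
            out.append(f.mirror())
    return sorted(out, key=Filter.specificity, reverse=True)


def classify(filter_list, pkt):
    """Return the action of the first (most specific) filter the packet matches.
    A packet that matches no filter is sent without IPSec processing."""
    for f in filter_list:
        if (_net_match(f.src, pkt.src) and _net_match(f.dst, pkt.dst)
                and _field_match(f.proto, pkt.proto)
                and _field_match(f.sport, pkt.sport)
                and _field_match(f.dport, pkt.dport)):
            return f.action
    return PERMIT


# Constructed Fabrikam-style policy: traffic from the laptop subnet to the data
# collection port on the Washington server must negotiate IPSec; a catch-all
# "any protocol" filter permits everything else, as the slide describes.
LAPTOPS = "10.10.5.0/24"          # assumed laptop subnet
DATA_SERVER = "10.10.1.20/32"     # assumed data collection server
COLLECTION_PORT = 5000            # assumed data collection port

POLICY = [
    Filter(LAPTOPS, DATA_SERVER, "tcp", ANY, COLLECTION_PORT, NEGOTIATE),
    Filter(ANY, ANY, ANY, ANY, ANY, PERMIT, mirrored=False),
]
FILTER_LIST = expand_filters(POLICY)


def demo():
    request = Packet("10.10.5.17", "10.10.1.20", "tcp", 49152, COLLECTION_PORT)
    reply = Packet("10.10.1.20", "10.10.5.17", "tcp", COLLECTION_PORT, 49152)
    web = Packet("10.10.5.17", "10.10.1.20", "tcp", 49153, 80)
    return (classify(FILTER_LIST, request),   # Negotiate Security
            classify(FILTER_LIST, reply),     # Negotiate Security (via the mirror)
            classify(FILTER_LIST, web))       # Permit (catch-all)


if __name__ == "__main__":
    for f in FILTER_LIST:
        print(f.specificity(), f)
    print(demo())
```

Without the mirror, the reply from the server would fall through to the catch-all filter and leave the host in the clear, which is exactly the failure the "Protecting Response Packets" slide warns about. For tunnel mode the model would instead carry two independent filters, one per direction, each tied to its tunnel endpoint.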
Designing IPSec Encryption and Integrity
Algorithms


Configure IPSec filter properties to specifically define
which algorithms IPSec uses when negotiating
security.
Define separate algorithms for AH and ESP-protected
data streams.
Custom Settings for IPSec Protection


Can be used to define how IPSec protects
transmitted data
If AH protection is required

Define Message Digest v5 (MD5) or Secure Hash Algorithm
v1 (SHA1) as the integrity algorithm
If ESP encryption is required

Set the integrity (signing) algorithm to be MD5 or SHA1
Set the encryption algorithm to be Data Encryption Standard
(DES) or Triple DES (3DES)
Of these choices, prefer SHA1 over MD5 and 3DES over DES:
56-bit DES is breakable by brute force and MD5 is no longer
considered a secure hash. These were the only algorithms
Windows 2000 IPSec offered.
Multiple Algorithms for the Negotiate
Security Action

Can be used to define desired IPSec protection while
allowing less secure variations that are used only if
negotiation fails for the higher-level encryption
New Key Generation


Can define key generation based on the amount of
data that is transmitted (in kilobytes) and the lifetime
of the key (in seconds).
Configuring these options can protect the key from
compromise.
Making the Decision: Planning Encryption
and Integrity Algorithms for an SA




If configuring for multiple algorithm support, sort the
algorithms from strongest to weakest.
Include security methods only for the required
algorithms.
Use of strong encryption protocols requires the
installation of the Windows 2000 High Encryption
Pack.
Modify the default key generation settings in higher-security
networks.
Applying the Decision: Planning
Encryption and Integrity Algorithms for
Fabrikam


Fabrikam will use ESP to protect their transmitted
data, with authenticity required for the data payload
but not for the entire packet.
Assuming the Windows 2000 High Encryption Pack is
not installed, provisions must be made to allow the
clients to connect without it.
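The negotiation and rekeying rules above, and the Fabrikam case of clients without the High Encryption Pack, as an added Python example (not code from the chapter or from Windows 2000): an ordered list of security methods, strongest first, is negotiated against the peer's list, and an SA tracks the kilobyte and lifetime limits after which a new session key is required. The method lists are constructed; the 100,000 KB and 3,600 second figures are the Windows 2000 defaults as the editor recalls them and should be checked against the dialog, while the tighter limits used in the demo are the example's own.

```python
import time
from dataclasses import dataclass

# Added example, not from the chapter: security method negotiation and
# session key lifetime tracking. Method lists and limits are constructed.


@dataclass(frozen=True)
class SecurityMethod:
    protocol: str      # "AH" or "ESP"
    integrity: str     # "SHA1" or "MD5"
    encryption: str    # "3DES", "DES", or "none" (AH never encrypts)


# Server's list, sorted strongest to weakest as the chapter recommends.
# The DES entry exists only so clients without the High Encryption Pack
# can still connect; drop it once every client has 3DES.
SERVER_METHODS = [
    SecurityMethod("ESP", "SHA1", "3DES"),
    SecurityMethod("ESP", "SHA1", "DES"),
]

# Windows 2000 without the High Encryption Pack cannot offer 3DES.
CLIENT_WITHOUT_HEP = [SecurityMethod("ESP", "SHA1", "DES"),
                      SecurityMethod("ESP", "MD5", "DES")]
CLIENT_WITH_HEP = [SecurityMethod("ESP", "SHA1", "3DES"),
                   SecurityMethod("ESP", "SHA1", "DES")]

# Assumed Windows 2000 defaults for session key regeneration.
DEFAULT_KB_LIMIT = 100_000
DEFAULT_SECONDS_LIMIT = 3_600


def negotiate(initiator_methods, responder_methods):
    """Select the first method in the initiator's ordered list that the
    responder also accepts. Returns None when there is no common method,
    which is what an SA negotiation failure looks like."""
    acceptable = set(responder_methods)
    for method in initiator_methods:
        if method in acceptable:
            return method
    return None


class SecurityAssociation:
    """One SA and its session key lifetime. When either the data limit or the
    time limit is reached, a new key must be generated (a new quick mode)."""

    def __init__(self, method, kb_limit=DEFAULT_KB_LIMIT,
                 seconds_limit=DEFAULT_SECONDS_LIMIT, now=time.monotonic):
        self.method = method
        self.kb_limit = kb_limit
        self.seconds_limit = seconds_limit
        self._now = now              # injectable clock so tests are deterministic
        self.started = now()
        self.bytes_sent = 0

    def send(self, nbytes):
        self.bytes_sent += nbytes

    def needs_rekey(self):
        by_volume = self.bytes_sent / 1024 >= self.kb_limit
        by_age = self._now() - self.started >= self.seconds_limit
        return by_volume or by_age


def rekey_demo():
    """Drive an SA with a fake clock: rekey triggers on volume, then on age."""
    clock = [0.0]
    sa = SecurityAssociation(SERVER_METHODS[0], kb_limit=1000, seconds_limit=300,
                             now=lambda: clock[0])
    sa.send(500 * 1024)
    before = sa.needs_rekey()          # False: 500 KB, 0 s elapsed
    sa.send(524 * 1024)
    by_volume = sa.needs_rekey()       # True: 1024 KB >= 1000 KB
    sa2 = SecurityAssociation(SERVER_METHODS[0], kb_limit=1000, seconds_limit=300,
                              now=lambda: clock[0])
    clock[0] = 301.0
    by_age = sa2.needs_rekey()         # True: 301 s >= 300 s with no data sent
    return before, by_volume, by_age


if __name__ == "__main__":
    print("client with HEP   :", negotiate(CLIENT_WITH_HEP, SERVER_METHODS))
    print("client without HEP:", negotiate(CLIENT_WITHOUT_HEP, SERVER_METHODS))
    print("AH-only client    :", negotiate([SecurityMethod("AH", "MD5", "none")],
                                           SERVER_METHODS))
    print("rekey (before, by volume, by age):", rekey_demo())
```

Because the initiator's list is walked in order, the weaker DES method is chosen only when 3DES is absent from the peer's list; an attacker cannot force the downgrade without removing 3DES from one side's policy, which is why the policy store itself must be protected.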
Designing IPSec Authentication

Methods for authentication



Kerberos
Certificates
Preshared keys
Making the Decision: Planning IPSec
Authentication Protocols

Use Kerberos authentication



When all computers using IPSec are members of the same
Active Directory directory service forest
To minimize the amount of configuration involved in
authenticating hosts, but still maintain security for
authentication
Use public key authentication




When strong authentication is required between hosts not in
the same forest
When a common root Certification Authority (CA) exists for
the two hosts using IPSec
When each host has a valid machine certificate installed that
can be used to authenticate the host
To use L2TP/IPSec for a VPN solution
Making the Decision: Planning IPSec
Authentication Protocols (Cont.)

Use preshared keys




When Kerberos or public key authentication cannot be used
When testing a new IPSec filter, to ensure that
authentication problems are not causing the SA's failure
When establishing an IPSec SA between two hosts and the
association will only be between the two hosts
When the preshared key is set to be complex and access to
the IPSec configuration interface is secured to prevent
inspection of the preshared key established between the two
hosts. Windows 2000 stores the preshared key unencrypted in
the IPSec policy (in the registry for a local policy, in Active
Directory for a domain policy), so anyone who can read the
policy can read the key.
Applying the Decision: Planning IPSec
Authentication Protocols for Fabrikam


For the data collection software, the easiest
authentication method is Kerberos.
For the tunnel servers between the two
organizations, the most secure authentication
method is public key.

Ensures that the certificates for each tunnel server are
recognized and trusted by the other organization
Planning IPSec Deployment





Assessing the preconfigured IPSec policies
Deploying IPSec policies in a workgroup environment
Deploying IPSec policies in a domain environment
Automatically deploying computer certificates
Troubleshooting IPSec problems
Predefined IPSec Policies



Secure Server (Require Security)
Server (Request Security)
Client (Respond Only)
Custom IPSec Policies


Used when specific protocols must be excluded from
default policies
Created when modifications are required to the
default policies
Restoring Default Policies


Right-click the IPSec Policies On Local Machine or
IPSec Policies On Active Directory console, and then
click Restore Default Policies.
This action will restore the default setting for all three
default IPSec policies.
Making the Decision: Deploying the
Default IPSec Policies

Use the Secure Server (Require Security) policy when
any of the following business requirements exist:





The highest level of security is required
All traffic sent to the server must be protected by using
IPSec
Fallback to unprotected data transmissions is not desired
Only Windows 2000–based computers are required to
connect to the server
All servers that require the IPSec configuration are placed in
the same organizational unit (OU) or OU structure
Making the Decision: Deploying the
Default IPSec Policies (Cont.)

Use the Server (Request Security) policy when any of
the following business requirements exist:




All traffic sent to the server should be protected by using
IPSec
Fallback to unprotected data transmissions is supported for
legacy clients
The server must support a mix of Windows 2000 and non–
Windows 2000 clients
All servers that require the IPSec configuration are placed in
the same OU or OU structure
Making the Decision: Deploying the
Default IPSec Policies (Cont.)

Use the Client (Respond Only) policy when any of the
following business requirements exist:



The Windows 2000–based computer should be enabled to
use IPSec protection when requested by a server
The client computer should not initiate IPSec protection
All computers within an OU or OU structure are to be
enabled for IPSec protection
Applying the Decision: Default IPSec
Policies for Fabrikam


Fabrikam requires custom IPSec policies to meet its
security objectives.
The data collection software could possibly use a
default IPSec policy.


If more than one laptop is used, assign the Client (Respond
Only) IPSec policy.
Modify the IPSec policy applied to the server hosting the
data collection software to accept unsecured
communication, but always respond using IPSec.
Deploying IPSec Policies in a Workgroup
Environment



A workgroup environment cannot depend on Active
Directory for the consistent application of IPSec
policies.
IPSec policies in a workgroup environment can only
be configured by connecting to the local computer
security settings.
To achieve consistent IPSec configuration



Export properly configured IPSec settings to an .ipsec export
file
Import the settings to all matching computers
IPSec settings cannot be configured through security
templates.
Making the Decision: Deploying IPSec in a
Workgroup Environment




Define the required IPSec policies at a test machine.
Create a lab environment that emulates the
production network.
Export the IPSec policies to an .ipsec export file.
Store the exported IPSec policies in a secure location.
Applying the Decision: Deploying IPSec in
a Workgroup Environment at Fabrikam

The two tunnel servers may not be members of the
domain at Fabrikam or A. Datum Corporation.


IPSec must be defined in the local computer policy for each
tunnel server.
Deploy the IPSec policy by manually configuring the IPSec
policy at each tunnel server.
Deploying IPSec Policies in a Domain
Environment



Define IPSec policies for the site, domain, or OU.
The use of Group Policy ensures that a computer's
administrator cannot override the desired IPSec
settings at the local computer.
The settings inherited from Group Policy always
supersede local policy settings.
Making the Decision: Deploying IPSec in
an Active Directory Environment





Place computer accounts with the same IPSec
requirements into the same OU or OU structure.
Know the processing order for Group Policies and
local computer policies.
Assign the default Client (Respond Only) policy either in
the Default Domain Policy (every domain computer can
respond to IPSec requests) or to a specific OU (only the
computers in that OU can), depending on how widely
IPSec should be enabled.
A computer can have only a single IPSec policy
assigned at any time.
Applying the Decision: Deploying IPSec in
a Domain Environment at Fabrikam

If Fabrikam deploys additional laptops



The best strategy is to place all the Windows 2000–based
laptops in a common OU.
Define a Group Policy object that applies the custom IPSec
policy.
Two options for the Washington office


Place the data collection server in a separate OU.
Have the Group Policy object applied with a filter so that
only the data collection server applies the Group Policy
object.
Automatically Deploying Computer
Certificates



IPSec gives two computers entering into an SA the
ability to authenticate with certificates.
Only domain controllers (DCs) acquire certificates by
default in a Windows 2000 network.
To use certificates for authentication


Manually configure each computer with the necessary
certificate
Or enable automatic certificate enrollment
Automatic Certificate Enrollment



Automatic certificate enrollment is configured within
Group Policy objects.
Apply the Group Policy object at the site, domain, or
OU.
A CA trusted by both computers in the SA must issue
the certificates.
Certificate Templates Available for
Enabling IPSec

IPSec

This is a single-use certificate template.
It allows only the computer associated with the certificate to
use IPSec.

Computer

This is a multipurpose certificate template that can also be
used for IPSec authentication.
Assign the computer certificate template to non-domain
controllers (DCs).

DC

This is a multipurpose certificate template that allows IPSec
authentication.
Assign the DC certificate template only to DCs.
Making the Decision: Designing
Certificate-Based Authentication for IPSec





Determine which certificate template to issue.
Ensure that a CA is configured to issue the certificate
template.
Ensure that all required computers have the Read
and Enroll permissions for the certificate template.
Configure a Group Policy object to perform the
automatic certificate request.
Distribute certificates to all client computers requiring
L2TP tunnel connectivity.
Applying the Decision: Designing
Certificate-Based Authentication for IPSec
at Fabrikam

If certificate-based authentication is used for the data
collection software IPSec solution, configure
automatic certificate requests.



Apply Group Policy at the OU containing the laptops and at
the OU containing the data collection server.
For the laptops, define the autoenrollment certificate request
to issue either IPSec or computer certificates.
An existing CA must be configured to issue the IPSec
certificates.
Troubleshooting Tools





Ping
IPSec Monitor (Ipsecmon.exe)
Netdiag
System Management Server (SMS) Network Monitor
Oakley logs
Making the Decision: Troubleshooting
IPSec Connection Problems
Applying the Decision: Troubleshooting
IPSec Connection Problems at Fabrikam





Temporarily configure the authentication mechanism to use a
preshared key and see if the connection succeeds; if it does,
the fault is in Kerberos or certificate authentication rather than
in the filters or security methods. Restore the intended
authentication method once the test is complete.
If the authentication continues to fail, run the IPSec
Monitor to see if an SA is established, and determine
if any errors are occurring during the session.
If no session is established, review the IPSec policy
assigned to each computer.
Run the System Management Server (SMS) Network
Monitor to ensure that Internet Security Association
and Key Management Protocol (ISAKMP) packets are
being received at each of the tunnel servers.
Enable the Oakley logs to record detailed information
about the ISAKMP process. On Windows 2000 the log is
turned on with the EnableLogging value under
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
and is written to %systemroot%\debug\oakley.log; it shows
which proposal each side offered and why a negotiation
was rejected.
Chapter Summary








IPSec design decisions
Describing IPSec communications
Planning IPSec protocols
Planning IPSec modes
Designing IPSec filters
Designing IPSec filter actions
Designing IPSec encryption and integrity algorithms
Designing IPSec authentication
Chapter Summary (Cont.)





Assessing preconfigured IPSec policies
Deploying IPSec policies in a workgroup environment
Deploying IPSec policies in a domain environment
Automatically deploying computer certificates
Troubleshooting IPSec problems