In this section I will be looking at IPsec. IPsec is used to authenticate and encrypt data. This provides privacy for your connections and also confirms that you are communicating with the correct party.

In this video I will first look at what IPsec is. With security becoming so important nowadays, IPsec is an important protocol to understand. Next I will look at the improvements to IPsec that Windows Server 2008 offers over earlier editions of Windows. Then I will look at what a security association is; a security association is essentially the set of settings IPsec will use. After that I will look at the protocols used in IPsec. A few different protocols make up IPsec, and it is important to understand what each of them does. IPsec also has two different modes that it runs in, and when troubleshooting IPsec it is important to understand how these modes operate.

Next I will look at types of connections. Windows allows you to create a number of different connection types depending on your needs. IPsec for Windows also supports a number of different authentication methods. In a Windows environment you should be able to accept the defaults, but if you are connecting to IPsec devices on the network you may need to fine-tune these settings. Lastly I will look at deploying IPsec on your network using Group Policy. Using Group Policy lets you set up all the computers on your network quickly rather than having to configure each one individually.
Originally IP version 4 had no security built into it. Back in those days there was not as much emphasis on security as there is today. IPsec was developed to provide security for internet communications. IPsec stands for Internet Protocol Security and is a suite of protocols designed for securing IP communications. IPsec was an add-on to IP version 4, but with IP version 6 it has been included as a native part of the protocol. Using IPsec you can protect communication between your clients and your server, between servers and other servers, and finally network to network.

The aim is to provide reliable, secure communication. IPsec does this by providing authentication, that is, being able to prove each party is who they say they are. This stops a hacker from impersonating a server in order to get information from you such as your username and password. Authentication also allows a server to confirm that the client is a real client and not a hacker.

IPsec prevents eavesdropping, which is a third party listening in on your communication. With IPsec the information is encrypted, which makes it impossible for a hacker to use the data. One form of attack a hacker may use is recording your communication and then playing it back at a later date. This is called a replay attack. If a hacker was able to record the initial authentication sequence at the start of a communication, they could replay this message and add their own data. With IPsec replay attacks are impossible. Even if you send the same data in a different session, the communication sequence used by IPsec will be completely different and only valid in that session.

This also applies to data tampering. Data tampering is when data is added, removed or changed in a communication stream. IPsec can detect if the data stream has been altered in any way and thus prevent data tampering attacks.
With Windows Server 2008 there have been a lot of improvements to IPsec. First, IPsec has now been integrated with the Windows Firewall. Integrating IPsec with the Windows Firewall makes IPsec a lot easier to configure. To understand why, consider this. Your computer is on a network and has its firewall up and running. A virus attempts to connect to your computer. The virus is blocked by your firewall, which prevents your computer from getting infected. You later make an IPsec connection to a remote network to access a server. The port used by IPsec is allowed through the firewall.

The virus infects a computer on the remote network and then attempts to access your computer via the IPsec connection. Since the firewall has allowed the IPsec connection through, any data sent via IPsec is sent straight to your computer, bypassing the firewall. Your computer is now infected with the virus. The firewall was not able to stop the virus since the virus went over the same port as IPsec.

To solve this problem, IPsec is now integrated with the Windows Firewall. This means any data travelling over an IPsec connection still needs to pass through the Windows Firewall. The virus in this example would have been blocked when it attempted to go over the IPsec connection. Previously, configuring the Windows Firewall to work with IPsec was a very difficult task. Now that IPsec is integrated with the Windows Firewall it is very easy to configure IPsec connections that still allow or block any port you decide.

IPsec for Windows Server 2008 also comes with support for IP version 6. With Windows Server 2008 you can quickly and easily set up IPsec connections between computers using IP version 6.

Next, IPsec integrates with NAP. NAP, or Network Access Protection, is a system that makes sure your network is safe by performing health checks on computers. If a computer does not pass its health check, updates are installed on it until it is up to date. IPsec can now use NAP certificates to provide encryption and authentication.

If you are using a high availability solution, IPsec offers improvements to load balancing and clustering support. Lastly, IPsec has more encryption algorithms. This helps Windows connect to different devices on the network. Remember, IPsec is an open standard, so a lot of non-Microsoft devices on the market use IPsec.
When dealing with IPsec you may see the term security association, or SA, appear from time to time. An SA is simply a logical group of security parameters, for example the algorithms used. Windows will have certain algorithms enabled by default, but you can add more. You will find that if you are trying to connect to a device, for example a VPN device, that device will also support certain algorithms. The two devices negotiate with each other so they can agree on the algorithms to use. The SA will also contain the key sizes. Certain devices will support certain key sizes. Depending on your needs, you may want to adjust the key sizes. Larger key sizes give better encryption but also mean more CPU time is used for the communication. For two hosts to communicate they need to agree on a common SA. If your hosts can't agree on an SA, IPsec communication will not be successful.

There are a number of protocols used in IPsec to provide communication. The first is Internet Key Exchange, or IKE. IKE is used to transfer SA parameters between the hosts. It also handles negotiation of protocols between the two hosts and the generation of keys.

The next protocol is Authentication Header, or AH. The AH protocol can be used for host and client authentication. It also supports data integrity and prevents replay attacks. The big limitation of AH is that it does not support encryption, and thus it is possible for a third party to eavesdrop on the communication. AH also does not support NAT. If your communication needs to travel through a NAT device you will need to use Encapsulating Security Payload, or the ESP protocol. This protocol does the same as the AH protocol and also supports data encryption.

You may be thinking, why would you even bother with the AH protocol? Why not only use the ESP protocol? To understand why both protocols are used you need to understand a little bit more about how IPsec works. IPsec uses two modes in communication. The first is main mode. In order to make sure each party is who they say they are, and also to make sure that the communication cannot be decrypted, large keys and a strong algorithm should be used. These algorithms are time consuming and CPU intensive. Once both parties are verified, main mode is used to establish a secure connection between the two parties to help configure quick mode. Keys for quick mode can be transferred to each party using main mode. Since the setup of quick mode is secure, faster algorithms and smaller keys can be used. You will also notice that communication is performed in quick mode and not main mode. For this reason, AH is often used for main mode, if it is used at all. AH does not support encryption, but this is not a problem since communication is not performed in main mode, only authentication.

For quick mode ESP is often used. ESP provides encryption for your traffic. Thus main mode authenticates the two parties and transfers keys for quick mode. Quick mode is used to transfer data between the hosts using smaller keys and a weaker algorithm. Using this kind of system is a good compromise between performance and security. A lot of CPU is used to verify that the hosts are who they say they are and to transfer keys between the hosts. Once that is complete, less CPU is needed for the communication. For an attacker to decrypt the often weaker quick mode algorithm and key size, they would still need to break the strong main mode algorithm to gain access to the keys.

As you can see, using this method saves you a lot of CPU time as well as giving you good security. You may be thinking, could I use ESP for main mode, or AH for quick mode, or any combination in between? The answer is yes. AH is often used for main mode and ESP for quick mode, but these protocols can be applied to either mode. Just remember that if you do decide to use AH for quick mode, your communication will not be encrypted.

As you can see, there are a lot of things you need to know in order to understand IPsec. There are still some more details to go through, but before I do that I will perform a quick demo of how to create an IPsec connection between two computers. This will help you understand the fundamentals of IPsec a little better before I move on.
In this demo I am going to create an IPsec connection between two computers using the Windows Firewall with Advanced Security tool. With Windows Server 2008, IPsec has been embedded into the firewall to provide better security and make it easier to create IPsec connections. First of all I need to open Windows Firewall with Advanced Security from the Start menu. If I select the option Connection Security Rules, this section is used to configure IPsec. To create a new connection, right-click Connection Security Rules and select New Rule.

The first option requests the use of IPsec for inbound and outbound connections. If IPsec is not available then clear text communication will be used. The next option requires IPsec for inbound connections and requests IPsec for outbound connections. If IPsec is not available for the outbound connection then clear text is used, but inbound connections must use IPsec. The last option always requires that IPsec be used for inbound and outbound connections. In this case I will accept the default.

On the next screen you need to decide which type of authentication will be used. In this case I will use the default, which is Kerberos. On this screen you can select which firewall profiles this connection rule will apply to. For example, you may only want to use IPsec when connected to a public network. It would be best to use IPsec for all communications when possible, but in the real world this puts more load on your servers. If your servers cannot handle the extra workload, you may want to consider using IPsec for the high-risk profiles only. Lastly you need to enter a name for the connection. Press Finish and the new connection will be created. If I select Monitoring and then Connection Security Rules you can see the new rule that I have created.

To monitor more details about the connection, select Security Associations and expand it. Here you can see the sections Main Mode and Quick Mode. If I select Main Mode, you will notice at present there is nothing in here. This is because no IPsec connections have been created. I have a Windows 7 computer on the network configured to use IPsec. If I open a command prompt and ping the Windows 7 computer, you will notice that I don't receive a reply from the other computer. This is because the Windows 7 firewall is blocking the return ping. If I switch back to the admin tool you will notice that after I refresh the view I now have a connection under Main Mode. Even though I did not get a response back from the ping, sending the ping was enough to establish the connection.

Under older versions of Windows, if the ping command travelled over an IPsec connection you would have received a response back for the ping command even though the firewall may be set to block pings. This is the advantage of having IPsec integrated with the firewall: all traffic must still pass through the firewall and be subject to its rule list.

If I select the properties for the connection you will notice that I can get some information about the connection. This includes the encryption used and also the integrity algorithm used. Notice in this particular case there is no algorithm used for key exchange. Since Kerberos was used there is no need to use a key exchange algorithm. Remember that IPsec connections are in two phases, so if I now select Quick Mode you will also notice the second stage of the connection. If I select properties I can get some more information about the connection. You will notice that AH integrity is set to None and ESP integrity is set to SHA1. Remember ESP includes encryption, so it is a better choice for quick mode than AH, which is only authentication.

If you are having problems with your connections, check main mode and quick mode. This will help you troubleshoot problems, especially when connecting to other devices. It is not uncommon for main mode to connect but quick mode to fail. All it takes is the other device not supporting a particular algorithm and quick mode will fail. Checking these sections may give you a hint as to what the problem may be.

Windows supports a number of different IPsec connection rules. First there is isolation. This restricts connections based on authentication criteria. The criteria could be, for example, whether the computer is a member of the domain. If the authentication criteria are met, the IPsec connection is brought up. Using this rule you could isolate computers that are part of your domain from computers that are not part of your domain or are stand-alone.

The next rule is authentication exemption. This rule allows you to specify computers that are exempt from having to authenticate. Examples of computers that you may use this rule on are domain controllers and certificate authorities. To authenticate a connection, these servers may need to be accessed first. If you denied access to these kinds of servers it may be impossible for the IPsec connection to be created.

The next connection type is server to server. The main difference between this connection and the others is that you can enter your own endpoint or endpoints. As the name suggests, you could make a connection between two servers by entering the IP addresses of the servers. However, the rule also allows you to connect a subnet, a group of computers or a list of IP addresses. The last connection rule is tunnel. When you use this rule, tunnel mode is used for IPsec rather than transport mode. Transport mode will embed the IPsec packet in an IP packet.
The IP packet is then routed through the network like a normal packet. If you are having issues with your IPsec packets going through your network, you may need to use a tunnel.

Once you have decided which type of connection you are going to use, you will need to use some kind of authentication on the connection. Windows supports 4 different types of authentication for IPsec. First there is Kerberos. Kerberos works only on computers in the domain. For this reason you can set the connection to authenticate based on the computer, or the computer and the user. You can't authenticate based on just the username.

If you want to authenticate computers that are not part of your domain you may want to consider using certificates. All the target computer needs to do is trust the certificate authority that is issuing the certificates to make the IPsec connection. Certificates may also be issued by NAP in the form of health certificates. If the computer passes the NAP health test, it is issued a health certificate. The health certificate can then be used to access other computers on the network. Using health certificates you can prevent your computers from accessing the network until they meet the minimum health requirements, except for the servers they need to access to obtain the updates needed to meet the health checks.

The next authentication type is NTLM version 2. This is the system of authentication used by Windows before Kerberos. Kerberos relies on a trust relationship which is created when a computer is joined to a domain. If your computer is in a workgroup then you may need to use NTLM. You may also need to use NTLM if a firewall is blocking Kerberos. Finally, if all else fails, you can use a pre-shared key. A pre-shared key is a very weak method of authentication and is not recommended. In some cases you may need to use a pre-shared key, for example if you are accessing an old network device that only supports pre-shared keys.

To start configuring your computers you can configure them manually; however, on a large network you will want to use Group Policy. The IPsec settings for Group Policy can be found under Computer Configuration, Policies, Windows Settings and then Security Settings. There are two places you can set IPsec settings. The first is Windows Firewall with Advanced Security. You will find that Windows Firewall with Advanced Security is an easy way to set up IPsec connections in your domain, but it is not as powerful. To configure it, the same wizard is used as in the admin tool. You also have the option to use "IP Security Policies on Active Directory" if you want more options.

Using these Group Policy settings is a little more complex because you need to set up 3 different configurations before you can configure a connection. First you need to create a filter action. The filter action determines what will happen when the criteria are met. Next you need to create a filter list. The filter list determines which computers or devices this rule will apply to. Lastly you need to create a rule. The rule uses the filter list and the filter action to create an IPsec rule which is used to build your IPsec connections. Let's have a look at how to create a Group Policy for IPsec.
To set up a new Group Policy, run Group Policy Management from the Start menu under Administrative Tools. From Group Policy Management, expand down to the domain, right-click it and select Create a GPO in this domain, and Link it here. Once I give the Group Policy a name it will be created. I can now right-click on it and press Edit.

In this case I am going to create an IPsec connection through the Windows Firewall. To do this, I need to expand down to Windows Firewall with Advanced Security and then down further to Connection Security Rules. If I right-click Connection Security Rules I have the option to create a new rule. You will notice the same wizard appears as when I created the rule using the Windows Firewall admin tool.

On this screen you can enter which IP addresses you want this rule to apply to. In this particular case I will leave it on the default, which is all IP addresses. On this screen you can select which type of connection you would like to make. To show you all the available options I will select Custom. On the next screen I will set authentication to be required for all connections. Since I want to secure telnet, I want to make sure IPsec is always used.

On the next screen I can set what type of authentication I wish to use. In this case I will select Advanced and then press the Customize button to show you all the different options there are. On the advanced screen you can set up additional authentication methods which are normally not available. For example, if I select the Add button on the left-hand side you will notice I have a few options that were not available before. Kerberos was available in the wizard, but NTLM version 2 was not. Selecting this will use the NTLM challenge-response authentication protocol. This protocol was used before the Windows 2000 Kerberos authentication system was introduced. This protocol is weaker than Kerberos, but there are some scenarios in which you may want to use it, for example when one of the computers is not part of the domain. If you have a firewall between the computers, Kerberos may get blocked by the firewall. If you are unable to change the settings on the firewall, a workaround may be to use NTLM authentication.

The next option is certificates. If you have a certificate authority, or CA, on your network, you may want to consider using it to supply certificates for your IPsec connections. Certificates contain digital keys which are used by IPsec. If you are using NAP, you can select the option Only accept health certificates. If the computer passes all the tests that NAP requires, the computer will be allocated a health certificate which it can use for IPsec. If you select the option Enable certificate to account mapping, this means the certificate will be stored in Active Directory. Windows will retrieve the certificate from Active Directory and use it to make the IPsec connection.

The last option, Use a preshared key, allows you to enter your own passphrase for the connection. Both computers must have the same passphrase for the connection to work. This method is not recommended as it is the least secure of all the methods.

In this case I will select Kerberos, as all my computers are in a domain. If I accept this you will notice that if I press Add again I can enter another authentication method. In this case I will select NTLM. When main mode of the IPsec connection is being set up, authentication will be attempted with Kerberos and then, if that fails, NTLM will be used. Notice also I have the option First authentication is optional. If I select this, and both authentication methods listed fail, the connection will still be allowed. Ticking this option essentially allows you to have anonymous connections. In the second authentication method I can again add a single authentication method or more than one if I wish. Make sure you don't tick first and second authentication as optional for both. If you do this, authentication is effectively switched off.

Moving on to the next screen, I can set the protocol used. In this case I want to set the rule up for telnet, which is TCP and port number 23. On the next screen I can again set which firewall profile I want to use, and finally set the name for the connection.
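The connection security rule built in the demo and in the Group Policy wizard above, written as the netsh commands Windows Server 2008 ships with. This is an added example, not the video's own commands; it assumes an elevated prompt on the local computer (it writes the local firewall store, not the GPO), telnet on TCP port 23, and the Kerberos-then-NTLM main mode order shown above.

```powershell
# Added example: equivalent of the "Secure Telnet" connection security rule.
# Assumptions: elevated PowerShell on the local host, telnet listening on TCP 23.

# 1. Connection security rule: require IPsec inbound, request it outbound (the
#    wizard default), limited to TCP port 23. auth1 lists the main mode methods
#    in the order they are tried: computer Kerberos first, NTLMv2 as fallback.
#    qmsecmethods sets the quick mode proposal: ESP with SHA1 integrity and
#    AES-128 encryption. "ah:sha1" instead would give integrity only, no
#    encryption, which is the AH limitation discussed earlier.
netsh advfirewall consec add rule name="Secure Telnet" `
    endpoint1=any endpoint2=any `
    protocol=tcp port1=23 port2=any `
    action=requireinrequestout `
    auth1=computerkerb,computerntlm `
    qmsecmethods="esp:sha1-aes128" `
    profile=any enable=yes

# 2. Confirm the rule, then inspect the two phases the monitoring node shows.
netsh advfirewall consec show rule name="Secure Telnet"
netsh advfirewall monitor show mmsa   # main mode SAs: who authenticated to whom
netsh advfirewall monitor show qmsa   # quick mode SAs: AH/ESP algorithms in use

# 3. Remove the rule once testing is finished.
# netsh advfirewall consec delete rule name="Secure Telnet"
```

If main mode SAs appear but no quick mode SA does, compare the qmsecmethods proposal with what the peer supports, which is the mismatch the troubleshooting advice above describes.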
For a basic IPsec connection this works well, but if you want more options you will need to use IP Security Policies on Active Directory. Select IP Security Policies on Active Directory, right-click it and select Manage IP filter lists and filter actions. If I now select Manage Filter Actions, you will see the default filter actions that are configured. If you want to add your own actions, press the Add button. Once you have entered a name you can select the action behaviour. You can select Permit or Block for the action, or the option Negotiate security. If I select Negotiate security, on the next screen I can decide what to do if a secure connection cannot be established. The next screen determines the type of integrity and encryption used. The first option, Integrity and encryption, uses ESP to encrypt the data and for authentication. The second option uses the AH algorithm, which does not provide encryption. In this case I will use the first one since I want my traffic encrypted.

Once you have created your action, or if you are happy to use one of the default ones, select Manage IP Filter Lists. Press the Add button to add your own list. In this example I want to match only telnet traffic. Notice that I have the option Mirrored. This option will match packets going in both directions, allowing you to have two-way communication. On the next screen you can specify the source IP address. Notice in the pull-down list you have a lot of options, including DNS name, and you can even specify a subnet. In this case I will select Any IP Address. The destination IP address I will also leave as Any IP Address. For the protocol you will notice I have a big choice of protocols. In this particular case I will select TCP. On this screen I can enter a port number. In this case I want all connections that go to port 25, which is telnet, to be secured, so I will enter port 25 in the To port field. I have now created a filter in my filter list. I could add additional filters to the list if I wished.

Now that both the filter list and filter action have been created, I can create a policy. Right-click IP Security Policies on Active Directory and select Create IP Security Policy. Once you enter a name for the new policy you will be taken to a legacy screen. If you have old clients like Windows 2003 and Windows XP, you will need to tick this option. This option will allow Windows to respond to the client's security request if no other rule matches. The next screen is similar to the advanced firewall wizard's authentication options. You can again select Kerberos, certificates or a pre-shared key. I will just accept the default, Kerberos. Once I press Finish I will have the option to edit the properties. You will notice only the default response rule for older editions of Windows is present. If I press Add, I can now add the filter list and action that I created earlier. The first option allows you to set up a tunnel. In this particular case I don't need a tunnel so I will not enable it. On the next screen I can select which network connections I want to use. By default it will apply to all network connections, which in this case is what I want. On the filter list screen you can see the telnet filter that I created earlier. On the next screen I can select the action, which is the action I created earlier, which requires security for all connections. Once again I can set the authentication options; I will leave it on the default of Kerberos. Once I press Finish the new policy is created. This will require all telnet connections to use IPsec. Telnet uses clear text usernames and passwords; having this policy enabled will ensure that data is encrypted when it is transferred over the network.

IP Security Policies on Active Directory is harder to set up than Windows Firewall with Advanced Security, but it does allow you to customize the connection more than the Windows Firewall connection wizard allows.
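The same three objects the snap-in walkthrough above creates (filter action, filter list, then the rule and policy) as netsh ipsec static commands. This is an added example rather than anything from the video; it assumes an elevated prompt, that the local policy store is the target (the snap-in above writes the same kind of objects to Active Directory), and telnet on TCP 23, the port the connection security rule earlier used.

```powershell
# Added example: IP Security Policy for telnet built from the command line.
# Assumptions: elevated PowerShell, local policy store, telnet on TCP 23.

# 1. Filter action: negotiate IPsec using ESP with 3DES encryption and SHA1
#    integrity ("integrity and encryption" in the wizard). soft=no refuses to
#    fall back to clear text; inpass=no refuses unsecured inbound traffic.
netsh ipsec static add filteraction name="Require ESP" `
    action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

# 2. Filter list with one mirrored filter so both directions of a telnet
#    session (any source, any destination, TCP to port 23) are matched.
netsh ipsec static add filterlist name="Telnet traffic"
netsh ipsec static add filter filterlist="Telnet traffic" `
    srcaddr=any dstaddr=any protocol=TCP srcport=0 dstport=23 mirrored=yes

# 3. Policy plus the rule that ties the list and action together. kerberos=yes
#    is the same authentication default the wizard offered; the default response
#    rule for older clients is left enabled, as in the legacy screen.
netsh ipsec static add policy name="Secure Telnet" activatedefaultrule=yes
netsh ipsec static add rule name="Telnet rule" policy="Secure Telnet" `
    filterlist="Telnet traffic" filteraction="Require ESP" kerberos=yes

# 4. Only one IPsec policy is assigned at a time; assign this one and review it.
netsh ipsec static set policy name="Secure Telnet" assign=yes
netsh ipsec static show policy name="Secure Telnet" level=verbose
```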
If you decide to use IPsec, or when you are studying for your exam, remember that AH provides integrity and authentication, while ESP provides integrity, authentication and encryption. Your needs will determine which protocol you choose. If you have used IPsec in previous editions of Windows, you will find that now that it is integrated with the Windows Firewall it is a lot easier to administer and set up than ever before.