Securing - PowerPoint PPT Presentation

Slides: 52
Provided by: anned162
Transcript and Presenter's Notes

1
Chapter 10
  • Securing
  • Network Protocols

2
Learning Objectives
  • Describe the features and benefits of the IP
    Security protocol
  • Describe the two modes of operation for IP
    Security
      • Transport
      • Tunnel
  • Describe the IP Security authentication and
    architecture

continued
3
Learning Objectives
  • Configure IP Security for transport mode on a
    Windows 2000 server
  • Configure IP Security for tunnel mode on a
    Windows 2000 server
  • Customize IP Security policies and rules
  • Manage and monitor IP Security

4
IPSec Overview
  • An extension of the IP protocol that provides
    point-to-point encryption of data being sent
    between two computers on an IP-based network
  • Works at the Network layer
  • A framework of open standards developed by the
    IPSec working group of the Internet Engineering
    Task Force (IETF)
  • Any Windows 2000 computer may act as an IPSec
    client (initiates the IPSec connection) or an
    IPSec server (receives it)

5
What IPSec Does
  • Two basic services
      • Authentication
      • Encryption and decryption
  • Often called an end-to-end security measure

6
Greatest Benefit of IPSec
  • Completely transparent to users, applications,
    and protocols above and below the Network layer

7
Additional Features of IPSec
  • Uses the Windows 2000 domain as a trust model
  • IPSec policies are assigned centrally through the
    Active Directory Group Policy feature
  • All packets are encrypted using time-specific
    information
  • Long key lengths and dynamic changes of keying
    are used during ongoing communications

continued
8
Additional Features of IPSec
  • Private network users can connect using secure
    end-to-end links with any trusted domain in the
    enterprise
  • Remote users and private network users can
    connect using secure end-to-end links based on IP
    addresses

9
Modes of Operation
  • Transport mode
  • Tunnel mode

10
Transport Mode
  • Two computers configured to use IPSec create a
    security association between themselves and carry
    out secure communication

11
Tunnel Mode
  • Two communicating computers do not use IPSec
    themselves
  • An IPSec connection is created between two
    routers that connect two networks over a transit
    internetwork
  • The gateways connecting each client's LAN to the
    transit network create a virtual tunnel that uses
    the IPSec protocol to secure all communication
    that passes through it

12
IPSec Authentication
  • Kerberos
      • Default authentication system used by Windows
        2000
      • An open standard, widely supported by other OSs
  • Certificates
      • Provided by a certificate authority
  • Pre-shared keys
      • Passwords entered into each computer
      • As long as both computers are configured with the
        same pre-shared key, they trust one another

13
IPSec Architecture
  • IPSec components
      • IPSec policy agent service
      • ISAKMP/Oakley Service
      • IPSec driver
  • IPSec process

14
IPSec Components
  • IPSec policy agent service
      • Retrieves the computer's assigned IPSec policy
        from the Active Directory
  • ISAKMP/Oakley Service
      • Creates security association between
        communicating computers
      • Generates keys used to encrypt/decrypt data sent
        over the IPSec connection

continued
15
IPSec Components
  • IPSec driver
      • Encrypts and decrypts data using keys prepared by
        the ISAKMP/Oakley Service
      • Sends data between computers

16
IPSec Process
  • An application on one computer (Host 1) sends
    data to another computer (Host 2)
  • Data passes down through networking layers of
    Host 1, where it is fragmented and shaped into
    packets to send over the network
  • When the data reaches the networking level and is
    ready for routing by the Internet Protocol, the
    IPSec driver for Host 1 notifies the ISAKMP/
    Oakley Service that an IPSec connection is needed

continued
17
IPSec Process
  • ISAKMP/Oakley Services on both computers
    establish a security association and generate a
    shared key
  • ISAKMP/Oakley Services on both computers transfer
    the shared key to the IPSec drivers on those
    hosts
  • The IPSec driver on Host 1 uses the key to
    encrypt the data and then sends the data to Host 2

continued
18
IPSec Process
  • The IPSec driver on Host 2 receives the data and
    uses the shared key to decrypt it
  • The IPSec driver passes the data up to the next
    networking layer
  • When the data works its way up to the top layer,
    the application on Host 2 receives the data and
    never knows it was encrypted

19
Installing IPSec
  • Installed by default on any Windows 2000 computer
  • To enable it
      • Create an MMC console using the IP Security
        Management snap-in
      • Assign policies to be used

20
Configuring IPSec
  • Main tasks
      • Create a new policy (a set of rules that governs
        a connection)
      • Manage the list of filters and filter actions
        available for use in the rules you create for
        policies
  • Other tasks
      • Check policy integrity
      • Restore default policies
      • Import/export policies for use in other IPSec
        snap-ins

21
Configuring IPSec
22
Configuring IPSec
23
Creating a New Policy
  • A wizard-based process
  • Right-click IP Security Policies on Local Machine
    object
  • Choose New IP Security Policy from the shortcut
    menu
  • Decide whether to enable the default response
    rule for the policy
  • Unless you customize the default rule, it is
    probably best not to enable it

24
Creating a New Policy
25
Creating a New Policy
  • If you do enable the default rule, the wizard
    asks you to configure an authentication method
    for the rule

26
Creating a New Policy
27
Configuring a Policy
  • A policy holds two property pages
      • General
      • Rules

28
General Properties
  • Change name of the policy and the description

29
General Properties
  • Advanced button opens Key Exchange Settings
    dialog box
      • Control how often the policy requires
        communicating computers to regenerate new keys
      • Methods button displays a list of security
        methods used to exchange keys
      • Master key Perfect Forward Secrecy option
          • Prohibit reuse of keying material or keys

30
General Properties
31
Rules Properties
32
Rules Page Entries
  • Check box to left of the rule
      • Specifies whether the rule is turned on or off
  • Filter List
      • Defines connections to which a particular rule
        applies
  • Filter Action
      • Action taken for any connection that makes the
        match
  • Authentication Method
  • Tunnel Setting
  • Connection Type

33
IP Filter List Properties
34
Filter Action Properties
35
Authentication Methods
36
Tunnel Setting Properties
  • Specify whether or not a connection is tunneled
    on a per-rule basis

37
Tunnel Setting Properties
  • To construct a tunnel, you need two tunnel rules
    at each end of the tunnel, with appropriate
    filter lists and filter actions
      • Configure an outgoing rule with a filter list
        that specifies the other end of the tunnel as the
        tunnel endpoint
      • Configure the incoming rule with a filter for
        incoming traffic from any subnet at the remote
        end of the tunnel
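As an added example (not from the presentation), the same tunnel construction expressed with the NetSecurity PowerShell module found on Windows 8 / Server 2012 and later, which replaced the Windows 2000 snap-in. Gateway names, subnets and endpoint addresses are assumptions; because these rules cover both directions, one rule per gateway replaces the slide's separate incoming and outgoing rules.

```powershell
# Added example, not part of the presentation. Assumed topology:
#   Site A LAN 10.1.0.0/16 behind gateway GW-A (public endpoint 203.0.113.10)
#   Site B LAN 10.2.0.0/16 behind gateway GW-B (public endpoint 198.51.100.20)
# Mapping to the slides: the subnets are the filter list, -Mode Tunnel plus the
# two endpoint parameters are the tunnel setting, and Require/Require is the
# "require security" filter action. Each gateway treats itself as the local end.

# Machine Kerberos authentication (slide 12). Run this on both gateways.
$auth = New-NetIPsecPhase1AuthSet -DisplayName "Tunnel Kerberos auth" `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)

# --- run on GW-A ---
New-NetIPsecRule -DisplayName "Tunnel A to B" -Mode Tunnel `
    -LocalAddress 10.1.0.0/16 -RemoteAddress 10.2.0.0/16 `
    -LocalTunnelEndpoint 203.0.113.10 -RemoteTunnelEndpoint 198.51.100.20 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $auth.Name

# --- run on GW-B (local and remote roles swapped) ---
New-NetIPsecRule -DisplayName "Tunnel B to A" -Mode Tunnel `
    -LocalAddress 10.2.0.0/16 -RemoteAddress 10.1.0.0/16 `
    -LocalTunnelEndpoint 198.51.100.20 -RemoteTunnelEndpoint 203.0.113.10 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $auth.Name
```

If the two rules' subnets or endpoints do not mirror each other exactly, main mode negotiation fails and the traffic is simply dropped under Require, so check both sides before troubleshooting elsewhere.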

38
Connection Type Properties
  • Specify the kind of connection to which the rule
    applies
      • LANs only
      • Remote access connections only
      • All network connections (both LAN and remote
        access)

39
Managing Filter Lists and Actions
  • Right-click the IP Security Policies on Local
    Machine object
  • Choose the Manage IP Filter Lists and Filter
    Actions command from the shortcut menu to open a
    dialog box with two pages
      • Manage IP Filter Lists
          • To match a connection
      • Manage Filter Actions
          • To define what happens when a match is made

40
Managing IP Filter Lists
  • Used to manage filter lists available to all
    policies
  • Filter Properties
      • Description page
      • Addressing page
      • Protocol page

41
Managing IP Filter Lists
42
Addressing Properties
  • Specify source and destination addresses you want
    the filter to match
  • Mirrored option makes a filter reciprocal

43
Protocol Properties
  • Match traffic being sent or received on a
    particular port or protocol

44
Managing Filter Actions
  • Defines actions available to policies
  • Three actions by default
      • Permit the connection
      • Request security before allowing the connection
      • Require security before allowing the connection

45
Managing Filter Actions
  • General page
      • Name the action
      • Describe the action
  • Security Methods page
      • Options the action can perform when a connection
        matches a filter list
          • Permit the connection with no further
            intervention
          • Block the connection altogether
          • Negotiate security for the connection

46
Managing Filter Actions
  • Negotiate Security controls
      • Security Method preference order list
      • Accept unsecured communication, but always
        respond using IPSec
      • Allow unsecured communication with
        non-IPSec-aware computers
      • Session key Perfect Forward Secrecy
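As an added example (not from the presentation), here is how the policy elements of slides 29 through 46 (key exchange settings and master key PFS, the authentication method, a filter list, a filter action, the connection type, and session key PFS) come together in one transport mode rule using the NetSecurity PowerShell module on Windows 8 / Server 2012 and later. The mapping from the Windows 2000 dialog boxes to cmdlet parameters is my own reading; display names, the subnet and the port are made up.

```powershell
# Added example, not part of the presentation. Assumes Windows 8 / Server 2012
# or later (NetSecurity module); display names, subnet and port are made up.

# Authentication method (slide 12): Kerberos machine authentication.
$auth = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos machine auth" `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)

# Key Exchange Settings (slide 29): main mode algorithms and how often the
# master key is regenerated. A session lifetime of 1 forces a new main mode key
# for every quick mode negotiation, which is what the slides call master key PFS.
$mmProp = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet  = New-NetIPsecMainModeCryptoSet -DisplayName "MM AES256 SHA256 DH14" `
    -Proposal $mmProp -MaxMinutes 480 -MaxSessions 1
New-NetIPsecMainModeRule -DisplayName "Main mode defaults" `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $auth.Name

# Security method and session key PFS (slides 45-46): ESP with AES-256 and
# SHA-256, plus a fresh Diffie-Hellman exchange for every session key.
$qmProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA256 -MaxMinutes 60
$qmSet  = New-NetIPsecQuickModeCryptoSet -DisplayName "QM ESP AES256 SHA256 PFS" `
    -Proposal $qmProp -PerfectForwardSecrecyGroup DH14

# The rule (slide 32) = filter list + filter action + connection type.
#   -Protocol / -LocalPort          : Protocol page (slide 43)
#   -LocalAddress / -RemoteAddress  : Addressing page (slide 42); these rules
#                                     match both directions, so no Mirrored box
#   -InterfaceType Wired            : roughly "LANs only" (slide 38)
#   -InboundSecurity Require        : "Require security" for traffic we receive
#   -OutboundSecurity Request       : "Request security": negotiate IPsec, but
#                                     still talk to a non-IPsec-aware peer
New-NetIPsecRule -DisplayName "Protect SMB on the LAN" -Mode Transport `
    -Protocol TCP -LocalPort 445 -LocalAddress Any -RemoteAddress 10.0.0.0/8 `
    -InterfaceType Wired -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -QuickModeCryptoSet $qmSet.Name
```

Note that Request on the outbound side is the fallback-to-clear behaviour of slide 46; if every peer in 10.0.0.0/8 is IPsec capable, change it to Require so that a downgraded connection is refused rather than silently sent unprotected.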

47
Applying Policies to the Active Directory
  • Mostly the same process as applying policies to a
    local computer
      • Configure the IPSec snap-in to configure default
        policies for a domain (local or remote trusted)
      • Define policies, rules, authentications, filter
        lists, and filter actions
  • The difference
      • Use the Group Policies snap-in to attach the
        policy to a domain or organizational unit within
        Active Directory

48
Basic Rules of Group Policy Management
  • A policy applied at the domain level always
    overrides a policy applied at local computer
    level
  • A policy applied to an organizational unit
    overrides policies applied at the domain level
  • If a hierarchy of organizational units is
    configured, policies applied at lower levels in
    the hierarchy override policies applied at higher
    levels
  • If you assign an IPSec policy and then delete the
    Group Policy object that created the policy, the
    policy remains in effect

49
Managing and Monitoring IPSec
  • Use the shortcut menu to
      • Assign and unassign a policy
      • Check Policy Integrity command
      • Restore Default Policies command
      • Import and Export Policies commands
  • Use the IPSec Monitor to
      • View the active security associations on local
        and remote computers
      • Display configured and active connections and a
        number of IPSec statistics
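As an added example (not from the presentation), the monitoring checks above as they are done with the NetSecurity module on Windows 8 / Server 2012 and later: which rules are in force, which ones came from a domain GPO (slide 47), and the active security associations the IPSec Monitor would show. The GPO name is a placeholder and the selected property names are taken from the module's documented output.

```powershell
# Added example, not part of the presentation. Assumes the NetSecurity module
# (Windows 8 / Server 2012 and later); the GPO name is a placeholder.

# Effective IPsec rules on this machine, local and domain-delivered combined.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity

# Rules defined in a domain GPO (slide 47); the "Domain\GPO name" store form
# reads the policy object itself rather than the local copy.
Get-NetIPsecRule -PolicyStore "corp.example\IPsec Policy GPO" |
    Select-Object DisplayName, Enabled, Mode

# Quick audit: any rule that permits traffic without asking for IPsec at all
# (the "Permit" filter action) deserves a second look.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object { $_.InboundSecurity -eq "None" -and $_.OutboundSecurity -eq "None" }

# Active security associations (the IPSec Monitor view): peers, identities,
# and negotiated algorithms for main mode; endpoints for quick mode.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId,
                  CipherAlgorithm, HashAlgorithm, LifetimeSeconds
Get-NetIPsecQuickModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint
```

An empty main mode list while the rule is Enabled usually means authentication failed rather than that the filter did not match; the security event log on both ends gives the reason.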

50
Managing and Monitoring IPSec
51
Chapter Summary
  • Overview of benefits, features, and operations of
    IPSec
  • Installing IPSec
  • Configuring IPSec
  • Managing and monitoring IPSec