IPSec: Internet Protocol Security in Windows 2000

1
IPSec Internet Protocol Security in Windows 2000

• Sean Krulewitch
• University Information Technology Security Office
• Office of the Vice President for Information
  Technology

2
Agenda

• IPSec Overview
• Using IPSec to encrypt/authenticate network
  packets
• Using IPSec as a basic packet filtering firewall
• Windows 2000 IPSec components
• Configuration of IPSec
• IPSec Tools
• Demo IPSec Offload
• QA

3
IPSec Overview

• What is IPSec
• Why is IPSec necessary
• How is IPSec Implemented
• Packet filtering with IPSec

4
What is IPSec?

• The purpose of IPSec is to protect data as it is
  traveling between two nodes (i.e., computers) on
  the network. It protects the data through
  encryption, and digital signatures, thereby
  preventing the data from being modified and/or
  interpreted by anyone who might happen to
  intercept it on the network.

5
Key concepts of IPSec

• IETF set of standards for securing Internet
  traffic (RFC 2401, RFC 2402, RFC 2406, RFC 2409,
  and more!)
• Suite of protocols for authentication (of data
  origin), integrity, encryption and encapsulation
  of TCP/IP packets.
• IPSec lives at the Network layer and can protect
  both the payload as well as the header of the
  packet. Provides encryption on a per packet
  basis.
• Provides true end-to-end security between hosts.
• Services and applications do not need to be IPSec
  aware. i.e., no code changes are necessary.
  IPSec is transparent to applications and users.

6
Why is IPSec necessary?

• IP Protocols are not secure!
• Original protocols were never designed with
  strong security, rather they were designed to
  withstand network interruptions.
• Prevent snooping or sniffing of data on the wire.
• Prevent replay of packets.
• Prevent data from being modified or changed in
  transit.
• Ensure that the origin and nature of traffic is
  trusted and within security policy (i.e.,
  anti-spoofing)
• Thwart denial of service (DoS) and
  Man-in-the-middle attacks.

7
How is IPSec Implemented?

• IPSec is a collection of protocols.
• Internet Key Exchange (IKE) RFC 2409
• Internet Security Association Key Management
  Protocol (ISAKMP) RFC 2408
• Oakley Key determination protocol RFC 2412
• Authentication Header (AH) RFC 2402
• Encapsulation Security Payload (ESP) RFC 2406

8
Internet Key Exchange (IKE)

• A hybrid protocol that is used to negotiate
  Security Associations and provide the necessary
  key material in a protected manner.
• Security Association A set of keys and policies
  used to manage an instance of protected
  communication.
• Negotiations occur in two phases and each phase
  produces a different SA. For now remember that a
  Phase I negotiation will occur as the initial
  negotiation between two peers and Phase II
  negotiations will follow as needed from the
  initial Phase I negotiation.
• UDP port 500

9
Authentication Header (AH)

• Used when the packet needs to be authenticated
  and signed, but the data itself is not sensitive.
• Low overhead about 24 bytes added to the
  packet.
• IP Protocol 51

10
Diagram of AH Packet(Transport Mode)
TTL, TOS and other mutable fields excluded.
11
Diagram of AH Packet(Tunnel Mode)
Original IP Header
TCP Header
Data
Hash protects entire packet

Original IP Header
TCP Header
AH IPSec Header
Data
New IP Header
TTL, TOS and other mutable fields excluded.
12
Encapsulation Security Payload (ESP)

• Used when the packet must be authenticated,
  signed AND encrypted.
• Higher overhead about 32-36 bytes added to the
  packet.
• Processor intensive. Consider IPSec offload
  cards for high bandwidth systems that require
  IPSec.
• IP Protocol 50

13
Diagram of ESP Packet(Transport Mode)
Original IP Header
TCP Header
Data
14
Diagram of ESP Packet(Tunnel Mode)
Original IP Header
TCP Header
Data
Original IP Header
TCP Header
ESP Header
Data
ESP Trailer
ESP Auth
New IP Header
Encrypted
Integrity Hash
15
Packet Filtering with IPSec

• Although mainly designed for encryption and
  authentication, the IPSec standard provides for a
  very capable static packet filtering mechanism.
• Hosts on the internal network with live IP
  addresses can be protected from outside attacks.
• Key ports to block TCP/UDP 137 UDP 138 TCP
  139 TCP/UDP 445, etc.

16
Windows 2000 IPSec components

• IPSec Policy Agent polls policies from the
  directory service for use with the IPSec driver
  and negotiations of security associations (SA)
• IPSec Driver responsible for monitoring,
  filtering and securing packets
• ISAKMP/Oakley Security Association negotiator
  Manages security negotiations between nodes and
  exchanges keys for use with crypto/hashing
  functions
• IPSec Policy Objects and SA database
• Security Association API provides a programming
  interface between above components
• Management tools for logging, troubleshooting and
  creating IPSec policies, events and metrics

17
Enabling IPSec
18
IP Security Policy Management
19
Creating IPSec Policy Objects
20
IPSec Negotiations
Rules Tab Phase II
General Tab Phase I
Main or Aggressive Mode
Quick Mode
21
Main Mode Phase I
Note PFS offers better security but results in
a slower key refresh.
Use minutes rather than sessions and tune to
100MB per key.
Mutual authentication of peers and initial key
exchange occur in Phase I
22
Key Exchange Security Methods

• For high security always use
• PFS
• 3DES
• SHA1
• DH Medium(2)

23
IP Security Rules
A single IPSec policy can have many rules.
A rule can have a single active IP Filter list
24
Filter Lists
A filter list can be made up of many individual
filters or selectors.
25
Filter Actions
When a selector is triggered, the packet can be
passed, blocked, or secured.
26
Quick Mode Phase II
If the packet is being secured, then a Phase II
SA is negotiated. In Phase II, the peers
negotiate the type of encryption/signing theyll
support as well as a session key to protect
future communications.
27
Windows 2000 IPSec Tools

• IP Security Management MMC Snap-in
• Network Monitor Window 2000 version updated to
  parse IPSec packets
• netdiag.exe Network Connectivity Tester
• ipsecpol.exe IPSEC Policy Configuration Tool
• ipsecmon.exe
• netsh.exe

28
Netdiag.exe Network Connectivity Tester
Output of netdiag /testipsec /v Netdiag
/testipsec /debug gives reports more detail.
29
ipsecpol.exe IPSEC Policy Configuration Tool
30
IPSECMON.EXE
31
NETSH.EXE
32
Demo
33
Q A