70 293 MCSE Guide to Planning a Microsoft
- Slides: 51
70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
Objectives • Describe IP Security issues and how the IPSec protocol addresses them • Choose the appropriate IPSec mode for a given situation • Implement authentication for IPSec • Enable IPSec • Create IPSec policies • Monitor and troubleshoot IPSec 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 2
Why IPSec Is Important • IPSec provides security for IP-based networks • Authenticate both computers engaged in a conversation • Use digital signatures to verify that data has not been tampered with while in transit • Encrypt data while in transit 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 3
How Hackers Work • IPv 4 has no built-in security mechanisms to protect the communication between two hosts • Hackers can corrupt or eavesdrop on communications • • Packet sniffing Data replay Data modification Address spoofing 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 4
Authentication, Encryption, and Digital Signatures • IPSec authenticates the endpoints of any IP-based conversation using IPSec • Each participant must be known and trusted • Encryption can be used by IPSec to hide the contents of data packets • Digital signatures on each packet in a conversation ensure that a packet has not been modified 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 5
Advantages of IPSec • IPSec exists at the network layer of the TCP/IP architecture so most applications are unaware of it • IPSec is a valuable addition to a network when data integrity or confidentiality are required • IPSec is widely used by many vendors • It is a standards protocol 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 6
Disadvantages of IPSec • Pre-Windows 2000 operating systems from Microsoft do not support the IPSec • IPSec can significantly slow network communication • Only latest versions of IPSec can be routed through NAT, which is a serious limitation for remote users • IPSec adds complexity to a network 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 7
Disadvantages of IPSec (continued) 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 8
IPSec Modes • The modes of operation define whether communication is secured between two hosts or two networks, and which IPSec services are used • When implementing IPSec, you must choose tunnel mode or transport mode • Must choose AH mode or ESP mode 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 9
AH Mode • Use AH mode when you are concerned about packets being captured with a packet sniffer and replayed • Authentication Headers (AH) mode enforces authentication of the two IPSec clients and includes a digital signature on each packet • Authenticates the two endpoints and adds a checksum • Checksum guarantees that the packet is not modified in transit, including the IP headers • AH mode does not provide data confidentiality, however; the payload of the packet is unencrypted 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 10
ESP Mode • Most implementations of IPSec use ESP mode because data encryption is desired • The ESP mode authenticates the two endpoints, adds a checksum, and encrypts the data in the packet • Authentication performs the same function as in AH mode • Checksum guarantees that the packet was not modified in transit, excluding the IP headers • Encryption ensures that unintended recipients cannot read the data in the packet 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 11
Transport Mode • IPSec in transport mode is used between two hosts • Both endpoints in the communication must support IPSec • This limits the implementation of IPSec because many devices, such as printers, rarely offer IPSec support 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 12
Transport Mode (continued) 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 13
Transport Mode (continued) 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 14
Tunnel Mode • IPSec in tunnel mode is used between two routers • The two hosts communicating through the routers do not need to support IPSec • Authentication takes place between the two routers when using IPSec in tunnel mode • Less secure because a hacker could place an unauthorized computer on a trusted network 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 15
Tunnel Mode (continued) 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 16
Tunnel Mode (continued) 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 17
IPSec Authentication • Endpoints of an IPSec are authenticated • Internet Key Exchange is the process used by two IPSec computers or routers to negotiate the following security parameters • • • Method of authentication AH or ESP mode Transport or tunnel mode Encryption and hashing algorithms Parameters for key exchange 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 18
IPSec Authentication (continued) • Security association (SA): when security parameters have been agreed upon • Three methods Windows Server 2003 uses to authenticate IPSec connections: • Preshared key • Certificates • Kerberos 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 19
Preshared Key • A preshared key is a combination of characters entered at each endpoint of the IPSec connection • Authentication is based on both endpoints knowing the same secret • The major advantage is simplicity • The major disadvantage is the movement of the preshared key when configuring the two devices 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 20
Certificates • Certificates may be presented for authentication • If the two certificates are part of the same hierarchy, each IPSec device accepts the certificate of the other • The main disadvantage of using third-party certificates is cost 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 21
Kerberos • Kerberos is the authentication system used by Windows 2000/XP/Server 2003 for access to network resources • Seamless integration with domain security • Not a commonly supported authentication system for IPSec on non-Microsoft products such as routers • Not appropriate for Windows computers that are not part of the Active Directory forest 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 22
Enabling IPSec • IPSec is enabled on Windows Server 2003 using IPSec policies • An IPSec policy must be in place to use IPSec • The three policies installed by default • Server (Request Security) • Client (Respond Only) • Secure Server (Require Security) 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 23
Assigning a Default IPSec Policy • • A single server can have many IPSec policies No policy is used until it is assigned One policy can be assigned at a time per machine The Local Security Policy snap-in can assign an IPSec policy on a single computer • Group Policy can assign an IPSec policy to a group of computers 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 24
Activity 10 -1: Assigning an IPSec Policy • The purpose of this activity is to assign an IPSec policy to enable encryption of data packet 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 25
Activity 10 -2: Verifying an IPSec Security Association • The purpose of this activity is to verify that the IPSec policy you have enabled is working 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 26
Creating Your Own IPSec Security Policy • An IPSec rule controls how IPSec is implemented and each rule is composed of: • • • An IP filter list An IPSec filter action Authentication methods A tunnel endpoint A connection type • An IP filter list is a list of protocols that will be affected by the rule 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 27
Creating Your Own IPSec Security Policy (continued) • An IPSec filter action is what will be done to the protocols defined in the filter list • Authentication methods are the protocols that can be used for authentication if IPSec is rule-based • The tunnel endpoint is the remote host IPSec is being performed with when tunnel mode is used • The connection type defines the type of connections to which this rule applies 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 28
Activity 10 -3: Creating an IPSec Policy • The purpose of this activity is to create a new IPSec policy that is more flexible than the default policies 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 29
Adding and Creating Rules • After creating an IPSec policy, edit it to add rules that define how different types of IP traffic are handled • After selecting an IP filter list, select an action to be performed on the packets that match the IP filter list • The three filter actions that exist by default are • Permit • Request security • Require security 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 30
Activity 10 -4: Creating a New IPSec Filter Rule • The purpose of this activity is to add a new IPSec filter rule that allows ICMP traffic to pass through unmodified 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 31
IPSec Filter Lists • When a new IP filter list is created • Give it a name • Have the option of giving it a description • Add IP filters that make up the list and specify the traffic to which this list applies 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 32
Activity 10 -5: Creating an IPSec Filter List • The purpose of this activity is to create a new IPSec filter list for all FTP traffic 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 33
Filter Actions • Filter actions define what is done to traffic that matches an IP filter list: • Permit • Request Security (Optional) • Require Security • Filter actions define a number of security parameters, including the type of encryption • In highly secure situations, you may want to modify these or create your own 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 34
Cryptography Algorithms • Two algorithms for AH and ESP data integrity • Secure Hash Algorithm (SHA 1) • Message Digest 5 (MD 5) • Two algorithms for ESP data encryption • Data encryption standard (DES) • Triple data encryption standard (3 DES) 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 35
Activity 10 -6: Creating a Filter Action • The purpose of this activity is to create a new filter action that enforces encryption 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 36
Activity 10 -7: Adding a Customized Filter List and Filter Action • The purpose of this activity is to edit your FTP filter and add a rule using the customized filter list and filter action you have created 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 37
Troubleshooting IPSec • IPSec troubleshooting deals with • General network issues • IPSec-specific configuration settings • Group policy settings 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 38
Troubleshooting IPSec (continued) • Most common IPSec troubleshooting tools/utilities • • Ping IPSec Security Monitor Event Viewer Resultant Set of Policy Netsh Oakley logs Network Monitor 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 39
Ping • Tests network connectivity between two hosts • The default IPSec policies permit ICMP packets and do not interfere with ping • Does not test IPSec specifically, but can confirm that two hosts can communicate • If they cannot communicate, they are not able to create an IPSec SA 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 40
IPSec Security Monitor • MMC snap-in that allows you to view the status of IPSec SAs • Can confirm that an SA was negotiated between two hosts • Can be used to view the configuration of the IPSec policy that is applied 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 41
Event Viewer • Event Viewer can be used to view the events that the IPSec Policy Agent writes to the event log • Events show the configuration settings that IPSec is using and events generated during the creation of SAs • Events are only written to the log if the Audit logon events option is enabled in the local security policy or Group Policy 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 42
Resultant Set of Policy Snap-in • If you try to distribute and apply IPSec policies through Group Policy, and they are not functioning as you expect, you can use the Resultant Set of Policy (RSo. P) snap-in • Allows you to • View which policies apply • Simulate the application of new policies to test their results 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 43
Netsh • The Netsh utility allows you to configure networkrelated settings: • • Bridging DHCP Diagnostics IP configuration remote access Routing WINS Remote procedure calls 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 44
Netsh (continued) • IPSec configuration can also be modified using Netsh • Some IPSec management tasks that can be performed with Netsh: • Viewing policies • Adding policies • Deleting policies 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 45
Oakley Logs • Oakley logs track the establishment of SAs • This logging is not enabled by default 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 46
Network Monitor • Network Monitor can be used to view packets that are traveling on the network and to identify IPSec traffic • Cannot view encrypted information inside an IPSec packet • Useful for determining whether packets are being properly transmitted between computers • Not useful for troubleshooting application level problems if the traffic is encrypted 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 47
Activity 10 -8: Disabling IPSec • The purpose of this activity is to disable IPSec policies that have been applied 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 48
Summary • IPv 4 has no built-in security mechanisms and uses IPSec to make communication secure • IPSec AH mode does not perform data encryption, but can authenticate and guarantee data integrity • IPSec ESP mode can perform data encryption, authentication, and guarantees data integrity for the data portion of the packet, but not the IP headers 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 49
Summary (continued) • Transport mode is used between two hosts • Tunnel mode is used between two routers • The Windows Server 2003 implementation can perform authentication using a preshared key, certificates, or Kerberos • IPSec policies contain rules that control • Authentication • Which traffic is affected and what is done to the affected traffic • Type of connections affected • Whether this computer is a tunnel endpoint 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 50
Summary (continued) • Filter actions define what is done to traffic that matches an IP filter list • SHA 1 and MD 5 are used for AH and ESP data integrity • DES and 3 DES are used for ESP data encryption • IPSec troubleshooting covers general network issues, IPSec-specific configuration settings, and group policy settings 70 -293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 51
- Mcse wiki
- Mcse mobility
- Mcse windows 7
- Mcse exchange server
- Mcp mcse
- Plus gros camion benne du monde
- In un rifugio di alta montagna il 31 marzo 2012
- Compartiment c voiture 293
- Thomson
- Diqqətinizə görə təşəkkürlər
- 293 efektif vaziyeti
- Planner quick start guide
- Microsoft dynamics nav 2009 installation guide
- Teams quick start guide
- Microsoft teams meeting quick start guide
- Microsoft official academic course microsoft word 2016
- Microsoft official academic course microsoft excel 2016
- Microsoft windows startwarren theverge
- Microsoft excel merupakan program pengolah
- Microsoft official academic course microsoft word 2016
- Jenks course planning guide
- Intune deployment project plan
- Supports the incident action planning process
- Landscape unit planning guide
- Microsoft assessment and planning
- Microsoft capacity planning
- Microsoft assessment and planning
- Strategic planning vs tactical planning
- Goal achievement matrix
- Role segmentation workforce planning
- N planning
- Aggregate planning is capacity planning for
- Short medium and long term planning in education
- Language policy and planning ppt
- Aggregate planning is capacity planning for
- Capacity aggregation example
- Essay conclusion examples
- World geography spring final review
- Words their way spelling inventory upper
- Sperry
- Windermere high school curriculum guide
- Windchill bulk migrator installation and usage guide
- Wetflag app
- West b test prep
- Welcome message for tourist
- Waukee power school
- Ja biztown citizen guide answer key
- Ja biztown citizen guide answer key
- Local guide program
- Narasunda
- Ways with words pdf
- American born chinese anticipation guide