Summary of Exam Objectives

Windows 2000 and its successors provide administrators with a new tool in their defense against security violations. IPSec allows administrators to secure information as it crosses a network. IPSec secures data at the network layer and carries out its activity transparently in the background. Users and applications do not need to be aware of IPSec. IPSec's implementation at the network layer gives it an advantage over security protocols, such as Secure Sockets Layer (SSL), for which applications must be specifically written to support.

Hallmarks of secure communications ensure authentication, integrity, and confidentiality. Authentication assures a receiver that a message was indeed sent by the individual who claims to have sent it. Data integrity ensures that message content has not been altered during transit. Confidentiality ensures that others cannot read data during transit. Combining all three provides solid end-to-end security between any two communicating hosts.

To meet the goals of authentication, integrity, and confidentiality, algorithms are used to represent the original data in a different fashion. Authentication methods available include Kerberos, public key certificates, and preshared keys. Integrity algorithms used by Windows 2000 IPSec include MD5 and SHA1. Confidentiality is ensured by scrambling messages using either DES or 3DES.

Algorithms must work with keys to carry out their functions. Computers must have access to the same shared secret key when they perform forward and reverse operations using these algorithms. IPSec implements IKE, which is a combination of ISAKMP and the Oakley protocols. Key management techniques ensure that intruders cannot compromise security by accessing a single key.

IPSec uses two protocols that add their own headers to IP datagrams. The authentication header provides authentication and integrity but not confidentiality. The Encapsulating Security Payload provides authentication, integrity, and confidentiality. The two protocols can be combined to provide a higher degree of security.

Each IPSec connection a computer establishes has its own security association. The two types of SA are ISAKMP and IPSec. The ISAKMP SA provides a secure channel for the exchange of keying information to provide a master key, and the IPSec SA defines parameters for each secure IPSec channel between computers. A separate IPSec SA is created for both inbound and outbound connections. Each IPSec SA is individualized by assigning it a security parameters index.

Planning security requirements involves taking an inventory of all hardware, software, intellectual property (data), and human resources. After the inventory, it is important to assess the cost to the organization if any of the assets are lost or compromised. Assign each asset an impact value, and focus security concerns on the basis of the value assigned. Also, keep in mind that an enemy is most likely to be inside an organization.

Network security enabled by IPSec is policy driven. Policies are integrated into Active Directory on domain machines, or implemented as local machine policies. Each IPSec-aware computer uses a policy agent, which checks for IPSec policy during startup and periodically afterward.

IPSec policies are implemented as a series of rules. These rules include IPSec filter lists and IPSec filter actions. If a computer seeks to establish a session with a computer whose IP addressing information matches a number in one of the filter lists, a filter action affiliated with that list is triggered. The creations of IPSec policies, filter lists, and filter rules can be easily accomplished via wizard-driven interfaces. You can create your own policies or use one of the three built-in policies. The built-in policies are the Client, Server, and Secure Server IPSec policies.

Compatibility issues must be taken into account when enabling IPSec in an organization. Windows 2000 and XP/.NET are the only Microsoft operating systems that are IPSec aware. Connection failures will result if a computer configured with the Secure Server policy interacts with non-IPSec-aware machines.

The future of IPSec looks bright. The next generation of the IP—IPv6—has built-in support for IPSec. See RFCs 2411 and 2401 for descriptions and specifications for IPSec as an Internet standard.



MCSE. MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide Exam 70-214
MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net