As networks throughout the world become more interconnected, network administrators are challenged with ensuring that data transferred across a network is secure. This is where the IP Security (IPSec) protocol comes into play and allows for authentication of hosts, data integrity, and data encryption. IPSec is used to protect data that is sent between hosts on a network, which can be remote access, VPN, LAN, or WAN. IPSec ensures that data cannot be viewed or modified by unauthorized users while being sent to its destination. Before data is sent between two hosts, the source computer encrypts the information. It is decrypted at the destination computer. IPSec provides the following benefits:
As you will see when you begin to configure IPSec, different levels of security can be implemented to meet varying needs. IPSec is implemented through IPSec policies. The policies are created and assigned to individual computers or groups of computers (or groups of users). The policies determine the level of security that will be used. IPSec consists of three components that work together to provide secure communications between hosts:
The following steps outline how the different components work together to provide secure communications:
In summary, before any data is transferred between two hosts, the security level must be negotiated. This negotiation includes agreeing on an authentication method, a hashing method, and an encryption method.

Configuring IPSec

You can enable IPSec using the Local Security Policy snap-in. The following list describes the three default policies. You can enable any policy for the local computer by right-clicking the policy and choosing the Assign option.
If you are running Active Directory, you can create an IPSec policy that is stored within Active Directory. To view the policies, open the Group Policy snap-in, shown in Figure 5.23.

Figure 5.23. IPSec policies within the Group Policy snap-in

The three policies that exist by default are Client, Server Secure, and Server. (The process of creating new IPSec policies is outlined in the following section.) To assign an IPSec policy to Group Policy, right-click the policy and click the Assign option.

Configuring IPSec for Transport Mode

IPSec can be used in one of two modes: transport mode or tunnel mode. Tunnel mode is used for server-to-server or server-to-gateway configurations. The tunnel is the path a packet takes from the source computer to the destination computer. This way, any IP packets sent between the two hosts or between the two subnets, depending on the configuration, are secured. Transport mode is used for host-to-host communication, such as between a client and a server. This mode is normally used to secure end-to-end communications, for example, between a client and a server on the same network. Two formats can be used with tunnel mode: ESP tunnel mode and AH tunnel mode. With Authentication Header (AH) tunnel mode, the data itself is not encrypted. It provides authentication and integrity, and it protects the data from modification, but the data is still readable. With Encapsulating Security Payload (ESP) tunnel mode, authentication, integrity, and data encryption are provided.

Exam Alert

Tunnel mode is not used for remote access VPNs. IPSec/L2TP or PPTP (Point-to-Point Tunneling Protocol) is used for VPN connections. Tunnel mode is used for systems that cannot use IPSec/L2TP or PPTP VPNs.

To create a new IPSec policy, perform the following steps:
To configure an IPSec tunnel, perform the following steps:
Customizing IPSec Policies and Rules

An IPSec policy tells a server what actions to perform on network traffic when using IPSec. The components of an IPSec policy define what type of IP traffic is covered by the policy, the type of authentication mechanism that should be used, and what happens to the traffic when it does or does not meet the criteria of a policy. Each of the policies can be edited using the policy's Properties window. IPSec policies consist of several components, including the following:
Let's take a look at an example. You can create an IPSec policy that blocks all PING traffic to and from a computer. To do so, you would need to complete the following steps:
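The PING-blocking policy described above, as an added example that is not part of the original text: the same policy, filter list, filter action and rule built from the command line with the netsh ipsec static context that Windows Server 2003 provides, rather than through the snap-in. The quoted names and the poll interval are made up for this example; check each parameter against netsh ipsec static add policy /? on the target system before use.

```batch
@echo off
REM Added example (not from the book): block all ICMP (PING) traffic to and from
REM this computer with a local IPSec policy. Run from an administrator prompt.

REM 1. Create the policy container. mmpfs=yes corresponds to the Master Key
REM    Perfect Forward Secrecy option in Key Exchange Settings; pollinterval is
REM    the policy-update check interval in minutes (value chosen for the example).
netsh ipsec static add policy name="Block Ping" description="Drop ICMP in both directions" mmpfs=yes pollinterval=180

REM 2. Create a filter list and one mirrored filter: any ICMP between this host
REM    (Me) and any address, in either direction (mirrored=yes).
netsh ipsec static add filterlist name="ICMP Any-Me" description="All ICMP to or from this host"
netsh ipsec static add filter filterlist="ICMP Any-Me" srcaddr=Me dstaddr=Any protocol=ICMP mirrored=yes

REM 3. Create a filter action that simply blocks (no negotiation, no security methods needed).
netsh ipsec static add filteraction name="Block All" action=block

REM 4. Tie filter list and filter action together in a rule inside the policy.
netsh ipsec static add rule name="Block ICMP" policy="Block Ping" filterlist="ICMP Any-Me" filteraction="Block All"

REM 5. Assign the policy so it takes effect, then verify what is active.
netsh ipsec static set policy name="Block Ping" assign=y
netsh ipsec static show policy name="Block Ping" level=verbose

REM Troubleshooting step from the text (disable the policy if hosts cannot talk):
REM netsh ipsec static set policy name="Block Ping" assign=n
```

Test from another host with ping: requests should time out while the policy is assigned and succeed again once it is unassigned.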
To begin configuring an IPSec policy, right-click the policy and click Properties. From the General tab of an IPSec policy's Properties window, you can change the name and description for the policy and configure the interval at which the computer will check for policy updates. Using the Advanced button, you can configure the Key Exchange Settings.

Tip

When configuring the Key Exchange Settings, you can select the Master Key Perfect Forward Secrecy option. This ensures that no previously used keying material is used to generate new master keys. You can also specify the interval at which authentication and key generation must take place.

The Rules tab lists all of the rules that are configured for the policy. Other rules can be added by clicking the Add button; you can edit the existing rules using the Edit button. Clicking the Edit button opens the Edit Rule Properties window (see Figure 5.24).

Figure 5.24. Editing IPSec rules
The IP Filter List tab defines the type of traffic to which the rule will apply. The Filter Action tab defines whether the rule negotiates for secure traffic and how the traffic will be secured. Configuring the filter actions enables you to define the different security methods that can be negotiated. The hashing (integrity) algorithms supported by IPSec include MD5 and SHA1. The encryption algorithms supported include DES and 3DES. The Authentication Methods tab enables you to configure the method used to establish trust between the two computers (see Figure 5.25). If multiple authentication methods are configured for a rule, you can change the order in which they are used. The authentication methods available include these:
Figure 5.25. Configuring IPSec authentication methods
The Connection Type tab enables you to define the types of connections to which the rule applies. This enables you to define different rules for different types of connections. Rules can be applied to local area connections, remote access connections, or all network connections. The Tunnel Setting tab enables you to specify a tunnel endpoint where communication will take place between two specific computers. You can edit the existing policies, or you can create and assign a new policy through the Group Policy snap-in. To create a new policy, right-click IP Security Policies on Active Directory within a Group Policy Object and select Create IP Security Policy. A wizard walks you through the process of creating the initial policy, which you can configure further using the Properties window for the new policy.

Exam Alert

In Windows 2000, the secedit /refreshpolicy machine_policy command was used to refresh policy settings. Windows Server 2003 uses the gpupdate command to refresh policy settings. When the command is used on its own, both the computer and user settings are applied. Using the command with the /target switch, you can specify that only the computer or user settings are applied. The /force switch causes all policy settings to be reapplied, regardless of whether they have changed.

One of the first steps to try when a client and server cannot communicate is to disable the IPSec policy. Matching policies must exist on both computers before communication can take place.