Configuring and Implementing IPSec


Before enabling IPSec on your local computer or domain, you should configure IPSec through policies. An IPSec policy is a set of rules that define how and when communication is secured between two endpoints. Each rule contains a collection of filters and actions that take effect when communication involves endpoints that match.

Policies allow you to quickly and easily configure IPSec based on the settings required within your organization. Windows Server 2003 comes with the following three preconfigured IPSec policies that may or may not meet your needs:

  • Client (Respond Only): This policy requires IPSec-provided security only when another computer requests it. This policy allows the computer to attempt unsecured communications first and switch to IPSec-secured communications if requested. This policy contains the default response rule, which creates dynamic IPSec filters for inbound and outbound traffic based on the requested protocol and port traffic for the communication that is being secured. This policy, which can be used on workstations and servers alike, provides the minimum amount of IPSec security.

  • Server (Request Security): This policy requests security from the other computer and allows unsecured communication with non-IPSec-aware computers. The computer accepts inbound unsecured traffic but always attempts to secure further communications by requesting IPSec security from the sending computer. If the other computer is not IPSec-enabled, the entire communication is allowed to be unsecured. This policy, which can be used on workstations and servers alike, provides a medium level of IPSec security.

  • Secure Server (Require Security): This policy is implemented on computers that require highly secure communications, such as servers transmitting sensitive data. The filters in this policy require all outbound communication to be secured, allowing only the initial inbound communication request to be unsecured. This policy has a rule to require security for all IP traffic, a rule to permit ICMP traffic, and the default response rule to respond to requests for security from other computers. This policy, typically used only on servers, provides the highest level of IPSec security on a network. Non-IPSec-enabled computers cannot establish any communications with computers using this policy. If desired, you can opt to use this policy on a workstation computer as well.

You can opt to either use one of the preconfigured policies that comes with Windows Server 2003 or create your own policy. You can also modify the preconfigured policies to suit your needs if you want. Before we can go any further into our discussion about IPSec, we first need to create the tools that allow us to manage IPSec on a local computer. Step by Step 8.1 helps you to create your own IPSec management console.

Step By Step

8.1. Creating the IPSec Management Console

1. Open a blank MMC by clicking Start, Run and then typing mmc, as shown in Figure 8.4.

Figure 8.4. The MMC provides a powerful, flexible framework from which to manage Windows Server 2003.


2. In your new console, click the File menu and select Add/Remove Snap-in. The Add/Remove Snap-in dialog box opens, as shown in Figure 8.5.

Figure 8.5. You can add snap-ins to your console to customize its management features.


3. Click the Add button to open the Add Standalone Snap-in dialog box, as shown in Figure 8.6.

Figure 8.6. Windows Server 2003 comes with several dozen snap-ins from which you can choose.


4. Scroll down the list, select IP Security Monitor, and click the Add button.

5. Select IP Security Policy Management and click the Add button. You are prompted to choose the scope that the snap-in will manage, as shown in Figure 8.7.



Figure 8.7. Many MMC snap-ins can be targeted at several different levels of management.


6. For this example, choose Local Computer from the Select Computer or Domain page. Notice that you have the option to select the Active Directory domain of which this computer is part, another Active Directory domain, or another computer. Click Finish to complete the addition of the IP Security Policy Management snap-in to your console.

7. Click Close on the Add Standalone Snap-in dialog box.

8. Click OK on the Add/Remove Snap-in dialog box. Your completed IPSec management console is shown in Figure 8.8.

Figure 8.8. Your completed IPSec management console contains the tools you need to manage and monitor IP security.


9. Save your newly created console by clicking File, Save. Enter a suitable name, such as Local IPSec Management Console, and click Save. By default, the console is saved in the Administrative Tools folder of the currently logged-in user.

Armed with your newly created IPSec management console, you can now get down to work configuring and managing IPSec. At this point, you may want to do one of two things: implement a preconfigured IPSec policy or create one of your own. We explore the latter in the next Step by Step. You can accomplish the former by right-clicking the desired policy in the right pane of the console window, as seen in Figure 8.9, and selecting Assign from the context menu. Note that you can have only one IPSec policy assigned at a time.

Figure 8.9. Assigning an IPSec policy to the local computer is a quick task.


You can verify that the policy is now assigned to the computer by examining the Active Policy node of the IP Security Monitor, as shown in Figure 8.10.

Figure 8.10. The IP Security Monitor can be used to display many bits of useful information about IPSec.


We examine the use of the IP Security Monitor console later in this chapter. For now, we need to look at the process to create a custom IPSec policy.

Understanding IPSec Policy Components

After you've decided to use IPSec on your network, you may realize that the preconfigured IPSec policies do not provide exactly the solution for which you are looking. You can opt to either customize an existing policy or create a new one from scratch. I prefer to create policies from scratch to ensure that I have complete control over every piece of the puzzle, and that's exactly what IPSec can turn out to be if not treated with caution and respect: one large puzzle that you are left to piece together.

Before we start to actually create our own IPSec policy, let's take a few moments to examine the parts that make up an IPSec policy by dissecting the Secure Server (Require Security) policy. From within your IPSec management console, double-click this policy to open its Properties dialog box, as shown in Figure 8.11. It has two tabs: Rules and General. Let's look at the Rules tab first.

Figure 8.11. Examining the properties of a preconfigured IPSec policy can help us learn what makes up such a policy.


The Rules Tab

The IP Security Rules window lists all the IP security rules that are active for that policy. Selecting a rule and clicking the Edit button opens the Edit Rule Properties dialog box, as shown in Figure 8.12. The five tabs on the Edit Rule Properties dialog box contain the configuration settings for this particular rule.

Figure 8.12. The IP Filter List tab of the Edit Rule Properties dialog box.


Edit Rule Properties: IP Filter List Tab

The IP Filter List tab shows all IP filters configured for the selected rule. An IP filter contains the source and destination IP addresses to which the rule applies. Each IP address can be that of an individual computer or of a network subnet. When a network communication has a participant listed in an IP filter, the filter action that is specific to that connection is applied. Selecting the All IP Traffic filter for editing opens the dialog box shown in Figure 8.13. From here, you can specify many items, including the source and destination IP addresses to which this filter applies.

Figure 8.13. You can edit the filter properties to specify the source and destination computers to which they apply.


Edit Rule Properties: Filter Action Tab

The Filter Action tab of the Edit Rule Properties dialog box, which is shown in Figure 8.14, contains actions that specify the type of security and methods by which security is established.

Figure 8.14. The Filter Action tab defines the types of security and methods by which security is established.


Filter actions, as seen in Figure 8.15, define the type of security and methods by which security is established. The default methods are Permit, Block, and Negotiate security. The Permit option passes the traffic without the requirement for security. This action is appropriate if you never want to secure traffic to which a rule applies. The Block action silently blocks all traffic from computers specified in the IP filter list. The Negotiate Security action specifies that the computer is to use a list of security methods to negotiate the appropriate security for the communication.

Figure 8.15. You can specify exactly what the computer will do when a filter action is processed.


If the Negotiate Security action is selected, both computers must agree on the security parameters to be used, meaning that they both must support at least one common set of security parameters from those in the list. The list entries are processed in order of preference from top to bottom. The first security method shared by both computers is used.

Edit Rule Properties: Authentication Methods Tab

From the Authentication Methods tab, which is shown in Figure 8.16, you can configure what method will be used to authenticate both sides of the communication. You can choose from Kerberos (the default setting), a digital certificate, or a shared secret (string) that will be used to protect the key exchange process. You can configure more than one method and also choose the order of precedence for your configured methods. Using the shared secret is not recommended because this static entry can be compromised.

Figure 8.16. You can specify Kerberos, digital certificate, or shared secret as the authentication method.


Edit Rule Properties: Tunnel Setting Tab

From the Tunnel Setting tab, which is shown in Figure 8.17, you can have the rule apply to a tunnel by specifying an endpoint or not have it apply to a tunnel (transport mode) at all.

Figure 8.17. The Tunnel Setting tab allows you to configure a tunnel endpoint if required.


Edit Rule Properties: Connection Type Tab

The Connection Type tab, as shown in Figure 8.18, determines for which types of connections the rule will be applied: LAN, Remote Access, or All Network Connections.

Figure 8.18. The Connection Type tab allows you to specify which connections are affected by the policy.


The General Tab

While the Rules tab contains all of the configuration settings that control how the policy behaves in regard to allowing or denying traffic to pass, the General tab contains the configuration settings that define how the IPSec policy, as a whole, behaves once it has been assigned (see Figure 8.19).

Figure 8.19. The General tab allows you to control the behavior of the IPSec policy itself.


On the General tab, you see some of the same basic items that you'll see on a lot of General tabs throughout Windows: the name and description of the policy. That's where the similarities end. You also have the options on the General tab to configure the interval at which the computer will check for updates and changes to the security policy. The default setting of 180 minutes is usually acceptable.

Clicking the Settings button at the bottom of the General tab opens the Key Exchange Settings dialog box, which is shown in Figure 8.20. In the Key Exchange Settings dialog box, you can enable Master Key Perfect Forward Secrecy, which improves security of the keying process. Additionally, you can change the defaults provided for key generation.

Figure 8.20. You can configure advanced IKE properties from the Key Exchange Settings dialog box.


Clicking the Methods button on the Key Exchange Settings dialog box opens the Key Exchange Security Methods dialog box, as seen in Figure 8.21. If you want to configure the methods used to protect the identities, you can accomplish that task from here. Note that by default the new 2048-bit Diffie-Hellman key exchange method is not used. You can select it by adding or editing a security method, as shown in Figure 8.22.

Figure 8.21. Customizing the key exchange security methods can increase security.


Figure 8.22. Using the new 2048-bit Diffie-Hellman key exchange method.

Ironically, the General tab has options that are so advanced for configuring an IPSec policy that it should instead be called the Advanced tab. Don't take these configuration settings for granted when creating a custom IPSec policy.


Creating Customized IPSec Policies

You can create two basic types of IPSec policies: those that specify a tunnel and those that do not specify a tunnel. Tunneling is commonly used in the creation of a VPN and is called tunnel mode. Not using a tunnel, called transport mode, is commonly used between subnets or computers on an intranet. Step by Step 8.2 shows how to create a new IPSec policy that operates in transport mode between two subnets (192.168.11.0 and 192.168.12.0) in the same intranet of the company Que Publishing. These two subnets represent the Accounting and Payroll departments, respectively, and they need to pass only secured traffic between their subnets.

Step By Step

8.2. Creating a Custom Transport Mode IPSec Policy

1. Open the IPSec management console that you created in Step by Step 8.1.

2. Right-click IP Security Policies and select Create IP Security Policy from the context menu.

3. Dismiss the opening page of the IP Security Policy Wizard by clicking Next.

4. In the IP Security Policy Name dialog box, enter a descriptive name for the new policy. For this example, use Accounting to Payroll Security Policy, as shown in Figure 8.23. Optionally, you can enter the Description text as well. Click Next after entering the required information.

Figure 8.23. You should enter a policy name and description that will make sense later.


5. In the Requests for Secure Communication dialog box, as shown in Figure 8.24, deselect the Activate the Default Response Rule option. You will configure this policy entirely by yourself. Click Next to continue.

Figure 8.24. Removing the opportunity for unsecured communications to occur with the new rule.


6. You are now at the end of the wizard portion of the creation process. Ensure that the Edit Properties option is selected, as shown in Figure 8.25, and click Finish to begin editing the policy's properties.

Figure 8.25. The completion of the wizard is not the completion of the policy creation process.


7. The Accounting to Payroll Security Policy Properties dialog box opens, as shown in Figure 8.26.



Figure 8.26. Your new IPSec policy requires some configuration to complete.


8. On the Rules tab, ensure that the Use Add Wizard option is selected; then click the Add button to start the Security Rule Wizard to create a new filter list and action.

9. Click Next to dismiss the opening page of the Security Rule Wizard.

10. In the Tunnel Endpoint dialog box, which is shown in Figure 8.27, select This Rule Does Not Specify a Tunnel (recall that this IPSec policy is being created to secure communications between two subnets on the same intranet). Click Next to continue.

Figure 8.27. You can create a rule for either transport mode or tunnel mode.


11. In the Network Type dialog box, which is shown in Figure 8.28, select the network connections to which this rule applies. For this example, select All Network Connections and click Next to continue.

Figure 8.28. Selecting All Network Connections ensures that all communications by the server are secured using the new policy.


12. The IP Filter List dialog box, which is shown in Figure 8.29, shows that no IP filters are configured for this rule. Click the Add button to create a filter that meets your requirements.

Figure 8.29. You must configure an IP filter for this rule to work properly.


13. From the IP Filter List dialog box, which is shown in Figure 8.30, you need to configure the IP filter properties for this rule. Enter a descriptive name such as Accounting to Payroll security in the Name box and a description, if you like. Ensure that the Use Add Wizard option is selected and click the Add button.



Figure 8.30. The process to configure an IP filter begins with the IP Filter List dialog box.


14. The IP Filter Wizard opens to start the process of configuring the IP filter. Click Next to dismiss the opening page of the wizard.

15. In the IP Filter Description and Mirrored property dialog box, which is shown in Figure 8.31, enter a description of the filter. Ensure that the mirrored option is selected. This option allows the rule to automatically match packets with the exact opposite source and destination addresses to ensure that machines from the destination subnet are also included in the incoming filter. Click Next to continue.

Figure 8.31. Allowing the IP filter to be mirrored saves you work.


16. In the IP Traffic Source dialog box, select the A Specific IP Subnet option and configure the IP Address and Subnet mask options as required. Recall that we are creating a policy between the 192.168.11.0 and 192.168.12.0 subnets. Enter 192.168.11.0 and the subnet mask of 255.255.255.0, as shown in Figure 8.32, and click Next to continue.



Figure 8.32. Be sure to specify the correct source address and subnet mask.


17. In the IP Traffic Destination dialog box, select the A Specific IP Subnet option and configure the IP address and Subnet mask options as required. Enter 192.168.12.0 and the subnet mask of 255.255.255.0, as shown in Figure 8.33, and click Next to continue.

Figure 8.33. Be sure to specify the correct destination address and subnet mask.


18. In the IP Protocol Type dialog box, which is shown in Figure 8.34, you can configure which IP protocol types you want to be included in the filter. We want the filter to apply to all types, so leave the default selection of Any and click Next to continue.



Figure 8.34. You can configure the filter to be very specific about the types of protocols to which it applies.


19. The Completing the IP Filter Wizard dialog box opens, as shown in Figure 8.35. Deselect the Edit properties option and click Finish.

Figure 8.35. The IP filter has been created, but much work still remains.


20. Back at the IP Filter List dialog box, as shown in Figure 8.36, you can see your newly created IP filter. Click OK to close the filter and complete the creation process. If you click Cancel, your newly created filter will be lost, so be careful.



Figure 8.36. The new IP filter is listed on the IP Filter List dialog box.


21. Select the Accounting to Payroll security filter from the list on the IP Filter List dialog box, as shown in Figure 8.37, and click Next to continue with the Security Rule Wizard.

Figure 8.37. You need to select the filter for use after creating it.


22. In the Filter Action dialog box, which is shown in Figure 8.38, select a filter action. Ensure that the Use Add Wizard option is selected and click Add to start the Filter Action Wizard.

Figure 8.38. You now need to configure the action that the filter will take.


23. The Filter Action Wizard starts. Dismiss its opening dialog box by clicking Next.

24. In the Filter Action Name dialog box, enter a descriptive name and description for the filter. Click Next to continue.

25. In the Filter Action General Options dialog box, which is shown in Figure 8.39, select Negotiate Security and click Next to continue.



Figure 8.39. Instructing the filter action to negotiate security between communication computers.


26. In the Communicating with Computers That Do Not Support IPSec dialog box, which is shown in Figure 8.40, you are asked whether you want to allow unsecured communications. In this case, such communications are not allowed because all communications must be secured. Ensure that the Do Not Communicate with Computers That Do Not Support IPSec option is selected and click Next to continue.

Figure 8.40. Ensure that you do not allow unsecured communications to occur.


27. In the IP Traffic Security dialog box, which is shown in Figure 8.41, select Custom to specify what security methods are to be used. Click Settings to edit the security settings.



Figure 8.41. You can specify custom settings or use the standard settings provided.


28. The Custom Security Method Settings dialog box, which is shown in Figure 8.42, opens. From here, you can specify the settings you want. Ensure that both the AH and ESP check boxes are selected. Configure the desired integrity and encryption algorithms. Do not configure settings for the session key at this time. Click OK to accept your settings.

Figure 8.42. You can specify the encryption and integrity algorithms to be used in your filter action.


29. Back at the IP Traffic Security dialog box, click Next to continue.

30. In the Completing the IP Security Filter Action Wizard dialog box, which is shown in Figure 8.43, ensure the Edit Properties option is selected and click Finish.



Figure 8.43. The Filter Action Wizard is completed, but the filter still requires a bit more configuration.


31. Back at the filter action Properties dialog box, which is shown in Figure 8.44, ensure the Use Session Key Perfect Forward Secrecy (PFS) option is selected. Selecting session key PFS ensures that the master key keying material cannot be used to generate more than one session key, which adds both security and overhead to the connection. Click OK; do not click Cancel unless you want to scrap your newly configured filter action.



Figure 8.44. Selecting to use perfect forward secrecy to increase the security of the session key.


32. Back at the Filter Action dialog box, which is shown in Figure 8.45, select the newly created filter and click Next to continue.

Figure 8.45. The filter action is configured, so it's time to move on.


33. In the Authentication Method dialog box, which is shown in Figure 8.46, select the primary authentication method this rule will use. The default selection of Kerberos v5 should be used in most cases. You can add additional authentication methods after the rule has been configured. Click Next to continue.



Figure 8.46. Specify the preferred authentication method; Kerberos v5 is preferred.


34. From the Completing the Security Rule Wizard dialog box, ensure that the Edit Properties option is deselected and click Finish to complete the rule creation process.

35. Finally, you are back to the policy Properties dialog box. You still have some additional configuration that you can complete, however. On the General tab, you can configure the interval at which the computer will check for updates and changes to the security policy, as shown in Figure 8.47. The default setting of 180 minutes is usually acceptable.

Figure 8.47. Configuring the policy update interval.


36. You can modify the settings used for the IKE process by clicking the Settings button at the bottom of the General tab.

37. In the Key Exchange Settings dialog box, which is shown in Figure 8.48, you can enable Master Key Perfect Forward Secrecy, which improves security of the keying process. Additionally, you can change the defaults provided for key generation.

Figure 8.48. You can configure advanced IKE properties from the Key Exchange Settings dialog box.


38. If you want to configure the methods used to protect the identities, click the Methods button. The Key Exchange Security Methods dialog box opens, as shown in Figure 8.49. Note that by default the new 2048-bit Diffie-Hellman key exchange method is not used. You can select it by adding or editing a security method, as shown in Figure 8.50.

Figure 8.49. Customizing the key exchange security methods can increase security.




Figure 8.50. Using the new 2048-bit Diffie-Hellman key exchange method.


39. Click OK as required to return to the policy Properties dialog box.

40. Click OK to close the policy Properties dialog box. Your new IPSec policy is now configured and ready to use. Assign it as previously discussed at the end of the "Configuring and Implementing IPSec" section of this chapter.
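
The policy built in Step by Step 8.2 can also be created from the command line with the netsh ipsec static context. The script below is an added example, not part of the book; the filter action name, the rule name, and the SHA1/3DES algorithm choices are assumptions (step 28 leaves the algorithms to you), and netsh is assumed to return a nonzero exit code when a command fails.

```batch
@echo off
rem Added example (not from the book): Step by Step 8.2 expressed as
rem "netsh ipsec static" commands against the local computer's store.
rem The policy and filter list names follow the steps; the filter
rem action name, rule name and SHA1/3DES choices are assumptions.
setlocal

set "POLICY=Accounting to Payroll Security Policy"
set "FLIST=Accounting to Payroll security"
set "FACTION=Accounting to Payroll negotiate"
set "RULE=Accounting to Payroll rule"

rem Steps 2-6 and 35: create the policy without the default response
rem rule, keep the 180-minute polling interval, leave it unassigned.
netsh ipsec static add policy name="%POLICY%" ^
    description="Secures traffic between Accounting and Payroll" ^
    activatedefaultrule=no pollinginterval=180 assign=no
if errorlevel 1 goto :fail

rem Steps 12-20: one mirrored filter, any protocol, between the subnets.
netsh ipsec static add filterlist name="%FLIST%"
if errorlevel 1 goto :fail
netsh ipsec static add filter filterlist="%FLIST%" ^
    srcaddr=192.168.11.0 srcmask=255.255.255.0 ^
    dstaddr=192.168.12.0 dstmask=255.255.255.0 ^
    protocol=ANY mirrored=yes ^
    description="Accounting subnet to Payroll subnet"
if errorlevel 1 goto :fail

rem Steps 22-31: negotiate security with no fallback to unsecured
rem traffic (soft=no, inpass=no), AH plus ESP, session key PFS enabled.
netsh ipsec static add filteraction name="%FACTION%" ^
    action=negotiate soft=no inpass=no qmpfs=yes ^
    qmsecmethods="AH[SHA1]+ESP[3DES,SHA1]"
if errorlevel 1 goto :fail

rem Steps 8-11, 21 and 32-34: the rule ties the filter list to the
rem filter action. Omitting tunnel= gives transport mode, conntype=all
rem covers all network connections, and Kerberos v5 authenticates.
netsh ipsec static add rule name="%RULE%" policy="%POLICY%" ^
    filterlist="%FLIST%" filteraction="%FACTION%" ^
    conntype=all kerberos=yes
if errorlevel 1 goto :fail

rem Review what was built before assigning it.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem Only one IPSec policy can be assigned at a time, so assigning this
rem one replaces the active policy. Run the script with the argument
rem "assign" to do that and then list the security associations.
if /i "%~1"=="assign" (
    netsh ipsec static set policy name="%POLICY%" assign=yes
    if errorlevel 1 goto :fail
    rem Main mode and quick mode SAs show up once peers negotiate.
    netsh ipsec dynamic show mmsas all
    netsh ipsec dynamic show qmsas all
)
endlocal
exit /b 0

:fail
echo netsh reported an error; the policy may be incomplete. 1>&2
endlocal
exit /b 1
```

Because the filter action refuses unsecured communication, the same policy has to be assigned on the computers in both subnets before traffic between them will pass.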

IPSec can be deployed at any level within your organization. Thus far, we have examined it only from the point of view of a local computer. You can just as easily apply it via Group Policy using the Active Directory Users and Computers console, as shown in Figure 8.51.

Figure 8.51. You can easily apply IPSec at the domain or OU level using Group Policy.


With the task of implementing IPSec out of the way, you are now left to monitor and troubleshoot it, as we examine in the next section.

Challenge

You are the system and network administrator of Axioms Publishing, a small publishing company. The company is located in a single building in Memphis, Tennessee, with each department on its own IP subnet. From time to time, the marketing and sales departments need to share confidential information about forthcoming books and promotions. This information needs to be protected from other users accessing the information while it is in transit across the network.

The information in question is stored on two different servers, a database server and a file server, both of which are running on Windows Server 2003. These two servers perform no other function but to store and serve up this confidential information. The servers are patched with the latest Service Pack and security updates and have been hardened to disable unneeded services. These servers are located on a separate IP subnet all by themselves and are physically secured inside the company's data center. The servers are also located in their own OU, named Confidential Servers, within Active Directory.

The workstations that the marketing and sales department use to access these servers, however, are not special purpose and are used by their users for day-to-day tasks, such as reading email, browsing the Internet, and accessing files and databases on other servers in your network. All marketing and sales department workstations are located in their own organizational units, named Marketing Computers and Sales Computers, respectively.

The CIO has asked you to ensure that these confidential resources be securely accessed only by users in the sales and marketing departments. All other users in the company must not be able to make a connection to either of these servers.

Your task is to implement the required IPSec solution for Axioms Publishing.

Try to complete this exercise on your own, listing your conclusions on a sheet of paper. After you have completed the exercise, compare your results to those given here.

Answers

When you're implementing a very specific IPSec solution, you want to first ensure that you understand the requirements and the scope for the solution. Because you've already got a good network and OU structure in place, you can simply build off of that to implement your solution.

At first, you might be tempted to create and assign custom IPSec policies that secure all traffic between these networks. If the workstations used by the marketing and sales departments had no other communications with the subnet on which the servers were located, then you could rightfully do just that. However, because the workstations are general-purpose computers and need to communicate securely (via IPSec) only when they are accessing the two servers in question, a different approach is required.

You should first create and link a new Group Policy Object to the Marketing Computers OU. In this new GPO, you should assign the Client (Respond Only) IPSec policy. This will cause all computers in the OU to attempt unsecured communications first and switch to IPSec-secured communications if requested, as will be the case when the servers require IPSec-secure communications. You should next link this GPO to the Sales Computers OU as well, thus making sure that those computers will behave the same way in regard to IPSec usage.

The next task for you to perform is to create and link a new GPO to the Confidential Servers OU. In this new GPO, you should assign the Secure Server (Require Security) policy. This will require that all communications to and from the server be IPSec secured.

Once these new Group Policy Objects are in place, you should start to see SAs forming and secure communications occurring between the servers and the workstations. The workstations should also be able to successfully communicate to non-IPSec-secured computers and servers, both inside and outside your network.





MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
EAN: 2147483647
Year: 2006
Pages: 196
Authors: Will Schmied
