
Mahmmoud A. Mahdi

Internet Protocol Security (IPSec):

Protects networks by securing IP packets through encryption and through the enforcement of trusted communication.

You can manage IPSec through:
- Local Security Policy.
- Group Policy.
- Command-line tools.

Configure IPSec.

IP Security (IPSec) is a means to protect network data by ensuring its authenticity and its confidentiality.

IPSec is essentially a way to provide security for data sent between two computers on an IP network. IPSec protects data between two IP addresses by providing the following services:

1. Data Authentication
- Data origin authentication: You can configure IPSec to ensure that each packet you receive from a trusted party in fact originates from that party and is not spoofed.
- Data integrity: You can use IPSec to ensure that data is not altered in transit.
- Anti-replay protection: You can configure IPSec to verify that each packet received is unique and not duplicated.

2. Encryption
You can use IPSec to encrypt network data so that the data is unreadable if captured in transit.

In Windows Server 2008 and Windows Vista, IPSec is enforced either by:
1. IPSec Policies: by default attempt to negotiate both authentication and encryption services.
2. Connection security rules: by default attempt to negotiate only authentication services.

IPSec Policies define how a computer or group of computers handle IPSec communications. Assign an IPSec Policy:
- To an individual computer by using Local Security Policy.
- To a group of computers by using Group Policy.

IPSec Policies in GPO

Every IPSec Policy is composed of one or more IPSec Policy rules that determine when and how IP traffic should be protected. Each Policy rule, in turn, is associated with one IP filter list and filter action. IP filter lists contain a set of one or more IP filters that capture IP traffic for an IPSec Policy. IP filters define a source or destination address, address range, computer name, TCP/UDP port, or server type (DNS, WINS, DHCP, default gateway).

IPSec Policies, rules, filters, and filter actions

Quick Check:
1. Does every IPSec Policy rule have an IP filter list?
2. In terms of its function within an IPSec Policy, what does a filter action do?

Quick Check Answer:
1. Yes, even if the list has only one IP filter.
2. A filter action determines whether the traffic captured by an IP filter in a given policy rule is permitted, blocked, encrypted, or authenticated.

Connection security rules are used to configure IPSec settings for connections between computers.

Like IPSec Policies, connection security rules evaluate network traffic and then block, allow, or negotiate security for messages based on the criteria you establish. Unlike IPSec Policies, connection security rules do not include filters or filter actions.

The filtering capabilities in connection security rules are not as powerful as those of IPSec Policies. Connection security rules:
- Do not apply to types of IP traffic, such as IP traffic that passes over port 23.
- Apply to all IP traffic originating from or destined for certain IP addresses, subnets, or servers on the network.

A Connection Security Rule:
- First authenticates the computers defined in the rule before they begin communication.
- Then secures the information sent between these two authenticated computers.

If you have configured a Connection Security Rule that requires security for a given connection and the two computers in question cannot authenticate each other, the connection is blocked.

By default, connection security rules provide only data authentication security (data origin authentication, data integrity, and anti-replay security). Configure connection security rules for any computer in the Windows Firewall with Advanced Security (WFAS) console or the WFAS node in Server Manager.

Defining connection security rules in Group Policy

Exporting connection security rules:
By using the Export Policy and Import Policy functions in the WFAS console, you can create one set of connection security rules and export them to other computers or GPOs.

After two computers negotiate an IPSec connection, the data sent between those computers is secured in what is known as a Security Association (SA).

Security for an SA is provided by the two IPSec protocols. These protocols provide data integrity and anti-replay protection for the IP packets in an SA.

1. Authentication Header (AH)
Provides data origin authentication, data integrity, and anti-replay protection for the entire IP packet.

2. Encapsulating Security Payload (ESP)
Provides data encryption, data origin authentication, data integrity, and anti-replay protection for the ESP payload.

To secure data within any SA, you can use:
- AH alone.
- ESP alone.
- AH and ESP together.

You need to know the basic difference between AH and ESP for the 70-642 exam. If you need encryption, use ESP; if you just need to authenticate the data origin or verify data integrity, use AH.

To establish SAs dynamically between IPSec peers, the Internet Key Exchange (IKE) protocol is used. To ensure successful and secure communication, IKE performs a two-phase negotiation operation, each phase with its own SAs.

Phase 1: main mode negotiation.
Used to secure the second IKE negotiation phase.

Phase 2: quick mode negotiation.
Used to protect application traffic.

The steps for establishing an IPSec connection:
1. Set up a main mode SA.
2. Agree upon the terms of communication and encryption algorithm.
3. Create a quick mode SA.
4. Send data.
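Because the two IKE phases each produce their own SAs, a failed negotiation can be narrowed down by checking which phase actually completed on the Windows host. The following is an added example, not part of the original slides: it uses the netsh advfirewall monitor context of Windows Server 2008 / Vista and names no particular hosts or rules.

```powershell
# Added example (not from the original slides): inspect the live IKE SAs on a
# Windows Server 2008 / Vista host after two peers have negotiated IPSec.

# Phase 1 (main mode) SAs: one per peer pair. If a peer is missing here, the
# phase 1 negotiation (authentication: Kerberos, certificate or preshared key)
# did not succeed, so quick mode was never attempted.
netsh advfirewall monitor show mmsa

# Phase 2 (quick mode) SAs: the SAs that carry application traffic. The output
# shows whether AH or ESP and which integrity/encryption algorithms were agreed,
# so you can confirm that "require encryption" settings really took effect.
netsh advfirewall monitor show qmsa

# The connection security rules as the firewall service currently applies them,
# useful to compare with the rules you expected Group Policy to deliver.
netsh advfirewall consec show rule name=all
```

Run the two monitor commands on both peers: a main mode SA present on only one side usually indicates a clock or authentication problem on the other, while a main mode SA without a matching quick mode SA points at mismatched data protection (quick mode) methods between the two rule sets.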

1. Transport mode
IPSec by default operates in transport mode. Used to provide end-to-end security between computers. Used in most IPSec-based VPNs, for which the Layer Two Tunneling Protocol (L2TP) is used to tunnel the IPSec connection through the public network.

2. Tunnel mode
When a particular VPN gateway is not compatible with L2TP/IPSec VPNs, use IPSec in tunnel mode instead. With tunnel mode, an entire IP packet is protected and then encapsulated with an additional, unprotected IP header.

IPSec requires a shared authentication mechanism between communicating computers. Three methods to authenticate the hosts communicating through IPSec:
1. Kerberos
2. Certificates
3. Preshared key

1. Kerberos (Active Directory)
The easiest way to configure authentication for IPSec is to implement IPSec within a single Active Directory forest. When the two IPSec endpoints can be authenticated by Active Directory, the security foundation for IPSec requires no configuration beyond joining the hosts to the domain.

2. Certificates
If you need to implement IPSec in a production environment in which Kerberos is not available, each host must obtain and install a computer certificate from a public or private certification authority (CA).

3. Preshared Key
A preshared key is a password shared by peers and used both to encrypt and decrypt data. Preshared keys do not provide the same level of authentication that certificates and Kerberos do. Preshared keys for IPSec are stored in plaintext on each computer or in Active Directory, which reduces the security of this solution. It is recommended that you use preshared keys only in nonproduction environments such as test networks.

You need to understand the IPSec authentication mechanisms for the 70-642 exam. Remember that Kerberos authentication is preferable in an Active Directory environment. Outside of an Active Directory environment, a certificate infrastructure is your best option.

In Group Policy, three IPSec Policies are predefined. You can configure an IPSec Policy for a domain or OU by assigning any one of the following predefined policies:

Client (Respond Only)
If you assign this policy to a computer through a GPO, that computer will never initiate a request to establish an IPSec communications channel with another computer.

Server (Request Security)
Assign this policy to computers for which encryption is preferred but not required.

Secure Server (Require Security)
Assign this policy to intranet servers that require secure communications.

To assign an IPSec Policy within a GPO:
1. Select the IP Security Policies node.
2. Right-click the chosen policy in the Details pane.
3. Choose Assign from the shortcut menu.

You can assign only one IPSec Policy to a computer at a time. If Group Policy assigns an IPSec Policy to a computer, the computer ignores any IPSec Policy assigned in its Local Security Policy.

Know the three predefined IPSec Policies.

To create a new IPSec Policy:
1. Open Local Security Policy or a GPO.
2. In the console tree below Security Settings, right-click the IP Security Policies node.
3. Choose Create IP Security Policy.
4. Configure the policy through its properties.
5. Add rules to the policy by clicking the Add button in the Rules tab in the Properties dialog box for the policy.
6. This procedure launches the Create IP Security Rule Wizard.

To create and configure rules, use the Create IP Security Rule Wizard. The five main pages of the Create IP Security Rule Wizard:
1. Tunnel Endpoint page: Configure this page only when you want to use IPSec in tunnel mode.
2. Network Type page: Use this page if you want to limit the rule to either the local area network or remote access connections.
3. IP Filter List page: In Group Policy, two IP filter lists are predefined for IPSec Policy rules:
- All ICMP Traffic.
- All IP Traffic.
To create a new IP filter list, click the Add button on the IP Filter List page.

What is ICMP traffic?
ICMP (Internet Control Message Protocol) is a messaging feature of IP that allows Ping and Tracert to function. ICMP traffic typically refers to Ping and Tracert traffic.

To create a new IP filter to add to the new IP filter list you are creating, click the Add button in the IP Filter List dialog box. This in turn launches the IP Filter Wizard, which lets you:
- Define IP traffic according to source and destination.
- Create a mirrored filter, which also matches the traffic whose source and destination addresses are the exact opposite of those you entered.

For example, you can easily configure a filter that captures POP3 traffic sent to and from the local address. To configure your filter as a mirrored filter, leave the Mirrored check box selected on the first page of the IP Filter Wizard.

4. Filter Action page:
In Group Policy, the following three filter actions are predefined for IPSec Policy rules:
- Permit: this filter action permits the IP packets to pass through unsecured.
- Request Security (Optional): this filter action permits the IP packets to pass through unsecured but requests that clients negotiate security (preferably encryption).
- Require Security: this filter action triggers the local computer to request secure communications from the client source of the IP packets. If security methods (including encryption) cannot be established, the local computer will stop communicating with that client.

To create a new filter action, click the Add button on the Filter Action page of the Security Rule Wizard. This procedure launches the Filter Action Wizard.

5. Authentication Method page: By default, IPSec rules rely on the Active Directory directory service and the Kerberos protocol to authenticate clients.
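The objects the wizard pages above produce (policy, IP filter list, mirrored IP filter, filter action, rule with its authentication method, and finally the assignment) can also be created from the command line, which is easier to review, reproduce in a test network and compare against what a GPO delivered. The following is an added example and not material from the original slides; it uses the legacy netsh ipsec static context that corresponds to IPSec Policies (not to connection security rules), and the names MailServerPolicy, POP3Traffic, RequireESP and ProtectPOP3 are assumed for illustration.

```powershell
# Added example (not from the original slides): the Create IP Security Rule
# Wizard's objects built with "netsh ipsec static" on Windows Server 2008 / Vista.
# All object names below are assumptions chosen for this illustration.

# 1. The policy that will hold the rules. Nothing is enforced until it is assigned.
netsh ipsec static add policy name=MailServerPolicy description="Protect POP3 on this server"

# 2. An IP filter list with one mirrored filter: POP3 (TCP 110) sent to the local
#    address ("me"). mirrored=yes is the Mirrored check box of the IP Filter Wizard:
#    the filter also captures the exact reverse direction (local -> client).
netsh ipsec static add filterlist name=POP3Traffic description="POP3 to and from the local address"
netsh ipsec static add filter filterlist=POP3Traffic srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=110 mirrored=yes

# 3. A filter action equivalent to the predefined "Require Security": negotiate
#    IPSec, never fall back to clear text (soft=no) and do not accept unsecured
#    inbound packets (inpass=no). qmsecmethods picks ESP with 3DES confidentiality
#    and SHA1 integrity for quick mode; legacy IPSec Policies offer DES/3DES only.
netsh ipsec static add filteraction name=RequireESP action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# 4. The rule ties filter list and filter action into the policy and chooses the
#    authentication method. kerberos=yes is the wizard's default (Active Directory).
netsh ipsec static add rule name=ProtectPOP3 policy=MailServerPolicy filterlist=POP3Traffic filteraction=RequireESP kerberos=yes description="Negotiate ESP for POP3"

# 5. Assign the policy. Only one IPSec Policy can be assigned at a time, so this
#    replaces any other locally assigned policy (a GPO-assigned policy still wins).
netsh ipsec static set policy name=MailServerPolicy assign=y

# Check: the assigned policy, its rules, filters and filter actions in one listing.
netsh ipsec static show policy name=MailServerPolicy level=verbose
```

The same five steps are what the Quick Check at the top of this section describes: every rule has exactly one filter list and one filter action, and the filter action alone decides whether matched traffic is permitted, blocked or negotiated.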

To define connection security rules in Group Policy:
1. Browse to and expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security - LDAP://address.
2. Select and right-click the Connection Security Rules node.
3. From the shortcut menu, choose New Rule. This procedure launches the New Connection Security Rule Wizard.

1. Rule Type page
Allows you to create any of five rule types. These five rule types are the following:
a) Isolation rule: A general rule used to authenticate all traffic for select network profiles. The three profiles defined are Domain, Private, and Public.
You can use an Isolation rule to configure domain isolation. This term simply means that you can use connection security rules to block traffic from computers originating from outside the local Active Directory domain.
b) Authentication Exemption rule: Used to exempt specific computers or a group or range of IP addresses (computers) from being required to authenticate themselves.
c) Server-To-Server rule: Allows you to authenticate the communications between IP addresses or sets of addresses, including specific computers and subnets.
d) Tunnel rule: Used to configure IPSec tunnel mode for VPN gateways.
e) Custom rule: Used to create a rule that requires special settings or a combination of features from the various rule types.

2. Endpoints page
Used to specify the remote computers with which you want to negotiate an IPSec connection.

3. Requirements page
Used to specify whether authenticated communication is required for the specified endpoints, or whether they are exempt from authentication.

4. Authentication Method page
Allows you to specify the method by which computer endpoints are authenticated. The first option is Default.

5. Profile page
Allows you to limit the local network location types to which the rule will apply. The profiles you can enable for the rule are Domain, Private, and Public.

6. Name page
Allows you to name the new Connection Security Rule and (optionally) to provide a description.
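Each wizard page above corresponds to a parameter of netsh advfirewall consec add rule, which writes the same rules into the WFAS policy store; laying the five rule types out as commands makes the differences between them (endpoints, requirements, authentication method, profile, mode) concrete and gives something that can be exported and re-applied. This is an added example, not from the original slides: the rule names, the addresses (private 10.x/192.168.x ranges and RFC 5737 documentation addresses for the gateways) and the CA subject are assumptions.

```powershell
# Added example (not from the original slides): the New Connection Security Rule
# Wizard's five rule types as "netsh advfirewall consec" commands (Windows Server
# 2008 / Vista). Names, addresses and the CA subject below are assumptions.

# a) Isolation rule (domain isolation): Endpoints = any/any, Requirements = require
#    authentication inbound and request it outbound, Authentication = Kerberos
#    computer authentication, Profile = Domain only.
netsh advfirewall consec add rule name=DomainIsolation endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# b) Authentication exemption: hosts that cannot authenticate (here two assumed
#    infrastructure servers) are excluded from the isolation requirement. The list
#    is quoted so that PowerShell does not split it at the comma.
netsh advfirewall consec add rule name=ExemptInfraServers endpoint1=any endpoint2="192.168.10.5,192.168.10.6" action=noauthentication

# c) Server-to-server: authenticate traffic between an application subnet and a
#    database server, both directions required, using computer certificates
#    issued by the named CA (auth1ca is the issuing CA's subject).
netsh advfirewall consec add rule name=AppToDb endpoint1=10.0.1.0/24 endpoint2=10.0.2.10 action=requireinrequireout auth1=computercert auth1ca="C=US, O=Contoso, CN=Contoso Root CA"

# d) Tunnel rule: IPSec tunnel mode between two VPN gateways; endpoint1/endpoint2
#    are the networks behind the gateways, the tunnel endpoints are the gateways.
netsh advfirewall consec add rule name=SiteToSiteTunnel mode=tunnel endpoint1=10.0.1.0/24 endpoint2=10.0.2.0/24 localtunnelendpoint=203.0.113.1 remotetunnelendpoint=198.51.100.1 action=requireinrequireout auth1=computercert auth1ca="C=US, O=Contoso, CN=Contoso Root CA"

# e) Custom rule: any combination the fixed types do not offer, e.g. an isolation
#    style rule limited to one subnet, two profiles, and a description.
netsh advfirewall consec add rule name=LabIsolation endpoint1=10.0.5.0/24 endpoint2=any action=requestinrequestout auth1=computerkerb profile=domain,private description="Request authentication for the lab subnet"

# Checks: list the resulting rules, then export the complete WFAS policy (the
# Export Policy function of the console) for import on another computer or GPO.
netsh advfirewall consec show rule name=all
netsh advfirewall export "C:\Policies\wfas-policy.wfw"
# On the destination host:  netsh advfirewall import "C:\Policies\wfas-policy.wfw"
```

The action values are the Requirements page: requestinrequestout never blocks, requireinrequestout blocks unauthenticated inbound traffic but still talks to non-IPSec hosts outbound, requireinrequireout blocks both ways, and noauthentication is the exemption. Because a rule with require* blocks peers that cannot authenticate, the exemption rule for DNS, DHCP and other infrastructure that cannot do Kerberos should be in place before the isolation rule is enabled.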

IPSec settings are configured in the WFAS node of a GPO or in the WFAS console. To access these settings:
1. Open the properties of the Windows Firewall With Advanced Security node.
2. In the properties dialog box that opens, click the IPSec Settings tab.

Clicking the Customize button opens the Customize IPSec Settings dialog box. Here you set new default parameters for:
- Key negotiation (exchange).
- Data protection.
- Authentication method.

Example: To configure data encryption for connection security rules
1. Select Advanced in the Data Protection area.
2. Click Customize. This opens the Customize Data Protection Settings dialog box.
3. Select the Require Encryption For All Connection Security Rules That Use These Settings check box.
4. Click OK.
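The Customize IPSec Settings dialog has a command-line counterpart in the netsh advfirewall context, which is useful for scripting the same defaults across test machines and for verifying what a rule actually negotiates after the check box above is selected. This is an added example, not part of the original slides: the key exchange settings are set globally, while the data protection change is shown per rule; the rule name DomainIsolation is an assumption.

```powershell
# Added example (not from the original slides): the Customize IPSec Settings
# dialog as netsh advfirewall commands (Windows Server 2008 / Vista).
# The rule name DomainIsolation is an assumption.

# Key exchange (main mode) defaults for all connection security rules in this
# store: Diffie-Hellman group 2, AES-128 encryption, SHA1 integrity, and a
# main mode key lifetime of 480 minutes with no session limit.
netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes128-sha1
netsh advfirewall set global mainmode mmkeylifetime 480min,0sess

# Data protection (quick mode): the "Require Encryption For All Connection
# Security Rules That Use These Settings" check box takes effect through the
# quick mode security methods of each rule. Giving a rule only ESP methods that
# include an encryption algorithm means peers offering AH or ESP-null cannot
# complete quick mode, so traffic is either encrypted or does not flow.
# Here the rule is changed in place ("new" introduces the values to set), with
# SHA1 integrity and AES-128 encryption, rekeying every 60 minutes or 100000 KB.
netsh advfirewall consec set rule name=DomainIsolation new qmsecmethods=esp:sha1-aes128+60min+100000kb

# Checks: the rule should list ESP with AES-128 under its quick mode methods,
# and an established quick mode SA should show the same algorithms.
netsh advfirewall consec show rule name=DomainIsolation verbose
netsh advfirewall monitor show qmsa
```

When this is applied through a GPO, set the methods in the GPO's WFAS node rather than on individual computers: a locally customised quick mode method that does not match the GPO-delivered one on the peer is exactly the mismatch that leaves a main mode SA in place without any quick mode SA.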

Contact Me: qursaan@gmail.com
