
Chapter 7 Lesson Notes

Configuring and Troubleshooting IPSec

  1. Overview of IP Security

Elements of IPSec:

      1. Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols
      2. Cryptographic Key Management Protocols
      3. SPD (Security Policy Database)
      4. Security Associations (SA)
      5. IPSec Terminology

    1. Basics of Encryption
      1. A (Very) Brief History of Cryptography:
      2. Cryptography, or secret writing, dates back 4000 years to the origins of Egyptian hieroglyphics and Chinese ideographs.

      3. The Origins of Encryption:
      4. Encryption developed in order to control access to information. Early communication was oral, which made it difficult to limit and direct information and keep it from eavesdroppers. When written language evolved, ways were found to disguise it in order to control who got what information (knowledge is power).

      5. Simple Encoding Methods:
      6. Methods of encryption ranged over time from simple (transposing letters or changing the alphabetic sequence by a few letters, as shown in Table 7-1 on page 461) to the highly complex codes of today.

      7. Added Complexity Increases Security
      8. A stronger algorithm and a longer key make an encryption scheme harder to break, but complexity by itself is not security. The strength must rest on the secrecy of the key, not on keeping the algorithm secret; published, well-analyzed algorithms are preferred for exactly that reason.

      9. Modern Encryption Methods
      10. To decrypt "the code," one needs both the algorithm and the key; the algorithm is normally public and the key is the secret. When the same key is used to both encrypt and decrypt the data, it is a symmetric key encryption method.

      11. Secret Key Encryption
      12. The key is called a shared secret, and it has to be delivered to every party in advance over some trusted channel, which becomes unworkable if you want to send data to many people. This key-distribution problem motivated asymmetric encryption, in which each party has a key pair: a public key that can be handed out freely and a private key that is never shared. This is the basis of public key encryption.

      13. Public Key Encryption
      14. Public key encryption is used in these three ways:

        1. Confidential data exchange, where the sender encrypts with the receiver's public key and only the receiver, holding the matching private key, can decrypt
        2. Authenticated data exchange, where the sender signs with its own private key and the receiver verifies the signature with the sender's public key
        3. Confidential data exchange combined with authenticated data exchange, where the sender signs with its private key and encrypts with the receiver's public key
      15. Key Generation
      16. The Diffie-Hellman algorithm lets two communicating parties agree on a shared secret key over an insecure channel without ever transmitting the key itself; an eavesdropper who sees every message still cannot compute it. Diffie-Hellman by itself does not tell either party who is on the other end, however, so an attacker in the middle can run a separate exchange with each side. This is why IKE authenticates the exchange (with Kerberos, certificates, or a preshared key, see below) rather than relying on Diffie-Hellman alone.
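The exchange described above, as an added example that is not part of the course notes: Alice and Bob derive the same key from values sent in the clear, and an unauthenticated exchange is hijacked by a party in the middle while a preshared-key tag over the exchanged values exposes the substitution. The modulus and generator are the 1024-bit Oakley group 2 from RFC 2409 that IKE main mode uses by default; the key derivation and authentication tag are simplified stand-ins for IKE's SKEYID and HASH_I/HASH_R constructions, not their exact formats.

```python
# Added example (not from the course notes): Diffie-Hellman key agreement
# over the 1024-bit Oakley group 2 that IKE main mode uses by default
# (RFC 2409, section 6.2), and why the exchange must be authenticated.
import hashlib
import hmac
import secrets

# Oakley group 2 prime and generator, from RFC 2409 section 6.2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 128 bytes


def dh_keypair(p=P, g=G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2  # x in [2, p-2]
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=P):
    """Return g^(xy) mod p; reject degenerate public values (RFC 2785)."""
    if not 2 <= peer_pub <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def derive_key(shared, nonce_i, nonce_r):
    """Simplified key derivation: HMAC keyed with both nonces over g^xy.
    Assumption: stands in for IKE's SKEYID chain; not identical to it."""
    return hmac.new(nonce_i + nonce_r, shared.to_bytes(P_BYTES, "big"), hashlib.sha1).digest()


def auth_tag(psk, my_pub, peer_pub, nonce_i, nonce_r):
    """Preshared-key authentication of the public values a side actually saw.
    Assumption: models the idea behind IKE's HASH_I/HASH_R, not their layout."""
    msg = my_pub.to_bytes(P_BYTES, "big") + peer_pub.to_bytes(P_BYTES, "big") + nonce_i + nonce_r
    return hmac.new(psk, msg, hashlib.sha1).digest()


def honest_exchange():
    """Alice and Bob exchange public values; both derive the same key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    k_alice = derive_key(dh_shared(a_priv, b_pub), ni, nr)
    k_bob = derive_key(dh_shared(b_priv, a_pub), ni, nr)
    return k_alice, k_bob


def mitm_exchange(psk=b"constructed demo preshared key"):
    """Mallory substitutes her own public value in both directions.
    Returns (attack works without authentication, attack detected with PSK auth)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    # Unauthenticated: Alice shares a key with Mallory and Bob shares a
    # different key with Mallory; neither notices.
    k_alice = dh_shared(a_priv, m_pub)
    k_bob = dh_shared(b_priv, m_pub)
    works = (k_alice == dh_shared(m_priv, a_pub)
             and k_bob == dh_shared(m_priv, b_pub)
             and k_alice != k_bob)
    # With a PSK, Bob tags the values he saw (b_pub, m_pub). Mallory has no
    # PSK, so she can only forward Bob's tag, and Alice's check over the
    # values she saw (m_pub, a_pub) fails.
    bob_tag = auth_tag(psk, b_pub, m_pub, ni, nr)
    alice_expects = auth_tag(psk, m_pub, a_pub, ni, nr)
    detected = not hmac.compare_digest(bob_tag, alice_expects)
    return works, detected
```

The range check in `dh_shared` matters in practice: a peer that sends 0, 1 or p-1 forces the shared secret into a tiny set regardless of the private exponent, which is why IKE implementations reject those values.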

      17. Data Encryption Standards
      18. DES (Data Encryption Standard), adopted as a U.S. Government standard in 1977, operates on 64-bit blocks of data with a 56-bit key. That key length is now far too short: a 56-bit key can be recovered by exhaustive search, so DES should be treated as legacy. Triple DES (3DES) runs the DES operation three times on each 64-bit block (encrypt, decrypt, encrypt) with two or three independent keys, giving a key length of 112 or 168 bits.

      19. Cipher Block Chaining (CBC)

      DES can be combined with CBC (Cipher Block Chaining). In CBC each plaintext block is XORed with the previous ciphertext block before it is encrypted, and the first block is XORed with a random initialization vector (IV), so identical plaintext blocks, and identical messages sent with different IVs, produce different ciphertext. Without chaining (ECB mode) every repeated block encrypts to the same ciphertext and the pattern of the message shows through.
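Cipher block chaining worked through as an added example (not from the course notes): the chaining, padding and IV handling are real, but they run over a deliberately small Feistel cipher of my own construction so the mode itself stays visible. That toy cipher is an assumption for illustration only, not DES, and must not be used for real data.

```python
# Added example (not from the course notes): ECB versus CBC on 64-bit
# blocks (the DES block size), over a TOY Feistel cipher that exists only
# so the chaining can be shown. The toy cipher is not DES and is not secure.
import hashlib
import hmac
import os

BLOCK = 8  # bytes, same block size as DES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    """Toy round function: HMAC-SHA256 of (round index, half block), truncated to 4 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def toy_encrypt_block(key, block, rounds=8):
    left, right = block[:4], block[4:]
    for i in range(rounds):
        left, right = right, xor(left, _round(key, i, right))
    return right + left  # final swap, as in a standard Feistel network


def toy_decrypt_block(key, block, rounds=8):
    right, left = block[:4], block[4:]  # undo the final swap
    for i in reversed(range(rounds)):
        right, left = left, xor(right, _round(key, i, left))
    return left + right


def pad(data):
    """PKCS#7 padding so the last block is always full."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    """No chaining: each block is encrypted independently."""
    p = pad(plaintext)
    return b"".join(toy_encrypt_block(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def cbc_encrypt(key, plaintext, iv):
    """Each plaintext block is XORed with the previous ciphertext block (IV first)."""
    p = pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(p), BLOCK):
        prev = toy_encrypt_block(key, xor(p[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)  # IV travels in the clear with the message


def cbc_decrypt(key, ciphertext):
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ct):
    """How many ciphertext blocks duplicate an earlier one (a pattern leak)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))


def demo(key=b"constructed-demo-key"):
    msg = b"ATTACK AT DAWN. " * 4  # constructed: 8 blocks, two distinct ones repeated 4 times each
    iv = os.urandom(BLOCK)
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, msg, iv)
    return {
        "ecb_repeated_blocks": repeated_blocks(ecb),    # the repeats show through
        "cbc_repeated_blocks": repeated_blocks(cbc),
        "cbc_roundtrip_ok": cbc_decrypt(key, cbc) == msg,
        "same_iv_same_ciphertext": cbc_encrypt(key, msg, iv) == cbc,  # why the IV must not repeat
    }
```

The last entry in `demo()` is the caveat the chapter leaves implicit: chaining only hides repetition across messages if the IV changes for every message under the same key.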

    2. IPSec Standards
      1. RFCs
      2. IPSec is a collection of open standards developed by the Internet Engineering Task Force (IETF) to secure IP network communication. The standards are published, and revised, as RFCs (Requests for Comments).

      3. IPSec Resources can be found at www.cs.arizona.edu/xkernel/www/ipsec/ipsec.html, and a newsletter is available by sending a request to ipsec-request@lists.tislabs.com.
    3. IPSec Architecture
    4. IPSec operates at the network layer of the OSI Model, so it is transparent to the transport layer (TCP and UDP) and to every application protocol above it; applications need not be changed to benefit from it.

      1. Transport vs. Tunnel Mode - IPSec can operate in Transport or Tunnel mode.
        1. Transport mode protects traffic end to end between two hosts. Only the IP payload (the transport header and data) is protected; the original IP header stays in place. Both hosts must run IPSec over TCP/IP.
        2. Tunnel mode connects a gateway to a gateway (or a host to a gateway). The entire original IP packet, header included, is encapsulated inside a new IP packet addressed between the tunnel endpoints, so the host and destination computers themselves do not need to employ IPSec.
    5. IPSec Protocols
      1. AH (Authentication Header) protocol guarantees data integrity (it detects any change to the packet) and authentication of the sender, but does not encrypt data or provide confidentiality. An HMAC (Hash-based Message Authentication Code) keyed with the SA's key is computed over the entire packet, including the source and destination addresses and the data; only IP header fields that legitimately change in transit (such as TTL) are excluded. Because the addresses are covered, AH traffic cannot pass through a device that rewrites addresses (NAT). See Figure 7-2 on page 469.
      2. ESP, or Encapsulating Security Payload protocol, offers confidentiality (encryption), authentication, integrity, and anti-replay protection. Its integrity check covers the ESP header and payload but not the outer IP header. Microsoft considers ESP the answer to high security needs. See Figure 7-2 on page 469.
    6. Security Negotiation
    7. Security Negotiation is responsible for ensuring that the sending and receiving computers use the same security method.

      1. Security Associations (SAs)

SAs define IPSec secured links between the following:

    • remote nodes and the network
    • two networks
    • two computers on a LAN
        1. Security Association Types
        2. Two types of SAs are possible:

          1. A soft SA is a plaintext (unsecured) association, formed when the active security policy permits unsecured communications with computers that are not IPSec-capable and the peer does not negotiate
          2. A hard SA is a negotiated IPSec SA, used when the active policies on both sides are compatible
        3. Number of Security Associations
        4. An SA is one-directional: a separate SA is used for outgoing and for incoming messages, so each IPSec connection requires at least two SAs (and a further pair if both AH and ESP are applied).

        5. Security Parameters Index (SPI)

An SPI tracks and uniquely identifies each SA.
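How a receiver uses the SPI and the per-SA sequence number, as an added example that is not part of the course notes: an inbound SA table looked up by SPI and protocol, a separate outbound counter that refuses to wrap, and the anti-replay sliding window that RFC 2401 (Appendix C) describes for ESP and AH. The packet headers fed through it are constructed for the demonstration; the window size of 32 is the RFC's minimum.

```python
# Added example (not from the course notes): SA lookup by SPI plus the
# ESP/AH anti-replay window of RFC 2401 appendix C, run over constructed
# packet headers. One SA per direction: inbound SAs check sequence numbers,
# outbound SAs generate them.
from dataclasses import dataclass

WINDOW = 32  # RFC 2401: at least 32, 64 recommended


@dataclass
class InboundSA:
    spi: int
    peer: str
    protocol: str          # "ESP" or "AH"
    highest_seq: int = 0   # highest sequence number accepted so far
    bitmap: int = 0        # bit i set => sequence number highest_seq - i was seen

    def check_replay(self, seq):
        """True if seq is new and inside the window; False if replayed or too old."""
        if seq == 0:
            return False               # the counter starts at 1, so 0 is never valid
        if seq > self.highest_seq:     # advance the window to the right
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW:
            return False               # left of the window: too old to track
        if self.bitmap & (1 << diff):
            return False               # already received: a replay
        self.bitmap |= 1 << diff
        return True


@dataclass
class OutboundSA:
    spi: int
    peer: str
    protocol: str
    seq: int = 0

    def next_seq(self):
        """Sequence numbers must never wrap under one key; a new SA is needed first."""
        if self.seq >= 0xFFFFFFFF:
            raise OverflowError("sequence number exhausted: rekey (new SA) required")
        self.seq += 1
        return self.seq


class SADB:
    def __init__(self):
        self.inbound = {}  # (spi, protocol) -> InboundSA; the receiver chooses its own SPIs

    def add_inbound(self, sa):
        self.inbound[(sa.spi, sa.protocol)] = sa

    def process(self, pkt):
        """pkt: dict with spi, protocol, seq, src. Returns 'accept' or a drop reason."""
        sa = self.inbound.get((pkt["spi"], pkt["protocol"]))
        if sa is None:
            return "drop: no SA for SPI"
        if pkt["src"] != sa.peer:
            return "drop: source does not match SA peer"
        if not sa.check_replay(pkt["seq"]):
            return "drop: replay or outside window"
        return "accept"


def demo():
    sadb = SADB()
    sadb.add_inbound(InboundSA(spi=0x1000, peer="10.0.0.2", protocol="ESP"))
    # Constructed arrival order: reordered (5 before 4), a replay of 3,
    # a jump to 100, then 60 (too old) and 70 (late but inside the window).
    seqs = [1, 2, 3, 5, 4, 3, 100, 60, 70]
    pkts = [{"spi": 0x1000, "protocol": "ESP", "seq": s, "src": "10.0.0.2"} for s in seqs]
    pkts.append({"spi": 0x2000, "protocol": "ESP", "seq": 1, "src": "10.0.0.2"})    # unknown SPI
    pkts.append({"spi": 0x1000, "protocol": "ESP", "seq": 101, "src": "10.0.0.9"})  # wrong peer
    return [sadb.process(p) for p in pkts]
```

Note that the replay check is only meaningful because the SA's key also authenticates the sequence number; without AH or ESP authentication an attacker could simply renumber replayed packets.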

      1. Key Exchange
        1. PHASE 1 (Main Mode): Establishment of the ISAKMP SA (Internet Security Association and Key Management Protocol). The peers agree on an encryption algorithm, a hash algorithm, an authentication method, and a Diffie-Hellman group, perform the Diffie-Hellman exchange, and authenticate each other. (The four steps for establishing the ISAKMP SA are listed on page 472.)
        2. PHASE 2 (Quick Mode): Under the protection of the ISAKMP SA, the peers negotiate the IPSec SAs that will actually protect traffic: AH or ESP, the encryption and hash algorithms, and fresh keys, one SA per direction.
      2. Data Protection

Data Protection is handled in Windows 2000 through DES or the stronger triple DES (3DES). 3DES must be installed using the High Encryption Pack, and if the computer does not have the High Encryption Pack installed and receives a policy with 3DES settings, it will revert to DES.

    1. How IPSec Works
      1. IPSec Authentication
      2. IPSec Authentication methods include Kerberos v5, Public Key certificates, and preshared keys.

        1. Kerberos v5
        2. Default authentication method for Windows 2000: computers that share this method and belong to the same or a trusted domain use their existing Kerberos credentials, with no extra configuration.

        3. Public Key Certificates
        4. Using public keys and a trusted third party, individuals can be sure of communicating with the real party.

        5. Preshared Keys

        Predefined keys allow two parties to authenticate, provided the identical key is configured in the IPSec policy on both sides. Preshared keys are mainly for interoperability and testing: the key is stored in the policy (in the registry or Active Directory) in readable form, and any two machines given the same key can impersonate each other.

      3. The ISAKMP Service – Internet Security Association Key Management protocol.

The ISAKMP Service combines with the Oakley key determination protocol, a leading key management method, to centralize the management of security associations, which reduces connection time. ISAKMP supplies the framework (message formats and the two phases) and Oakley supplies the key exchange modes; together they are IKE (Internet Key Exchange), which runs over UDP port 500.

      1. The IPSec Driver
      2. The IPSec driver first checks the IP filter list in the policy that is active, then notifies the ISAKMP service to begin security negotiations.

      3. IPSec Packet Handling
      4. IPSec Packet Handling involves the four steps found on page 477.

      5. IPSec Filter List
      6. IPSec Filter Lists define the IP addresses and types of IP traffic that a rule applies to. Each IP packet is checked against the filter lists of the active policy, and the matching filter decides what action is taken.

        1. IP Filters
        2. IP Filters include inbound filters (applied to incoming IP packets) and outbound filters (applied to packets sent out onto the network); a mirrored filter matches both directions at once. When a packet matches a filter whose action is Negotiate Security, a security negotiation is triggered. Filter settings include the following:

          1. Source/destination address
          2. Protocol
          3. Source/destination port for TCP or UDP
    1. IPSec and SNMP
    2. SNMP agents and managers generally do not support IPSec, so when SNMP (Simple Network Management Protocol) is in use and the active policy requires security, SNMP messages are blocked. To prevent this, add a rule to the active IPSec policy with a filter for SNMP traffic (UDP ports 161 and 162) and the Permit action.

    3. IPSec and L2TP

Secure VPNs are possible in Windows 2000 thanks to L2TP (the Layer Two Tunneling Protocol). Windows NT 4.0 supported only the PPTP for virtual private networking.

      1. When to Use L2TP
      2. Use L2TP when providing a secure link between remote clients and a corporate network or when providing a secure connection for a company’s offices located at multiple sites.

      3. How L2TP Security Works
      4. When L2TP over IPSec is used, encapsulation and encryption together provide data security. Encapsulation puts one data structure inside another so that the inner structure is hidden from the network it crosses; this creates the tunnel effect from which L2TP takes its name.

        1. Two-Tiered Encapsulation
        2. Two-Tiered Encapsulation means the data is wrapped twice: first by L2TP, then by IPSec. The two encapsulations are

          1. L2TP encapsulation
          2. The PPP frame carrying the user's data is wrapped in an L2TP header and sent as a UDP datagram (port 1701) with its own IP header.

          3. IPSec encapsulation (see page 480)

          The L2TP/UDP packet created above is then wrapped by IPSec ESP in transport mode, which adds the ESP header and trailer.

        3. Encryption - Encryption is performed on the L2TP message by IPSec ESP, so the PPP frame and everything inside it travel encrypted.

    II.  Enabling and Configuring IPSec

    1. IPSec Policies
    2. Microsoft has implemented policy-based administration of IPSec. By using an MMC snap-in, you can configure the IPSec policies.

    3. Factors to Consider
    4. Balance accessibility with security

      1. Evaluating Security Needs
      2. Considerations for policy content should include the type of information typically sent over the network and how sensitive it is. Also, consider how vulnerable or open you are to public or other network attacks, and do not discount possible attacks from within the company.

      3. Evaluating Potential Security Threats
      4. The stereotypical "hacker" may not be your most dangerous threat. Discuss list on page 485 to help determine more likely threats.

      5. Designing and Implementing IP Security Policies
        1. Policies are intertwined with Active Directory and Group Policy.
        2. Create a policy to deploy IPSec.
    5. IPSec Policy Properties
      1. There are three built-in IPSec Policies, as follows:
        1. Client policy (respond only)
        2. When active, the computer never initiates IPSec but responds to a peer that requests it, so it can communicate with servers that require IPSec communications. This does not mean that the client requires IPSec; just that it is available to it.

        3. Server policy (request security)
        4. The server requests IPSec for all traffic and uses it with any client that has IPSec available. If the client cannot negotiate IPSec, the server falls back to unsecured (soft SA) communication.

        5. Secure server (require security)

If a server cannot establish a secure connection with a client, then the client connection will be denied. Note that Windows 2000 exempts certain traffic from IPSec filtering by default (IKE itself, Kerberos, broadcast and multicast), so even this policy does not secure everything on the wire.

      1. Creating Custom Policies
      2. To create custom policies, perform the seven steps on pages 490-491, and see Figure 7-3 on page 490. The Properties dialog box for an existing security policy is shown in Figure 7-4 on page 491.

        1. For an individual computer – Local Security Policy tool in Administrative Tools
        2. For all W2K computers in a domain – Domain Security Policy tool in Administrative Tools.
        3. For all domain controllers in a domain – Domain Controller Security Policy tool in Administrative Tools.
        4. For all W2K computers in a particular OU – use Active Directory Users and computers to configure a Group Policy object that enables IPSec on all of the computers in the OU.
    1. Configuring IPSec Policy Components
      1. Configuring Filter Rules
        1. IP Filter rules are created to specify how and when communication is to be secured through a list of filters and a collection of security actions.
        2. How to add and edit rules is outlined on page 492, and in Figure 7-5 on page 493.
      2. Configuring Filters and Filter Lists
      3. How to add and edit filters is outlined on pages 494-495 and Figures 7-6 and 7-7 on pages 494 and 495.

      4. Filter Actions
      5. Filter actions define the type of security and the methods under which security is established. The primary methods are:

        1. Permit - lets matching traffic pass in the clear without negotiating IP security. Use this when you do not want to secure any traffic that uses this rule.
        2. Block - silently discards all matching traffic to and from the computers specified in the IP filter list.
        3. Negotiate Security - has the computer negotiate with the peer, using an ordered list of security methods (AH or ESP, algorithms, key lifetimes), to decide how the communication is protected.
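Filter lists and filter actions put together, as an added example that is not part of the course notes: a small policy evaluator that matches constructed packets against filters (addresses, protocol, ports, mirroring), picks the most specific matching filter, and returns its action, followed by the method intersection that the Negotiate Security action performs. The rule set, field names and packets are my own constructions; the most-specific-filter ordering approximates how Windows IPSec chooses among overlapping filters, and the SNMP permit rule is the one the chapter recommends.

```python
# Added example (not from the course notes): evaluating an IPSec policy's
# filter lists and filter actions against packets. Rules, packets and the
# specificity scoring are constructed for illustration.
from dataclasses import dataclass
from typing import Optional
import ipaddress

PERMIT, BLOCK, NEGOTIATE = "Permit", "Block", "Negotiate Security"


@dataclass(frozen=True)
class Filter:
    src: str = "0.0.0.0/0"            # "Any IP Address"
    dst: str = "0.0.0.0/0"
    protocol: str = "any"             # "any", "tcp", "udp", "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    mirrored: bool = True             # also match the reverse direction

    def _match_one(self, pkt, src, dst, sport, dport):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
                and self.protocol in ("any", pkt["protocol"])
                and sport in (None, pkt.get("src_port"))
                and dport in (None, pkt.get("dst_port")))

    def matches(self, pkt):
        if self._match_one(pkt, self.src, self.dst, self.src_port, self.dst_port):
            return True
        return self.mirrored and self._match_one(pkt, self.dst, self.src, self.dst_port, self.src_port)

    def specificity(self):
        """Longer prefixes and concrete protocol/ports make a filter more specific."""
        s = ipaddress.ip_network(self.src).prefixlen + ipaddress.ip_network(self.dst).prefixlen
        s += 8 if self.protocol != "any" else 0
        s += 16 if self.src_port is not None else 0
        s += 16 if self.dst_port is not None else 0
        return s


@dataclass
class Rule:
    name: str
    filters: tuple
    action: str
    methods: tuple = ()   # security methods offered, in preference order, when negotiating


def evaluate(policy, pkt):
    """(rule name, action) of the most specific matching filter; unmatched traffic
    is not filtered by IPSec and passes in the clear."""
    best = None
    for rule in policy:
        for f in rule.filters:
            if f.matches(pkt) and (best is None or f.specificity() > best[0]):
                best = (f.specificity(), rule)
    if best is None:
        return None, PERMIT
    return best[1].name, best[1].action


def negotiate(offered, accepted):
    """First method in the initiator's order that the responder also supports, else None
    (the 'no common security method' failure from the troubleshooting list)."""
    for m in offered:
        if m in accepted:
            return m
    return None


# Constructed policy resembling "Secure Server" plus the SNMP exception.
POLICY = [
    Rule("All IP traffic", (Filter(),), NEGOTIATE, ("ESP 3DES/SHA1", "ESP DES/MD5")),
    Rule("Permit SNMP", (Filter(protocol="udp", dst_port=161),
                         Filter(protocol="udp", dst_port=162)), PERMIT),
    Rule("Block telnet from lab", (Filter(src="10.0.5.0/24", protocol="tcp", dst_port=23),), BLOCK),
]


def demo():
    pkts = [  # constructed packets
        {"src": "10.0.1.20", "dst": "10.0.1.5", "protocol": "udp", "src_port": 40000, "dst_port": 161},
        {"src": "10.0.1.20", "dst": "10.0.1.5", "protocol": "tcp", "src_port": 40001, "dst_port": 80},
        {"src": "10.0.5.7", "dst": "10.0.1.5", "protocol": "tcp", "src_port": 40002, "dst_port": 23},
        {"src": "10.0.1.5", "dst": "10.0.1.20", "protocol": "udp", "src_port": 161, "dst_port": 40000},
    ]
    return [evaluate(POLICY, p) for p in pkts]
```

The fourth packet is the SNMP reply: it only matches because the filter is mirrored, which is the default and the reason a single filter usually suffices for request and response.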
    2. Configuring IPSec Authentication
    3. To configure IPSec authentication, follow the steps on page 497 and see Figures 7-8, 7-9, and 7-10 on pages 497 and 498.

    4. Configuring Connection Types – For each IPSec rule, you must identify connection types which apply to the rule.
      1. All Network Connections applies to communications sent over any of the configured network connections.
      2. Local Area Network (LAN) applies to communications sent over the LAN connection(s).
      3. Remote Access applies to communications sent over remote access or dial-up connections.
      4. Use the steps outlined on page 499 to specify IPSec connection types for an IPSec rule. (See Figure 7-11 on page 500.)
    5. Configuring IPSec Tunneling
    6. Configuring IPSec Tunneling requires two separate IPSec rules, one per direction, each specifying its tunnel endpoint (the remote gateway's IP address for outbound traffic, the local gateway's for inbound); mirrored filters are not used for tunnel rules. See Figure 7-12 on page 500.

    7. Configuring Advanced Settings

The Advanced button in the General tab will allow you to set Key Exchange settings, as shown in Figures 7-13, 7-14, and 7-15 on pages 501 and 502.

   III.  Managing, Monitoring, and Troubleshooting IPSec

    1. Managing IPSec
    2. The following IPSec settings can be achieved using the context menu shown in Figure 7-16 on page 504. You may need to refresh the policy list to see the effect of any changes.

      1. Testing Policy Integrity
      2. This provides verification that the changes made to the policy settings have been properly propagated.

      3. Restoring Predefined IPSec Policies
      4. Overwrite custom changes with the predefined policies.

      5. Exporting and Importing IPSec Policies
      6. Refreshing the IPSec Policy List
      7. Changes made to policies do not always appear in the console immediately, so use Refresh to update the policy list.

      8. Deleting IPSec Policies
      9. Renaming IPSec Policies
    3. Using IPSec Monitor
      1. Using IPSec Monitor shows the active security associations on local and remote computers.
      2. The monitor’s display refreshes every 15 seconds by default.
      3. Perform Exercise 7-3 on page 506: Accessing the IPSec Monitor.
    4. IPSec Policy Agent Entries in the System and Security logs
      1. The System Log
      2. The System Log aids in troubleshooting the Policy Agent; for example, it records Event 279 (Informational) and Event 284 (Error) from the Policy Agent.

      3. Security Log

      The Security Log lists messages pertaining to ISAKMP/Oakley.

    5. Common Troubleshooting Scenarios
      1. IPSec Communications are not working as expected:
        1. Use IPSec Monitor to verify that IPSec is enabled and that a policy is assigned.
        2. Check that the network connection is working properly.
      2. No Security Associations Indicated in IPSec Monitor (see Figure 7-17 on page 509).
        1. You may need to restart IPSec Policy Agent.
      3. Security Negotiations Fail
        1. Check the authentication methods on both computers and ensure they are compatible.
        2. Check the security method(s) specified on both computers: there must be at least one common security method.
        3. If tunneling mode is being used, make certain that the tunnel endpoint settings are correct.
      4. Accidental Deletion of the IPSec Files
        1. Reinstall the IPSec files by removing TCP/IP and then installing it again (IPSec is part of the TCP/IP protocol stack in Windows 2000).