The IP Security (IPsec) protocol is a standard that
provides cryptographic security services for IP traffic. IPsec is an
end-to-end security solution. The only two nodes aware of IPsec traffic
on the network are the two peers communicating with each other. IPsec
packets are forwarded by routers like any other packet on the network.
As you probably recall, IPsec provides the following properties:
Peer authentication. IPsec verifies the identity of a peer computer before any data is sent.
Data origin authentication.
Each IPsec packet carries an integrity check value computed with a keyed
hash (a message authentication code) under a key that only the two peers
hold. It ensures that only a computer holding that key could have sent the
packet, preventing a malicious user from masquerading as the sender.
Data integrity.
The same keyed hash protects the contents of the packet. The receiver
recomputes it and compares the result with the value carried in the packet
to verify that the data is unmodified. An intruder who does not hold the
key cannot modify the packet's data and also produce a matching keyed hash.
Data confidentiality. IPsec
uses secret key (symmetric) encryption to protect the data being sent
in the packet. If the packet is intercepted, only the packet's
encrypted contents can be viewed.
Antireplay.
Each protected packet carries a sequence number, and the receiver keeps
track of which sequence numbers it has already accepted, so an intruder
who captures a packet cannot resend it later and have it accepted a
second time.
Key management.
IPsec (through the Internet Key Exchange, IKE) provides a secure way of
deriving the initial keying material and of changing the keys periodically,
so that the amount of traffic protected under any one key is limited and a
key cannot be recovered by any method other than brute force.
IPsec
does not provide a nonrepudiation service for data, meaning that the
sender can later deny having sent a packet. IPsec authenticates packets
with a shared secret key, called a symmetric key, and since both peers
hold the same key, either of them could have produced a given packet's
keyed hash; a third party therefore cannot tell which peer sent it, so
nonrepudiation is not provided by IPsec.
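The following Python script is an added illustration (it is not code from the original chapter or from Microsoft) that makes the data origin authentication, data integrity, antireplay and nonrepudiation points concrete. It protects a packet with a keyed hash (HMAC-SHA1 truncated to 96 bits, as RFC 2404 specifies), shows that tampering and outsider forgery are detected, implements the sliding antireplay window from RFC 4303, and shows that the receiver, holding the same symmetric key, can mint a packet the sender never sent. The key, SPI and payload are constructed example values; in real IPsec the key comes from IKE.

```python
import hashlib
import hmac
import struct

# Constructed example values (not real IPsec traffic): a 160-bit HMAC-SHA1 key that
# both peers share, as IKE would have derived it.
SHARED_KEY = bytes.fromhex("0b" * 20)
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): the 160-bit keyed hash truncated to 96 bits


def compute_icv(key: bytes, authenticated: bytes) -> bytes:
    """The 'keyed hash' IPsec appends: a message authentication code, not an encrypted checksum."""
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """SPI and sequence number (both sent in the clear) + payload + ICV over all of it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + compute_icv(key, body)


def verify(key: bytes, packet: bytes):
    """Return (spi, seq, payload) if the ICV checks out, else None (drop the packet)."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(key, body), icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


class ReplayWindow:
    """Sliding antireplay window as in RFC 4303 section 3.4.3 (default width 64)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # the first packet on an SA carries sequence number 1
        if seq > self.top:  # newer than anything seen: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # too old: outside the window, treated as a replay
        if self.bitmap & (1 << offset):
            return False  # already accepted once: a replay
        self.bitmap |= 1 << offset  # late but legitimate packet
        return True


def demo() -> dict:
    """Exercise the properties; returns a dict so the outcomes can be checked."""
    packet = protect(SHARED_KEY, spi=0x1000, seq=1, payload=b"GET / HTTP/1.1\r\n")
    results = {"genuine_accepted": verify(SHARED_KEY, packet) is not None}

    # Data integrity: flip one bit of the payload and the ICV no longer matches.
    tampered = bytearray(packet)
    tampered[8] ^= 0x01
    results["tampered_accepted"] = verify(SHARED_KEY, bytes(tampered)) is not None

    # Data origin authentication: an outsider without the key cannot produce a valid ICV.
    forged = protect(b"attacker-guess", 0x1000, 2, b"evil")
    results["outsider_forgery_accepted"] = verify(SHARED_KEY, forged) is not None

    # No nonrepudiation: the receiver holds the same key, so it can mint a packet
    # indistinguishable from one the sender produced.
    receiver_made = protect(SHARED_KEY, 0x1000, 3, b"sender never sent this")
    results["receiver_forgery_accepted"] = verify(SHARED_KEY, receiver_made) is not None

    # Antireplay: duplicates and packets older than the window are rejected.
    window = ReplayWindow()
    results["replay_decisions"] = [window.check_and_update(s)
                                   for s in (1, 2, 3, 2, 70, 10, 6, 7, 10)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the replay sequence, the second 2 is a duplicate, 6 falls outside the 64-packet window once 70 has been accepted, and the second 10 is a duplicate; everything else is accepted even though 10 and 7 arrive out of order, which is exactly why a window rather than a strict counter is used.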
IPsec
can operate in either transport mode or tunnel mode. Transport mode
protects communications between hosts: it protects the User Datagram
Protocol/Transmission Control Protocol (UDP/TCP) header and the original
data but not the IP header itself. In tunnel mode, the whole original IP
packet is protected and a new IP header is added, which suits
host-to-network and network-to-network communications such as virtual
private networks (VPNs). Since IPsec changes the IP packet (AH
authenticates the addresses in the IP header, and ESP hides the TCP/UDP
port numbers that a NAT device uses to track connections), the original
form of Network Address Translation did not work with IPsec. The newer
Network Address Translation-Traversal (NAT-T) solves this by encapsulating
the IPsec traffic in UDP. It allows IPsec traffic to pass through NAT
devices provided the NAT devices and firewalls on the path allow UDP port
4500 (in addition to UDP port 500, on which the IKE negotiation starts).
NAT-T works only with ESP, not with AH. Current versions of Windows that
support IPsec also support NAT-T.
IPsec
supports numerous authentication and encryption standards, so two
IPsec-capable computers might not support the same set of them. And not
all computers support IPsec at all. So, before an IPsec connection can be
made, whether in transport or tunnel mode, an IPsec negotiation takes
place to determine whether the two endpoints (host-to-host or
host-to-server) support a common set of standards.
IPsec provides security by enveloping the data (the IP payload)
in an additional header or trailer that provides data origin
authentication, data integrity, data confidentiality, and antireplay
protection. The IPsec protocol uses two elements, the authentication
header (AH) and the encapsulating security payload (ESP) header and
trailer. Applying AH or ESP to an IP datagram transforms the packet
into a secure datagram; as a result, AH and ESP are sometimes referred
to as transforms. ESP is the more widely supported of the two and is
therefore the usual choice; AH is used when a peer cannot support ESP, or
when confidentiality is not needed and the IP header itself must be
authenticated. Let's look briefly at the AH and ESP protocols.
IPsec Authentication Header (AH)
The
Authentication Header protocol provides data origin authentication,
data integrity, and antireplay protection for the entire IP datagram,
including the fields of the IP header that do not change in transit. It
does not provide data confidentiality (for that, use ESP, discussed in
the next section). AH can be used in transport or tunnel mode. The packet
format for both is shown in Figure 1. Notice that when AH is used in
transport mode (Figure 10.19A), the AH header is inserted just after the
IP header. The IP header is modified to indicate the presence of AH (the
Protocol field is set to 51). Routers forward this packet just as they
would any other standard IP packet. However, a firewall that filters on
the IP Protocol field does not recognize protocol 51 as TCP or UDP and
may drop the traffic unless it is explicitly permitted. For that reason,
some firewalls need to be configured to forward datagrams in which the IP
header Protocol field is set to 51. Because the AH integrity check covers
the source and destination addresses, any device that rewrites them, such
as a NAT, invalidates the packet; AH therefore cannot be used across NAT,
even with NAT-T.
In Figure 10.19B,
the tunnel mode for AH is shown. In this case, the original IP packet is
included without modification inside a new IP header, and the entire
packet is authenticated, including the new IP header, the AH header, and
the original IP header and payload. The outer header lets the tunnel be
terminated by a security gateway rather than by the end host, but it
generates more network traffic by adding to the size of every packet.
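To show what "authenticating the entire IP datagram" means in practice, here is an added Python example (not code from the original chapter or from Microsoft) that builds an AH transport-mode packet as in Figure 10.19A: an IPv4 header with Protocol 51, the fixed AH fields, an HMAC-SHA1-96 integrity check value, and the original transport payload. The ICV is computed with the mutable IP header fields (TOS, flags/fragment offset, TTL, checksum) zeroed as RFC 4302 requires, so a router hop that decrements the TTL still verifies, while a NAT that rewrites the source address does not. Addresses, key, SPI and payload are constructed example values; the IP header is assumed to carry no options.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTOCOL = 51  # value of the IP header Protocol field when an AH header follows it
ICV_LEN = 12      # HMAC-SHA1-96
AH_KEY = bytes.fromhex("a1" * 20)  # constructed example key; a real one comes from IKE


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the IPv4 header (checksum field zeroed first)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytearray) -> bytes:
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header)


def ipv4_header(src: str, dst: str, protocol: int, total_length: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options); ident and the DF flag are fixed example values."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000,
                                ttl, protocol, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    return with_checksum(hdr)


def immutable_view(ip_header: bytes) -> bytes:
    """RFC 4302: fields that legitimately change in transit (TOS, flags/fragment offset,
    TTL, header checksum) are zeroed before the ICV is computed; addresses are not."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah_transport(key, src, dst, spi, seq, next_header, payload):
    """IP header | AH header | original transport payload (the Figure 10.19A layout)."""
    ah_len = 12 + ICV_LEN  # fixed AH fields plus the ICV
    ip = ipv4_header(src, dst, AH_PROTOCOL, 20 + ah_len + len(payload))
    # next header, payload length (in 32-bit words minus 2), reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    auth_input = immutable_view(ip) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, auth_input, hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_fixed + icv + payload


def verify_ah_transport(key, packet):
    """Return the inner header fields and payload if the ICV matches what arrived, else None."""
    ip = packet[:20]
    if ip[9] != AH_PROTOCOL:
        return None
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    icv = packet[32:20 + ah_len]
    payload = packet[20 + ah_len:]
    auth_input = immutable_view(ip) + packet[20:32] + bytes(len(icv)) + payload
    expected = hmac.new(key, auth_input, hashlib.sha1).digest()[:len(icv)]
    if not hmac.compare_digest(expected, icv):
        return None
    return {"next_header": next_header, "spi": spi, "seq": seq, "payload": payload}


def router_hop(packet: bytes) -> bytes:
    """What an ordinary router does: decrement the TTL and fix the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return with_checksum(h) + packet[20:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT does: rewrite the source address (and the checksum)."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return with_checksum(h) + packet[20:]


def demo() -> dict:
    pkt = build_ah_transport(AH_KEY, "10.0.0.5", "10.0.0.9", spi=0x200, seq=1,
                             next_header=6, payload=b"\x04\xd2\x00\x50" + b"tcp segment")
    return {
        "protocol_field": pkt[9],
        "original_ok": verify_ah_transport(AH_KEY, pkt) is not None,
        "after_router_hop_ok": verify_ah_transport(AH_KEY, router_hop(pkt)) is not None,
        "after_nat_ok": verify_ah_transport(AH_KEY, nat_rewrite_source(pkt, "203.0.113.7")) is not None,
        "inner": verify_ah_transport(AH_KEY, pkt),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Protocol field of 51 is what a firewall must be configured to permit, and the NAT case is why NAT-T is defined only for ESP: once the outer addresses are part of the authenticated data there is nothing a NAT can legitimately change.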
A
security association (SA) is the agreed combination of security services
used by communicating peers for a particular flow of traffic. This
typically includes the security services, the protection methods (the
algorithms in use), and the cryptographic keys. Two types of SA are
created when IPsec peers communicate in a secure mode: an ISAKMP SA and
one or more IPsec SAs.
The Internet Security Association and Key Management Protocol (ISAKMP) SA,
also known as the main mode SA, protects the IPsec security negotiation
itself. The IPsec SA, also known as the quick mode SA, carries the actual
traffic. The cipher information for the IPsec SA is negotiated under the
protection of the ISAKMP SA, so neither the type of traffic being
protected nor the protection mechanisms chosen are sent as plaintext.
Recall that IPsec SAs are unidirectional: for a pair of IPsec peers there
are always two IPsec SAs, one for inbound and one for outbound traffic.
The inbound SA for one IPsec peer is the outbound SA for the other. Each
SA is identified on the wire by its Security Parameter Index (SPI), which
is carried in the clear in the AH or ESP header so that the receiver can
look up the right keys for the packet.
IPsec Encapsulating Security Payload (ESP)
Encapsulating
Security Payload (ESP) adds both a header and a trailer to an IP
datagram to secure it. ESP provides data origin authentication, data
integrity, antireplay, and (optionally) data confidentiality for the
ESP-encapsulated portion of the packet; unlike AH, it does not cover the
outer IP header. Figure 2 shows the format of the ESP header in transport mode and Figure 3 shows the ESP header in tunnel mode. We've also included what the packet looks like if you use both AH and ESP, shown in Figure 2,
though typically ESP is the default method of securing the packet unless
you have a reason to use AH, which does not provide data confidentiality.
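The following added Python example (not code from the original chapter or from Microsoft) ties the security association discussion above to the ESP format: two peers each hold an outbound SA and an inbound SA database keyed by SPI, with one peer's outbound SPI being the other's inbound SPI. A transport-mode ESP packet is built with the RFC 4303 trailer (padding to a 4-byte boundary, pad length, next header) and an HMAC-SHA1-96 ICV, and decapsulation looks the SPI up, checks the ICV and the sequence number, and strips the trailer. The NULL encryption algorithm (RFC 2410) is used so the example needs only the standard library; with a real cipher the framing and the ICV coverage are the same, only the payload and trailer bytes would be encrypted. Keys, SPIs and the payload are constructed example values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96


class SecurityAssociation:
    """One direction of traffic: an SPI, the key for it, and sequence number state."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.seq_out = 0     # last sequence number sent (outbound use)
        self.seq_in_max = 0  # highest sequence number accepted (inbound use)

    def icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_encapsulate(sa: SecurityAssociation, next_header: int, payload: bytes) -> bytes:
    """ESP header | payload | padding | pad length | next header | ICV (transport mode).
    With the NULL cipher nothing is encrypted, but the framing and ICV coverage are unchanged."""
    sa.seq_out += 1
    pad_len = (-(len(payload) + 2)) % 4      # pad so the trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default padding: 1, 2, 3, ...
    body = (struct.pack("!II", sa.spi, sa.seq_out) + payload + padding
            + bytes([pad_len, next_header]))
    return body + sa.icv(body)               # ICV covers SPI through next header


def esp_decapsulate(inbound_sad: dict, packet: bytes):
    """Look the SPI up in the inbound SA database, check ICV and sequence number,
    then strip the trailer. Returns None for anything that must be dropped."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])  # both readable without any key
    sa = inbound_sad.get(spi)
    if sa is None:
        return None                               # no SA: we never negotiated this traffic
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(sa.icv(body), icv):
        return None
    if seq <= sa.seq_in_max:
        return None                               # replay (a strict check; real stacks use a window)
    sa.seq_in_max = seq
    pad_len, next_header = body[-2], body[-1]
    end = len(body) - 2 - pad_len
    if end < 8 or body[end:len(body) - 2] != bytes(range(1, pad_len + 1)):
        return None                               # malformed padding
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": body[8:end]}


def make_peers():
    """Two peers after quick mode: each has one outbound SA and an inbound SAD keyed by SPI.
    Peer A's outbound SA (SPI 0x1001, key k_ab) is peer B's inbound SA, and vice versa."""
    k_ab = bytes.fromhex("11" * 20)  # constructed example keys; IKE would derive these
    k_ba = bytes.fromhex("22" * 20)
    peer_a = {"out": SecurityAssociation(0x1001, k_ab),
              "in": {0x2002: SecurityAssociation(0x2002, k_ba)}}
    peer_b = {"out": SecurityAssociation(0x2002, k_ba),
              "in": {0x1001: SecurityAssociation(0x1001, k_ab)}}
    return peer_a, peer_b


def demo() -> dict:
    peer_a, peer_b = make_peers()
    packet = esp_encapsulate(peer_a["out"], next_header=6, payload=b"GET / HTTP/1.1\r\n")
    return {
        "pad_len": packet[-ICV_LEN - 2],
        "b_decapsulates": esp_decapsulate(peer_b["in"], packet),
        "replay_at_b": esp_decapsulate(peer_b["in"], packet),            # same packet again
        "a_cannot_decapsulate_own": esp_decapsulate(peer_a["in"], packet),  # wrong direction
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note which fields an observer can read without the key: the SPI and the sequence number. That is all ESP reveals in the clear; the next header value, which says whether TCP or UDP is inside, sits in the trailer and is encrypted whenever a real cipher is in use.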
Now
that we’ve refreshed your skills on the format of the IPsec AH and ESP
data, let’s get back to the practical IPsec skills needed to configure
a Windows Server 2008 computer network.
Configuring IPsec in Windows Server 2008
IPsec
is configured via Group Policy in Active Directory as well as through
Windows Firewall with Advanced Security. In Windows Firewall with
Advanced Security, inbound and outbound firewall rules can be set to
allow only IPsec-protected connections, and connection security rules
define how that IPsec protection is negotiated. In this section, we'll
look briefly at IPsec in Group Policy and then we'll take a more
detailed look at the integration of IPsec in Windows Firewall with
Advanced Security, since this is a new feature in Windows Server 2008.
In
Windows Server 2003, IPsec and the Windows Firewall were configured
separately, in two different places. This led to the possibility of
conflicting settings. In Windows Server 2008, IPsec and the Windows
Firewall functionality have been combined, removing the possibility of
conflicting settings. IPsec and Windows Firewall are now configured via
the Windows Firewall with Advanced Security snap-in. Note that the
command line options within the netsh advfirewall context (for example,
netsh advfirewall consec for connection security rules and netsh
advfirewall set global for IPsec defaults) can be used for command line
configuration of both firewall and IPsec behavior. Again, the command
line options are helpful when setting up scripting, batch files, or when
administering a remote server, so it's useful to make note of the
commands you're most likely to need. You'll also see some of the more
commonly used commands on the Windows Server 2008 exam, so we include
them where it seems likely you'll be tested on them.
There
are many new improvements to the IPsec implementation in Windows Server
2008. According to the Microsoft Web site, these are:
Integrated firewall and IPsec configuration
Simplified IPsec policy configuration
Client-to-DC IPsec protection
Improved load balancing and clustering server support
Improved IPsec authentication
New cryptographic support
Integration with Network Access Protection
Additional configuration options for protected communication
Integrated IPv4 and IPv6 support
Extended events and performance monitor counters
Network Diagnostics Framework support
[Source: http://technet.microsoft.com/en-us/library/bb726965.aspx]
On
the Windows Server 2008 exam, expect to see questions that test your
knowledge and understanding of the latest implementation of IPsec. Most
notably, be familiar with how IPsec is integrated into and configured
in the firewall. Also be aware of the Simplified IPsec policy
configuration, which will likely show up on your exam in one form or
another. Finally, be familiar with the integrated IPsec support with
IPv4 and IPv6. Refer to the Microsoft Web site if you need to dig into
the vast detail of IPsec in Windows Server 2008.
Creating IPsec Policy
IPsec
policy is created either in Active Directory as Group Policy or locally
through Windows Firewall with Advanced Security on the Windows Server
2008 computer. IPsec settings in these two places are related but are
not interchangeable. Policy set in Active Directory is applied according
to the policies set at the domain level and takes precedence over local
IPsec policy on a member computer, so the effective IPsec policy on a
Windows Server 2008 computer is the result of both the AD policy and the
local Windows Firewall with Advanced Security settings.
We
won't go into too much detail about AD IPsec policy here, but we will
discuss IPsec in Windows Firewall with Advanced Security in more detail
later in this chapter. You can open the IP Security Policy Management
console as an MMC snap-in. To open the MMC console, click Start | Run, type mmc, and click OK. From the MMC console, add the IP Security Policy Management snap-in. Right-click IP Security Policies in the left pane, then choose Create IP Security Policy from the menu to launch the IP Security Policy Wizard.
IPsec Using the Command Line
As
with many other functions in Windows Server 2008 management, you can
configure IPsec policy via the command line. This section briefly
outlines some of the more commonly used IPsec commands. However, you
may want to explore the command line options for IPsec on your own so
you're familiar with them. The netsh ipsec context has two modes, shown
in Table 1: static commands create and modify stored (persistent)
policy, which takes effect when the policy is assigned or refreshed,
while dynamic commands act on the running IPsec driver immediately and
are not persistent, so they are lost when the IPsec service is stopped.
You can type netsh ipsec /? to get a full list of command line options related to IPsec.
Table 1. IPsec Command Line Options
IPsec Command | Details
---|---
netsh ipsec static add policy name=<name> | Creates an IPsec policy with the specified name in the persistent policy store.
netsh ipsec static delete policy name=<name> | Deletes the specified IPsec policy. netsh ipsec static delete all removes all IPsec policies, filter lists, and filter actions.
netsh ipsec static set policy name=<name> assign=yes | Assigns (activates) the named stored policy; assign=no unassigns it.
netsh ipsec static exportpolicy file=<file> | Exports all IPsec policies to the specified file (netsh ipsec static importpolicy file=<file> loads them back).
netsh ipsec static show all | Displays the stored policies, filter lists, and filter actions.
netsh ipsec dynamic add|set|delete mmpolicy|qmpolicy|rule | Adds, changes, or removes main mode policies, quick mode policies, and rules in the running IPsec driver immediately; netsh ipsec dynamic delete all clears them. These changes are not persistent.
netsh ipsec dynamic show all | Displays the current IPsec driver configuration, active security associations, and statistics.
netsh ipsec dynamic set config property=ipsecdiagnostics value=7 | Enables IPsec driver logging of dropped inbound and outbound packets (level 7 is the most verbose; 0 turns logging off).
netsh ipsec dynamic set config property=ipsecloginterval value=60 | Changes the interval at which the IPsec driver writes buffered log entries to the log. This example sets the interval to 60 seconds, which can be helpful when troubleshooting IPsec issues.
Sometimes
the output of a command, such as a show all command, is long enough to
scroll off the screen, making it hard to locate the information you need.
You can save the output to a file from within netsh with the following
sequence of commands. Although the example uses the netsh ipsec context, this works anywhere in netsh.
At the netsh prompt, type set file open filename.txt (where filename.txt is the file you want to create). Then type ipsec static show all. Finally, type set file close. The output of the ipsec static show all command has been saved to the file you specified.
Even faster is redirecting the command from the standard command line (not within netsh): netsh ipsec static show all > filename.txt. Saves time, saves your data.
If you want to page through the entire output without writing it to a file, pipe it to the more command: netsh ipsec static show all | more.
IPsec Isolation Policy
Server
and domain isolation is accomplished by configuring the IPsec-enabled
computers to require protection for inbound traffic (or attempts at
inbound traffic) and to request but not require protection for outbound
traffic. Trusted computers in an isolation scenario use fall back to
clear to initiate communication with hosts on their intranets that are
not IPsec-enabled. Beginning with the Simple Policy Update for Windows
Server 2003 (and continued in Windows Server 2008), the IPsec negotiation
process changed: a host still falls back to clear when the peer does not
answer the IKE negotiation at all (that is, when the peer is not
IPsec-aware), but a peer that answers IKE and then fails to validate the
initiator's credentials is refused rather than allowed in the clear. This
closes the gap in which two IPsec-capable peers that could not validate
each other's credentials were treated like non-IPsec computers. The two
behaviors correspond to two options on an IPsec filter action: "Allow
unsecured communication with non-IPsec-aware computers" (fall back to
clear), which applies only to peers that do not respond to IKE, and
"Accept unsecured communication, but always respond using IPsec", which
lets the computer accept an initial unprotected inbound packet while
still answering with an IPsec negotiation.