Post on 07-Apr-2018
8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory
1/80
ADVANTAGE PRO Chennais Premier Networking Training Center
Implementing IPSec in a Windows 2003 Network
Agenda
Introduction to IPSec
Uses and Planning
Windows 2003 IPSec components
Implementation and best practices of IPSec
Troubleshooting and references
What will not be covered in this discussion
Introduction to IPSec
The history of IPSec
Security properties of communications
The need for IPSec
Benefits of IPSec
Windows 2003 IPSec design goals
Introduction to IPSec: History
IPSec original work in 1992 by IEEE
Originally a new feature for IP version 6
Adapted for IP version 4
RFC-based; currently in draft form
Windows 2003 IPSec jointly developed with Cisco Systems, Inc. and Microsoft
Introduction to IPSec: Security Properties
Non-repudiation
Anti-replay
Integrity
Confidentiality
Introduction to IPSec: The Need for IPSec (part 1)
Eavesdropping
Data modification
Identity spoofing (IP address spoofing)
Password-based attacks
Introduction to IPSec: The Need for IPSec (part 2)
Compromised key attack
Sniffer attack
Application layer attack
Denial of service attacks
Man-in-the-middle attacks
Introduction to IPSec: Benefits of IPSec
Provides end-to-end protection
Provides defense against attacks internal to the network
Transparent to applications
Transparent to users
Can be configured for specific users and groups
Protects against the attacks previously mentioned
Introduction to IPSec: Windows 2003 Design Goals
To protect IP packets
To provide a defense against network attacks
Uses of IPSec
IPSec as a protocol
Authentication Headers (AH)
Encapsulated Security Payload (ESP)
Internet Key Exchange (IKE)
1. ISAKMP
2. Oakley
Cryptographic algorithms
Uses of IPSec: IPSec as a Protocol
IPSec is a protocol, not a service
Two protocols with unique headers on each IP packet
1. Authentication Headers (AH)
2. Encapsulated Security Payload (ESP)
RFC 2401
Uses of IPSec: Authentication Headers
Provides the following security properties
1. Authentication
2. Integrity
3. Anti-replay
Does not encrypt the data
Data is readable but cannot be altered
Both the IP header and data are signed
Uses the HMAC algorithms
RFC 2402
Uses of IPSec: Encapsulated Security Payload
Provides the following security properties
1. Authentication
2. Integrity
3. Anti-replay
4. Confidentiality
Can be used with Authentication Headers
IP header is not signed unless it is tunneled
Data is signed
Uses DES and 3DES algorithms
RFC 2406
Uses of IPSec: IKE
Internet Key Exchange
Made up of ISAKMP and Oakley
Standard method for building Security Associations and Key Exchange Resolution
Uses of IPSec: ISAKMP
Internet Security Association Key Management Protocol
Used to build a Security Association (SA)
ISAKMP provides SA negotiation
RFC 2408
Uses of IPSec: Oakley
Oakley Key Determination Protocol
Oakley is the second part of building an SA
Provides the key exchange service
RFC 2412
Two modes
1. Main mode: new key generation material and a new encryption key
2. Quick mode: key generation material already exists and only a new encryption key is needed
Uses of IPSec: Cryptographic Algorithms
IPSec as a protocol
AH - HMAC-MD5 or HMAC-SHA
ESP - DES (40 bit), DES-CBC, 3DES
DH - Diffie-Hellman group for key material
IPSec cryptographic related RFCs: 2085, 2104, 2403, 2404, 2405, 2407, 2410, 2451
Planning for IPSec: In This Section We Will Cover
When to use IPSec
When to use AH
When to use ESP
When to use AH and ESP
When not to use IPSec
Authentication methods
Planning for IPSec: When to Use AH
When a secure connection is needed
Must establish authentication of source
Data itself is not sensitive
Risk of packet capturing compromising data is low
Planning for IPSec: When to Use ESP
When the data itself must be protected
1. Financial information
2. Proprietary information
3. Sensitive information
Use only when data protection is justified
Planning for IPSec: When to Use AH and ESP
When a secure connection is needed
Must establish authentication of source
When the data itself must be protected
When the security gained for the network offsets the performance cost of the additional processing
Limit implementation to select hosts
Planning for IPSec: When Not to Use IPSec
Only use if there is a security need
SNMP
Security gateways
Input filters
Output filters
DHCP, WINS, and DNS servers
Domain controllers
Down-level clients
Planning for IPSec: Authentication Methods
Supported IPSec authentication methods
1. Kerberos version 5.0
2. Public Key Certificate Authorities
3. Microsoft Certificate Server
4. Pre-shared Key
Windows 2003 IPSec Components: In This Section We Will Cover
IPSec Policy Agent service
Security Associations
Key protection
IPSec driver
Windows 2003 IPSec Components: IPSec Policy Agent Service (part 1)
Main tasks
Retrieve the IP Security policy
Deliver policy to IPSec driver and ISAKMP
Periodically poll for new policies
Update or replace IPSec/ISAKMP policies
Check for local IP address changes and update the IP filters
Local Policy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Local
Polling
Windows 2003 IPSec Components: Security Associations (part 1)
Mutually agreed upon key, protocol, and security parameter interface that define the security level between sender and receiver
Phase I SA - ISAKMP SA
1. Policy negotiation
2. DH exchange
3. Authentication
Windows 2003 IPSec Components: Security Associations (part 2)
Phase II SA - IPSec Driver SA
1. Policy negotiation
2. Session key material refresh or exchange
3. SAs and keys passed to IPSec driver
SA lifetimes
Windows 2003 IPSec Components: Key Protection
Key lifetimes
Perfect Forward Secrecy (PFS)
1. Phase I - master key PFS
2. Phase II - session key PFS
Windows 2003 IPSec Components: IPSec Driver
Responsible for
1. Storing existing filters and policy IDs
2. Checking each IP packet for a match to a policy filter
3. Requesting SA negotiations from ISAKMP for new connections
4. Storing existing SAs
5. Implementing IPSec policy as defined in the SAs
6. Tracking key lifetime and the number of bytes transformed, to request new keys
7. Updating SA changes and deleting expired SAs
Implementation of IPSec: In This Section We Will Cover
Policies and policy inheritance
Rules
IP packet filtering
Filter actions
Connection types
Authentication
Implementation of IPSec: Policies
IP Security Management snap-in
Predefined policies
Client (respond only)
Server (request security)
Server (require security)
Policy inheritance
Implementation of IPSec: Rules
Determine how and when a policy is used
Provide customization of policy based on source, destination, and specific IP traffic
Rules are made up of five components:
1. Connection type
2. Authentication methods
3. IP filter list
4. Filter action
5. Tunnel settings
Implementation of IPSec: IP Packet Filtering
Determines which packet types the security policy will apply to
Set for both incoming and outgoing traffic
Contains the following parameters
1. The source and destination address of the IP packet
2. The protocol being used to transport the packet
3. Source and destination port of the protocol
Implementation of IPSec: Filter Actions
Defaults
Permit
Block
Negotiate security
Custom
Accept unsecured - respond with IPSec
Allow unsecured with non-IPSec-aware computer
Implementation of IPSec: Connection Types
Rule properties - Connection Type tab
All network connections
Local area network
Remote access
Implementation of IPSec: Authentication Methods
Kerberos
Certificates
Trusted certificate authority
Microsoft Certificate Server
Preshared key
Best Practices for IPSec: In This Section We Will Cover
Evaluate network data
Determine network data flow
Design a network security plan
Configure and test in a lab before deploying
IP filter lists
Things to consider (SNMP, DNS, DHCP, WINS, DCs, and performance)
Best Practices for IPSec: Evaluating Network Data
What types of data travel the network
Financial data
HR data
Legal data
Proprietary
Classified
Risk of this information being compromised
Some data will require different protection
Best Practices for IPSec: Determining Network Data Flow
Once the type of data is determined
Where is the data stored
How does it route through the network
What hosts access the data
While gathering information, also look at
Network speed
Bandwidth
This will assist with optimization issues later
Best Practices for IPSec: Designing a Network Security Plan
Evaluate your risk of attacks
Other security measures employed
Communications scenario
Level of security needed
Strive for a well-balanced deployment of security measures
Best Practices for IPSec: IP Filter Lists
Filter lists
Try to use general filters
Set up filters for logical network segments
Filter display order versus filter applied order
Filter actions
Rogue computers
ESP and custom security methods
RAS and known-key attacks
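The rule components, filter parameters and filter actions from the Implementation slides, and the best-practice point above that filter display order is not the applied order, as an added example (not course material or Microsoft code): a simplified Python model of how the IPSec driver selects a filter. It assumes most-specific-match selection, that "mirrored" filters also match the reverse direction, and that a packet matched by no filter passes through untouched; the policy and packets are constructed.

```python
"""Simplified model of Windows 2003 IPSec filter selection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

ANY = "Any"   # wildcard address or protocol
ME = "Me"     # the local host's own address


@dataclass(frozen=True)
class Filter:
    name: str
    src: str                 # ME, ANY or a CIDR such as "10.1.1.53/32"
    dst: str
    protocol: str            # ANY, "TCP", "UDP", "ICMP"
    dst_port: Optional[int]  # None means any port
    action: str              # "permit", "block" or "negotiate"
    mirrored: bool = True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: Optional[int]
    dst_port: Optional[int]


def _addr_match(spec: str, addr: str, me: str) -> bool:
    if spec == ANY:
        return True
    if spec == ME:
        return addr == me
    return ip_address(addr) in ip_network(spec, strict=False)


def _addr_weight(spec: str) -> int:
    """Prefix length is the specificity of an address spec (ANY = 0)."""
    if spec == ANY:
        return 0
    if spec == ME:
        return 32
    return ip_network(spec, strict=False).prefixlen


def specificity(f: Filter) -> int:
    """Higher means more specific; a fixed protocol and port add one each."""
    return (_addr_weight(f.src) + _addr_weight(f.dst)
            + (f.protocol != ANY) + (f.dst_port is not None))


def _matches(f: Filter, p: Packet, me: str, reverse: bool) -> bool:
    # A mirrored filter is checked with source and destination swapped.
    src, dst = (p.dst, p.src) if reverse else (p.src, p.dst)
    dport = p.src_port if reverse else p.dst_port
    return (_addr_match(f.src, src, me) and _addr_match(f.dst, dst, me)
            and f.protocol in (ANY, p.protocol)
            and f.dst_port in (None, dport))


def decide(filters: Iterable[Filter], p: Packet, me: str) -> Tuple[str, str]:
    """Return (filter name, action) the driver would apply to packet p."""
    best = None
    for f in filters:
        if _matches(f, p, me, False) or (f.mirrored and _matches(f, p, me, True)):
            # Most specific wins; list order only breaks exact ties (assumption).
            if best is None or specificity(f) > specificity(best):
                best = f
    if best is None:
        return ("(no filter)", "passthrough")
    return (best.name, best.action)


# Constructed sample policy for host 10.1.1.5, in snap-in display order:
# the broad "negotiate everything" rule sits first, exemptions after it.
ME_ADDR = "10.1.1.5"
FILTERS = [
    Filter("All IP traffic", ME, ANY, ANY, None, "negotiate"),
    Filter("DNS to 10.1.1.53", ME, "10.1.1.53/32", "UDP", 53, "permit"),
    Filter("Block inbound telnet", ANY, ME, "TCP", 23, "block"),
]

if __name__ == "__main__":
    samples = [
        Packet(ME_ADDR, "10.1.2.9", "TCP", 40000, 445),    # file share: negotiate
        Packet(ME_ADDR, "10.1.1.53", "UDP", 40001, 53),    # DNS exemption: permit
        Packet("192.0.2.7", ME_ADDR, "TCP", 40002, 23),    # inbound telnet: block
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.protocol, pkt.dst_port,
              decide(FILTERS, pkt, ME_ADDR))
        # Same answer with the list reversed: display order is not applied order.
        assert decide(FILTERS, pkt, ME_ADDR) == decide(FILTERS[::-1], pkt, ME_ADDR)
```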
Best Practices for IPSec: Special Services
SNMP
Security gateways
DHCP, DNS, WINS
Domain controllers
Down-level clients
Best Practices for IPSec
IPSec is one part of a security foundation
Designed for the intranet, not the perimeter
Security is a balance of
Perimeter security
User access control
Physical security
IPSec is endpoint to endpoint
Troubleshooting IPSec
System/Security logs and routes
Ping and IPSec monitor
Network monitor
Policy Agent
Log files
Knowledge Base
Troubleshooting IPSec: System/Security Logs and Routes
Event Viewer
System Event log
Security Event log
Default routes
Multiple routes of 0.0.0.0 or lowest metric
Troubleshooting IPSec: PING and IPSec Monitor
Commands
Ping
IPSec Monitor - Ipsecmon.exe
Is IPSec enabled on the host
Displays current SAs on the host
Displays whether the SAs are hard or soft
Troubleshooting IPSec: Network Monitor
Windows 2000 Network Monitor can view AH and ESP packets
AH - IP protocol number 51
ESP - IP protocol number 50
ESP packet data is not visible
ISAKMP/Oakley - UDP port 500
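What a capture decode can and cannot show for the three traffic types above, as an added example (not course material or Microsoft code): a small Python classifier over raw IPv4 packets that labels AH (protocol 51), ESP (protocol 50) and ISAKMP (UDP 500) and pulls out the SPI and sequence number that both AH and ESP carry in the clear (header layouts per RFC 2402 and RFC 2406, which the slides cite). The packets are constructed in the block; the IPv4 checksum is left zero.

```python
"""Classify raw IPv4 packets into the IPSec traffic a capture shows (added example)."""
import struct

PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
ISAKMP_PORT = 500


def build_ipv4(proto: int, payload: bytes,
               src: bytes = b"\x0a\x01\x01\x05", dst: bytes = b"\x0a\x01\x02\x09") -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left zero) + payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def classify(packet: bytes) -> dict:
    """Return what a Network Monitor style decode can see about one packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    body = packet[ihl:]
    info = {"protocol": proto}
    if proto == PROTO_AH:
        # AH header: next header, payload length, reserved, SPI, sequence, then the ICV.
        # The data after it is authenticated but not encrypted, so it stays readable.
        nxt, _plen, _res, spi, seq = struct.unpack("!BBHII", body[:12])
        info.update(kind="AH", spi=spi, seq=seq, next_header=nxt, payload_visible=True)
    elif proto == PROTO_ESP:
        # ESP: only SPI and sequence are in the clear; everything after is ciphertext.
        spi, seq = struct.unpack("!II", body[:8])
        info.update(kind="ESP", spi=spi, seq=seq, payload_visible=False)
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        kind = "ISAKMP" if ISAKMP_PORT in (sport, dport) else "UDP"
        info.update(kind=kind, payload_visible=True)
    else:
        info.update(kind="other", payload_visible=True)
    return info


# Constructed samples: an AH-protected TCP segment, an ESP datagram, an IKE exchange.
AH_PKT = build_ipv4(PROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x1234, 7)
                    + b"\x00" * 12 + b"tcp-data")
ESP_PKT = build_ipv4(PROTO_ESP, struct.pack("!II", 0xABCD, 3) + b"\x8f\x11\x22opaque")
ISAKMP_PKT = build_ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 12, 0) + b"ike!")

if __name__ == "__main__":
    for name, pkt in (("AH", AH_PKT), ("ESP", ESP_PKT), ("ISAKMP", ISAKMP_PKT)):
        print(name, classify(pkt))
```

Matching the SPI seen in the capture against the SAs that Ipsecmon.exe lists on the host ties a packet to a specific negotiated SA.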
Troubleshooting IPSec: Policy Agent
Services - Policy Agent service
Start, stop, and restart Policy Agent
Clears out old SAs
Refreshes policies from Active Directory
Allows the restarting of the IPSec driver
Policy Agent log file
Ipsecpa.log
Broken links in Policy Agent
Policy Agent check
Troubleshooting IPSec: Log Files
Oakley log
HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\PolicyAgent\Oakley
Add REG_DWORD: Debug
Value: 1
Network Address Translation (NAT)
Introduction
With network address translation (NAT) in Windows 2003, you can configure your network to share a single connection to the Internet.
Fewer Internet-valid IP addresses are needed.
Improved security because clients are not directly on the Internet.
Introduction (2)
Internet Connection Sharing (ICS) is included with Windows 2003 Professional and higher.
Network address translation (NAT) is included with Windows 2000 Server and higher.
This presentation focuses on network address translation.
Components
NAT consists of the following three components:
Translation
Addressing
Name Resolution
Components: Translation
NAT translates the IP addresses and TCP/UDP port numbers of packets that are forwarded between the private network and the Internet.
The packets sent out of NAT have a source IP address of the NAT machine.
Therefore, external machines are never aware that NAT is being used.
Components: Addressing
The addressing component is a simplified DHCP server called the DHCP allocator.
Either the DHCP allocator or an existing DHCP server can be used.
Components: Name Resolution
The name resolution component of NAT is the DNS proxy.
Either the DNS proxy or an existing DNS server can be used.
NAT Configuration
NAT is configured in the Routing and Remote Access service snap-in
In the snap-in, open IP Routing
Right-click General and click New Routing Protocol
Select Network Address Translation (NAT) and then click OK
NAT Configuration (2)
After NAT is installed, it is necessary to specify a public and a private interface.
Right-click Network Address Translation (NAT)
Choose New Interface
Select the external interface and then click OK
8/6/2019 MCSE 05 Implementing of a Network Infrastructure 08 Theory
72/80
ADVANTAGE PRO Chennais Premier Networking Training Center
Specify this interface as the public interface andSpecify this interface as the public interface and
enable Translate TCP/UDP Headersenable Translate TCP/UDP Headers
(recommended)(recommended)
Repeat the process for the internal interface andRepeat the process for the internal interface and
specify this as the private interfacespecify this as the private interface
Client Configuration
Clients behind NAT can be:
1. DHCP clients served by the DHCP allocator
2. DHCP clients served by an existing DHCP server
3. Statically configured clients. These need an address on the private network, the NAT computer's private interface address as default gateway, and a DNS server (the DNS proxy or an internal DNS server).
Static Mapping: Address Pool
Address Pool:
NAT also gives us the functionality to create a one-to-one mapping between an external IP address and an internal IP address, so that an internal server can be reached from the Internet:
1. Add the external IP address to the Address Pool list.
2. Click Reservations and specify the external and internal IP addresses.
3. Also enable Allow incoming sessions to this address.
Every inbound session to that external address is then forwarded to the internal host, so reserve addresses only for hosts that must be reachable from outside.
NAT Editors
NAT performs TCP port and UDP port translation, in addition to IP address translation.
If an application stores IP address or port information within its own payload (like the FTP PORT command), a NAT editor is needed to rewrite that information as well; translating the headers alone leaves the private address inside the data.
Two editors included with Windows 2000 and Windows Server 2003 are FTP and PPTP.
Any protocol that encrypts or integrity-protects these headers cannot be edited. IPsec is the standard case: AH authenticates the IP header itself, so changing the source address fails the integrity check, and ESP encrypts the TCP/UDP header, so there is no port for NAT to translate. Windows Server 2003 works around this with IPsec NAT Traversal (NAT-T), which wraps ESP in a UDP header that the translator can rewrite.
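As an added example (not part of the slides), the following Python toy model shows what the translator does to an FTP PORT command with and without an editor, that an inbound connection with no mapping is dropped, and why an IPsec AH integrity check no longer verifies after translation. Everything in it is constructed: 203.0.113.10 stands in for the slides' 204.x.1.10, 198.51.100.5 for an FTP server on the Internet, the key is arbitrary, and `ah_icv` is an HMAC stand-in for the real AH ICV, not an IPsec implementation.

```python
"""Toy NAPT translator with an FTP editor and an IPsec AH check.

Added example, not code from the slides. Constructed values:
203.0.113.10 stands in for the NAT's public address (the slides' 204.x.1.10)
and 198.51.100.5 for an FTP server on the Internet.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # constructed
FTP_SERVER = "198.51.100.5"  # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Napt:
    """Many private hosts share one public address via port translation."""

    def __init__(self, public_ip: str, first_port: int = 2000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)
        self.editors = {21: ftp_port_editor}   # keyed by destination port

    def reserve(self, private_ip: str, private_port: int) -> int:
        """Allocate (or reuse) a public port for a private ip:port."""
        key = (private_ip, private_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.out[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source IP and port; run an editor if the protocol needs one."""
        translated = replace(pkt, src=self.public_ip,
                             sport=self.reserve(pkt.src, pkt.sport))
        editor = self.editors.get(pkt.dport)
        return editor(self, pkt, translated) if editor else translated

    def inbound(self, pkt: Packet):
        """Forward to the private host only if a mapping exists, else drop."""
        target = self.back.get(pkt.dport) if pkt.dst == self.public_ip else None
        if target is None:
            return None          # unsolicited inbound: implicit deny
        return replace(pkt, dst=target[0], dport=target[1])


PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def ftp_port_editor(nat: Napt, original: Packet, translated: Packet) -> Packet:
    """Active FTP embeds the client's own ip:port in the PORT command.
    Header translation leaves the private 10.0.0.x address in the payload,
    so the server would connect to an unroutable address. The editor
    rewrites it and pre-creates the inbound mapping for the data channel."""
    m = PORT_CMD.match(original.payload)
    if not m:
        return translated
    o = [int(x) for x in m.groups()]
    inner_ip, inner_port = ".".join(map(str, o[:4])), o[4] * 256 + o[5]
    pub_port = nat.reserve(inner_ip, inner_port)
    new_cmd = b"PORT %s,%d,%d\r\n" % (
        nat.public_ip.replace(".", ",").encode(), pub_port // 256, pub_port % 256)
    return replace(translated, payload=new_cmd)


def ah_icv(key: bytes, pkt: Packet) -> bytes:
    """HMAC stand-in for the AH integrity check value. Like real AH it covers
    the IP header including the source address, so translation breaks it."""
    covered = f"{pkt.src}>{pkt.dst}:{pkt.dport}".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha1).digest()


def demo() -> dict:
    nat = Napt(PUBLIC_IP)
    # Client c (10.0.0.4) on the FTP control channel announces data port 1026.
    ctl = Packet("10.0.0.4", 1025, FTP_SERVER, 21, b"PORT 10,0,0,4,4,2\r\n")
    out = nat.outbound(ctl)
    # The server connects back to the public data port the editor advertised.
    delivered = nat.inbound(Packet(FTP_SERVER, 20, PUBLIC_IP, 2001))
    # A probe to a public port with no mapping is dropped.
    probe = nat.inbound(Packet(FTP_SERVER, 4444, PUBLIC_IP, 3389))
    # IPsec AH: the receiver recomputes the ICV over the translated header.
    key = b"constructed-sa-key"
    ah = Packet("10.0.0.4", 500, FTP_SERVER, 500, b"protected data")
    icv_sent = ah_icv(key, ah)
    ah_after_nat = nat.outbound(ah)
    return {
        "control_src": (out.src, out.sport),
        "port_cmd": out.payload,
        "data_target": (delivered.dst, delivered.dport),
        "probe_dropped": probe is None,
        "ah_valid_after_nat": hmac.compare_digest(icv_sent, ah_icv(key, ah_after_nat)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the PORT command leaving the NAT as `PORT 203,0,113,10,7,209` (public port 2001) instead of `PORT 10,0,0,4,4,2`, the server's data connection to port 2001 reaching 10.0.0.4:1026, the probe to port 3389 being dropped, and the AH check failing once the source address has changed. ESP is not modelled: with the TCP header inside the ciphertext the translator has no port to rewrite at all, which is the problem NAT-T solves by adding a plain UDP header outside the ESP packet.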
Outgoing PPTP Client Through NAT
[Diagram: clients a, b and c on the 10.0.0.x private network behind a NAT computer whose public address is 204.x.1.10; the PPTP server is on the Internet. Client c is 10.0.0.4.]
Outgoing PPTP Client Through NAT (2)
[Diagram: same topology; the steps below are the labels that traced the control connection.]
1. Client c (10.0.0.4, source port 1025) sends a connection request to the PPTP server on TCP port 1723.
2. NAT maps 10.0.0.4, port 1025 to 204.x.1.10, port 2000.
3. The request from c is forwarded to the server with source 204.x.1.10, port 2000.
4. The request is received and accepted.
5. During configuration, the PPTP server assigns 192.10.10.2 to c's VPN connection.
6. Tunnel established.
Outgoing PPTP Client Through NAT (3)
[Diagram: same topology; the steps below are the labels that traced a data packet through the tunnel.]
1. The original packet carries the application data, TCP or UDP header, etc., with source 192.10.10.2.
2. PPP and GRE headers are added. The encapsulated packet has source 10.0.0.4 and destination PPTP server. The original packet is not touched; its source is still 192.10.10.2.
3. NAT translates the encapsulated packet's IP address: source 204.x.1.10, destination PPTP server. The original packet is still not touched, source 192.10.10.2. GRE carries no port numbers, which is why the PPTP editor is needed to keep several clients' tunnels apart.
4. The PPTP server removes the encapsulation and forwards the original packet.
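As an added example (not part of the slides), this Python toy model walks the two PPTP diagrams above end to end: the control connection on TCP 1723 is port-translated, the GRE-encapsulated data packet has only its outer header rewritten while the inner packet from 192.10.10.2 stays untouched, and the server strips the encapsulation. Because GRE has no ports, the model's PPTP editor keys on the GRE Call ID and rewrites it so two private clients that chose the same Call ID can be told apart on the return path; that Call ID handling is the model's assumption about what the editor does, not a description of the Windows implementation. Constructed values: 203.0.113.10 stands in for the slides' 204.x.1.10, 198.51.100.5 for the PPTP server, 192.10.10.1 and 192.10.10.3 are tunnel-side addresses, `SCCRQ`/`SCCRP` are placeholder control-message payloads.

```python
"""Walk-through of the slides' outgoing PPTP client through NAT.

Added example, not code from the slides. Constructed values: 203.0.113.10
is the NAT's public address (the slides' 204.x.1.10), 198.51.100.5 the
PPTP server, 192.10.10.1 and 192.10.10.3 tunnel-side addresses; 192.10.10.2
is the tunnel address the slide shows the server assigning to client c.
"""
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ip:
    src: str
    dst: str
    proto: str        # "tcp" or "gre"
    payload: object   # bytes for plain data, Gre for an encapsulated packet
    sport: int = 0    # TCP only
    dport: int = 0


@dataclass(frozen=True)
class Gre:
    call_id: int      # GRE has no ports; PPTP identifies the tunnel by Call ID
    inner: Ip         # the original packet (PPP framing elided)


PUBLIC_IP = "203.0.113.10"
PPTP_SERVER = "198.51.100.5"


class PptpNat:
    """Address translation for the outer header plus a PPTP editor for GRE."""

    def __init__(self, public_ip: str, first_port: int = 2000):
        self.public_ip = public_ip
        self.ports, self.calls = itertools.count(first_port), itertools.count(1)
        self.tcp_out, self.tcp_back = {}, {}    # (ip, port) <-> public port
        self.gre_out, self.gre_back = {}, {}    # (ip, call id) <-> public call id

    @staticmethod
    def _map(out: dict, back: dict, key, counter) -> int:
        if key not in out:
            pub = next(counter)
            out[key], back[pub] = pub, key
        return out[key]

    def outbound(self, pkt: Ip) -> Ip:
        """Translate the outer header only; a tunnelled inner packet is never touched."""
        if pkt.proto == "tcp":
            pub = self._map(self.tcp_out, self.tcp_back, (pkt.src, pkt.sport), self.ports)
            return replace(pkt, src=self.public_ip, sport=pub)
        if pkt.proto == "gre":
            # Editor: two private clients may pick the same Call ID, so the NAT
            # rewrites it to a unique public one (this model's assumption about
            # what the PPTP editor keys on) and reverses it on the way back.
            gre = pkt.payload
            pub = self._map(self.gre_out, self.gre_back, (pkt.src, gre.call_id), self.calls)
            return replace(pkt, src=self.public_ip, payload=replace(gre, call_id=pub))
        raise ValueError(f"no translator for {pkt.proto}")

    def inbound(self, pkt: Ip):
        """Reverse the mapping, or drop the packet if none exists."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.proto == "tcp" and pkt.dport in self.tcp_back:
            ip, port = self.tcp_back[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        if pkt.proto == "gre" and pkt.payload.call_id in self.gre_back:
            ip, cid = self.gre_back[pkt.payload.call_id]
            return replace(pkt, dst=ip, payload=replace(pkt.payload, call_id=cid))
        return None


def demo() -> dict:
    nat = PptpNat(PUBLIC_IP)
    # 1. Control connection: c (10.0.0.4, port 1025) -> PPTP server, TCP 1723.
    ctl = nat.outbound(Ip("10.0.0.4", PPTP_SERVER, "tcp", b"SCCRQ", 1025, 1723))
    reply = nat.inbound(Ip(PPTP_SERVER, PUBLIC_IP, "tcp", b"SCCRP", 1723, ctl.sport))
    # 2. Server assigns 192.10.10.2 to c. App data now has that source address
    #    and is wrapped in PPP/GRE with outer source 10.0.0.4.
    inner = Ip("192.10.10.2", "192.10.10.1", "tcp", b"app data", 3000, 80)
    on_wire = nat.outbound(Ip("10.0.0.4", PPTP_SERVER, "gre", Gre(1, inner)))
    # 3. Client b also chose Call ID 1 for its own tunnel.
    inner_b = replace(inner, src="192.10.10.3")
    on_wire_b = nat.outbound(Ip("10.0.0.3", PPTP_SERVER, "gre", Gre(1, inner_b)))
    # 4. The server strips GRE/PPP; the original packet is exactly what c sent.
    decapsulated = on_wire.payload.inner
    # 5. Return traffic for b is demultiplexed by the public Call ID.
    back = nat.inbound(Ip(PPTP_SERVER, PUBLIC_IP, "gre",
                          Gre(on_wire_b.payload.call_id, inner_b)))
    return {
        "control": (ctl.src, ctl.sport),
        "reply_to": (reply.dst, reply.dport),
        "outer_src": on_wire.src,
        "inner_untouched": decapsulated == inner,
        "inner_src": decapsulated.src,
        "call_ids": (on_wire.payload.call_id, on_wire_b.payload.call_id),
        "return_to": (back.dst, back.payload.call_id),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to take from `demo()` is the split the slides draw: the control channel behaves like any TCP session (1025 becomes 2000 and the reply finds its way back), while the tunnelled packet is translated only at the outer layer, so the server sees source 192.10.10.2 exactly as the client built it. Without the Call ID rewrite in step 3, the two GRE flows from a and b would be indistinguishable on the return path and one client's tunnel would silently break.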
ALL THE BEST