CN2140 Server II

CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

Description: CN2140 Server II, by Kemtis Kunanuraksapong (MSIS with Distinction; MCT, MCITP, MCTS, MCDST, MCP, A+). Agenda: Chapter 9, Security Data Transmission and Authentication; Exercise; Lab; Quiz. Securing network traffic with IPSec, the IP Security (IPSec) suite of protocols. PowerPoint PPT presentation.

Transcript of CN2140 Server II

Page 1: CN2140 Server II

CN2140 Server II
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCITP, MCTS, MCDST, MCP, A+

Page 2
Agenda
•Chapter 9: Security Data Transmission and Authentication
•Exercise
•Lab
•Quiz

Page 3
Security Network Traffic with IPSec
•IP Security (IPSec) suite of protocols
▫Two transport layer protocols (TCP and UDP): checksum only
▫Provides a single security standard that uses a series of cryptographic algorithms across the network
•Two principal goals:
▫To protect the contents of IP packets
▫To provide a defense against network attacks through packet filtering and the enforcement of trusted communication

Page 4
Security Network Traffic with IPSec
•Reduces or prevents the following attacks:
▫Packet sniffing
▫Data modification
▫Identity spoofing
▫Man-in-the-middle attacks
▫Denial of service (DoS) attacks

Page 5
IPSec
•An architectural framework that provides cryptographic security services for IP packets
•IPSec is an end-to-end security technology
▫Intermediate devices forward the packet as a regular packet
▫Only the two parties know that encryption is in use
•Both sides have to set the same IPSec policy

Page 6
IPSec
•Security features
▫IP packet filtering
▫Network layer security
▫Peer authentication
 • Verify the identity of the peer
▫Anti-replay
 • A sequence number on each packet
▫Key management
 • Secret key
 • See the list on page 206

Page 7
IPSec Modes
•Transport mode
▫When you require packet filtering and when you require end-to-end security
▫Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters
•Tunnel mode
▫For site-to-site communications that cross the Internet (or other public networks)
▫Tunnel mode provides gateway-to-gateway protection

Page 8
IPSec Protocols
•Uses a combination of individual protocols
▫The Authentication Header (AH) protocol
▫The Encapsulating Security Payload (ESP) protocol

Page 9
Authentication Header (AH)
•Provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet)
•Does not encrypt the data, but protects it from modification
•Uses keyed hash algorithms to sign the packet for integrity

Page 10
Encapsulating Security Payload (ESP)
•Provides confidentiality, authentication, integrity, and anti-replay
•ESP in transport mode does not sign the entire packet; only the IP payload (not the IP header) is protected
•ESP can be used alone or in combination with AH

Page 11
IPSec Security Association
•The combination of security settings mutually agreed to by communicating peers
•Contains the information needed to determine
▫The security services and protection mechanisms
▫Secret keys
•Two types of SAs are created when IPSec peers communicate securely:
▫The ISAKMP SA (Internet Security Association and Key Management Protocol)
▫The IPSec SA

Page 12
ISAKMP SA (Main mode SA)
•The ISAKMP SA is created by negotiating the cipher suite
▫A collection of cryptographic algorithms
•Used to encrypt the data that protects future ISAKMP traffic
•Exchanging key generation material
•Identifying and authenticating each IPSec peer

Page 13
IPSec SA (Quick mode SA)
•To protect data sent between the IPSec peers
•The quick mode packets are protected by the ISAKMP SA
•Each session has 3 SAs
▫The ISAKMP SA
▫The inbound IPSec SA
▫The outbound IPSec SA
 • The inbound SA of A is the outbound SA of B

Page 14
Internet Key Exchange (IKE)
•IKE combines ISAKMP and the Oakley Key Determination Protocol
▫To generate secret key material, which is based on the Diffie-Hellman key exchange algorithm

Page 15
Dynamic Rekeying
•The determination of new keying material through a new Diffie-Hellman exchange on a regular basis
▫Every 480 minutes (8 hours) by default
▫Or after a set number of data sessions created with the same set of keying material

Page 16
IPSec Policies
•Security rules that define
▫The desired security level: hashing algorithm, encryption algorithm, key length
▫The addresses, protocols, DNS names, subnets
▫Connection types to which these security settings will apply
•Windows Server 2008 has integrated management of IPSec into the Windows Firewall with Advanced Security MMC snap-in

Page 17
IPSec Policies
•IPSec policies are hierarchical and are organized as follows:
▫Each IPSec policy consists of one or more IP Security Rules
▫Each IP Security Rule includes a single IP Security Action that is applied to one or more IP Filter Lists
▫Each IP Filter List contains one or more IP Filters
•Only one IPSec policy can be active on any one computer at a given time
▫If you wish to assign a new IPSec policy to a particular computer, you must first un-assign the existing IPSec policy

Page 18
Creating an IPSec Policy
•Select the option to create a new IPSec policy
▫This will prompt you to launch the IP Security Rule wizard
•Assign your new IPSec policy to a single computer or a group of computers
▫Use the console to add the IP Security Policy Management snap-in (for 2000, XP, 2003) and choose what it manages:
 • Local computer
 • The AD domain of which this computer is a member
 • Another AD domain
 • Another computer
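The policy hierarchy from the two slides above (policy, rule, action, filter list, filters) built and assigned from the command line, as an added example that is not part of the lecture. It uses the legacy netsh ipsec static context that backs the IP Security Policy Management snap-in; the policy, list and action names, the file server address 192.0.2.10 and the "currently assigned policy" name are constructed placeholders.

```powershell
# Run from an elevated prompt on the computer that will receive the policy.
# 1. The policy: the top of the hierarchy. activatedefaultrule=no keeps the
#    built-in "respond only" default rule out of the way.
netsh ipsec static add policy name="Secure SMB" description="Negotiate ESP for file-server traffic" activatedefaultrule=no

# 2. An IP Filter List, then the IP Filters it contains. "me" is the local
#    address; mirrored=yes also matches the reply direction (constructed address).
netsh ipsec static add filterlist name="SMB to FS01"
netsh ipsec static add filter filterlist="SMB to FS01" srcaddr=me dstaddr=192.0.2.10 protocol=TCP srcport=0 dstport=445 mirrored=yes description="SMB to file server"

# 3. An IP Security Action. action=negotiate with ESP[confidentiality,integrity]
#    and no fallback to clear text (inpass=no soft=no) is the "Require Security"
#    behaviour. 3DES/SHA1 are the strongest algorithms this legacy context offers;
#    AES is available through Connection Security Rules on Vista/2008 and later.
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

# 4. The IP Security Rule ties the single action to the filter list, with
#    Kerberos as the authentication method (the default in an AD domain).
netsh ipsec static add rule name="SMB rule" policy="Secure SMB" filterlist="SMB to FS01" filteraction="Require ESP" kerberos=yes

# 5. Only one policy can be active on the computer: un-assign the current one
#    (placeholder name) before assigning the new policy.
netsh ipsec static set policy name="<currently assigned policy>" assign=no
netsh ipsec static set policy name="Secure SMB" assign=yes

# Verify the hierarchy and which policy is now assigned.
netsh ipsec static show policy name="Secure SMB" level=verbose
netsh ipsec static show all
```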

Page 19
Windows Firewall with IPSec Policies
•For Vista and newer, IPSec policies are deployed as Connection Security Rules in Windows Firewall with Advanced Security

Page 20
Connection Security Rules
•Windows Server 2008 comes with four pre-configured Connection Security Rule templates:
▫Isolation rule
▫Authentication exemption rule
▫Server-to-Server rule
▫Tunnel rule

Page 21
Connection Security Rules
•Isolation rule
▫To restrict inbound and outbound connections based on certain sets of criteria:
 • Inbound vs outbound authentication requirements
 • Authentication method
 • Profile (domain, private, public)
 • Name

Page 22
Connection Security Rules
•Authentication exemption rule
▫To exempt specific computer(s) from authentication:
 • Exempt computers (IP, range of IPs, subnet)
 • Profile
 • Name

Page 23
Connection Security Rules
•Server-to-Server rule
▫To secure traffic between two servers or two groups of servers:
 • Endpoints (IP / range of IPs / subnet)
 • Authentication requirements
 • Authentication method
 • Profile
 • Name

Page 24
Connection Security Rules
•Tunnel rule
▫Same as Server-to-Server, but secures traffic only between two tunnel endpoints:
 • Endpoint computers
 • Local tunnel computer
 • Remote tunnel computer
 • Authentication method
 • Profile
 • Name
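The four rule templates from Pages 20 to 24 expressed as netsh advfirewall consec rules on Windows Server 2008, as an added example that is not part of the lecture. Rule names and all addresses (192.0.2.x, 10.1.0.0/16, 10.2.0.0/16, 198.51.100.1, 203.0.113.1) are constructed placeholders; the pre-shared key is a placeholder too.

```powershell
# Run from an elevated prompt. Each rule maps to one template and the fields
# the slides list for it: endpoints, authentication requirement and method, profile, name.

# Isolation rule: require authentication inbound, request it outbound, on the
# domain profile only, using computer Kerberos (domain membership) as the method.
netsh advfirewall consec add rule name="Isolation - domain" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# Authentication exemption rule: exempt a subnet of infrastructure hosts that
# cannot do IPsec (DHCP, DNS) so the isolation rule does not cut them off.
netsh advfirewall consec add rule name="Exempt infrastructure" endpoint1=any endpoint2=192.0.2.0/24 action=noauthentication profile=domain

# Server-to-Server rule: require authentication in both directions between
# two specific endpoints (database and application server).
netsh advfirewall consec add rule name="DB to App" endpoint1=192.0.2.20 endpoint2=192.0.2.30 action=requireinrequireout auth1=computerkerb profile=domain

# Tunnel rule: gateway-to-gateway protection. The endpoints are the protected
# subnets behind each gateway; the tunnel endpoints are the gateways themselves.
# A pre-shared key is shown because sites in different forests cannot use
# Kerberos; prefer certificates (auth1=computercert) where a PKI exists.
netsh advfirewall consec add rule name="Site A to Site B" mode=tunnel endpoint1=10.1.0.0/16 endpoint2=10.2.0.0/16 localtunnelendpoint=198.51.100.1 remotetunnelendpoint=203.0.113.1 action=requireinrequireout auth1=computerpsk auth1psk="<pre-shared key placeholder>" profile=any

# Review what was created.
netsh advfirewall consec show rule name=all
```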

Page 25
IPSec Driver
•The IPSec driver is the middle man that matches the policy with the inbound and outbound rules
▫Main mode negotiation initiates the connection between endpoints
▫Quick mode negotiation determines the type of connection

Page 26
IPSec Policy Agent
•Retrieves information about IPSec policies
•Passes the information to other IPSec components that require it in order to perform security functions
•The IPSec Policy Agent is a service that resides on each computer running Windows Server 2008

Page 27
Deploying IPSec
•IPSec policies can be deployed using local policies, Active Directory, or both
▫For AD, the LSDOU (Local, Site, Domain, OU) processing order still applies: the OU's IPSec policy is applied last and overrides all other IPSec policies
•Three built-in IPSec policies in a GPO:
▫Client (Respond Only) policy
 • On computers that normally do not send secured data
▫Server (Request Security) policy
 • Can be used on any computer (client or server) that needs to initiate secure communications
▫Secure Server (Require Security) policy
 • Does not send or accept unsecured transmissions

Page 28
Monitoring IPSec
•IP Security Monitor
•RSoP
•Event Viewer
•netsh command-line utility
•Windows Firewall with Advanced Security
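The monitoring tools listed above driven from the command line, as an added example that is not part of the lecture: netsh for the live SAs and effective rules, auditpol plus Get-WinEvent for Event Viewer, and gpresult for RSoP. It assumes an elevated prompt on a Windows Server 2008 host; the event IDs are the standard Security-log IPsec negotiation events.

```powershell
# Main mode (ISAKMP) and quick mode (IPSec) SAs currently established by
# Windows Firewall with Advanced Security. Empty output means no peer has
# completed a negotiation with this host yet.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# The Connection Security Rules actually in effect after Group Policy and
# local rules are merged (the effective set, not the configured set).
netsh advfirewall monitor show consec

# Legacy counterparts for policies assigned through the IP Security Policy
# Management snap-in (what IP Security Monitor displays).
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas

# Event Viewer: IPSec negotiation events reach the Security log only when
# the matching audit subcategories are enabled.
auditpol /set /subcategory:"IPsec Main Mode","IPsec Quick Mode" /success:enable /failure:enable

# The 20 most recent negotiation failures: 4652 and 4653 are main mode,
# 4654 is quick mode. A failure on one side with no matching success on the
# other usually means a policy or authentication-method mismatch.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4654 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# RSoP from the command line: which GPO delivered the computer's IPSec settings.
gpresult /scope computer /v
```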

Page 29
Network Authentication
•The default authentication protocol in an AD network is the Kerberos v5 protocol
•NT LAN Manager (NTLM) authentication
▫A legacy authentication protocol
▫LM authentication: the weakest; since Windows 95
▫NTLM authentication
▫NTLMv2 authentication: the strongest; Windows 2000 and later
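A check that a practitioner would run after the slide above, as an added example that is not part of the lecture: which of LM, NTLM and NTLMv2 a Windows computer will send and accept is governed by the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the "Network security: LAN Manager authentication level" Group Policy setting). The function name is an assumption.

```powershell
# Meaning of each level, per the Group Policy setting's own descriptions.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

# Returns the configured level with its description, or notes that the value
# is absent (the operating-system default then applies).
function Get-LmLevel {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) { return 'LmCompatibilityLevel not set (OS default applies)' }
    '{0} - {1}' -f $value, $levels[[int]$value]
}

Get-LmLevel

# Level 5 disables the weak LM and NTLM responses described on the slide.
# On a stand-alone host it can be set directly (elevated prompt); on domain
# members set it through Group Policy so it is not overwritten.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Value 5 -Type DWord
```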

Page 30
Windows Firewall
•A stateful firewall is a firewall that can track and maintain information based on the status of a particular connection
•The default configuration of the Windows Firewall blocks all unsolicited inbound traffic:
▫Attempts to access the computer from a remote network host that has not been specifically authorized by the administrator of the local server

Page 31
Windows Firewall
•You can set it to On, On with block all incoming connections, or Off
•You can also add exception rules/ports as needed
•For scopes, you have to modify the rule from the MMC snap-in:
▫Any computer
▫My network (subnet only)
▫A specific range of IP addresses
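The firewall states and the three exception scopes from the slide above, as an added example that is not part of the lecture, using netsh advfirewall in place of the MMC snap-in. Rule names and the address range 192.0.2.10-192.0.2.20 are constructed placeholders.

```powershell
# Run from an elevated prompt.
# "On": firewall enabled on every profile, unsolicited inbound blocked,
# outbound allowed. Exceptions (allow rules) are honoured.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# "On with block all incoming connections": blockinboundalways ignores even
# the allow exceptions. Useful on an untrusted network; revert with the line above.
# netsh advfirewall set allprofiles firewallpolicy blockinboundalways,allowoutbound

# "Off" (not recommended; shown for completeness):
# netsh advfirewall set allprofiles state off

# Exception rules for a port, one per scope from the slide. The narrowest
# scope that still works is the right one.
# Any computer: a public web service.
netsh advfirewall firewall add rule name="HTTP - any computer" dir=in action=allow protocol=TCP localport=80 remoteip=any
# My network (subnet only): file sharing reachable from the local subnet.
netsh advfirewall firewall add rule name="SMB - local subnet" dir=in action=allow protocol=TCP localport=445 remoteip=localsubnet
# A specific range of IP addresses: Remote Desktop from the admin workstations.
netsh advfirewall firewall add rule name="RDP - admin range" dir=in action=allow protocol=TCP localport=3389 remoteip=192.0.2.10-192.0.2.20

# Confirm the scope took effect, and remove a rule that is no longer needed.
netsh advfirewall firewall show rule name="RDP - admin range"
netsh advfirewall firewall delete rule name="HTTP - any computer"
```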

Page 32
Assignment
•Summarize the chapter in your own words
▫At least 75 words
▫Due BEFORE class starts on Thursday
•Lab 9
▫Due BEFORE class starts on Monday