CN2140 Server II
Transcript of CN2140 Server II
Page 1: CN2140 Server II
Kemtis Kunanuraksapong
MSIS with Distinction
MCT, MCITP, MCTS, MCDST, MCP, A+
Page 2: Agenda
• Chapter 9: Security Data Transmission and Authentication
• Exercise
• Lab
• Quiz
Page 3: Securing Network Traffic with IPSec
• IP Security (IPSec) is a suite of protocols
  ▫ The two transport layer protocols (TCP and UDP) provide only a checksum
  ▫ Provides a single security standard, using a series of cryptographic algorithms, for use across the network
• Two principal goals:
  ▫ To protect the contents of IP packets
  ▫ To provide a defense against network attacks through packet filtering and the enforcement of trusted communication
Page 4: Securing Network Traffic with IPSec
• Reduces or prevents the following attacks:
  ▫ Packet sniffing
  ▫ Data modification
  ▫ Identity spoofing
  ▫ Man-in-the-middle attacks
  ▫ Denial of service (DoS) attacks
Page 5: IPSec
• An architectural framework that provides cryptographic security services for IP packets
• IPSec is an end-to-end security technology
  ▫ Intermediate devices forward the packets as regular IP packets
  ▫ Only the two parties know that encryption is in use
• Both sides have to be set up with the same IPSec policy
Page 6: IPSec
• Security features
  ▫ IP packet filtering
  ▫ Network layer security
  ▫ Peer authentication: verifies the identity of the peer
  ▫ Anti-replay: a sequence number on each packet
  ▫ Key management: secret key
  ▫ See the list on page 206
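Anti-replay in practice, as an added example that is not from the slides: a receiver-side sliding window of the kind AH and ESP keep per security association, driven by the per-packet sequence number. The window size and the sequence numbers fed in are constructed; the sample arrival order includes a repeated number (a replay) and one that has already fallen out of the window.

```powershell
# Added example, not from the course material. Models the receiver-side
# anti-replay window that IPsec AH/ESP keep per security association:
# the highest sequence number accepted so far plus the set of numbers
# already accepted inside a fixed-size window behind it.
# Window size and the sequence numbers below are constructed samples.
function New-ReplayWindow {
    param([int]$Size = 64)
    New-Object PSObject -Property @{
        Size    = $Size
        Highest = 0          # highest sequence number accepted so far
        Seen    = New-Object 'System.Collections.Generic.HashSet[long]'
    }
}

function Test-ReplayWindow {
    param($Window, [long]$Seq)
    # IPsec never uses sequence number 0; the first packet on an SA is 1.
    if ($Seq -le 0) { return $false }

    if ($Seq -gt $Window.Highest) {
        # New high-water mark: accept, then slide the window forward and
        # forget entries that have fallen off its left edge.
        $Window.Highest = $Seq
        $null = $Window.Seen.Add($Seq)
        $cutoff = $Window.Highest - $Window.Size
        foreach ($old in @($Window.Seen | Where-Object { $_ -le $cutoff })) {
            $null = $Window.Seen.Remove($old)
        }
        return $true
    }
    if ($Seq -le ($Window.Highest - $Window.Size)) {
        return $false        # older than the window: reject
    }
    if ($Window.Seen.Contains($Seq)) {
        return $false        # already accepted once: a replay, reject
    }
    $null = $Window.Seen.Add($Seq)
    return $true             # arrived late but never seen: accept
}

# Constructed arrival order: 3 is replayed, and 2 arrives again only after
# it has fallen outside an 8-packet window.
$window = New-ReplayWindow -Size 8
foreach ($seq in 1, 2, 3, 10, 3, 2, 11, 1) {
    '{0,3} -> {1}' -f $seq, $(if (Test-ReplayWindow $window $seq) { 'accept' } else { 'reject' })
}
```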
Page 7: IPSec Modes
• Transport mode
  ▫ When you require packet filtering and when you require end-to-end security
  ▫ Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters
• Tunnel mode
  ▫ For site-to-site communications that cross the Internet (or other public networks)
  ▫ Tunnel mode provides gateway-to-gateway protection
Page 8: IPSec Protocols
• Uses a combination of individual protocols
  ▫ The Authentication Header (AH) protocol
  ▫ The Encapsulating Security Payload (ESP) protocol
Page 9: Authentication Header (AH)
• Provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet)
• Does not encrypt the data, but protects it from modification
• Uses keyed hash algorithms to sign the packet for integrity
Page 10: Encapsulating Security Payload (ESP)
• Provides confidentiality, authentication, integrity, and anti-replay
• ESP in transport mode does not sign the entire packet; only the IP payload (not the IP header) is protected
• ESP can be used alone or in combination with AH
Page 11: IPSec Security Association
• The combination of security settings mutually agreed to by communicating peers
• Contains the information needed to determine
  ▫ The security services and protection mechanisms
  ▫ Secret keys
• Two types of SAs are created when IPSec peers communicate securely:
  ▫ The ISAKMP SA (Internet Security Association and Key Management Protocol)
  ▫ The IPSec SA
Page 12: ISAKMP SA (Main mode SA)
• The ISAKMP SA is created by negotiating the cipher suite
  ▫ A collection of cryptographic algorithms
• Used to encrypt the data that protects future ISAKMP traffic
• Exchanging key generation material
• Identifying and authenticating each IPSec peer
Page 13: IPSec SA (Quick mode SA)
• To protect data sent between the IPSec peers
• Its negotiation packets are protected by the ISAKMP SA
• Each session has 3 SAs
  ▫ The ISAKMP SA
  ▫ The inbound IPSec SA
  ▫ The outbound IPSec SA
  ▫ The inbound SA of A is the outbound SA of B
Page 14: Internet Key Exchange (IKE)
• IKE combines ISAKMP and the Oakley Key Determination Protocol
  ▫ To generate secret key material, which is based on the Diffie-Hellman key exchange algorithm
Page 15: Dynamic Rekeying
• The determination of new keying material through a new Diffie-Hellman exchange on a regular basis
  ▫ Every 480 minutes (8 hours) by default
  ▫ Or after a set number of data sessions have been created with the same set of keying material
Page 16: IPSec Policies
• Security rules that define
  ▫ The desired security level: hashing algorithm, encryption algorithm, key length
  ▫ The addresses, protocols, DNS names, subnets
  ▫ Connection types to which these security settings will apply
• Windows Server 2008 has integrated management of IPSec into the Windows Firewall with Advanced Security MMC snap-in
Page 17: IPSec Policies
• IPSec policies are hierarchical and are organized as follows:
  ▫ Each IPSec policy consists of one or more IP Security Rules
  ▫ Each IP Security Rule includes a single IP Security Action that is applied to one or more IP Filter Lists
  ▫ Each IP Filter List contains one or more IP Filters
• Only one IPSec policy can be active on any one computer at a given time
  ▫ If you wish to assign a new IPSec policy to a particular computer, you must first un-assign the existing IPSec policy
Page 18: Creating an IPSec Policy
• Select the option to create a new IPSec policy
  ▫ This will prompt you to launch the IP Security Rule wizard
• Assign your new IPSec policy to a single computer or a group of computers
  ▫ Use the console to add the IP Security Policy Management snap-in (for 2000, XP, 2003), choosing one of:
    ▫ Local computer
    ▫ The AD domain of which this computer is a member
    ▫ Another AD domain
    ▫ Another computer
Page 19: Windows Firewall with IPSec Policies
• For Vista and newer, IPSec policies are deployed as Connection Security Rules
Page 20: Connection Security Rules
• Windows Server 2008 comes with four pre-configured Connection Security Rule templates:
  ▫ Isolation rule
  ▫ Authentication exemption rule
  ▫ Server-to-Server rule
  ▫ Tunnel rule
Page 21: Connection Security Rules
• Isolation rule
  ▫ To restrict inbound and outbound connections based on certain sets of criteria:
    ▫ Inbound vs. outbound authentication requirements
    ▫ Authentication method
    ▫ Profile (domain, private, public)
    ▫ Name
Page 22: Connection Security Rules
• Authentication exemption rule
  ▫ To exempt specified computer(s) from authentication:
    ▫ Exempt computers (IP, range of IPs, subnet)
    ▫ Profile
    ▫ Name
Page 23: Connection Security Rules
• Server-to-Server rule
  ▫ To secure traffic between two servers or two groups of servers:
    ▫ Endpoints (IP / range of IPs / subnet)
    ▫ Authentication requirements
    ▫ Authentication method
    ▫ Profile
    ▫ Name
Page 24: Connection Security Rules
• Tunnel rule
  ▫ Same as Server-to-Server, but secures traffic only between two tunnel endpoints:
    ▫ Endpoint computers
    ▫ Local tunnel computer
    ▫ Remote tunnel computer
    ▫ Authentication method
    ▫ Profile
    ▫ Name
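The four rule templates from Pages 20 to 24 expressed with the netsh advfirewall consec context, as an added example that is not part of the slides. It assumes an elevated prompt on a domain-joined Windows Server 2008 (or later) host; the rule names, addresses, tunnel endpoints and CA name are constructed sample values.

```powershell
# Added example, not from the course material. Creates one rule of each
# Connection Security Rule template with netsh advfirewall consec
# (Vista/2008 and later). Names, addresses and the CA are constructed
# samples; run elevated on a domain-joined host.

# Isolation rule: ask every peer in the domain profile to authenticate but
# still talk to hosts that cannot (requestinrequestout). Move to
# requireinrequestout only once all peers are known to negotiate.
netsh advfirewall consec add rule name="Isolation - domain" `
    endpoint1=any endpoint2=any action=requestinrequestout `
    auth1=computerkerb profile=domain enable=yes

# Authentication exemption rule: infrastructure hosts that cannot do IPsec
# (constructed DNS/DHCP subnet) are excluded from the isolation rule.
netsh advfirewall consec add rule name="Exempt infrastructure" `
    endpoint1=any endpoint2=10.0.0.0/24 action=noauthentication `
    profile=domain enable=yes

# Server-to-Server rule: authentication required in both directions between
# an application subnet and one database server, using the computer's
# Kerberos identity (no shared secret to leak).
netsh advfirewall consec add rule name="App tier to SQL" `
    endpoint1=10.0.1.0/24 endpoint2=10.0.2.10 action=requireinrequireout `
    auth1=computerkerb profile=domain enable=yes

# Tunnel rule: gateway-to-gateway protection of two site subnets, the tunnel
# terminating on the two gateway addresses; certificates from a named CA
# because Kerberos is rarely reachable across a public network.
netsh advfirewall consec add rule name="Site A to Site B tunnel" `
    mode=tunnel endpoint1=10.0.1.0/24 endpoint2=10.0.2.0/24 `
    localtunnelendpoint=203.0.113.1 remotetunnelendpoint=198.51.100.1 `
    action=requireinrequireout auth1=computercert `
    auth1ca="CN=Example Root CA" enable=yes

# Review the rule store before assuming peers can connect.
netsh advfirewall consec show rule name=all
```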
Page 25: IPSec Driver
• The IPSec driver is the middle man that matches the policy with the inbound and outbound rules
  ▫ Main mode negotiation initiates the connection between endpoints
  ▫ Quick mode negotiation determines the type of connection
Page 26: IPSec Policy Agent
• Retrieves information about IPSec policies
• Passes the information to other IPSec components that require it in order to perform security functions
• The IPSec Policy Agent is a service that resides on each computer running Windows Server 2008
Page 27: Deploying IPSec
• IPSec policies can be deployed using local policies, Active Directory, or both
  ▫ For AD, LSDOU still applies: the OU's IPSec policy applies last and overrides all other IPSec policies
• Three built-in IPSec policies in a GPO:
  ▫ Client (Respond Only) policy: on computers that normally do not send secured data
  ▫ Server (Request Security) policy: can be used on any computer (client or server) that needs to initiate secure communications
  ▫ Secure Server (Require Security) policy: does not send or accept unsecured transmissions
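Switching between the built-in policies, under the one-active-policy rule from Page 17, and setting the rekey limits from Page 15, as an added example that is not from the slides. It uses the legacy netsh ipsec static context against the local IP Security Policy store and assumes the three built-in policies exist there; the qmpermm value is a constructed choice.

```powershell
# Added example, not from the course material. Works against the local
# IP Security Policy store with netsh ipsec static; run elevated. Assumes
# the three built-in policies named in the slides exist in that store.

# Only one policy can be assigned at a time, so first see which one is.
netsh ipsec static show policy all

# Un-assign the currently active policy before assigning a new one, as the
# slides require; here the request-only policy is released ...
netsh ipsec static set policy name="Server (Request Security)" assign=no

# ... and the strict one assigned: no unsecured traffic sent or accepted.
# mmlifetime is the main mode key lifetime in minutes (480 = 8 h) and
# qmpermm caps how many quick mode (data) sessions may reuse that key
# material before a new Diffie-Hellman exchange is forced; these are the
# two dynamic rekeying triggers from Page 15. 10 is a constructed value.
netsh ipsec static set policy name="Secure Server (Require Security)" `
    mmlifetime=480 qmpermm=10 assign=yes

# Confirm the assignment took effect before testing peers against it.
netsh ipsec static show policy name="Secure Server (Require Security)"
```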
Page 28: Monitoring IPSec
• IP Security Monitor
• RSoP
• Event Viewer
• netsh command-line utility
• Windows Firewall with Advanced Security
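Two of the monitoring sources listed above driven from a script, as an added example that is not part of the course material: netsh shows the live main mode and quick mode SAs from Page 13, and the Security log supplies negotiation failures once IPsec auditing is on. It assumes an elevated prompt on Vista/2008 or later; the peer address is a constructed sample.

```powershell
# Added example, not from the course material. Checks IPsec health from the
# netsh advfirewall monitor context (live SAs) and the Security event log.
# Run elevated; the peer address is a constructed sample value.
$peer = '10.0.2.10'

# Live security associations. Expect one main mode (ISAKMP) SA per peer
# pair and, per data session, an inbound and an outbound quick mode SA,
# each with its own SPI.
netsh advfirewall monitor show mmsa all
netsh advfirewall monitor show qmsa all

# Negotiation events only reach the Security log when these audit
# subcategories are enabled (auditpol sets local policy; a GPO may
# override it at the next refresh).
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

# Summarize recent main mode (4652, 4653) and quick mode (4654) failures
# involving the peer, grouped by event ID. A burst of these against one
# peer usually means a policy or authentication mismatch between the two
# hosts, which is the first thing to check before suspecting anything else.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4654 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($peer) } |
    Group-Object Id |
    Select-Object Name, Count
```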
Page 29: Network Authentication
• The default authentication protocol in an AD network is the Kerberos v5 protocol
• NT LAN Manager (NTLM) authentication
  ▫ A legacy authentication protocol
  ▫ LM authentication: the weakest; since Windows 95
  ▫ NTLM authentication
  ▫ NTLMv2 authentication: the strongest; Windows 2000 and later
Page 30: Windows Firewall
• A stateful firewall is a firewall that can track and maintain information based on the status of a particular connection
• The default configuration of the Windows Firewall will block all unsolicited inbound traffic:
  ▫ Attempts to access the computer from a remote network host that has not been specifically authorized by the administrator of the local server
Page 31: Windows Firewall
• You can turn it on, on with "block all incoming connections", or off
• You can also add exception rules/ports as needed
• For scopes, you have to modify them from the MMC snap-in:
  ▫ Any computer
  ▫ My network (subnet) only
  ▫ A specific range of IP addresses
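The three firewall states and the scope options above expressed with netsh advfirewall, as an added example not taken from the slides. It assumes an elevated prompt on Vista/2008 or later; the ports and the address range are constructed samples.

```powershell
# Added example, not from the course material. Sets the firewall states
# from the slide and adds exceptions with the scopes it lists, using
# netsh advfirewall (Vista/2008 and later). Run elevated; ports and
# addresses are constructed samples.

# State 1: on. Unsolicited inbound traffic is blocked unless an exception
# rule allows it (the default behaviour described on Page 30).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# State 2: on with "block all incoming connections": exception rules are
# ignored too. Applied here only to the public profile; remote management
# will not work on that profile until it is reverted.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

# State 3 would be "netsh advfirewall set allprofiles state off" (not run).

# Exception scoped to "My network (subnet only)": remote desktop reachable
# only from the local subnet, and only while on the domain profile.
netsh advfirewall firewall add rule name="RDP from local subnet" `
    dir=in action=allow protocol=TCP localport=3389 `
    remoteip=localsubnet profile=domain

# Exception scoped to a specific range of IP addresses: remote management
# from a constructed management range only.
netsh advfirewall firewall add rule name="WinRM from mgmt range" `
    dir=in action=allow protocol=TCP localport=5985 `
    remoteip=10.0.9.10-10.0.9.50 profile=domain

# Verify the scope made it into the rule before relying on it; the
# "Any computer" scope is what you get when remoteip is left at any.
netsh advfirewall firewall show rule name="RDP from local subnet" verbose
```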
Page 32: Assignment
• Summarize the chapter in your own words
  ▫ At least 75 words
  ▫ Due BEFORE class starts on Thursday
• Lab 9
  ▫ Due BEFORE class starts on Monday