IPSec (Internet Protocol Security)

This page describes the IPSec protocol.


Topics this page:

  • Protocols 
  • Processing Steps 
  • Configuring IPSec 
  • Security Policies 


    The IPSec Protocol

      The security template named "High Secure" configures IPSec to be used on a network.

      IPSec [RFC 2404] can be used alone to secure intranet traffic, or with ESP for authentication and L2TP (never PPP) for tunneling to create a VPN (albeit with higher overhead).

      IPSec operates at the Transport OSI layer 3 (above the Network layer 2), transparent to applications. Its 3 components:

      1. AH (Authentication Header) [RFC 2402], IP protocol 51, is not encrypted for confidentiality, but both the IP packet headers and the payload are signed with an HMAC (Hashed Message Authentication Code).

        AH maintains two SA's - inbound and outbound.

      2. ESP (Encapsulating Security Payload) [RFC 2406], IP protocol 50, performs both Authentication and (optionally) DES-CBC or 3DES Encryption. So ESP packet data is not visible to Netmon.

        ESP maintains two SA's - inbound and outbound.

      3. For key management, IPSec ensures data integrity using two mechanisms: manual keying for a VPN with a small number of sites, and IKE for automated key management of VPNs covering a large number of sites or supporting many remote users.

        IKE (Internet Key Exchange) [RFC 2409] builds Security Associations (SAs) over UDP port 500, identifying each SA with a unique SPI (Security Parameter Index) number. It uses two protocol phases:

        1. ISAKMP (Internet Security Association and Key Management Protocol) [RFC 2408] defines the framework for a logical Security Association (SA) agreement on protocols between two clients, one direction at a time. It uses IANA-defined identifiers ("Magic Numbers") to create a shared secret key.

        2. Oakley Key Determination Protocol [RFC 2412] uses the DH key exchange algorithm, which combines public information with secret information to generate a shared secret over an unsecured namespace. Oakley also supports PFS (Perfect Forward Secrecy) so keys can't be regenerated. It has two modes:

          1. Main mode - New key generation material and new encryption key
          2. Quick mode - Already have key generation material and need new encryption key

          To enable Oakley logging, use regedit to add a "Debug" REG_DWORD value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\PolicyAgent\Oakley

        Each SA vector defines the source and destination IP, and whether it's inbound or outbound. A SA bundle is formed when two protocols travel through a session pipe.
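      The AH and ESP headers described above, parsed from raw IPv4 packets, as an added example that is not from the original page: it shows what a sniffer such as Netmon can still see in each (SPI and sequence number in both, the full payload only in AH), and verifies an AH integrity check value with HMAC-SHA-1-96 [RFC 2404], skipping the mutable IP fields (TOS, flags/fragment offset, TTL, checksum) that routers change in transit. The packet bytes, addresses, SPI and key are constructed for the demo; IPv4 options are assumed absent.

```python
import hmac, hashlib, struct

AH, ESP = 51, 50           # IP protocol numbers for AH and ESP

def ipv4_header(proto: int, total_len: int, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Minimal 20-byte IPv4 header (no options); checksum left zero for the demo."""
    pack_ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1000, 0x4000, 64,
                       proto, 0, pack_ip(src), pack_ip(dst))

def parse(pkt: bytes) -> dict:
    """Return the SA selector (dst, SPI, protocol) plus what a sniffer can read."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst = pkt[9], ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    if proto == AH:                           # RFC 2402 header, all fields in the clear
        ah_len = (body[1] + 2) * 4            # payload len field = 32-bit words minus 2
        spi, seq = struct.unpack("!II", body[4:12])
        return {"proto": "AH", "dst": dst, "spi": spi, "seq": seq, "next_header": body[0],
                "icv": body[12:ah_len], "visible_payload": body[ah_len:]}
    if proto == ESP:                          # RFC 2406: only SPI and sequence are visible
        spi, seq = struct.unpack("!II", body[:8])
        return {"proto": "ESP", "dst": dst, "spi": spi, "seq": seq, "visible_payload": b""}
    return {"proto": proto, "dst": dst, "visible_payload": body}

def ah_icv(pkt: bytes, key: bytes) -> bytes:
    """HMAC-SHA-1-96 (RFC 2404) over the packet with mutable IPv4 fields and ICV zeroed."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, ah = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[1] = ip[8] = 0                         # TOS and TTL may change in transit
    ip[6:8] = ip[10:12] = b"\x00\x00"         # flags/fragment offset, header checksum
    ah_len = (ah[1] + 2) * 4
    ah[12:ah_len] = bytes(ah_len - 12)        # the ICV field itself is zero when signing
    return hmac.new(key, bytes(ip + ah), hashlib.sha1).digest()[:12]

def verify_ah(pkt: bytes, key: bytes) -> bool:
    """True only if the 96-bit ICV matches; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(parse(pkt)["icv"], ah_icv(pkt, key))

def build_ah_packet(payload: bytes, key: bytes, spi: int = 0x1234, seq: int = 1) -> bytes:
    """Transport-mode AH around an unencrypted payload; next header 17 = UDP (constructed)."""
    ah = struct.pack("!BBHII", 17, 4, 0, spi, seq) + bytes(12)   # payload len 4 -> 24-byte AH
    pkt = ipv4_header(AH, 20 + len(ah) + len(payload)) + ah + payload
    return pkt[:32] + ah_icv(pkt, key) + payload                 # fill in the ICV
```

A router decrementing TTL leaves the ICV valid, while any change to the payload or SPI fails verification, which is exactly the integrity property the page attributes to AH.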

    IPSec Processing Steps

    1. A consumer sends a message to a service provider.
    2. The consumer's IPSec driver attempts to match the outgoing packet's address or the packet type against the IP Filter.
    3. The IPSec driver notifies ISAKMP to initiate security negotiations with the service provider.
    4. The service provider's ISAKMP receives the security negotiations request.
    5. Both principals initiate a key exchange, establishing an ISAKMP SA and a shared secret key.
    6. Both principals negotiate the security level for the information exchange, establishing both IPSec SAs and keys.
    7. The consumer's IPSec driver transfers packets to the appropriate connection type for transmission to the service provider.
    8. The provider receives the packets and transfers them to the IPSec driver.
    9. The provider's IPSec uses the inbound SA and key to check the digital signature and begin decryption.
    10. The provider's IPSec driver transfers decrypted packets to the OSI Transport layer for further processing.

    Configuring IPSec

      To avoid setting up IPSec on a non-sensitive machine (such as an end-user terminal server box), first install a network VPN with IPSec 3DES.

      To configure IPSec on Windows 2000 Pro or Server, from the MMC, File, add the IPSec Policy Management snap-in, because it isn't installed by default in Windows 2000.

      Access can be limited by IP filter or by the IPSec policy native to the OS; the listening port can be changed in the registry (see KB 187623).

      Windows 2000 negotiates based on IP Security Policies :

      • Client (Respond Only) — Communicate normally (unsecured). Use the default response rule to negotiate with servers that request security. Only the requested protocol and port traffic with that server is secured.
      • Secure Server (Require Security) — For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients.
      • Server (Request Security) — For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request.

      To view the currently active assigned policy, open the Group Policy MMC console and view the TCP/IP settings. The policy name appears only if the computer is running local IPSec policy; if the computer is running policy assigned through Group Policy, the name is unavailable and cannot be edited.

      Work on IPSec was originally begun in 1992 by IEEE for IPv6. It has been adapted as RFC 2401 for real work with IPv4. Microsoft jointly developed IPSec for Windows 2000 with CISCO.

      There are soft and hard SAs. To invoke a configured hard SA, first reset the existing SA by stopping (not merely refreshing) traffic to the server.

      IPSec logging goes to the Security Log. You can change the local Audit Policy to include what you want logged. Some packets (licensing info and print job acknowledgments) are not encrypted (see KB 275727).

      To map local client drives into the session and copy files over the encrypted session, use the RDPClip and Drmapsrv utilities from the resource kit (see KB 309825). However, they don't work with the Advanced client (the XP version, runnable on W2K) (see KB 278139).

    IPSec (Internet Protocol Security) Policies

      Part of Domain policies:

      Policy: Description

      • Client (Respond Only): Communicate unsecured. Only the requested protocol and port traffic with that server is secured. This is the default response rule to negotiate with servers that request security.
      • Server (Request Security): For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to the request.
      • Secure Server (Require Security): For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients.

    Portions ©Copyright 1996-2010 Wilson Mar. All rights reserved. | Privacy Policy |