When the network appears to be running smoothly, you
might be tempted to kick off your shoes, put your feet on the desk, lace
your hands behind your neck, and breathe a deep sigh of relief.
However, now is the time to monitor network security protocol
activity—if you don’t know what normal traffic looks like, how will you
recognize the abnormal? How will you know when there are problems you
must resolve and whether attacks are underway? How will you be able to
use your diagnostic tools to find out why something is not happening
correctly and what you must do to fix it? If some problems are masked by
the resiliency of your network, it is far better to find them now,
before they become downtime or disaster.
This is the perfect
time to learn to use those utilities and tools that might help when your
network goes down; when the VP of Marketing cannot log on to the
domain; when no connection can be made to the Accounting database; when
the boss is on line 2 and everyone else is standing around looking
expectantly at you.
This lesson provides
information on the tools available to monitor network security
protocols. It tells you how to use them, and in doing so provides
insight into the protocols themselves.
Understanding IPSec
IPSec is a complex protocol that you can use for the following tasks:
Authenticate and encrypt traffic between two computers
Block specific traffic from entering or leaving a computer
Allow specific traffic to enter or leave a computer
The
specifics of the protocol and how it works are defined in a large
number of Internet Engineering Task Force (IETF) Requests for Comments
(RFC). These RFCs detail the standards by which the protocol should be
implemented, and, if published in book form, would fill hundreds of
pages.
See Also
To make an exhaustive study of IPSec, you can read these RFCs: 3457, 3456,
3281, 3193, 2857, 2709, 2451, and approximately 22 more; you can obtain
copies at http://www.ietf.org.
However, you do not need
to know the intimate details to understand the basics of how IPSec
works, to implement an IPSec policy in Windows Server 2003, and to
monitor its activity to ensure that it is protecting traffic. Several
tools are available to help you do so, including these:
A brief overview of IPSec will assist your work.
Understanding How IPSec Works
You can think of IPSec policies as a collection of packet filters that enforce security policy on IP traffic. Each filter
describes some network protocol action. If traffic leaving or arriving
at the device (a computer or other IP network device) on which the
policy is active matches one of the filters, the traffic is either
blocked, allowed, or, before it can proceed, an IPSec connection is
negotiated between the sending and receiving devices.
Filters can be the
receipt or initialization of a specific protocol, a connection request
from or to a specific device, or another action that can be determined
by protocol, port, IP address, or range. These filters are defined in
the IPSec policy in a rule. Example filters might include the following:
All traffic from IP address 192.168.5.77
All traffic to IP address 192.168.5.101
All traffic on port 23, telnet’s default port
Traffic from 192.168.6.99 on port 23
Filters are combined into filter lists, which are, in turn, part of rules. Each rule also defines a filter action
and potentially extensive configuration information that defines the
specifics to be used for negotiating an IPSec connection. Filter actions
are Block, Allow, or Negotiate Security. Each rule can have only one
filter action, but a policy can be made up of many rules.
For example, if the
result required is that only telnet sessions that originate from a
specific computer will be accepted and must be encrypted, two rules
should be written: one to block all telnet traffic and the other to
negotiate telnet traffic from that specific computer. When an IPSec
policy is evaluated, the more specific rule will take precedence. If the
telnet traffic originates with the specified computer, the
communication is negotiated, and, assuming the policy configuration
matches where necessary, allowed to proceed. If the traffic originates
from any other IP address, because no specific rule exists for the
address, the more general rule is triggered and the communication will
be blocked.
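The two-rule telnet policy just described, written as Netsh commands. This is an added example, not from the original lesson: the policy, filter list, filter action and rule names are made up, 192.168.6.99 is the assumed "specific computer", and ESP with 3DES/SHA1 plus Kerberos authentication (domain members) are assumed negotiation settings.

```batch
@echo off
rem Added example (not the lesson's own): only encrypted telnet from 192.168.6.99 is accepted.
rem Names and addresses are placeholders; run from an administrative command prompt
rem on Windows Server 2003 / Windows XP Professional with the IPSEC Services service running.

rem 1. Create the policy. It is not active until it is assigned (step 6).
netsh ipsec static add policy name="Telnet-Policy" description="Only encrypted telnet from 192.168.6.99"

rem 2. General filter: any telnet (TCP port 23) arriving at this computer.
rem    srcport=0 means any source port; mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="All-Telnet"
netsh ipsec static add filter filterlist="All-Telnet" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes

rem 3. Specific filter: telnet from the one permitted computer only.
netsh ipsec static add filterlist name="Telnet-From-Admin"
netsh ipsec static add filter filterlist="Telnet-From-Admin" srcaddr=192.168.6.99 dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes

rem 4. Filter actions: Block, and Negotiate Security with ESP (encryption + integrity).
netsh ipsec static add filteraction name="Block-Action" action=block
netsh ipsec static add filteraction name="Negotiate-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]"

rem 5. Rules. The rule with the more specific filter (single source address) wins when both match,
rem    so telnet from 192.168.6.99 is negotiated and telnet from anywhere else is blocked.
netsh ipsec static add rule name="Block-All-Telnet" policy="Telnet-Policy" filterlist="All-Telnet" filteraction="Block-Action" kerberos=yes
netsh ipsec static add rule name="Negotiate-Admin-Telnet" policy="Telnet-Policy" filterlist="Telnet-From-Admin" filteraction="Negotiate-ESP" kerberos=yes

rem 6. Assign the policy, then verify what the IPSec driver actually loaded.
netsh ipsec static set policy name="Telnet-Policy" assign=yes
netsh ipsec static show policy name="Telnet-Policy" level=verbose
netsh ipsec dynamic show all
```

After a telnet session from 192.168.6.99 is established, netsh ipsec dynamic show all should list a quick mode security association for that peer; a telnet attempt from any other address never produces one because it is blocked before negotiation.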
IPSec is natively
available and can be used to protect network communications for
Microsoft Windows 2000, Microsoft Windows XP Professional, and Windows
Server 2003. A legacy client is available for Microsoft Windows NT 4,
Microsoft Windows 98, and Microsoft Windows Millennium Edition (Me). You
can download the legacy client from http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp. New features for IPSec include the following:
The IP Security Monitor snap-in improves on the Ipsecmon.exe tool in Windows 2000. (New in Windows XP Professional and Windows Server 2003.)
A stronger cryptographic master key is introduced, Diffie-Hellman 2048-bit.
The Netsh command-line management tool provides convenience, plus many configuration possibilities that are not available from the IP Security Policy Management snap-in.
Computer startup security (or stateful filter), if configured, is activated at startup and manages network traffic during startup. It allows only the outbound traffic that the computer initiates during startup, inbound traffic sent in response to the outbound traffic, and DHCP traffic.
The persistent policy is applied if the local policy or the Active Directory directory service IPSec policy cannot be applied.
Only Internet Key Exchange (IKE) traffic is exempt from traffic filters. This restriction is required in order to establish secured communication.
Certain restrictions determine which computers are allowed to connect by domain, by certificate origin, or by computer group.
The name of the certificate authority (CA) can be excluded from certificate requests to prevent exposure of information on computer trust relationships such as domain, CA, and company.
Logical addressing is applied for local IP configuration—such as DHCP server, DNS, and WINS—to accommodate dynamic addressing.
IPSec functionality over NAT lets Encapsulating Security Payload (ESP) packets pass through Network Address Translators (NATs) that allow User Datagram Protocol (UDP) traffic.
Integration with Network Load Balancing has improved, which is good for load balancing IPSec-based virtual private network (VPN) services.
Support is provided for the Resultant Set Of Policy (RSoP) snap-in to view existing IPSec policy assignments.
Negotiation Configuration
Negotiation
is the process that determines which IPSec subprotocol will be used,
and what specifics, such as key strength and cryptographic algorithms,
will be used. Next is a list of the basic choices available to you when
you configure an IPSec policy. You can make these choices by using the
IPSec wizards, by editing a policy in the IP Security Policies snap-in
or in Group Policy, or by using the Netsh command-line tool. Additional
options are available when you configure policy using the Netsh command.
The exercises at the end of this lesson show you how to use the
provided wizards to write a policy, and you also learn how to find these
elements in the GUI. In the exercises using Netsh, simply set them in
the commands.
Authentication: How the computers involved prove their identity.
Connection type: Where the policy is active.
Diffie-Hellman group: The size of the prime numbers used in the Diffie-Hellman master key calculation.
Filters: Each filter list can contain many filters. Filters include Protocol, Source Port, Source IP Address, Source Mask, Source DNS Name, Destination Port, Destination DNS, Destination IP Address, and Destination Mask.
Filter Actions: What happens when the filter is triggered.
IKE encryption protocol: How IKE packets are encrypted.
IKE integrity protocols: How IKE packets are protected to ensure data has not been changed during transport.
IKE security method: How IKE is negotiated.
IP Security Rules: Many rules can be defined.
IP Filter Lists: Many filter lists can be defined.
Master Key Perfect Forward Secrecy: If selected, the master key will be recalculated for every session.
Tunnel Setting: Whether the traffic uses a tunnel.
Note
Many people have trouble understanding filter actions. They especially have
trouble distinguishing between Request Security and Require Security.
Require Security, if chosen, accepts unsecured communication but always
responds using IPSec. If the client cannot speak IPSec, then the
conversation ends there. It is as if you speak only English and another
person speaks only Spanish. You ask a question and the other person
responds, but you cannot understand. Request Security is different.
Although the computer responds to a non-IPSec request by using IPSec, if
the other computer does not answer using IPSec, the first one drops back
and does not use IPSec. The communication can continue.
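The two filter actions the Note contrasts, as Netsh would create them. This is an added example, not from the original lesson; the action names and the ESP 3DES/SHA1 security method are assumptions. The distinction the Note describes in words is carried by two switches: inpass (accept an unsecured inbound request and answer with IPSec) and soft (whether to fall back to clear text when the peer never answers with IPSec).

```batch
@echo off
rem Added example (not the lesson's own). Names are placeholders; run from an
rem administrative command prompt on Windows Server 2003 / Windows XP Professional.

rem Require Security: accept an unsecured request (inpass=yes) and respond with IPSec,
rem but never fall back to clear text (soft=no). A peer that cannot speak IPSec gets no session.
netsh ipsec static add filteraction name="Require-Security" action=negotiate inpass=yes soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Request Security: the same opening move, but if the peer does not answer with IPSec
rem the computer drops back to unprotected traffic (soft=yes) and the conversation continues.
netsh ipsec static add filteraction name="Request-Security" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]"

rem Compare the two definitions; the verbose listing shows the inbound pass-through and
rem soft (fall-back) settings, which is the only place the two actions differ.
netsh ipsec static show filteraction name="Require-Security" level=verbose
netsh ipsec static show filteraction name="Request-Security" level=verbose

rem Monitoring check while a session is open: with Require Security a quick mode security
rem association for the peer must exist; with Request Security its absence means the
rem session silently fell back to clear text, which is the case to watch for.
netsh ipsec dynamic show qmsas
```

The same two settings appear in the IP Security Policy Management snap-in as the check boxes on the filter action's Security Methods tab; the Netsh form makes it easier to audit many policies for an unintended fall-back to unsecured communication.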