Date post: | 12-Jan-2016 |
Category: |
Documents |
Upload: | nelson-atkins |
View: | 230 times |
Download: | 0 times |
Module 9: Configuring IPsec
Module Overview
• Overview of IPsec
• Configuring Connection Security Rules
• Configuring IPsec NAP Enforcement
Lesson 1: Overview of IPsec
• Benefits of IPsec
• Recommended Uses of IPsec
• Tools Used to Configure IPsec
• What Are Connection Security Rules?
• Demonstration: Configuring General IPsec Settings
Benefits of IPsec
IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network
IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network
• IPsec has two goals: to protect IP packets and to defend against network attacks
• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other
• IPsec secures network traffic by using encryption and data signing
• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated
Recommended Uses of IPsec
Recommended uses of IPsec include:
• Authenticating and encrypting host-to-host traffic
• Authenticating and encrypting traffic to servers
• L2TP/IPsec for VPN connections
• Site-to-site tunneling
• Enforcing logical networks
Tools Used to Configure IPsec
To configure IPsec, you can use:
• Windows Firewall with Advanced Security MMC(used for Windows Server 2008 and Windows Vista)
• IP Security Policy MMC (Used for mixed environments and to configure policies that apply to all Windows versions)
• Netsh command-line tool
What Are Connection Security Rules?
Connection security rules involve:
• Authenticating two computers before they begin communications
• Securing information being sent between two computers
• Using key exchange, authentication, data integrity, and data encryption (optionally)
How firewall rules and connection rules are related:
• Firewall rules allow traffic through, but do not secure that traffic
• Connection security rules can secure the traffic, but creating a connection security rule does not allow traffic through the firewall
Demonstration: Configuring General IPsec Settings
In this demonstration, you will see how to configure General IPsec settings in Windows Firewall with Advanced Security
Lesson 2: Configuring Connection Security Rules
• Choosing a Connection Security Rule Type
• What Are Endpoints?
• Choosing Authentication Requirements
• Authentication Methods
• Determining a Usage Profile
• Demonstration: Configuring a Connection Security Rule
Choosing a Connection Security Rule Type
Rule Type Description
Isolation Restricts connections based on authentication criteria that you define
Authentication Exemption
• Exempts specific computers, or a group or range of IP addresses, from being required to authenticate
• Grants access to those infrastructure computers with which this computer must communicate before authentication occurs
Server-to-ServerAuthenticates two specific computers, two groups of computers, two subnets, or a specific computer and a group of computers or subnet
TunnelProvides secure communications between two peer computers through tunnel endpoints (VPN or L2TP IPsec tunnels)
Custom Enables you to create a rule with special settings
What Are Endpoints?
EncryptedIP Packet
ESPTRLR
ESPAuth
ESPHDR
NewIP HDR
IP HDR Data
ESP Tunnel Mode
ESP Transport Mode
EncryptedData
ESPTRLR
ESPAuth
ESPHDRIP HDR
IP HDR Data
Choosing Authentication Requirements
Option Description
Request Authentication for inbound and outbound connections
Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails
Require authentication for inbound connections and request authentication for outbound connections
• Require inbound be authenticated or it will be blocked
• Outbound can be authenticated but will be allowed if authentication fails
Require authentication for inbound and outbound connections
Require that all inbound/outbound traffic be authenticated or the traffic will be blocked
Authentication Methods
Method Key Points
Default Use the authentication method configured on the IPsec Settings tab
Computer and User (Kerberos V5)
You can request or require both the user and computer authenticate before communications can continue; domain membership required
Computer (Kerberos V5)
Request or require the computer to authenticate using Kerberos V5
Domain membership required
User (Kerberos V5) Request or require the user to authenticate using Kerberos V5; domain membership required
Computer certificate
• Request or require a valid computer certificate, requires at least one CA
• Only accept health certificates: Request or require a valid health certificate to authenticate, requires IPsec NAP
Advanced Configure any available method; you can specify methods for First and Second Authentication
Determining a Usage Profile
Windows supports three network types, and programs can use these locations to automatically apply the appropriate configuration options:
• Domain: selected when the computer is a domain member
• Private: networks trusted by the user (home or small office network)
• Public: default for newly detected networks, usually the most restrictive settings are assigned because of the security risks present on public networks
Security Settings can change dynamically with the network location typeSecurity Settings can change dynamically with the network location type
The network location type is most useful on portable computers which are likely to move from network to networkThe network location type is most useful on portable computers which are likely to move from network to network
Demonstration: Configuring a Connection Security Rule
In this demonstration, you will see how to configure a Connection Security rule
Lesson 3: Configuring IPsec NAP Enforcement
• IPsec Enforcement for Logical Networks
• IPsec NAP Enforcement Processes
• Requirements to Deploy IPsec NAP Enforcement
IPsec Enforcement for Logical Networks
SHAsNAP agentNAP ECs
RestrictedNetwork
BoundaryNetwork
Secure Network
Non-NAP capable client
Non-compliant NAP client
NAP enforcement servers
Remediation servers
Compliant NAP client
Secure servers
NPS servers
HRAVPN802.1XDHCPNPS proxy
SHAsNAP agentNAP ECs
NAP administration serverNetwork policiesNAP health policiesConnection request policiesSHVs
Certificate servicesE-mail serversNAP policy servers
IPsec NAP Enforcement includes:
• Policy validation
• NAP enforcement
• Network restriction
• Remediation
• Ongoing monitoring of compliance
IPsec NAP Enforcement Processes
Intranet
Remediation Servers
InternetNAP Health
Policy Server DHCP Server
Health Registration Authority
IEEE 802.1X
Devices
Active Directory
VPN Server
Restricted Network
NAP Client with limited access
Perimeter Network
Requirements to Deploy IPsec NAP Enforcement
Requirements for deploying IPsec NAP Enforcement:
Active Directory
Active Directory Certificate Services
Network Policy Server
Health Registration Authority
Lab: Configuring IPsec NAP Enforcement
• Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement
• Exercise 2: Configuring and Testing IPsec NAP Enforcement
Logon information
Virtual machines NYC-DC1, NYC-CL1, NYC-CL2
User name Administrator
Password Pa$$w0rd
Estimated time: 60 minutes
Lab Review
• What would the implication be if you installed the Certificate Server as an Enterprise CA, as opposed to a Standalone CA, and you have workgroup computers that need to be NAP compliant?
• Under what circumstances would Authentication Exemption be useful in a Connection Security Rule?
Module Review and Takeaways
• Review Questions
• Common Misconceptions About IPsec
• IPsec Benefits
• Tools