Module 9: Configuring IPsec
Module Overview
• Overview of IPsec
• Configuring Connection Security Rules
• Configuring IPsec NAP Enforcement

Lesson 1: Overview of IPsec
• Benefits of IPsec
• Recommended Uses of IPsec
• Tools Used to Configure IPsec
• What Are Connection Security Rules?
• Demonstration: Configuring General IPsec Settings
Benefits of IPsec
IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network.
• IPsec has two goals: to protect IP packets and to defend against network attacks
• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other
• IPsec secures network traffic by using encryption and data signing
• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

Recommended Uses of IPsec
Recommended uses of IPsec include:
• Authenticating and encrypting host-to-host traffic
• Authenticating and encrypting traffic to servers
• L2TP/IPsec for VPN connections
• Site-to-site tunneling
• Enforcing logical networks
Tools Used to Configure IPsec
To configure IPsec, you can use:
• Windows Firewall with Advanced Security MMC (used for Windows Server 2008 and Windows Vista)
• IP Security Policy MMC (used for mixed environments and to configure policies that apply to all Windows versions)
• Netsh command-line tool

What Are Connection Security Rules?
Connection security rules involve:
• Authenticating two computers before they begin communications
• Securing information being sent between two computers
• Using key exchange, authentication, data integrity, and data encryption (optionally)

How firewall rules and connection security rules are related:
• Firewall rules allow traffic through, but do not secure that traffic
• Connection security rules can secure the traffic, but creating a connection security rule does not allow traffic through the firewall
Demonstration: Configuring General IPsec Settings In this demonstration, you will see how to configure General IPsec settings in Windows Firewall with Advanced Security
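The following netsh commands are an added example, not part of the course slides or the demonstration. They show the command-line equivalent of the general IPsec settings the demonstration configures in the MMC, and then the relationship between firewall rules and connection security rules described above: one rule opens the port, the other secures the traffic, and a `security=authenticate` firewall rule ties the two together. Rule names, the TCP port, and the algorithm choices are illustrative; run them from an elevated prompt.

```powershell
# Added example (not course material): general IPsec settings and the
# firewall-rule / connection-security-rule relationship, configured with netsh.

# --- General IPsec settings (WFAS > Properties > IPsec Settings) ---
# Main mode key exchange: DH group 2 with AES-128/SHA-256 first, 3DES/SHA-1 as fallback.
# Values are quoted so PowerShell passes the comma-separated list as one argument.
netsh advfirewall set global mainmode mmsecmethods "dhgroup2:aes128-sha256,dhgroup2:3des-sha1"
# Re-key main mode every 8 hours; 0 sessions means no per-session limit.
netsh advfirewall set global mainmode mmkeylifetime "480min,0sess"
# Strong CRL checking: fail certificate authentication when revocation cannot be checked.
netsh advfirewall set global ipsec strongcrlcheck 1
# Tear down idle security associations after 5 minutes.
netsh advfirewall set global ipsec saidletimemin 5
# Exempt only the traffic a host needs before IPsec can be negotiated.
netsh advfirewall set global ipsec defaultexemptions "neighbordiscovery,dhcp"
# Allow IPsec NAT traversal only when the server sits behind a NAT device.
netsh advfirewall set global ipsec ipsecthroughnat serverbehindnat
# Display the resulting global settings for verification.
netsh advfirewall show global

# --- Firewall rule vs. connection security rule ---
# A firewall rule alone admits SMB traffic but does nothing to protect it.
netsh advfirewall firewall add rule name="Allow-SMB-In" dir=in action=allow protocol=tcp localport=445
# A connection security rule alone negotiates IPsec for that traffic but opens no port.
# port1 is the port on endpoint1 (the local computer); auth1=computerkerb uses computer Kerberos V5.
netsh advfirewall consec add rule name="Secure-SMB" endpoint1=any endpoint2=any protocol=tcp port1=445 action=requireinrequestout auth1=computerkerb
# To make the open port depend on IPsec, the firewall rule can require authenticated traffic only.
netsh advfirewall firewall set rule name="Allow-SMB-In" new security=authenticate
# Review both rule sets.
netsh advfirewall firewall show rule name="Allow-SMB-In" verbose
netsh advfirewall consec show rule name="Secure-SMB" verbose
```

Rule names are written without spaces on purpose: PowerShell strips the quotes before handing the argument to netsh, so a name containing spaces would be split. From cmd.exe the same commands work as written.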
Lesson 2: Configuring Connection Security Rules
• Choosing a Connection Security Rule Type
• What Are Endpoints?
• Choosing Authentication Requirements
• Authentication Methods
• Determining a Usage Profile
• Demonstration: Configuring a Connection Security Rule

Choosing a Connection Security Rule Type
Rule Type: Description
Isolation: Restricts connections based on authentication criteria that you define
Authentication Exemption:
• Exempts specific computers, or a group or range of IP addresses, from being required to authenticate
• Grants access to those infrastructure computers with which this computer must communicate before authentication occurs
Server-to-Server: Authenticates two specific computers, two groups of computers, two subnets, or a specific computer and a group of computers or subnet
Tunnel: Provides secure communications between two peer computers through tunnel endpoints (VPN or L2TP/IPsec tunnels)
Custom: Enables you to create a rule with special settings
What Are Endpoints?
[Diagram: packet layouts for the two ESP modes.
ESP Transport Mode: the original IP HDR is kept, followed by ESP HDR | Encrypted Data | ESP TRLR | ESP Auth; only the payload is encrypted.
ESP Tunnel Mode: a New IP HDR is added, followed by ESP HDR | Encrypted IP Packet (original IP HDR + Data) | ESP TRLR | ESP Auth; the whole original packet is encrypted.]
Choosing Authentication Requirements
Option: Description
Request authentication for inbound and outbound connections: Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails
Require authentication for inbound connections and request authentication for outbound connections:
• Require inbound be authenticated or it will be blocked
• Outbound can be authenticated but will be allowed if authentication fails
Require authentication for inbound and outbound connections: Require that all inbound/outbound traffic be authenticated or the traffic will be blocked

Authentication Methods
Method: Key Points
Default: Use the authentication method configured on the IPsec Settings tab
Computer and User (Kerberos V5): You can request or require both the user and computer authenticate before communications can continue; domain membership required
Computer (Kerberos V5): Request or require the computer to authenticate using Kerberos V5; domain membership required
User (Kerberos V5): Request or require the user to authenticate using Kerberos V5; domain membership required
Computer certificate:
• Request or require a valid computer certificate; requires at least one CA
• Only accept health certificates: request or require a valid health certificate to authenticate; requires IPsec NAP
Advanced: Configure any available method; you can specify methods for First and Second Authentication

Determining a Usage Profile
Security settings can change dynamically with the network location type. Windows supports three network types, and programs can use these locations to automatically apply the appropriate configuration options:
• Domain: selected when the computer is a domain member
• Private: networks trusted by the user (home or small office network)
• Public: default for newly detected networks; usually the most restrictive settings are assigned because of the security risks present on public networks
The network location type is most useful on portable computers, which are likely to move from network to network.
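The block below is an added example, not part of the course slides: it builds one connection security rule of each type from the Rule Type table with netsh, using the `action=` keyword for the three authentication-requirement options and `auth1=`/`auth2=` for the authentication methods, and scopes the isolation rule to the Domain profile with `profile=`. Rule names, IP addresses (RFC 5737 documentation ranges), the CA name and the pre-shared key are illustrative placeholders.

```powershell
# Added example (not course material): one netsh connection security rule per rule type.
# action= maps to the authentication-requirement options:
#   requestinrequestout = request authentication for inbound and outbound
#   requireinrequestout = require inbound, request outbound
#   requireinrequireout = require inbound and outbound
#   noauthentication    = authentication exemption

# 1. Isolation: any-to-any, computer Kerberos V5, applied only while on the domain network.
netsh advfirewall consec add rule name="Isolation-Domain" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

# 2. Authentication exemption: infrastructure hosts this computer must reach before it can authenticate
#    (DNS, DHCP and the default gateway are resolved by the firewall at run time).
netsh advfirewall consec add rule name="Exempt-Infrastructure" endpoint1=any endpoint2="dns,dhcp,defaultgateway" action=noauthentication

# 3. Server-to-server: two specific hosts, authentication required both ways, computer certificate
#    issued by an internal CA (placeholder CA name).
netsh advfirewall consec add rule name="SrvToSrv-App-DB" endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout auth1=computercert auth1ca="CN=Contoso-Root-CA"

# 4. Tunnel: gateway-to-gateway between two subnets with explicit tunnel endpoints.
#    A pre-shared key is used here only because it is a lab; it is stored readably in the rule,
#    so certificates are the production choice.
netsh advfirewall consec add rule name="Tunnel-Branch" mode=tunnel endpoint1=10.10.0.0/24 endpoint2=10.20.0.0/24 localtunnelendpoint=203.0.113.1 remotetunnelendpoint=198.51.100.1 action=requireinrequireout auth1=computerpsk auth1psk="PlaceholderLabKey"

# 5. Custom: Computer and User authentication (first authentication computer Kerberos,
#    second authentication user Kerberos), requested rather than required.
netsh advfirewall consec add rule name="Custom-ComputerAndUser" endpoint1=any endpoint2=localsubnet action=requestinrequestout auth1=computerkerb auth2=userkerb

# Health-certificate variant of the isolation rule, as used by IPsec NAP enforcement
# ("Only accept health certificates" in the MMC).
netsh advfirewall consec add rule name="Isolation-NAP" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="CN=Contoso-Root-CA" auth1healthcert=yes

# List everything for review; verbose shows the negotiated methods and profiles.
netsh advfirewall consec show rule name=all verbose
```

Ordering matters in practice: the exemption rule must exist alongside the isolation rule, otherwise a domain member cannot reach DNS or DHCP to obtain the address and Kerberos ticket it needs before the isolation rule can ever succeed.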
Demonstration: Configuring a Connection Security Rule In this demonstration, you will see how to configure a Connection Security rule
Lesson 3: Configuring IPsec NAP Enforcement
• IPsec Enforcement for Logical Networks
• IPsec NAP Enforcement Processes
• Requirements to Deploy IPsec NAP Enforcement

IPsec Enforcement for Logical Networks
[Diagram: the three logical networks of IPsec NAP enforcement.
Restricted Network: non-compliant NAP client, non-NAP-capable client.
Boundary Network: remediation servers and the NAP enforcement servers (HRA, VPN, 802.1X, DHCP, NPS proxy).
Secure Network: compliant NAP client, secure servers.
Supporting components shown: NAP clients running SHAs, the NAP agent and NAP ECs; NPS servers acting as NAP administration server with network policies, NAP health policies, connection request policies and SHVs; NAP policy servers, certificate services and e-mail servers.]
IPsec NAP Enforcement Processes
IPsec NAP Enforcement includes:
• Policy validation
• NAP enforcement
• Network restriction
• Remediation
• Ongoing monitoring of compliance
[Diagram: NAP infrastructure spanning the Internet, a Perimeter Network and the Intranet: VPN server, IEEE 802.1X devices, DHCP server, Health Registration Authority, Active Directory, NAP health policy server, and a Restricted Network containing remediation servers and a NAP client with limited access.]
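The checks below are an added example, not part of the course. They are what an administrator runs on a Windows NAP client to confirm that the IPsec enforcement process described above is actually in effect: the NAP agent is running, the IPsec Relying Party enforcement client is enabled, the client's current health state is known, a health certificate has been issued, and IPsec security associations exist with peers. The System Health Authentication EKU OID is the one Microsoft assigns to NAP health certificates; nothing else here is page-specific.

```powershell
# Added example (not course material): verifying IPsec NAP enforcement on a client.

# The Network Access Protection Agent service (service name napagent) must be running;
# without it no enforcement client can report health.
Get-Service napagent
Set-Service napagent -StartupType Automatic
Start-Service napagent

# The IPsec Relying Party enforcement client has ID 79619; enable it and confirm.
netsh nap client set enforcement ID=79619 ADMIN=ENABLE
netsh nap client show configuration

# Current compliance result as seen by the NAP agent (restricted vs. full access, SHA results).
netsh nap client show state

# A compliant client receives a health certificate in the computer store. Health certificates
# carry the System Health Authentication EKU, OID 1.3.6.1.4.1.311.47.1.1; list any present.
$healthEku = '1.3.6.1.4.1.311.47.1.1'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $healthEku } } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

# Main mode and quick mode security associations show which peers negotiated IPsec,
# which authentication method was used, and therefore whether the health certificate
# is being honoured on the secure network.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

If `show state` reports the client as non-compliant, the restricted network still lets it reach the remediation servers listed in the exemption rules, which is the remediation step of the process; once the SHAs report compliance the HRA issues a new health certificate and the main mode SAs to secure-network hosts appear.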
Requirements to Deploy IPsec NAP Enforcement
Requirements for deploying IPsec NAP Enforcement:
• Active Directory
• Active Directory Certificate Services
• Network Policy Server
• Health Registration Authority

Lab: Configuring IPsec NAP Enforcement
• Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement
• Exercise 2: Configuring and Testing IPsec NAP Enforcement

Logon information
Virtual machines: NYC-DC1, NYC-CL1, NYC-CL2
User name: Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes

Lab Review
• What would the implication be if you installed the Certificate Server as an Enterprise CA, as opposed to a Standalone CA, and you have workgroup computers that need to be NAP compliant?
• Under what circumstances would Authentication Exemption be useful in a Connection Security Rule?

Module Review and Takeaways
• Review Questions
• Common Misconceptions About IPsec
• IPsec Benefits
• Tools