SECURITY

Windows Server 2003 : Securing Network Communication - Deploying IPSec

5/16/2013 7:15:20 PM
All versions of Microsoft Windows beginning with Windows 2000 include support for IPSec, as do several non-Microsoft operating systems. IPSec is based on standards published by the Internet Engineering Task Force (IETF), so all IPSec implementations conforming to those standards should be compatible. In Windows operating systems, the administration of IPSec is based on IPSec policies, which specify when and how IPSec should be used to secure network communications.

IPSec Components

The IPSec implementation in Windows Server 2003 consists of the following components:

  • IPSec Policy Agent A service (appearing as IPSEC Services on every computer running Windows Server 2003) that accesses IPSec policy information stored in the Active Directory database or the Windows registry.

  • Internet Key Exchange (IKE) IKE is the protocol that IPSec computers use to exchange information about generating Diffie–Hellman keys and to create a security association (SA). The IKE communication process proceeds in two stages. The first stage, called the Phase 1 SA, includes the negotiation of which encryption algorithm, hashing algorithm, and authentication method the systems will use. The second stage consists of the establishment of two Phase 2 SAs, one in each direction. This stage includes the negotiation of which IPSec protocols, hashing algorithm, and encryption algorithm the systems will use, as well as the exchange of information about authentication and key generation.

  • IPSec Driver Performs the actual preparations that enable secure network communication to take place, including the generation of checksums, the construction of IPSec packets, and the encryption of the data to be transmitted. The driver receives a filter list from the IPSec policy the system is using and compares each outgoing packet to that list. When a packet meets the criteria of the filter list, the IPSec driver initiates the IKE communications process with the destination system, adds the AH and ESP headers to the outgoing packet, and encrypts the data inside, if necessary. For incoming packets, the IPSec driver calculates hashes and checksums as needed and compares them to those in the packet that just arrived.

Planning an IPSec Deployment

Configuring computers running Windows Server 2003 to use IPSec is relatively simple. However, before the actual deployment, you must consider just what network traffic you need to protect and how much protection you want to provide. IPSec is resource intensive in two different ways. First, the addition of AH and ESP headers to each packet increases the amount of traffic on your network. Second, calculating hashes and encrypting data both require large amounts of processor time. Unless you have planned your network design to account for the resources that IPSec needs, using IPSec for all your network traffic simply because you can is usually not a good idea.

Windows Server 2003 IPSec enables you to specify exactly what traffic to protect using IPSec, and what degree of protection to apply. IPSec does this using packet filters. You can specify IP addresses, protocols, and ports when creating a filter, and the system secures all traffic that meets the filter criteria using IPSec.

Another factor to consider when planning an IPSec deployment is support for the protocols on your network’s various computers. Systems running versions of the Windows operating system earlier than Windows 2000 cannot use IPSec. In the case of operating systems other than the Windows operating system, you must determine whether they support IPSec and do your own testing to be sure that the implementations are compatible.

Working with IPSec Policies

The IP Security Policies snap-in for Microsoft Management Console (MMC) is the tool you use to view and manage IPSec policies on a computer running Windows Server 2003. By default, the snap-in is incorporated into the Group Policy Object Editor console, and on member servers, into the Local Security Policy console. You can also add the snap-in to a new MMC console and configure it to manage the policies on any individual computer or Active Directory domain.

You deploy IPSec policies in much the same way as other types of Windows Server 2003 policy settings; you can apply them to individual computers, but for network installations, it is more common to deploy IPSec policies by assigning them to Active Directory sites, domains, or organizational units (OUs). IPSec policies flow down through the Active Directory hierarchy just like other group policy settings. When you apply an IPSec policy to an OU, for example, all the computers in the domain inherit that policy.

Once you have created IPSec policies in the appropriate places, you must then activate them by selecting Assign from the Action menu in the IP Security Policies snap-in. You can view the policy that is currently in effect for any computer on the network, as well as detailed information about IPSec activities, using the IP Security Monitor snap-in.

Using the Default IPSec Policies

When you open the IP Security Policies snap-in (shown Figure 1), you see the three policies that Windows Server 2003 always creates by default. These three policies are as follows, listed in order of increasing security:

Figure 1. The IP Security Policies snap-in


  • Client (Respond Only) Configures the computer to use IPSec only when another computer requests IPSec. The computer using this policy never initiates an IPSec negotiation; it only responds to requests from other computers for secured communications.

  • Server (Request Security) Configures the computer to request the use of IPSec when communicating with another computer. If the other computer supports IPSec, the IPSec negotiation begins. If the other computer does not support IPSec, the systems establish a standard, unsecured IP connection.

  • Secure Server (Require Security) Configures the computer to require IPSec security for all communications. If the computer attempts to communicate with a computer that does not support IPSec, the initiating computer terminates the connection.

These default policies are intended for computers performing different roles. The Client (Respond Only) policy is intended for computers that connect sometimes to secured servers, and sometimes to systems that do not require the security of IPSec. Using the Client (Respond Only) policy, the system incurs the additional overhead generated by IPSec only when necessary. The Server (Request Security) policy is intended for computers that do not require the highest levels of security and might communicate with systems not supporting IPSec. The Secure Server (Require Security) policy is intended for computers working with sensitive data that must be secured at all times. Before implementing this policy, you must make sure all the computers that need to access the secured server support IPSec.

Modifying IPSec Policies

In addition to using the default IPSec policies as they are, you can modify them or create new policies of your own.

Tip

Although you can modify the properties of the default IPSec policies, the best practice is to leave them intact and create new policies of your own using the default policies as models.


IPSec policies consist of three elements, which are as follows:

  • Rules A rule is a combination of an IP filter list and a filter action that specifies when and how the computer should use IPSec. An IPSec policy can consist of multiple rules, as shown in Figure 2.

    Figure 2. The IP Security Rules list

  • IP filter lists A collection of filters that specify what traffic the system should secure with IPSec, based on IP addresses, protocols, or port numbers. You can also create filters using a combination of these criteria, as shown in Figure 3.

    Figure 3. The IP Filter Lists list

  • Filter actions Configuration parameters that specify exactly how IPSec should secure the filtered packets. Filter actions specify whether IPSec should use AH, ESP, or both, as well as what data integrity and encryption algorithms the system should use. (See Figure 4.)

    Figure 4. The Filter Actions list

To help create a new policy, the IP Security Policies snap-in provides wizards for creating rules, filter lists, and filter actions. However, you can elect not to use the wizards and create the policy elements using standard dialog boxes.

Exam Tip

When preparing for the upgrade exams, be sure you are familiar with the components of an IPSec policy and with the functions of each component.


Command-Line Tools

Netsh.exe is a native Windows Server 2003 command-line scripting tool that you can use to display or modify the local or remote network configuration of a computer running Windows Server 2003. You can run Netsh from a batch file or from the command prompt. The Netsh IPSec commands cannot be used on other versions of Windows.

See Also

You can find a complete list of Netsh IPSec commands in the Windows Server 2003 Help And Support Center. You can locate them by clicking Tools on the Help And Support Center home page and then clicking Command Line Reference A-Z. Note that many of the commands look complex, but they can be simplified. If you use the same choices as the command uses for its defaults, the commands you must type in can be reduced. For example, you don’t need to use the word “Kerberos” if that is the form of authentication you want to use. Enter nothing, and the command defaults to using Kerberos authentication.


Netdiag.exe is a command-line tool that you can use to display IPSec information as well as to test and view network configuration. Netdiag is available for Windows Server 2003, Windows 200, and Windows XP. However, it must be installed in a different way for each operating system. For Windows Server 2003, Netdiag is installed with the Windows Server 2003 Support Tools. For Windows 2000, Netdiag is included with the Windows 2000 Resource Kit tools that you can also download from the Microsoft Web site. It is also available on the Windows XP Installation CD-ROM, and is installed by running Setup.exe from the Support\Tools folder.

You can obtain general network diagnostic information (not IPSec-specific) by using the Netdiag command. For example, the Netdiag /v /l command provides the IP configuration and routing configuration for a computer, tests WINS and DSN name resolution, reports the build version of the computer and the hotfixes that are installed, tests the validity of domain membership, verifies that clients can contact domain controllers, and checks trust relationships. All this information can be useful in eliminating general networking problems before attempting to diagnose IPSec issues.

However, although the Netdiag.exe tool is available for Windows Server 2003, the Netdiag /test:ipsec option is removed. Use the Netsh command instead. Because Netsh IPSec context commands will not work with down-level Windows computers, use Netdiag for them. You might want to remotely examine the IPSec policy of a computer running Windows XP or Windows 2000 that is communicating, or attempting to communicate, with Windows Server 2003. In this case, use a Remote Desktop session and the Netdiag tool.

Practice: Creating an IPSec Policy

In this practice, you use the IP Security Policies snap-in to view the properties of the default IPSec policies and create a new policy of your own.

Exercise 1: Creating an MMC Console and Viewing the Default Policies

In this exercise, you create an MMC console containing the IP Security Policies snap-in and use it to view the default IPSec policies on your server.

1.
Log on to Windows Server 2003 as Administrator.

2.
Click Start, and then click Run. The Run dialog box appears.

3.
In the Open text box, type mmc and then click OK. The Console1 window appears.

4.
From the File menu, select Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.

5.
Click Add. The Add Standalone Snap-in dialog box appears.

6.
Scroll down the Available Standalone Snap-ins list, select IP Security Policy Management, and then click Add. The Select Computer Or Domain dialog box appears.

7.
With the default Local Computer option selected, click Finish.

8.
Click Close to close the Add Standalone Snap-in dialog box. The IP Security Policies On Local Computer snap-in now appears in the Add/Remove Snap-in dialog box.

9.
Click OK to close the Add/Remove Snap-in dialog box. The snap-in you selected now appears in the scope pane of the MMC console.

10.
Click the IP Security Policies on Local Computer heading in the scope pane. The three default IPSec policies described earlier in this lesson appear in the details pane.

11.
Select the Secure Server (Require Security) policy in the details pane and, from the Action menu, select Properties. The Secure Server (Require Security) Properties dialog box appears.

Notice that the Rules tab in the Secure Server (Require Security) Properties dialog box contains three rules, one applying to all IP traffic, one for all ICMP traffic, and one that is dynamic.

12.
Select All IP Traffic from the IP Security Rules list, and then click Edit. The Edit Rule Properties dialog box appears.

Notice that the All IP Traffic option is selected in the IP Filter List tab.

13.
Click the Filter Action tab.

Notice that the Require Security option is selected in the Filter Actions list.

14.
Click the Authentication Methods tab.

Notice that the policy is configured to use Kerberos for authentication.

15.
Click OK to close the Edit Rule Properties dialog box.

16.
Click OK to close the Secure Server (Require Security) Properties dialog box.

Exercise 2: Creating a New IPSec Policy

In this exercise, you use the IP Security Policies snap-in to create a new IPSec policy on the computer.

1.
In the console you created in Exercise 1, select the IP Security Policies On Local Computer heading in the scope pane and, from the Action menu, select Create IP Security Policy. The IP Security Policy Wizard appears.

2.
Click Next. The IP Security Policy Name page appears.

3.
In the Name text box, type Web Server Security and then click Next. The Requests For Secure Communication page appears.

4.
Click Next to accept the default Activate The Default Response Rule setting. The Default Response Rule Authentication Method page appears.

The default authentication method for Active Directory systems is Kerberos V5 protocol, but on this page, you could elect to use a digital certificate or a preshared key in the form of a character string that you supply to all the computers involved in secured communications.

5.
Click Next to accept the default Active Directory Default (Kerberos V5 Protocol) option. The Completing The IP Security Policy Wizard page appears.

6.
Make sure the Edit Properties check box is selected, and then click Finish. The Web Server Security Properties dialog box appears.

7.
In the Rules tab, make sure that the Use Add Wizard check box is selected and then click Add. The Security Rule Wizard appears.

8.
Click Next. The Tunnel Endpoint page appears.

On this page, you specify whether you want IPSec to run in transport mode or tunnel mode. To use tunnel mode, you must specify the IP address of the system functioning as the tunnel endpoint. This is usually a router that provides a WAN connection to a remote site.

9.
Click Next to accept the default This Rule Does Not Specify A Tunnel option. The Network Type page appears.

This page enables you to specify whether you want the rule to apply to local area network (LAN) traffic only, remote access traffic only, or both.

10.
Click Next to accept the default All Network Connections option. The IP Filter List page appears.

11.
Click Add. The IP Filter List dialog box appears.

12.
In the Name text box, type All Web Traffic and then click Add. The IP Filter Wizard appears.

13.
Click Next. The IP Filter Description And Mirrored Property page appears.

14.
Click Next to accept the default Mirrored. Match Packets With The Exact Opposite Source And Destination Addresses check box. The IP Traffic Source page appears.

15.
In the Source Address list, select Any IP Address and then click Next. The IP Traffic Destination page appears.

16.
In the Destination Address list, select My IP Address and then click Next. The IP Protocol Type page appears.

17.
In the Select A Protocol Type list, select TCP and then click Next. The IP Protocol Port page appears.

18.
Click the To This Port option, type 80 in the text box provided, and then click Next. The Completing The IP Filter Wizard page appears.

19.
Click Finish. The new IP filter you created appears in the IP Filters list. Click OK to close the IP Filter List dialog box.

20.
In the IP Filter List page of the Security Rule Wizard, select the All Web Traffic filter option you just created, and then click Next. The Filter Action page appears.

21.
Make sure the Use Add Wizard check box is selected, and then click Add. The Filter Action Wizard appears.

22.
Click Next. The Filter Action Name page appears.

23.
In the Name text box, type Maximum Security and then click Next. The Filter Action General Options page appears.

24.
Click the Negotiate Security option, and then click Next. The Communicating With Computers That Do Not Support IPSec page appears.

25.
Click Next to accept the default Do Not Communicate With Computers That Do Not Support IPSec option. The IP Traffic Security page appears.

26.
Click the Custom option, and then click Settings. The Custom Security Method Settings dialog box appears.

27.
Select the Data And Address Integrity Without Encryption (AH) check box to activate the IP Authentication Header protocol, and then click OK to return to the IP Traffic Security page.

28.
Click Next. The Completing The IP Security Filter Action Wizard page appears.

29.
Click Finish to return to the Filter Action page in the Security Rule Wizard.

30.
Select the Maximum Security filter action option you just created, and then click Next. The Authentication Method page appears.

31.
Click Next to accept the default Active Directory Default (Kerberos V5 Protocol) option. The Completing The Security Rule Wizard page appears.

32.
Clear the Edit Properties check box, and then click Finish.

33.
Click OK to close the Web Server Security Properties dialog box.

34.
The new Web Server Security policy you created now appears in the IP Security Policies On Local Computer snap-in.

35.
Click the Web Server Security policy in the details pane and, from the Action menu, select Assign.

36.
Close the IP Securities Policies On Local Computer snap-in.
Other  
 
Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
VIDEO TUTORIAL
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8