Tuesday, January 17, 2012

Configuring IPSec

Even though you can encrypt your data stored on your hard drive, how do you protect the data while it is in transmission? IPSec can do this. 
IPSec (Internet Protocol Security) is a set of protocols that encrypt data between two computers while it travels over an unsecured network. IPSec uses security services and digital certificates with public and private keys. As Mark Russinovich and David Solomon state in their Windows Internals book:
Internet Protocol Security (IPSec), which is integrated with the Windows TCP/IP stack, helps to protect unicast (IPSec itself supports multicast, but the Windows implementation does not) IP data against attacks such as eavesdropping, sniffer attacks, data modification, IP address spoofing, and man-in-the-middle attacks (when the identity of the remote machine can be verified, like a VPN). You can use IPSec to provide defense-in-depth against network-based attacks from untrusted computers; certain attacks that can result in the denial-of-service of applications, services, or the network; data corruption, data theft, and user-credential theft; and the administrative control over servers, other computers, and the network. IPSec helps defend against network-based attacks through cryptography-based security services, security protocols, and dynamic key management.
IPSec was originally designed to secure traffic over public networks. However, IPSec is being used increasingly on private networks. Windows Server 2008 provides enhancements to the IPSec rules.
Benefits of IPSec
  • Protects IP packets and defends against network attacks, including attacks on vulnerabilities in upper-layer protocols and applications. IPSec is integrated at the Internet layer of the TCP/IP protocol suite: applications that use TCP/IP pass their data to IP at the Internet layer, where IPSec can secure it.
  • Configuring IPSec on the sending and receiving computers forces both parties to identify themselves and enables them to send secured data.
  • IPSec secures network traffic: it provides confidentiality through encryption and authenticates data by signing it (Authentication Header, AH). The cryptographic protection applied to IP traffic depends on your choice of AH, ESP without encryption, or ESP with encryption.
  • An IPSec policy defines which traffic type is protected.
  • An IPSec policy also specifies how traffic is secured and encrypted, and how IPSec peers are authenticated.
Note: All IPSec traffic moves over UDP port 500, and IPSec is configured within the policies of local computers. A copy of the current policy is maintained in a cache in the local registry, and local connection security rules are stored in the local system registry.
  • Encapsulating Security Payload (ESP) encrypts data with one of several available algorithms.
  • Authentication Header (AH) signs traffic, but does not encrypt it.


Recommended uses of IPSec
  • Authenticating and encrypting traffic host-to-host and to servers
  • L2TP/IPSec for VPN connections (L2TP does not use tunnel mode.  L2TP provides encapsulation for an entire packet and the resulting IP packet payload is protected with ESP and encryption.)
  • Encryption for site-to-site tunneling communications
  • Enforce a logical network (isolating a group of computers or servers in order to authenticate that group)
Note: You do not want to use IPSec to secure communications between domain members and their domain controllers. This reduces network performance because of the encryption and the additional authentication required. You do not want to secure all network traffic unless you are running a highly secure environment. 


Question: You have a network that includes a server named PCRepairNorthShore that runs Windows Server 2008 R2. PCRepairNorthShore has a file share named SecureNumbers, and SecureNumbers contains confidential employee files. An audit reveals the files are being transferred across the network in clear text. You need to ensure the files are encrypted. What should you do?


Answer: Configure an IPSec policy that encrypts traffic between PCRepairNorthShore and the client computers that have access to the file. IPSec can be used for authentication and encryption. 


IPSec Configuration Tools
  • MMC snap-in Windows Firewall with Advanced Security (WFAS). Provides the security and policy configuration settings for IPSec, configured through Group Policy locally or in an Active Directory domain. 
  • Windows Server 2008 and Windows Vista desktops
  • MMC IP Security Policy. For mixed environments and to configure policies that apply to all Windows versions
  • Netsh command-line tool. With Netsh, you can create scripts that automatically configure Windows Firewall with Advanced Security settings, create rules, monitor connections, and display the configuration and status of Windows Firewall with Advanced Security. Netsh can be used to store local connection security rules or Active Directory connection security rules, and to modify connection security rules on remote computers.
  • At the command prompt, type Netsh advfirewall
  • Type help to get a full list of available commands
  • Type netsh advfirewall consec command to manage connection security rules
  • Type netsh advfirewall monitor command to monitor IPSec information for local and remote computers
  • Group Policy. You can configure Group Policy settings for Windows Firewall with Advanced Security, with profile settings, rules, and computer connection security rules.


Connection Security Rules (IPSec policies)
  • Authenticate two computers before communication begins.
  • Secure the information that is sent between the two computers using Encapsulating Security Payload (ESP) or Authentication Header (AH).
  • Use key exchange, authentication, data integrity, and data encryption. Data encryption protects the data from eavesdropping and tampering by unauthorized persons. Data integrity only protects the data from tampering.
Note: Firewall and connection rules are related, but there is a difference between the two rules:
  • Firewall rules allow traffic through the firewall, but do not actually secure the traffic. The firewall typically asks where the data is coming from, where it is going, what port and application it is using, and whether this is allowed.
  • A connection security rule secures the data traffic using IPSec, but does not allow the traffic through the firewall, so we still need to configure the firewall after we set up the connection security rule.

Windows Vista and Windows Server 2008 both support Authenticated Internet Protocol (AuthIP), an enhanced version of the Internet Key Exchange (IKE) protocol. Both AuthIP and IKE are protocols used to determine keying material and negotiate security parameters for communications protected using Internet Protocol security (IPsec). AuthIP provides simplified IPsec policy configuration and maintenance in many configurations and offers additional flexibility for IPsec peer authentication. This article describes the protocol details of AuthIP and coexistence behaviors between IPsec peers that support either both AuthIP and IKE or only IKE.
The Cable Guy - The Authenticated Internet Protocol

Question: You need to configure secure access for an Active Directory member server that is running Windows Server 2008. When client computers connect to the server, they must use IPSec.  You want to use Authenticated IP (AuthIP) to authenticate the client connections. You are required to configure the server to require current anti-virus protections before clients can connect. What should you do to accomplish this?
Answer: Configure a Network Access Policy (NAP) to require clients have the required anti-virus protections. Configure AuthIP to require a client health certificate. Clients that meet the required anti-virus qualifications can be issued a health certificate which can then be used for AuthIP authentication. 




Demo – How to Configure General IPSec Settings
Windows Firewall
  1. Start | Administrative Tools | Windows Firewall with Advanced Security
  2. In the Windows Firewall with Advanced Security dialog box, in the Actions window on the right-hand side, select Properties
  3. On the IPSec Settings tab, you can select IPSec defaults to Customize, or you can select IPSec exemptions
  4. If you choose to Customize, you can modify the Key exchange method, Data protection, or Authentication Method.
  5. Click OK. Click OK.
MMC
  1. Start | Run | MMC
  2. File | Add/Remove Snap-in
  3. Under Available snap-ins:, select IP Security Policy Manager, click the Add button
  4. In the Select Computer or Domain window, select Local computer and click Finish
  5. Click OK
  6. Under the Console Root, right-click IP Security Policy, and click on Create IP Security Policy…
  7. The IP Security Policy Wizard displays
  8. Click Next
  9. In the Name: field, we will call it Block ICMP, to prevent people from pinging the server
  10. Click Next
  11. In the Requests for Secure Communication, you can Activate the default response rule (earlier versions of Windows only)
  12. Click Next
  13. Click Finish, and the Block ICMP Properties dialog box is launched
  14. From here, you can choose the standard Default response rule for Kerberos authentication, if desired
  15. We will choose Add
  16. The Welcome to the Create IP Security Rule Wizard displays 
  17. Click Next
  18. The Tunnel Endpoint page displays. We are using transport mode, not a tunnel endpoint, so Click Next
  19. On the Network Type page, select All network connections (includes LAN and remote access). Click Next
  20. On the IP Filter List page, click Edit
  21. Click Add to add a New IP Filter List
  22. The Welcome to the IP Filter Wizard page displays
  23. Click Next
  24. On the IP Filter Description and Mirrored property page, type in a Description, “ICMP Filter”
  25. Click Next
  26. On the IP Traffic Source page, in the drop-down box, you choose the source of the IP traffic, Any IP Address
  27. Click Next
  28. On the IP Traffic Destination page, you choose the destination of the IP traffic, Any IP Address
  29. Click Next
  30. On the IP Protocol Type page, select the protocol type in the Select a protocol type drop-down box, ICMP
  31. Click Next
  32. Click Finish to complete the IP Filter Wizard
  33. You see the new IP Filter List for the ICMP protocol displayed in a dialog box
  34. Click OK
  35. On the IP Filter List page that displays, select New IP Filter List
  36. Click Next
  37. The Filter Action dialog box displays
  38. Click Edit
  39. The New Filter Action Properties dialog box displays (this controls what happens if the criteria of the ICMP rule are met)
  40. Select Block on the Security Methods tab
  41. On the General tab, you can type in a Name: and Description
  42. Click OK
  43. Select the New Filter Action
  44. Click Next
  45. Click Finish
  46. On the Block ICMP Properties page, you see the New IP Filter List displayed
  47. Click OK
  48. Notice under Policy Assigned, the policy is not assigned (until the policy is assigned, the server can be pinged).
  49. You can test this by going to a client machine, opening the command prompt, and typing:
  50. ping -t servername
  51. This ping command keeps pinging the server until you stop it. Leave the client machine pinging, go enable the rule on the server, and watch what happens on the client machine.
  52. On the MMC IP Security Policies console we just left, right-click the Block ICMP policy, and select Assign
  53. Notice under Policy Assigned, the policy now shows Yes
  54. Now, when you return to the client machine, you will see the ping blocked by the IPSec policy: Request timed out.


Configuring Connection Security Rules


These rules determine whether this machine can talk to other machines, and how and when computers authenticate using IPSec. The rule types are:
  • Isolation. Restrict the connection based on the authentication rules you define.
  • Authentication Exemption. Exempt certain computers, or groups of IP addresses, from the authentication requirement. Grant access to the computers that this computer must communicate with before authentication occurs, for example, a DHCP server.
  • Server-to-Server. Authenticate two computers, two computer groups, two subnets, or a specific computer and a group of computers or a subnet.
  • Tunnel. Provides secure communications between two peer computers through tunnel endpoints or gateways (VPN or L2TP IPSec tunnels).
  • Custom. Allows you to create your own customized rule with your own settings.



What are Tunnel Endpoints in IPSec?
  • ESP Transport Mode. Individual host computers communicate with their peers using IPSec.
  • ESP Tunnel Mode. An end-to-end tunnel solution. For example, if you have a branch office that you must connect to over the Internet, you can set up a secure VPN tunnel that uses IPSec to encrypt the data over that tunnel.

ESP encrypts the packets and applies a new unencrypted header for faster routing. The authenticity of that header data is not guaranteed. The header contains the address of the destination tunnel endpoint. After the packet reaches the destination tunnel endpoint, the header is removed and the destination machine's information is exposed.


Choosing Authentication Requirements
  • Request authentication for inbound and outbound connections. Ask all inbound and outbound traffic to be authenticated, but allow the connection if authentication fails.
  • Require authentication for inbound connections and request authentication for outbound connections. Require inbound traffic to be authenticated or it will be blocked; outbound traffic can be authenticated but is allowed if authentication fails.
  • Require authentication for inbound and outbound connections. Require all inbound and outbound traffic to be authenticated or the traffic is blocked.



Authentication Methods
  • Default. Uses the default authentication method set on the IPSec Settings tab.
  • Computer and User (Kerberos V5). Request or require both the user and the computer to authenticate before communications can continue (they must have a Kerberos V5 session ticket); domain membership is required.
  • Computer (Kerberos V5). Request or require the computer to authenticate before communications can continue (it must have a Kerberos V5 session ticket); domain membership is required.
  • User (Kerberos V5). Request or require the user to authenticate before communications can continue (they must have a Kerberos V5 session ticket); domain membership is required.
  • Computer certificate. Request or require a valid computer certificate; requires at least one Certificate Authority (CA). With Only accept health certificates, request or require a valid health certificate to authenticate; requires IPSec NAP.
  • Advanced. Configure any available method, and specify methods for First and Second Authentication.



Determining a Usage Profile
Security settings can change dynamically with the network location type. The network location type is useful on portable computers, which usually move from network to network; programs use these locations to automatically apply the appropriate configuration options. Windows supports three network types:
  • Domain: The computer is a domain member.
  • Private: Trusted networks (home or small office network).
  • Public: The default for a newly detected network; the most restrictive settings are usually assigned because of the security risks present in a public network.


Demo – Configure a Connection Security Rule
  1. Start | Administrative Tools | Windows Firewall with Advanced Security
  2. Highlight Connection Security Rules
  3. Right-click and select New Rule…
  4. On the Rule Type page, we will choose Server-to-server
  5. Click Next
  6. On the Endpoints page, Which computers are in Endpoint 1?
  7. Select These IP addresses:
  8. Click Add
  9. In the IP Address dialog box, enter The IP address or subnet: or This IP address range: or Predefined set of computers:
  10. Click OK
  11. On the Endpoints page, Which computers are in Endpoint 2?
  12. Select These IP addresses:
  13. Click Add
  14. In the IP Address dialog box, enter The IP address or subnet: or This IP address range: or Predefined set of computers:
  15. Click OK
  16. On the Requirements dialog box, When do you want authentication to occur? Select one of the authentication requirements pertaining to inbound and outbound connections. We will choose Require authentication for inbound and outbound connections
  17. Click Next
  18. On the Authentication Method page, What authentication method would you like to use? Select the method you would like, Computer certificate, Preshared Key (not recommended), or Advanced.
  19. Click Next
  20. On the Profile page, When does the rule apply? Select either Domain, Private, or Public (you may select one, two, or all of them)
  21. Click Next
  22. In the Name dialog box, give the New Connection Security Rule a name.
  23. Click Finish.
  24. You can now see this rule is enabled and you can see the endpoints and authentication mode.
Make sure the rule is in effect
  1. Go to the command prompt
  2. ping servername
  3. The ping times out because the other endpoint does not yet have a matching connection security rule.
  4. Now, do a persistent ping: ping -t servername
  5. While it is pinging, go to the other computer to input the other connection rule.


Demo – Configure a Connection Security Rule (on the other endpoint)
  1. Start | Administrative Tools | Windows Firewall with Advanced Security
  2. Highlight Connection Security Rules
  3. Right-click and select New Rule…
  4. On the Rule Type page, we will choose Server-to-server
  5. Click Next
  6. On the Endpoints page, Which computers are in Endpoint 1? (Very important to reverse the endpoint IP addresses on this rule)
  7. Select These IP addresses:
  8. Click Add
  9. In the IP Address dialog box, enter The IP address or subnet: or This IP address range: or Predefined set of computers:
  10. Click OK
  11. On the Endpoints page, Which computers are in Endpoint 2?
  12. Select These IP addresses:
  13. Click Add
  14. In the IP Address dialog box, enter The IP address or subnet: or This IP address range: or Predefined set of computers:
  15. Click OK
  16. On the Requirements dialog box, When do you want authentication to occur? Select one of the authentication requirements pertaining to inbound and outbound connections. We will choose Require authentication for inbound and outbound connections
  17. Click Next
  18. On the Authentication Method page, What authentication method would you like to use? Select the method you would like, Computer certificate, Preshared Key (not recommended), or Advanced.
  19. Click Next
  20. On the Profile page, When does the rule apply? Select either Domain, Private, or Public (you may select one, two, or all of them)
  21. Click Next
  22. In the Name dialog box, give the New Connection Security Rule a name.
  23. Click Finish.
  24. You can now see this rule is enabled and you can see the endpoints and authentication mode.
  25. Now, when you go to the command prompt, you will see it is now able to ping the server and view the shared resources.
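The two demos above build the pair of server-to-server rules by hand, one per endpoint. The same pair can be scripted with the netsh advfirewall consec context listed under IPSec Configuration Tools, and the script also adds the firewall rule that, as the note under Connection Security Rules points out, is still needed after the connection security rule exists. This is an added example, not a script from the original post: the two server names, the 192.0.2.x addresses, and the CA subject name are constructed placeholders, and the auth1ca value format is an assumption. The action= values map onto the wizard's authentication requirements (action=requireinrequireout is "Require authentication for inbound and outbound connections").

```batch
@echo off
rem Added example (not from the original post). Two endpoints, constructed addresses:
rem   SERVER-A = 192.0.2.10   SERVER-B = 192.0.2.20
rem Run the first rule on SERVER-A and the second on SERVER-B. The endpoints are
rem reversed on the second computer, exactly as the second demo points out.

rem --- On SERVER-A: server-to-server rule authenticated with a computer certificate ---
rem action=requireinrequireout = "Require authentication for inbound and outbound connections"
rem action=requireinrequestout = "Require authentication for inbound, request for outbound"
rem action=requestinrequestout = "Request authentication for inbound and outbound connections"
rem auth1ca is the issuing CA's subject name; "CN=Example Issuing CA" is a placeholder.
netsh advfirewall consec add rule name="SrvA to SrvB" endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout auth1=computercert auth1ca="CN=Example Issuing CA" profile=domain

rem --- On SERVER-B: the same rule with endpoint1 and endpoint2 swapped ---
netsh advfirewall consec add rule name="SrvB to SrvA" endpoint1=192.0.2.20 endpoint2=192.0.2.10 action=requireinrequireout auth1=computercert auth1ca="CN=Example Issuing CA" profile=domain

rem --- On the file server: the connection security rule does not let traffic through the
rem --- firewall, so allow SMB (TCP 445) inbound, but only on connections that IPsec has
rem --- already authenticated and encrypted (security=authenc). Clear-text SMB stays blocked.
netsh advfirewall firewall add rule name="SMB in (IPsec only)" dir=in action=allow protocol=TCP localport=445 security=authenc profile=domain

rem --- Verify: list the rules, then watch the main-mode and quick-mode security
rem --- associations appear while "ping -t 192.0.2.20" runs on the other endpoint.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Until both computers carry their rule, the persistent ping times out just as in the demo; once the second rule is added the main-mode SA shows up in the monitor output and the ping replies resume. The security=authenc option on the firewall rule is what turns "encrypt traffic to the file share" into an enforced requirement rather than a negotiation that could fall back to clear text.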


Configuring IPSec NAP Enforcement
IPSec breaks our network down into three logical networks. What effect does that have on our clients trying to access our network?
How is our system health policy defined and used within our IPSec?


IPSec Enforcement for Logical Networks
  • Restricted Network. A set of computers that do not have a health certificate: non-compliant NAP client computers, or computers that are not NAP-capable, such as Windows XP, Macs, or Unix-based computers.
  • Boundary Network. A set of computers with health certificates that do not require incoming connection attempts to use IPSec authentication. The Boundary Network holds the Remediation servers that patch non-compliant NAP clients; if we required these computers to use IPSec, the Remediation servers would not be able to patch the non-compliant computers.
  • Secure Network. A set of computers with a health certificate that require incoming connection attempts to use health certificates for IPSec authentication.


IPSec NAP Enforcement Processes
  • The Enforcement Client (EC) component on the NAP client, which has limited access, sends its current health state to the Health Registration Authority (HRA).
  • The HRA sends the client health information to the NAP Health Policy Server.
  • The NAP Health Policy Server evaluates the health information of the NAP client to determine compliance.
  • The NAP Health Policy Server sends the results back to the HRA.
  • If the NAP client is not compliant, the results include health remediation instructions and the HRA tells the client how to correct its health state. The client cannot talk to other NAP-enabled computers, but it can communicate with the Remediation servers to correct its current health state. The Remediation servers can send it anti-virus updates, system updates, and so on, to bring its health state up to the required level.
  • If the NAP client is compliant, the HRA obtains a health certificate for the NAP client, and the NAP client can now initiate IPSec-protected communication with other compliant computers, using its health certificate for IPSec authentication.
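The three logical networks described above (restricted, boundary, secure) are enforced purely by which connection security rule each set of computers carries. As an added example that is not part of the original post, the rules below express those roles with netsh advfirewall consec; the CA name is a placeholder for the CA that issues health certificates through the HRA, and the auth1healthcert= option and the enforcement client ID 79619 are the netsh names as I know them, so confirm them with netsh help and netsh nap client show state on your own servers.

```batch
@echo off
rem Added example (not from the original post): connection security rules for the
rem NAP logical networks. "CN=Example NAP CA" is a placeholder for the health-certificate CA.

rem --- Secure network members: require a health certificate on inbound connections,
rem --- request one on outbound, so a secure computer can still reach boundary servers.
rem --- auth1healthcert=yes restricts the rule to health certificates from that CA.
netsh advfirewall consec add rule name="NAP Secure Network" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="CN=Example NAP CA" auth1healthcert=yes profile=domain

rem --- Boundary network (HRA and remediation servers): request only, never require,
rem --- so a non-compliant client that has no certificate yet can still be patched.
netsh advfirewall consec add rule name="NAP Boundary Network" endpoint1=any endpoint2=any action=requestinrequestout auth1=computercert auth1ca="CN=Example NAP CA" auth1healthcert=yes profile=domain

rem --- Authentication exemption (the "Authentication Exemption" rule type): infrastructure
rem --- a client must reach before it holds any certificate. "dhcp" and "dns" are the
rem --- netsh keywords for the servers in the local adapter configuration.
netsh advfirewall consec add rule name="Exempt DHCP" endpoint1=any endpoint2=dhcp action=noauthentication
netsh advfirewall consec add rule name="Exempt DNS" endpoint1=any endpoint2=dns action=noauthentication

rem --- On the NAP client: switch on the IPsec Relying Party enforcement client
rem --- (79619 is its ID in the NAP client; "netsh nap client show state" lists them all).
netsh nap client set enforcement id=79619 admin=enable
netsh nap client show state

rem --- Review what is in force on this computer.
netsh advfirewall consec show rule name=all
```

A computer in the restricted network carries none of these rules and holds no health certificate, so its inbound connections to a secure-network member fail the requireinrequestout check, while its outbound connections to the boundary network still succeed because that rule only requests authentication. That asymmetry is what lets remediation work without weakening the secure network.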


Requirements to Deploy IPSec NAP Enforcement
Note: If the local computer does not have HRA installed, you also need to configure the following:
  • Install NPS on the computer that is running HRA.
  • Configure NPS on the remote HRA NPS server as a RADIUS proxy to forward connection requests to the local NPS server.


Create an IPSec Negotiation Policy
  1. Start | Administrative Tools | Local Security Policy
  2. Right-click the IP Security Policies on Local Computer node, then click Create IP Security Policy
  3. Welcome to the IP Security Policy Wizard displays
  4. Click Next
  5. In the Name box, type SecureFileSharing. In the Description field, type Policy to encrypt SMB, and click Next
  6. In the Completing the IP Security Policy Wizard dialog box, select the Edit properties box, click Finish
  7. In the SecureFileSharing dialog box, click Add
  8. In the Welcome to the Create IP Security Rule Wizard box, click Next
  9. In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel
  10. In the Network Type dialog box, click All network connections, and click Next
  11. In the IP Filter List dialog box, click Add
  12. A new dialog box, also called IP Filter List, displays. In the Name field, enter SMBTCP, and press Add
  13. On the Welcome to the IP Filter Wizard dialog box, click Next
  14. In the Description field, type SMB IPsec Filter, click Next
  15. In the IP Traffic Source dialog box, select Any IP Address, click Next
  16. In the IP Traffic Destination dialog box, select Any IP Address, click Next
  17. In the IP Protocol Type dialog box, click TCP in the drop down box, and click Next
  18. In the IP Protocol Port dialog box, select From this port, type 445, then select To any Port, and click Next
  19. In the Completing IP Filter Wizard dialog box, click Finish and then OK
  20. In the IP Filter List dialog box, click Add
  21. A new dialog box, also called IP Filter List, displays. In the Name field, enter SMBUDP, and press Add
  22. On the Welcome to the IP Filter Wizard dialog box, click Next
  23. In the Description field, type SMB IPsec Filter, click Next
  24. In the IP Traffic Source dialog box, select Any IP Address, click Next
  25. In the IP Traffic Destination dialog box, select Any IP Address, click Next
  26. In the IP Protocol Type dialog box, click UDP in the drop down box, and click Next
  27. In the IP Protocol Port dialog box, select From this port, type 445, then select To any Port, and click Next
  28. In the Completing IP Filter Wizard dialog box, click Finish and then OK
  29. In the IP Filter List dialog box, select SMBTCP, click Next
  30. In the Filter Action box, click Add
  31. In the Filter Action Wizard box, click Next
  32. In the Filter Action Name dialog box, type SecureTransmissionFilter and click Next
  33. In the Filter Action General Options dialog box, select Negotiate Security, and click Next
  34. In the Communicating with Computers that do not support IPsec dialog box, select Do not allow unsecured communications, and click Next
  35. In the IP Traffic Security dialog box, select Integrity and Encryption, and click Next
  36. On the Completing the IP Security Filter Action Wizard screen, click Finish
  37. In the Filter Action dialog box, select SecureTransmissionFilter, and click Next
  38. On the Authentication Method dialog box, select Active Directory default (Kerberos V5 Protocol), and click Next
  39. On the Completing the Security Rule Wizard screen, click Finish
  40. In the SecureFileSharing Properties dialog box, click OK
  41. To export the policy, in the Local Security Policy MMC console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies
  42. In the Save As box, type in a file location, and click Save
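Both IP Security Policy demos on this page (Block ICMP earlier, and the SecureFileSharing negotiation policy just above) can be reproduced without the MMC wizard by using the netsh ipsec static context, which is the scriptable front end to the same local IP Security Policies store. The script below is an added example, not the original post's procedure: the policy, filter list and filter action names match the demos, the export path is a placeholder, and the qmsecmethods value (ESP with 3DES confidentiality and SHA1 integrity, in the order netsh expects) is my choice for the wizard's "Integrity and Encryption" setting.

```batch
@echo off
rem Added example (not from the original post): the two IP Security Policy demos on this
rem page, scripted with "netsh ipsec static" instead of the MMC wizard.

rem ===== Demo 1: "Block ICMP" (the server stops answering ping once the policy is assigned) =====
netsh ipsec static add policy name="Block ICMP" description="Prevent people from pinging the server" assign=no
netsh ipsec static add filterlist name="ICMP Filter" description="All ICMP, any source, any destination"
rem mirrored=yes also matches the reply direction, like the wizard's Mirrored option
netsh ipsec static add filter filterlist="ICMP Filter" srcaddr=any dstaddr=any protocol=ICMP mirrored=yes
netsh ipsec static add filteraction name="Block ICMP Action" action=block
netsh ipsec static add rule name="Block ICMP Rule" policy="Block ICMP" filterlist="ICMP Filter" filteraction="Block ICMP Action"

rem ===== Demo 2: "SecureFileSharing" (negotiate ESP for SMB on port 445) =====
netsh ipsec static add policy name=SecureFileSharing description="Policy to encrypt SMB" assign=no
rem Filter lists: TCP 445 and UDP 445, any source to any destination.
rem srcport=445 dstport=0 is the wizard's "From this port 445 / To any port".
netsh ipsec static add filterlist name=SMBTCP description="SMB IPsec Filter"
netsh ipsec static add filter filterlist=SMBTCP srcaddr=any dstaddr=any protocol=TCP srcport=445 dstport=0 mirrored=yes
netsh ipsec static add filterlist name=SMBUDP description="SMB IPsec Filter"
netsh ipsec static add filter filterlist=SMBUDP srcaddr=any dstaddr=any protocol=UDP srcport=445 dstport=0 mirrored=yes
rem Filter action: Negotiate Security; soft=no is "Do not allow unsecured communications",
rem inpass=no refuses unsecured inbound traffic; ESP[3DES,SHA1] gives integrity and encryption.
netsh ipsec static add filteraction name=SecureTransmissionFilter action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
rem One rule per filter list (the wizard attaches a single list to each rule), using
rem Kerberos V5 (the Active Directory default) as the authentication method.
netsh ipsec static add rule name="Secure SMB TCP" policy=SecureFileSharing filterlist=SMBTCP filteraction=SecureTransmissionFilter kerberos=yes conntype=all
netsh ipsec static add rule name="Secure SMB UDP" policy=SecureFileSharing filterlist=SMBUDP filteraction=SecureTransmissionFilter kerberos=yes conntype=all

rem ===== Assign one policy (only one local IPsec policy can be assigned at a time) =====
rem Use name="Block ICMP" here to reproduce demo 1 instead.
netsh ipsec static set policy name=SecureFileSharing assign=y

rem ===== Export (steps 41-42 of the demo) and review =====
netsh ipsec static exportpolicy file="C:\IPsecPolicies\SecureFileSharing.ipsec"
netsh ipsec static show policy name=SecureFileSharing level=verbose
netsh ipsec static show all
```

With soft=no and inpass=no the policy behaves like the answer to the first question on this page: a client that cannot negotiate IPSec is refused rather than silently falling back to clear-text SMB, which is the failure mode the audit in that question found. Because only one policy is assigned at a time, assigning Block ICMP unassigns SecureFileSharing, so in practice the ICMP filter list and its block action would be added as a second rule inside the one policy you keep assigned.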

To enable remote IPsec monitoring, enable the enableremotemgmt Registry key.
Enable and Disable NAP Enforcement Clients

1 comment:

  1. This is a great article, and a great topic to explore. Thanks for sharing.
