Module 9: Configuring IPsec

Module Overview
• Overview of IPsec • Configuring Connection Security Rules • Configuring IPsec NAP Enforcement

Lesson 1: Overview of IPsec
• Benefits of IPsec • Recommended Uses of IPsec • Tools Used to Configure IPsec • What Are Connection Security Rules? • Demonstration: Configuring General IPsec Settings

Benefits of IPsec
IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network

• IPsec has two goals: to protect IP packets and to defend against network attacks • Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other

• IPsec secures network traffic by using encryption and data signing • An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

Recommended Uses of IPsec
Recommended uses of IPsec include:
• Authenticating and encrypting host-to-host traffic • Authenticating and encrypting traffic to servers • L2TP/IPsec for VPN connections • Site-to-site tunneling • Enforcing logical networks

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Tools Used to Configure IPsec

To configure IPsec, you can use: • Windows Firewall with Advanced Security MMC (used for Windows Server 2008 and Windows Vista) • IP Security Policy MMC (Used for mixed environments and to configure policies that apply to all Windows versions) • Netsh command-line tool

What Are Connection Security Rules?
Connection security rules involve:
• Authenticating two computers before they begin communications • Securing information being sent between two computers • Using key exchange, authentication, data integrity, and data encryption (optionally)

How firewall rules and connection rules are related:
• Firewall rules allow traffic through, but do not secure that traffic • Connection security rules can secure the traffic, but creating a connection security rule does not allow traffic through the firewall

Demonstration: Configuring General IPsec Settings
In this demonstration, you will see how to configure General IPsec settings in Windows Firewall with Advanced Security

Lesson 2: Configuring Connection Security Rules
• Choosing a Connection Security Rule Type • What Are Endpoints? • Choosing Authentication Requirements • Authentication Methods • Determining a Usage Profile • Demonstration: Configuring a Connection Security Rule

Choosing a Connection Security Rule Type
Rule Type
Isolation Authentication Exemption

Description
Restricts connections based on authentication criteria that you define
• Exempts specific computers, or a group or range of IP

addresses, from being required to authenticate which this computer must communicate before authentication occurs

• Grants access to those infrastructure computers with

Server-to-Server

Authenticates two specific computers, two groups of computers, two subnets, or a specific computer and a group of computers or subnet Provides secure communications between two peer computers through tunnel endpoints (VPN or L2TP IPsec tunnels) Enables you to create a rule with special settings

Tunnel

Custom

What Are Endpoints?
ESP Transport Mode

IP HDR

Data

IP HDR

ESP HDR

Encrypted Data

ESP TRLR

ESP Auth

ESP Tunnel Mode

IP HDR

Data

New IP HDR

ESP HDR

Encrypted IP Packet

ESP TRLR

ESP Auth

Choosing Authentication Requirements
Option Description

Request Authentication for inbound and Ask that all inbound/outbound traffic be outbound connections authenticated, but allow the connection if authentication fails Require authentication for inbound connections and request authentication for outbound connections
• Require inbound be authenticated or it

will be blocked

• Outbound can be authenticated but will

be allowed if authentication fails

Require authentication for inbound and outbound connections

Require that all inbound/outbound traffic be authenticated or the traffic will be blocked

Authentication Methods
Method Default Computer and User (Kerberos V5) Key Points Use the authentication method configured on the IPsec Settings tab You can request or require both the user and computer authenticate before communications can continue; domain membership required

Computer (Kerberos Request or require the computer to authenticate using V5) Kerberos V5 Domain membership required User (Kerberos V5) Request or require the user to authenticate using Kerberos V5; domain membership required

Computer certificate • Request or require a valid computer certificate, requires at least one CA
• Only accept health certificates: Request or require a valid

health certificate to authenticate, requires IPsec NAP

Advanced

Configure any available method; you can specify methods for First and Second Authentication

Determining a Usage Profile
Security Settings can change dynamically with the network location type Windows supports three network types, and programs can use these locations to automatically apply the appropriate configuration options: • Domain: selected when the computer is a domain member • Private: networks trusted by the user (home or small office network) • Public: default for newly detected networks, usually the most restrictive settings are assigned because of the security risks present on public networks

The network location type is most useful on portable computers which are likely to move from network to network

Demonstration: Configuring a Connection Security Rule
In this demonstration, you will see how to configure a Connection Security rule

Lesson 3: Configuring IPsec NAP Enforcement
• IPsec Enforcement for Logical Networks • IPsec NAP Enforcement Processes • Requirements to Deploy IPsec NAP Enforcement

IPsec Enforcement for Logical Networks
HRA VPN 802.1X DHCP NPS proxy NAP administration server Network policies NAP health policies Connection request policies SHVs

SHAs NAP agent NAP ECs

Non-compliant NAP client

NAP enforcement servers

NPS servers Certificate services E-mail servers NAP policy servers

SHAs NAP agent NAP ECs

Non-NAP capable client

Remediation servers

Secure servers

Compliant NAP client

Restricted Network

Boundary Network

Secure Network

IPsec NAP Enforcement Processes
IPsec NAP Enforcement includes: • Policy validation • NAP enforcement • Network restriction • Remediation • Ongoing monitoring of compliance
VPN Server Active Directory IEEE 802.1X Devices

Health Registration Authority

Internet Perimeter Network
DHCP Server

Intranet

NAP Health Policy Server

Restricted Network
Remediation Servers NAP Client with limited access

Requirements to Deploy IPsec NAP Enforcement
Requirements for deploying IPsec NAP Enforcement:

   

Active Directory Active Directory Certificate Services Network Policy Server Health Registration Authority

Lab: Configuring IPsec NAP Enforcement
• Exercise 1: Preparing the Network Environment for IPsec

NAP Enforcement Enforcement

• Exercise 2: Configuring and Testing IPsec NAP

Logon information

Virtual machines User name Password

NYC-DC1, NYC-CL1, NYC-CL2

Administrator Pa$$w0rd

Estimated time: 60 minutes

Lab Review
• What would the implication be if you installed the

Certificate Server as an Enterprise CA, as opposed to a Standalone CA, and you have workgroup computers that need to be NAP compliant? Exemption be useful in a Connection Security Rule?

• Under what circumstances would Authentication

Module Review and Takeaways
• Review Questions • Common Misconceptions About IPsec • IPsec Benefits • Tools

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.