Wednesday, April 21, 2010

Lesson 9

Securing Data Transmission and Authentication

Securing Network Traffic with IPSec

Whether you have a public or private presence on the Internet, securing your organization's data is a core requirement. We deploy measures to secure the network perimeter and secure access to resources; however, securing the actual IP (Internet Protocol) traffic is often overlooked. Both TCP and UDP contain a checksum in the header of each packet, which is a mathematical value used to verify the integrity of each packet. However, because this is a well-known algorithm, a malicious user can intercept these packets, view and modify their contents, recompute the checksums and then forward the packets to their destination without the sender or receiver knowing.

The IPSec suite of protocols was developed to provide security services for IP packets and is now the standard method of doing so. It has two principal goals: to protect the contents of IP packets, and to provide a defense against network attacks through packet filtering and the enforcement of trusted communication. Both of these goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management.

IPSec has a number of features that can significantly reduce or prevent the following attacks:
• Packet Sniffing – IPSec includes mechanisms that provide data confidentiality by encrypting the payload of IP packets.
• Data Modification – IPSec uses cryptography-based keys, shared only by the sender and receiver, to create a cryptographic checksum for each IPSec-secured IP packet, protecting the integrity of the data.
• Identity Spoofing – IPSec allows the exchange and verification of identities without exposing that information to interpretation by the attacker. This process, known as mutual authentication, is used to establish trust between the communicating systems.
• Man-in-the-middle attacks – IPSec protects against these through a combination of mutual authentication and the use of shared cryptography-based keys to confirm the integrity of each packet as well as the identity of the sender and receiver.
• Denial of service attacks – IPSec uses IP packet filtering as the basis for determining whether communication is allowed, secured, or blocked. This determination is based on IP address ranges, IP protocols, or even specific TCP and UDP ports.
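
The difference between the unkeyed TCP/UDP checksum and the keyed cryptographic checksum described under Data Modification, as an added example (not part of the original lesson). Both values are computed over the payload only, which is a simplification; HMAC-SHA-256, the key and the sample payload are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, the TCP/UDP algorithm."""
    if len(data) % 2:
        data += b"\x00"                       # pad to a whole 16-bit word
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def checksum_ok(payload: bytes, checksum: int) -> bool:
    return internet_checksum(payload) == checksum

def keyed_icv(key: bytes, payload: bytes) -> bytes:
    """Keyed hash over the payload: HMAC-SHA-256 truncated to 128 bits."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:16]

def icv_ok(key: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(keyed_icv(key, payload), icv)

def demo() -> dict:
    key = b"constructed-shared-secret-key"    # constructed; known only to the peers
    original = b"PAY 100 TO ALICE"            # constructed sample payload
    tampered = b"PAY 900 TO ALICE"            # same payload altered in transit

    sent_checksum = internet_checksum(original)
    sent_icv = keyed_icv(key, original)

    # The checksum needs no secret, so it can be recomputed for altered data.
    recomputed = internet_checksum(tampered)
    # The keyed value cannot be recomputed without the key, so the change shows.
    return {
        "stale_checksum_detects_change": not checksum_ok(tampered, sent_checksum),
        "recomputed_checksum_accepted": checksum_ok(tampered, recomputed),
        "icv_accepts_original": icv_ok(key, original, sent_icv),
        "icv_rejects_tampered": not icv_ok(key, tampered, sent_icv),
    }
```

The checksum only catches accidental corruption, because anyone on the path can produce a matching value; the keyed check fails for any payload the key holder did not sign.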

IPSec is an architectural framework that provides cryptographic security services for IP packets. It is an end-to-end security technology, meaning that the only nodes aware of the presence of IPSec are the two hosts using IPSec to communicate with each other.

IPSec can be deployed to protect data transmissions in the following scenarios:
• LAN – Client/server and peer-to-peer.
• WAN – Router to Router and gateway to gateway.
• Remote Access – Dial-up clients and Internet access from private networks.

IPSec has many security features, including the following:
• Automatic security associations
• IP Packet Filtering
• Network Layer security
• Peer Authentication
• Data origin Authentication
• Data integrity
• Data confidentiality
• Anti-replay
• Key management

You can configure IPSec to use the following two modes:
• Transport mode – Used when you require packet filtering and when you require end-to-end security. Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters.
• Tunnel mode – Used for site-to-site communications that cross the Internet (or other public networks). Tunnel mode provides gateway-to-gateway protection.

The IPSec protocol suite provides security using a combination of individual protocols. The following protocols work independently or in tandem, depending on the need for confidentiality and authentication:
• AH (Authentication Header) provides authentication, integrity and anti-replay for the entire packet. It doesn’t provide confidentiality and doesn’t encrypt the data. Therefore the data can be read, but it can’t be modified. It uses keyed hash algorithms to sign the packet.
• ESP (Encapsulating Security Payload) provides confidentiality (in addition to authentication, integrity and anti-replay) for the IP payload.

An IPSec security association (SA) is the combination of security services, protection mechanisms, and cryptographic keys mutually agreed to by communicating peers. The SA determines how the traffic is to be secured and with which secret keys. The following are the two types of SA:
• ISAKMP SA (Main Mode) is used to protect IPSec security negotiations.
• IPSec SA (Quick Mode) is used to protect data sent between the IPSec peers.

When an IPSec session is established between two hosts, the following three security associations (SAs) must be tracked:
• ISAKMP SA
• Inbound IPSec SA
• Outbound IPSec SA

To identify a specific SA for tracking purposes, a 32-bit number known as the SPI (Security Parameters Index) is used.

IKE (Internet Key Exchange) is a standard that defines a mechanism to establish SAs.

IKE combines ISAKMP and the Oakley Key Determination Protocol to generate secret key material.

IPSec policies are the security rules defining security levels, hashing and encryption algorithms, and key length. These rules also define the addresses, protocols, DNS names, subnets, or connection types to which they apply. These policies can be configured to meet the security requirements at the user, group, application, domain, or site level, or for the entire network (organization).

The components of an IPSec policy are as follows:
• Tunnel setting – The IP address of the endpoint.
• Network type – The type of connection affected by the IPSec policy.
• IP filter – A subset of network traffic based on IP address, port and transport protocols.
• IP filter list – The concatenation of one or more IP filters, which define a range of network traffic.
• Filter action – How IPSec should secure network traffic.
• Authentication method – One of the security algorithms and types used for authentication and key exchange.

Windows Server 2008 provides the following four pre-configured connection security rules, or you can create a custom rule:
• Isolation rule allows you to restrict inbound and outbound connections based on certain sets of criteria, such as membership in a particular AD domain.
• Authentication Exception rule allows you to specify one or more computers that do not need to be authenticated in order to pass traffic: for example, defining a DHCP server that should not have an Isolation connection security rule applied to it.
• Server-to-Server rule secures traffic between two servers or two groups of servers.
• Tunnel rule is similar to the server-to-server rule; however, it will secure traffic only between tunnel endpoints, not between the actual hosts that will be sending and receiving secured traffic.

The IPSec driver stores all current quick mode SAs in a database. The IPSec driver uses the SPI field to match the correct SA with the correct packet.
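
How the SPI lookup works together with the anti-replay feature listed earlier, as an added example (not part of the original lesson and not Windows' own code). The ESP header layout (32-bit SPI followed by a 32-bit sequence number) is standard; the 64-packet window, the SA table, the peer address and the SPI values are constructed for illustration, and the integrity check a real receiver performs before updating the window is left out.

```python
import struct
from dataclasses import dataclass

WINDOW = 64  # anti-replay window size in packets (assumed for this sketch)

@dataclass
class InboundSA:
    spi: int
    peer: str
    highest_seq: int = 0   # highest sequence number accepted so far
    bitmap: int = 0        # bit i set => (highest_seq - i) was already seen

    def check_and_update(self, seq: int) -> str:
        if seq == 0:
            return "drop: invalid sequence number"
        if seq > self.highest_seq:                     # slides the window forward
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return "accept"
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return "drop: older than replay window"
        if self.bitmap & (1 << offset):
            return "drop: replayed"
        self.bitmap |= 1 << offset                     # late arrival, not seen yet
        return "accept"

def process(sad: dict, packet: bytes) -> str:
    """Match an ESP packet to its SA by SPI, then apply the replay check."""
    if len(packet) < 8:
        return "drop: truncated header"
    spi, seq = struct.unpack("!II", packet[:8])        # ESP: SPI, sequence number
    sa = sad.get(spi)
    if sa is None:
        return "drop: no SA for SPI"
    # A real receiver verifies the packet's integrity before updating the window.
    return sa.check_and_update(seq)

def esp(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq) + b"<encrypted payload>"

def demo() -> list:
    sad = {0x1A2B3C4D: InboundSA(0x1A2B3C4D, "192.0.2.10")}   # constructed SA
    stream = [(0x1A2B3C4D, 1), (0x1A2B3C4D, 3), (0x1A2B3C4D, 2),
              (0x1A2B3C4D, 3), (0xDEADBEEF, 4), (0x1A2B3C4D, 100),
              (0x1A2B3C4D, 5)]                                 # constructed traffic
    return [process(sad, esp(spi, seq)) for spi, seq in stream]
```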

The security negotiation process is divided into the following two types of negotiation:

• Main mode negotiation is used to establish the ISAKMP SA, which is used to protect future main mode and all quick mode negotiations.
• Quick mode negotiation must occur to determine the type of traffic to be secured and how it will be secured. A quick mode negotiation is also done when a quick mode SA expires.

The purpose of the IPSec Policy Agent service is to retrieve information about IPSec policies and to pass this information to other IPSec components that require it in order to perform security functions.

Deploying IPSec: IPSec can be deployed using local policies, AD, or both. Each method has its advantages and disadvantages.

Managing and Monitoring IPSec: Windows Server 2008 provides several tools to manage and monitor IPSec, including IP Security Monitor, RSoP, Event Viewer, and the netsh command-line utility.

Network Authentication

Securing the network authentication process is another common issue. By default, Kerberos v5 is the protocol used in AD; however, there are situations in which the NTLM authentication protocols come into play. The following are the available versions of NTLM authentication and their strength:

• LM Authentication is the weakest form, used in the earliest days of Windows networking (Windows NT, 95 and 98). Passwords were easily hacked through the use of packet sniffers.
• NTLM Authentication is the middle of the road; it improved upon the security of LM authentication.
• NTLMv2 Authentication is the strongest form. It further improved security and required additional software to be installed on Windows 95 and 98 workstations. In Windows 2000 and later it is built in by default.

Windows Firewall

The Windows Firewall with Advanced Security MMC snap-in allows you to control inbound and outbound traffic on a Windows Server 2008 computer, as well as integrate Windows Firewall configuration with IPSec through the use of Connection Security rules.
