Module 9: Configuring IPsec

Upload: nelson-atkins

Post on 12-Jan-2016


Page 1: Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement

Module 9: Configuring IPsec

Module Overview

• Overview of IPsec

• Configuring Connection Security Rules

• Configuring IPsec NAP Enforcement

Lesson 1: Overview of IPsec

• Benefits of IPsec

• Recommended Uses of IPsec

• Tools Used to Configure IPsec

• What Are Connection Security Rules?

• Demonstration: Configuring General IPsec Settings

Benefits of IPsec

IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network

• IPsec has two goals: to protect IP packets and to defend against network attacks

• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other

• IPsec secures network traffic by using encryption and data signing

• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

Recommended Uses of IPsec

Recommended uses of IPsec include:

• Authenticating and encrypting host-to-host traffic

• Authenticating and encrypting traffic to servers

• L2TP/IPsec for VPN connections

• Site-to-site tunneling

• Enforcing logical networks

Tools Used to Configure IPsec

To configure IPsec, you can use:

• Windows Firewall with Advanced Security MMC (used for Windows Server 2008 and Windows Vista)

• IP Security Policy MMC (used for mixed environments and to configure policies that apply to all Windows versions)

• Netsh command-line tool

What Are Connection Security Rules?

Connection security rules involve:

• Authenticating two computers before they begin communications

• Securing information being sent between two computers

• Using key exchange, authentication, data integrity, and data encryption (optionally)

How firewall rules and connection rules are related:

• Firewall rules allow traffic through, but do not secure that traffic

• Connection security rules can secure the traffic, but creating a connection security rule does not allow traffic through the firewall

Demonstration: Configuring General IPsec Settings

In this demonstration, you will see how to configure General IPsec settings in Windows Firewall with Advanced Security

Lesson 2: Configuring Connection Security Rules

• Choosing a Connection Security Rule Type

• What Are Endpoints?

• Choosing Authentication Requirements

• Authentication Methods

• Determining a Usage Profile

• Demonstration: Configuring a Connection Security Rule

Choosing a Connection Security Rule Type

Rule types and their descriptions:

• Isolation: restricts connections based on authentication criteria that you define

• Authentication Exemption: exempts specific computers, or a group or range of IP addresses, from being required to authenticate; grants access to those infrastructure computers with which this computer must communicate before authentication occurs

• Server-to-Server: authenticates two specific computers, two groups of computers, two subnets, or a specific computer and a group of computers or subnet

• Tunnel: provides secure communications between two peer computers through tunnel endpoints (VPN or L2TP/IPsec tunnels)

• Custom: enables you to create a rule with special settings

What Are Endpoints?

[Diagram: ESP packet layouts. ESP Transport Mode: IP HDR | ESP HDR | Data | ESP TRLR | ESP Auth, with the Data and ESP TRLR encrypted. ESP Tunnel Mode: New IP HDR | ESP HDR | original IP HDR + Data | ESP TRLR | ESP Auth, with the entire original IP packet and ESP TRLR encrypted.]

Choosing Authentication Requirements

Options and their descriptions:

• Request authentication for inbound and outbound connections: ask that all inbound and outbound traffic be authenticated, but allow the connection if authentication fails

• Require authentication for inbound connections and request authentication for outbound connections: inbound traffic must be authenticated or it is blocked; outbound traffic is authenticated when possible but is allowed if authentication fails

• Require authentication for inbound and outbound connections: all inbound and outbound traffic must be authenticated or it is blocked

Authentication Methods

Methods and their key points:

• Default: use the authentication method configured on the IPsec Settings tab

• Computer and User (Kerberos V5): request or require both the user and the computer to authenticate before communications can continue; domain membership required

• Computer (Kerberos V5): request or require the computer to authenticate using Kerberos V5; domain membership required

• User (Kerberos V5): request or require the user to authenticate using Kerberos V5; domain membership required

• Computer certificate: request or require a valid computer certificate; requires at least one CA. With "Only accept health certificates", request or require a valid health certificate to authenticate; requires IPsec NAP

• Advanced: configure any available method; you can specify methods for First and Second Authentication
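The rule types, authentication requirements and authentication methods above, expressed as an added example with the Netsh command-line tool listed in Lesson 1; this is not course material, and the rule names, the CA name and the RDP port are constructed placeholders.

```powershell
# Added example, not from the course deck: the rule types and authentication
# options above, created with the Netsh command-line tool listed in Lesson 1.
# Run from an elevated PowerShell (or cmd.exe) prompt. Rule names, the CA name
# and the RDP port are constructed placeholders for illustration.

# 1. Isolation rule, Domain profile only: "Require authentication for inbound
#    connections and request authentication for outbound connections".
#    First authentication is Computer (Kerberos V5), so domain membership is needed.
netsh advfirewall consec add rule name="Domain Isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb profile=domain

# 2. Same idea for hosts that cannot use Kerberos (workgroup computers):
#    "Require authentication for inbound and outbound connections" with a
#    computer certificate issued by the named CA (placeholder name). Adding
#    auth1healthcert=yes would accept only NAP health certificates (IPsec NAP).
netsh advfirewall consec add rule name="Certificate Isolation" `
    endpoint1=any endpoint2=any action=requireinrequireout `
    auth1=computercert auth1ca="CN=Corp Root CA"

# 3. Authentication Exemption: infrastructure the computer must reach before it
#    can authenticate (here, its configured DNS servers) is excused from IPsec.
netsh advfirewall consec add rule name="Exempt DNS Servers" `
    endpoint1=any endpoint2=dns action=noauthentication

# 4. A connection security rule secures traffic but does not let it through the
#    firewall. Pair it with a firewall rule; security=authenticate additionally
#    accepts inbound RDP only from peers that authenticated via IPsec.
netsh advfirewall firewall add rule name="RDP (IPsec authenticated)" `
    dir=in action=allow protocol=TCP localport=3389 security=authenticate

# 5. Review the rules and the main-mode security associations that form once
#    peers begin to communicate.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Rule 4 illustrates the point from Lesson 1 that connection security rules and firewall rules are separate: without the firewall rule, the secured RDP traffic would still be dropped.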

Determining a Usage Profile

Windows supports three network types, and programs can use these locations to automatically apply the appropriate configuration options:

• Domain: selected when the computer is a domain member

• Private: networks trusted by the user (home or small office network)

• Public: the default for newly detected networks; usually the most restrictive settings are assigned because of the security risks present on public networks

Security settings can change dynamically with the network location type

The network location type is most useful on portable computers, which are likely to move from network to network

Demonstration: Configuring a Connection Security Rule

In this demonstration, you will see how to configure a Connection Security rule

Lesson 3: Configuring IPsec NAP Enforcement

• IPsec Enforcement for Logical Networks

• IPsec NAP Enforcement Processes

• Requirements to Deploy IPsec NAP Enforcement

IPsec Enforcement for Logical Networks

[Diagram: IPsec enforcement for logical networks. Restricted Network: non-NAP capable clients and non-compliant NAP clients. Boundary Network: NAP enforcement servers (HRA, VPN, 802.1X, DHCP, NPS proxy) and remediation servers. Secure Network: compliant NAP clients, secure servers and NPS servers (NAP administration server, network policies, NAP health policies, connection request policies, SHVs). Also shown: certificate services, e-mail servers and NAP policy servers. NAP clients run SHAs, the NAP agent and NAP ECs.]

IPsec NAP Enforcement Processes

IPsec NAP Enforcement includes:

• Policy validation

• NAP enforcement

• Network restriction

• Remediation

• Ongoing monitoring of compliance

[Diagram: IPsec NAP enforcement process. Intranet: NAP Health Policy Server, Health Registration Authority, Active Directory, Remediation Servers, DHCP Server, IEEE 802.1X devices and a VPN Server. Perimeter Network facing the Internet. Restricted Network: NAP client with limited access.]

Requirements to Deploy IPsec NAP Enforcement

Requirements for deploying IPsec NAP Enforcement:

• Active Directory

• Active Directory Certificate Services

• Network Policy Server

• Health Registration Authority

Lab: Configuring IPsec NAP Enforcement

• Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement

• Exercise 2: Configuring and Testing IPsec NAP Enforcement

Logon information

Virtual machines: NYC-DC1, NYC-CL1, NYC-CL2

User name: Administrator

Password: Pa$$w0rd

Estimated time: 60 minutes

Lab Review

• What would the implication be if you installed the Certificate Server as an Enterprise CA, as opposed to a Standalone CA, and you have workgroup computers that need to be NAP compliant?

• Under what circumstances would Authentication Exemption be useful in a Connection Security Rule?

Module Review and Takeaways

• Review Questions

• Common Misconceptions About IPsec

• IPsec Benefits

• Tools