
CN2140 Server II


Presentation Transcript


  1. CN2140 Server II Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

  2. Agenda • Chapter 9: Securing Data Transmission and Authentication • Exercise • Lab • Quiz

  3. Securing Network Traffic with IPSec • IP Security (IPSec) suite of protocols • Two transport layer protocols (TCP and UDP) • Checksum • Provides a single security standard that uses a series of cryptographic algorithms across the network • Two principal goals: • To protect the contents of IP packets • To provide a defense against network attacks through packet filtering and the enforcement of trusted communication

  4. Securing Network Traffic with IPSec • Reduces or prevents the following attacks: • Packet sniffing • Data modification • Identity spoofing • Man-in-the-middle attacks • Denial of service attacks (DoS)

  5. IPSec • An architectural framework that provides cryptographic security services for IP packets • IPSec is an end-to-end security technology • Intermediate devices forward the packets as regular IP packets • Only the two parties know that encryption is in use • Both sides have to set the same IPSec policy

  6. IPSec • Security features • IP packet filtering • Network layer security • Peer authentication • Verify the identity of the peer • Anti-Replay • A sequence number on each packet • Key management • Secret key • See the list on page 206
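The anti-replay feature on this slide relies on the per-packet sequence number plus a receive window kept for each inbound Security Association. The following Python model is an added example, not code from the slides or from Windows; it implements the sliding-window check described in the AH and ESP RFCs (a highest-seen counter and a bitmap of recently received numbers). The window size of 64 and the sequence numbers fed through `filter_sequence` are constructed for the illustration.

```python
WINDOW_SIZE = 64  # RFC 4302/4303 require at least 32; 64 is a common default


class AntiReplayWindow:
    """Receive-side anti-replay state kept per inbound Security Association."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number (highest - i) was received

    def accept(self, seq):
        """Return True if seq is new and inside the window, False if replayed or too old."""
        if seq == 0:
            return False                      # the first packet on an SA carries seq 1
        if seq > self.highest:                # newer than anything seen: slide the window
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # jumped past the whole window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already received: replay
        self.bitmap |= 1 << offset
        return True


def filter_sequence(seqs, size=WINDOW_SIZE):
    """Run constructed incoming sequence numbers through one SA's window; return the accepted ones."""
    window = AntiReplayWindow(size)
    return [s for s in seqs if window.accept(s)]


if __name__ == "__main__":
    # Constructed sample: 2 arrives late but is accepted once; the second 2 is a replay;
    # 36 falls outside the 64-wide window once 100 has been seen.
    print(filter_sequence([1, 3, 2, 2, 100, 36, 37, 3]))
```

Because the window is per SA, a sequence number that is valid on one SA says nothing about another; this is also why the counter resets only when the SA is rekeyed (see the Dynamic Rekeying slide).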

  7. IPSec Modes • Transport mode • When you require packet filtering and when you require end-to-end security • Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters • Tunnel mode • For site-to-site communications that cross the Internet (or other public networks). • Tunnel mode provides gateway-to-gateway protection

  8. IPSec Protocols • Using a combination of individual protocols • The Authentication Header (AH) protocol • The Encapsulating Security Payload (ESP) protocol

  9. Authentication Header (AH) • Provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet) • Does not encrypt the data, but protects it from modification • Uses keyed hash algorithms to sign the packet for integrity

  10. Encapsulating Security Payload (ESP) • Provides confidentiality, authentication, integrity, and anti-replay • ESP in transport mode does not sign the entire packet; only the IP payload (not the IP header) is protected • ESP can be used alone or in combination with AH
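The difference between what AH and ESP (transport mode) cover is easiest to see by computing both integrity check values and then altering the IP header. The following Python is an added example, not code from the slides; it uses HMAC-SHA256 as the keyed hash, a constructed keystream in place of ESP's real cipher, and constructed keys and addresses. Real AH/ESP use negotiated keys, truncated ICVs and a proper block cipher with a per-packet IV, so treat the crypto here as a model of coverage, not of strength.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample keys for this illustration; in practice they come from IKE.
AH_KEY = b"constructed-ah-integrity-key"
ESP_INT_KEY = b"constructed-esp-integrity-key"
ESP_ENC_KEY = b"constructed-esp-encryption-key"


@dataclass
class Packet:
    src: str        # IP header source address
    dst: str        # IP header destination address
    payload: bytes  # transport payload (or the ESP body once protected)


def header_bytes(pkt):
    """The immutable IP header fields that AH covers (simplified to the two addresses)."""
    return pkt.src.encode() + b"->" + pkt.dst.encode()


def ah_protect(pkt):
    """AH: keyed hash over header and payload; returns the ICV carried in the AH header."""
    return hmac.new(AH_KEY, header_bytes(pkt) + pkt.payload, hashlib.sha256).digest()


def ah_verify(pkt, icv):
    expected = hmac.new(AH_KEY, header_bytes(pkt) + pkt.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, icv)


def keystream(key, length):
    """Illustration-only keystream (HMAC in counter mode); real ESP uses a block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_protect(pkt, spi=0x1001, seq=1):
    """ESP transport mode: encrypt the payload, then compute the ICV over SPI, sequence
    number and ciphertext only. The outer IP header is not covered."""
    esp_header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    ks = keystream(ESP_ENC_KEY, len(pkt.payload))
    ciphertext = bytes(a ^ b for a, b in zip(pkt.payload, ks))
    icv = hmac.new(ESP_INT_KEY, esp_header + ciphertext, hashlib.sha256).digest()
    return Packet(pkt.src, pkt.dst, esp_header + ciphertext + icv)


def esp_unprotect(pkt):
    """Verify the ESP ICV and decrypt; returns None when the ESP body was tampered with."""
    body = pkt.payload
    esp_header, ciphertext, icv = body[:8], body[8:-32], body[-32:]
    expected = hmac.new(ESP_INT_KEY, esp_header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, icv):
        return None
    ks = keystream(ESP_ENC_KEY, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def demo():
    """Constructed packet: AH catches a changed source address, ESP transport mode does not."""
    original = Packet("10.0.0.1", "10.0.0.2", b"GET /payroll HTTP/1.1")
    icv = ah_protect(original)
    spoofed = Packet("10.0.0.99", original.dst, original.payload)   # header changed in transit
    esp_pkt = esp_protect(original)
    esp_spoofed = Packet("10.0.0.99", esp_pkt.dst, esp_pkt.payload)
    return {
        "ah_accepts_genuine": ah_verify(original, icv),
        "ah_rejects_spoofed_header": not ah_verify(spoofed, icv),
        "esp_payload_hidden": original.payload not in esp_pkt.payload,
        "esp_decrypts": esp_unprotect(esp_pkt) == original.payload,
        "esp_ignores_header_change": esp_unprotect(esp_spoofed) == original.payload,
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the point of the slide: ESP in transport mode protects the payload, not the IP header, which is why AH (or ESP in tunnel mode, where the original header becomes part of the encrypted payload) is needed when header integrity matters.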

  11. IPSec Security Association • The combination of security sets mutually agreed to by communicating peers • Contains the information needed to determine • The security services and protection mechanisms • Secret keys • Two types of SAs are created when IPSec peers communicate securely: • The ISAKMP SA (Internet Security Association and Key Management Protocol) • The IPSec SA.

  12. ISAKMP SA (Main mode SA) • The ISAKMP SA is created by negotiating the cipher suite • A collection of cryptographic algorithms • Used to encrypt data used for protecting future ISAKMP traffic • Exchanging key generation material • Identifying and authenticating each IPSec peer

  13. IPSec SA (Quick mode SA) • Protects the data sent between the IPSec peers • Its negotiation packets are protected by the ISAKMP SA • Each session has 3 SAs • The ISAKMP SA • The inbound IPSec SA • The outbound IPSec SA • The inbound SA of A is the outbound SA of B

  14. Internet Key Exchange (IKE) • IKE combines ISAKMP and the Oakley Key Determination Protocol • Generates secret key material, based on the Diffie-Hellman key exchange algorithm

  15. Dynamic Rekeying • The determination of new keying material through a new Diffie-Hellman exchange on a regular basis • Every 480 minutes (8 hours) by default • Or after a set number of data sessions created with the same keying material
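Slides 14 and 15 describe the two halves of one mechanism: a Diffie-Hellman exchange that lets both peers compute the same key material without sending it, and a lifetime after which the exchange is repeated. The Python below is an added example, not code from the slides or from Windows IKE. The prime and generator are tiny illustration-only values (real IKE uses the standardized 1024-bit-and-larger Oakley/MODP groups), the key derivation is a simplified SKEYID-style keyed hash, and the session limit of 100 is an assumed number; the 480-minute lifetime is the default the slide states.

```python
import hashlib
import hmac
import secrets

# Illustration-only DH parameters (a 61-bit Mersenne prime). Real IKE uses the
# standardized Oakley/MODP groups of 1024 bits and more; never use a group this small.
P = 2305843009213693951  # 2**61 - 1
G = 5

REKEY_SECONDS = 480 * 60   # the 480-minute / 8-hour default from the slide
REKEY_SESSIONS = 100       # assumed session limit for this illustration


class Peer:
    """One IKE peer: a private exponent and the public value sent to the other side."""

    def __init__(self, name, private=None):
        self.name = name
        self.private = private or (secrets.randbelow(P - 2) + 1)
        self.public = pow(G, self.private, P)

    def shared_secret(self, other_public):
        return pow(other_public, self.private, P)


def derive_key(shared_secret, nonce_i, nonce_r):
    """SKEYID-style derivation (simplified): keyed hash of the DH result with both nonces."""
    return hmac.new(nonce_i + nonce_r, shared_secret.to_bytes(8, "big"), hashlib.sha256).digest()


class KeyingMaterial:
    """Key material plus the counters that decide when dynamic rekeying is due."""

    def __init__(self, key, created_at):
        self.key = key
        self.created_at = created_at
        self.sessions = 0   # data sessions (quick mode SAs) derived from this material

    def needs_rekey(self, now):
        """Rekey on elapsed lifetime or on number of data sessions, whichever comes first."""
        return (now - self.created_at) >= REKEY_SECONDS or self.sessions >= REKEY_SESSIONS


def ike_exchange(initiator, responder, nonce_i, nonce_r):
    """Both sides exchange public values and nonces, then derive the same key independently."""
    key_i = derive_key(initiator.shared_secret(responder.public), nonce_i, nonce_r)
    key_r = derive_key(responder.shared_secret(initiator.public), nonce_i, nonce_r)
    return key_i, key_r


def demo():
    """Constructed run: peers agree on a key, then a fresh exchange yields unrelated material."""
    a, b = Peer("A"), Peer("B")
    first = ike_exchange(a, b, secrets.token_bytes(16), secrets.token_bytes(16))
    material = KeyingMaterial(first[0], created_at=0)
    a2, b2 = Peer("A"), Peer("B")      # new private exponents for the rekey
    second = ike_exchange(a2, b2, secrets.token_bytes(16), secrets.token_bytes(16))
    return {
        "first_agrees": first[0] == first[1],
        "second_agrees": second[0] == second[1],
        "rekey_changes_key": first[0] != second[0],
        "lifetime_expired": material.needs_rekey(now=REKEY_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

Regenerating the private exponents on every rekey is what gives perfect forward secrecy: compromise of one set of keying material does not reveal traffic protected under the previous or next set.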

  16. IPSec Policies • Security rules that define • The desired security level, Hashing algorithm, Encryption algorithm, Key length • The addresses, Protocols, DNS names, Subnets • Connection types to which these security settings will apply • Windows Server 2008 has integrated management of IPSec into the Windows Firewall with Advanced Security MMC snap-in

  17. IPSec Policies • IPSec policies are hierarchical and are organized as follows: • Each IPSec policy consists of one or more IP Security Rules • Each IP Security Rule includes a single IP Security Action that is applied to one or more IP Filter Lists • Each IP Filter List contains one or more IP Filters • Only one IPSec policy can be active on any one computer at a given time • If you wish to assign a new IPSec policy to a particular computer, you must first un-assign the existing IPSec policy
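The hierarchy on this slide (policy, rules, one action per rule, filter lists, filters) and the one-active-policy restriction can be expressed as a small data model. The Python below is an added example, not the slides' or Windows' own code; the action names `permit`, `block` and `negotiate` mirror the three IP Security Actions, rules are evaluated in list order here as a simplification (Windows selects by filter specificity), and the SMB/Telnet sample policy with its addresses is constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class IPFilter:
    """One IP Filter: source/destination prefix, protocol and optional destination port."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: str = "any"
    dst_port: Optional[int] = None

    def matches(self, pkt):
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dst_port")


@dataclass
class IPFilterList:
    """One IP Filter List: contains one or more IP Filters."""
    name: str
    filters: list = field(default_factory=list)

    def matches(self, pkt):
        return any(f.matches(pkt) for f in self.filters)


@dataclass
class IPSecurityRule:
    """One IP Security Rule: a single action ('permit', 'block' or 'negotiate')
    applied to one or more IP Filter Lists."""
    action: str
    filter_lists: list = field(default_factory=list)

    def matches(self, pkt):
        return any(fl.matches(pkt) for fl in self.filter_lists)


@dataclass
class IPSecPolicy:
    """One IPSec policy: one or more IP Security Rules."""
    name: str
    rules: list = field(default_factory=list)

    def action_for(self, pkt, default="permit"):
        """Evaluate rules in order (simplification); the first matching rule decides."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return default


class Computer:
    """Only one policy may be assigned at a time; un-assign before assigning another."""

    def __init__(self):
        self.assigned: Optional[IPSecPolicy] = None

    def assign(self, policy):
        if self.assigned is not None:
            raise ValueError(f"un-assign '{self.assigned.name}' first")
        self.assigned = policy

    def unassign(self):
        self.assigned = None


def build_sample_policy():
    """Constructed sample: negotiate security for SMB from the LAN, block Telnet, permit the rest."""
    smb = IPFilterList("SMB from LAN", [IPFilter(src="192.168.1.0/24", protocol="tcp", dst_port=445)])
    telnet = IPFilterList("Telnet", [IPFilter(protocol="tcp", dst_port=23)])
    return IPSecPolicy("Sample", [IPSecurityRule("negotiate", [smb]),
                                  IPSecurityRule("block", [telnet])])


if __name__ == "__main__":
    policy = build_sample_policy()
    pc = Computer()
    pc.assign(policy)
    print(policy.action_for({"src": "192.168.1.10", "dst": "192.168.1.5",
                             "protocol": "tcp", "dst_port": 445}))
```

Walking a packet down the tree this way is also a useful mental model when troubleshooting: if traffic is unexpectedly permitted in the clear, check which rule matched first and whether its filter list is broader than intended.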

  18. Creating an IPSec Policy • Select the option to create a new IPSec policy • This will prompt you to launch the IP Security Rule wizard • Assign your new IPSec policy to a single computer or a group of computers • Use the MMC console to add the IP Security Policy Management snap-in (for 2000, XP, 2003) and choose its scope: • Local computer • The AD domain of which this computer is a member • Another AD domain • Another computer

  19. Windows Firewall with IPSec Policies • For Vista and newer, IPSec policies are deployed as Connection Security Rules in Windows Firewall with Advanced Security

  20. Connection Security Rules • Windows Server 2008 comes with four pre-configured Connection Security Rule templates: • Isolation rule • Authentication exemption rule • Server-to-Server rule • Tunnel rule

  21. Connection Security Rules • Isolation rule • To restrict inbound and outbound connections based on certain sets of criteria • Inbound vs outbound authentication requirements • Authentication method • Profile (Domain, private, public) • Name

  22. Connection Security Rules • Authentication exemption rule • To exempt specific computer(s) from the authentication requirement • Exempt computers (IP, range of IPs, subnet) • Profile • Name

  23. Connection Security Rules • Server-to-Server rule • To secure traffic between two servers or two groups of servers • Endpoints (IP/range of IPs/subnet) • Authentication requirements • Authentication method • Profile • Name

  24. Connection Security Rules • Tunnel rule • Same as Server-to-Server, but secures traffic only between two tunnel endpoints • Endpoint computers • Local tunnel computer • Remote tunnel computer • Authentication method • Profile • Name

  25. IPSec Driver • The IPSec driver is the intermediary that matches inbound and outbound packets against the policy's rules • Main mode negotiation initiates the connection between the endpoints • Quick mode negotiation determines the type of connection

  26. IPSec Policy Agent • Retrieves information about IPSec policies • Passes the information to other IPSec components that require it in order to perform security functions • The IPSec Policy Agent is a service that resides on each computer running Windows Server 2008

  27. Deploying IPSec • IPSec policies can be deployed using local policies, Active Directory, or both • For AD, the LSDOU order still applies: the OU's IPSec policy is applied last and overrides all others • Three built-in IPSec policies in a GPO: • Client (Respond Only) policy • On computers that normally do not send secured data • The Server (Request Security) policy • Can be used on any computer (client or server) that needs to initiate secure communications • The Secure Server (Require Security) policy • Does not send or accept unsecured transmissions

  28. Monitoring IPSec • IP Security Monitor • RSoP • Event Viewer • netsh command-line utility • Windows Firewall with Advanced Security

  29. Network Authentication • The default authentication protocol in an AD network is the Kerberos v5 protocol • NT LAN Manager (NTLM) authentication • A legacy authentication protocol • LM authentication – the weakest; used since Windows 95 • NTLM authentication • NTLMv2 authentication – the strongest; Windows 2000 and later

  30. Windows Firewall • A stateful firewall is a firewall that can track and maintain information based on the status of a particular connection • The default configuration of the Windows Firewall blocks all unsolicited inbound traffic, i.e. attempts to access the computer from a remote network host that have not been specifically authorized by the administrator of the local server

  31. Windows Firewall • It can be on, on with "Block all incoming connections", or off • You can also add exception rules/ports as needed • Scopes must be set from the MMC snap-in: • Any computer • My network (subnet only) • A specific range of IP addresses
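Slides 30 and 31 together describe a stateful host firewall: replies to connections the host started are allowed, everything else inbound is dropped unless an exception with a matching scope exists, and the "block all incoming connections" state ignores the exceptions. The Python below is an added example that models exactly that behaviour; it is not the slides' or Windows' code, and the local subnet, the RDP and web exceptions and the sample flows are all constructed. It assumes, as Windows does, that replies to outbound traffic still pass in the block-all state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class StatefulFirewall:
    """Host firewall model: three states (on / block_all / off), a connection table for
    traffic the host initiated, and exceptions scoped to a set of remote addresses."""

    def __init__(self, local_subnet):
        self.local_subnet = ip_network(local_subnet)
        self.mode = "on"               # "on", "block_all" or "off"
        self.connections = set()       # flows this host initiated outbound
        self.exceptions = []           # (proto, port, scope)

    def add_exception(self, proto, port, scope="any"):
        """scope is 'any', 'subnet' (local network only) or a (first_ip, last_ip) range."""
        self.exceptions.append((proto, port, scope))

    def _in_scope(self, remote, scope):
        addr = ip_address(remote)
        if scope == "any":
            return True
        if scope == "subnet":
            return addr in self.local_subnet
        first, last = scope
        return ip_address(first) <= addr <= ip_address(last)

    def outbound(self, flow):
        """Record an outbound connection so that its replies count as solicited."""
        self.connections.add(flow)

    def inbound(self, flow):
        """Decide an inbound packet: solicited replies pass; otherwise only scoped exceptions."""
        if self.mode == "off":
            return True
        if flow.reverse() in self.connections:
            return True                       # reply to something this host started
        if self.mode == "block_all":
            return False                      # exceptions are ignored in this state
        return any(proto == flow.proto and port == flow.dport and self._in_scope(flow.src, scope)
                   for proto, port, scope in self.exceptions)


def demo():
    """Constructed scenario on a 192.168.1.0/24 LAN with an RDP and a web exception."""
    fw = StatefulFirewall("192.168.1.0/24")
    fw.add_exception("tcp", 3389, scope="subnet")                    # RDP from the LAN only
    fw.add_exception("tcp", 80, scope=("10.5.0.1", "10.5.0.50"))    # web from one address range
    fw.outbound(Flow("192.168.1.10", "8.8.8.8", "udp", 50000, 53))  # host sent a DNS query
    return {
        "dns_reply": fw.inbound(Flow("8.8.8.8", "192.168.1.10", "udp", 53, 50000)),
        "unsolicited_smb": fw.inbound(Flow("203.0.113.7", "192.168.1.10", "tcp", 40000, 445)),
        "rdp_from_lan": fw.inbound(Flow("192.168.1.20", "192.168.1.10", "tcp", 40001, 3389)),
        "rdp_from_internet": fw.inbound(Flow("203.0.113.7", "192.168.1.10", "tcp", 40002, 3389)),
        "web_in_range": fw.inbound(Flow("10.5.0.25", "192.168.1.10", "tcp", 40003, 80)),
        "web_outside_range": fw.inbound(Flow("10.5.0.99", "192.168.1.10", "tcp", 40004, 80)),
    }


if __name__ == "__main__":
    print(demo())
```

The scope on an exception is the part most often left at "Any computer"; restricting management ports such as RDP to the local subnet, as the sample does, is the difference between an exception and an open door.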

  32. Assignment • Summarize the chapter in your own words • At least 75 words • Due BEFORE class starts on Thursday • Lab 9 • Due BEFORE class starts on Monday
