Upload
lilith
View
37
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Chapter 9. SECURING NETWORK COMMUNICATION. OVERVIEW. List the major threats to network communications. Describe the functions of Internet Protocol Security (IPSec). Understand the functions and architecture of the IPSec protocols. - PowerPoint PPT Presentation
Citation preview
11
SECURINGNETWORK COMMUNICATION
Chapter 9
Chapter 9: SECURING NETWORK COMMUNICATION 2
OVERVIEW
List the major threats to network communications.
Describe the functions of Internet Protocol Security (IPSec).
Understand the functions and architecture of the IPSec protocols.
List the components of a Microsoft Windows Server 2003 IPSec implementation.
List the default IPSec policies included in Windows Server 2003 and their applications.
Chapter 9: SECURING NETWORK COMMUNICATION 3
OVERVIEW (CONTINUED)
Understand the functions of an IPSec policy’s components.
Use the IP Security Policies snap-in to manage IPSec policies.
List the standards that define common wireless local area network (WLAN) technologies.
Describe the security problems inherent in wireless networking.
List the mechanisms that WLANs running IEEE 802.11 based on the Microsoft Windows operating system can use to authenticate clients and encrypt transmitted data.
Chapter 9: SECURING NETWORK COMMUNICATION 4
PLANNING AN IPSec IMPLEMENTATION
Network traffic normally traverses the network unencrypted.
If someone captures traffic from the network, it can be easily viewed.
IPSec extensions are a means of securing the actual network communications.
Chapter 9: SECURING NETWORK COMMUNICATION 5
POTENTIAL THREATS
Chapter 9: SECURING NETWORK COMMUNICATION 6
INTRODUCING NETWORKSECURITY PROTOCOLS
Area of Network Area of Network SecuritySecurity
PurposePurpose ProtocolsProtocols
Authentication To prove you are who you say you are
Kerberos and NTLM
Authorization To determine what you can do on the network after you have authenticated
Kerberos and NTLM
Confidentiality To keep data secret Encryption components of Kerberos, NTLM, and IPSec
Integrity To ensure that the data received is the same data that is sent
Components of Kerberos, NTLM, and IPSec
Nonrepudiation To determine exactly who sent and received the message
Kerberos and IPSec
Chapter 9: SECURING NETWORK COMMUNICATION 7
PROTECTING DATA WITH IPSec
IPSec protects data by digitally signing and encrypting it before transmission.
IPSec operates as an extension to Internet Protocol (IP) and provides end-to-end encryption.
IPSec can encrypt any traffic that takes the form of IP datagrams, no matter what kind of information is inside them.
Chapter 9: SECURING NETWORK COMMUNICATION 8
IPSec FUNCTIONS
IPSec performs a number of security functions, including key generation, cryptographic checksums, mutual authentication, replay prevention, and IP packet filtering.
Using IPSec prevents viewing, changing, or deleting data in a packet.
IPSec also prevents IP address spoofing.
Chapter 9: SECURING NETWORK COMMUNICATION 9
IPSec PROTOCOLS
The IPSec standards define two protocols:
IP Authentication Header (AH)
IP Encapsulating Security Payload (ESP)
Chapter 9: SECURING NETWORK COMMUNICATION 10
IP AUTHENTICATION HEADER
IP Authentication Header protocol:
Does not encrypt the data in IP packets, but it does provide authentication, anti-replay, and integrity services
Ensures that no one has modified the packets en route, and that the packets did actually originate at the system identified by the packet’s source IP address
Chapter 9: SECURING NETWORK COMMUNICATION 11
IP ENCAPSULATING SECURITY PAYLOAD:
IP Encapsulating Security Payload Prevents unauthorized people from being
able to read information in packets by encrypting the data
Provides authentication, integrity, and antireplay services
Although AH and ESP perform some of the same functions, using both protocols provides the maximum possible security for a data transmission.
Chapter 9: SECURING NETWORK COMMUNICATION 12
TRANSPORT MODE AND TUNNEL MODE
IPSec can operate in two modes: transport mode and tunnel mode.
Transport mode is used between IPSec-enabled computers.
Tunnel mode is used between IPSec-enabled routers.
Chapter 9: SECURING NETWORK COMMUNICATION 13
DEPLOYING IPSec
All versions of the Windows operating system since Windows 2000 support IPSec.
IPSec policies define when and how systems should use IPSec.
IPSec implementations on Windows Server 2003 should be compatible with IPSec implementations on other operating systems that conform to Internet Engineering Task Force (IETF) standards.
Chapter 9: SECURING NETWORK COMMUNICATION 14
IPSec COMPONENTS
IPSec in Windows Server 2003 consists of the following components:
IPSec policy agent
Internet Key Exchange (IKE)
IPSec driver
Chapter 9: SECURING NETWORK COMMUNICATION 15
PLANNING AN IPSec DEPLOYMENT
Using IPSec creates additional network traffic.
Processor overhead associated with network communications also increases with IPSec deployment.
Backward compatibility must be considered because operating systems earlier than Windows 2000 do not support IPSec without the addition of third-party software.
Chapter 9: SECURING NETWORK COMMUNICATION 16
WORKING WITH IPSec POLICIES
IPSec policies are administered through the IP Security Policies Microsoft Management Console (MMC) snap-in.
IPSec policies define which traffic must be secured and which actions are performed on traffic that does or does not meet criteria.
Three IPSec policies are created by default. More can be created as required.
Chapter 9: SECURING NETWORK COMMUNICATION 17
USING THE DEFAULT IPSec POLICIES
Chapter 9: SECURING NETWORK COMMUNICATION 18
MODIFYING IPSec POLICIES
IPSec policies consist of three elements:
Rules
IP filter lists
Filter actions
Chapter 9: SECURING NETWORK COMMUNICATION 19
COMMAND-LINE TOOLS
Netsh.exe
Netdiag.exe
Chapter 9: SECURING NETWORK COMMUNICATION 20
TROUBLESHOOTING IPSec
There are two ways to ensure that IPSec is functioning:
Perform a packet capture of the network traffic.
Check the statistics node of the IPSec monitor.
Chapter 9: SECURING NETWORK COMMUNICATION 21
THE IP SECURITY MONITOR
Chapter 9: SECURING NETWORK COMMUNICATION 22
TROUBLESHOOT IPSec AUTHENTICATION
There are three methods used toauthenticate an IPSec connection:
Preshared key authentication
Kerberos authentication
Certificate-based authentication
Chapter 9: SECURING NETWORK COMMUNICATION 23
SECURING A WIRELESS NETWORK
Wireless networks are becoming increasingly popular.
Related hardware is becoming more affordable.
Wireless networks present more and different security challenges than their wired counterparts.
Chapter 9: SECURING NETWORK COMMUNICATION 24
UNDERSTANDING WIRELESS NETWORKING STANDARDS
Wireless networking standards are developed and ratified by the Institute of Electrical and Electronics Engineers (IEEE).
Three standards have been defined: 802.11b: Offers speeds up to 11 megabits
per second (Mbps) 802.11a: In development. Uses different
frequency ranges than 802.11b. Offers speeds up to 54 Mbps
802.11g: Uses the same frequency ranges as 802.11b. Offers speeds up to 54 Mbps
Chapter 9: SECURING NETWORK COMMUNICATION 25
WIRELESS NETWORKING TOPOLOGIES
Chapter 9: SECURING NETWORK COMMUNICATION 26
UNDERSTANDING WIRELESS NETWORK SECURITY
Wireless networks present security risks that are not present when using traditional wired networks.
Logical security becomes of paramount concern because physical security measures are not necessarily preventative.
Two main concerns when using wireless networks are unauthorized access and data interception.
Chapter 9: SECURING NETWORK COMMUNICATION 27
CONTROLLING WIRELESS ACCESS USING GROUP POLICIES
Chapter 9: SECURING NETWORK COMMUNICATION 28
AUTHENTICATING USERS
Open System authentication
Shared Key authentication
IEEE 802.1x authentication
Chapter 9: SECURING NETWORK COMMUNICATION 29
OPEN SYSTEM AUTHENTICATION
Open System authentication is the default authentication method used by IEEE 802.11 devices.
Despite the name, it offers no actual authentication.
A device configured to use Open System authentication will not refuse authentication to another device.
Chapter 9: SECURING NETWORK COMMUNICATION 30
SHARED KEY AUTHENTICATION
Devices authenticate each other using a secret key that both possess.
The key is shared before authentication using a secure channel.
All the computers in the same basic service set (BSS) must possess the same key.
Chapter 9: SECURING NETWORK COMMUNICATION 31
IEEE 802.1x AUTHENTICATION
The IEEE 802.1x standard defines a method of authenticating and authorizing users on any 802 local area network (LAN).
Most IEEE 802.1x implementations use Remote Authentication Dial-In User Service (RADIUS) servers.
RADIUS typically uses one of the following two authentication protocols: Extensible Authentication Protocol-Transport Layer
Security (EAP-TLS) Protected EAP-Microsoft Challenge Handshake
Authentication Protocol version 2 (PEAP-MS-CHAP v2)
Chapter 9: SECURING NETWORK COMMUNICATION 32
ENCRYPTING WIRELESS TRAFFIC
The IEEE 802.11 standard uses an encryption mechanism called WEP to secure data while in transit.
WEP uses the RC4 cryptographic algorithm developed by RSA Security Inc.
WEP allows the key length, as well as the frequency with which the computers generate new keys, to be configured.
Chapter 9: SECURING NETWORK COMMUNICATION 33
SUMMARY
IPSec is a set of extensions to IP that provide protection for data as it is transmitted over the network.
IPSec can operate in transport mode or tunnel mode.
The IPSec implementation in Windows Server 2003 consists of the IPSec policy agent, IKE, and the IPSec driver.
Windows Server 2003 IPSec has three default policies. You can use these policies or create your own.
IPSec policies consist of rules, IP filter lists, and filter actions. A rule is a combination of an IP filter list and a filter action.
Chapter 9: SECURING NETWORK COMMUNICATION 34
SUMMARY (CONTINUED)
Incompatible configuration settings are a common cause of IPSec communication problems.
Most WLANs in use today are based on the 802.11 standards published by the IEEE.
To secure a wireless network, you must authenticate clients before they are granted network access and encrypt all packets transmitted over the wireless link.
To authenticate IEEE 802.11 wireless network clients, you can use Open System authentication, Shared Key authentication, or IEEE 802.1x.
To encrypt transmitted packets, the IEEE 802.11 standard defines the WEP mechanism.