Chapter 9. SECURING NETWORK COMMUNICATION. OVERVIEW. List the major threats to network communications. Describe the functions of Internet Protocol Security (IPSec). Understand the functions and architecture of the IPSec protocols. - PowerPoint PPT Presentation

Page 1: SECURING NETWORK COMMUNICATION

SECURING NETWORK COMMUNICATION

Chapter 9

Page 2: SECURING NETWORK COMMUNICATION

Chapter 9: SECURING NETWORK COMMUNICATION 2

OVERVIEW

List the major threats to network communications.

Describe the functions of Internet Protocol Security (IPSec).

Understand the functions and architecture of the IPSec protocols.

List the components of a Microsoft Windows Server 2003 IPSec implementation.

List the default IPSec policies included in Windows Server 2003 and their applications.

Page 3: SECURING NETWORK COMMUNICATION

OVERVIEW (CONTINUED)

Understand the functions of an IPSec policy’s components.

Use the IP Security Policies snap-in to manage IPSec policies.

List the standards that define common wireless local area network (WLAN) technologies.

Describe the security problems inherent in wireless networking.

List the mechanisms that WLANs running IEEE 802.11 based on the Microsoft Windows operating system can use to authenticate clients and encrypt transmitted data.

Page 4: SECURING NETWORK COMMUNICATION

PLANNING AN IPSec IMPLEMENTATION

Network traffic normally traverses the network unencrypted.

If someone captures traffic from the network, it can be easily viewed.

IPSec extensions are a means of securing the actual network communications.

Page 5: SECURING NETWORK COMMUNICATION

POTENTIAL THREATS

Page 6: SECURING NETWORK COMMUNICATION

INTRODUCING NETWORK SECURITY PROTOCOLS

Area of Network Security | Purpose | Protocols
Authentication | To prove you are who you say you are | Kerberos and NTLM
Authorization | To determine what you can do on the network after you have authenticated | Kerberos and NTLM
Confidentiality | To keep data secret | Encryption components of Kerberos, NTLM, and IPSec
Integrity | To ensure that the data received is the same data that was sent | Components of Kerberos, NTLM, and IPSec
Nonrepudiation | To determine exactly who sent and received the message | Kerberos and IPSec

Page 7: SECURING NETWORK COMMUNICATION

PROTECTING DATA WITH IPSec

IPSec protects data by digitally signing and encrypting it before transmission.

IPSec operates as an extension to Internet Protocol (IP) and provides end-to-end encryption.

IPSec can encrypt any traffic that takes the form of IP datagrams, no matter what kind of information is inside them.

Page 8: SECURING NETWORK COMMUNICATION

IPSec FUNCTIONS

IPSec performs a number of security functions, including key generation, cryptographic checksums, mutual authentication, replay prevention, and IP packet filtering.

Using IPSec prevents viewing, changing, or deleting data in a packet.

IPSec also prevents IP address spoofing.

Page 9: SECURING NETWORK COMMUNICATION

IPSec PROTOCOLS

The IPSec standards define two protocols:

IP Authentication Header (AH)

IP Encapsulating Security Payload (ESP)

Page 10: SECURING NETWORK COMMUNICATION

IP AUTHENTICATION HEADER

IP Authentication Header protocol:

Does not encrypt the data in IP packets, but it does provide authentication, anti-replay, and integrity services

Ensures that no one has modified the packets en route, and that the packets did actually originate at the system identified by the packet’s source IP address

Page 11: SECURING NETWORK COMMUNICATION

IP ENCAPSULATING SECURITY PAYLOAD

IP Encapsulating Security Payload protocol:

Prevents unauthorized people from being able to read information in packets by encrypting the data

Provides authentication, integrity, and antireplay services

Although AH and ESP perform some of the same functions, using both protocols provides the maximum possible security for a data transmission.

Page 12: SECURING NETWORK COMMUNICATION

TRANSPORT MODE AND TUNNEL MODE

IPSec can operate in two modes: transport mode and tunnel mode.

Transport mode is used between IPSec-enabled computers.

Tunnel mode is used between IPSec-enabled routers.

Page 13: SECURING NETWORK COMMUNICATION

DEPLOYING IPSec

All versions of the Windows operating system since Windows 2000 support IPSec.

IPSec policies define when and how systems should use IPSec.

IPSec implementations on Windows Server 2003 should be compatible with IPSec implementations on other operating systems that conform to Internet Engineering Task Force (IETF) standards.

Page 14: SECURING NETWORK COMMUNICATION

IPSec COMPONENTS

IPSec in Windows Server 2003 consists of the following components:

IPSec policy agent

Internet Key Exchange (IKE)

IPSec driver

Page 15: SECURING NETWORK COMMUNICATION

PLANNING AN IPSec DEPLOYMENT

Using IPSec creates additional network traffic.

Processor overhead associated with network communications also increases with IPSec deployment.

Backward compatibility must be considered because operating systems earlier than Windows 2000 do not support IPSec without the addition of third-party software.

Page 16: SECURING NETWORK COMMUNICATION

WORKING WITH IPSec POLICIES

IPSec policies are administered through the IP Security Policies Microsoft Management Console (MMC) snap-in.

IPSec policies define which traffic must be secured and which actions are performed on traffic that does or does not meet criteria.

Three IPSec policies are created by default. More can be created as required.

Page 17: SECURING NETWORK COMMUNICATION

USING THE DEFAULT IPSec POLICIES

Page 18: SECURING NETWORK COMMUNICATION

MODIFYING IPSec POLICIES

IPSec policies consist of three elements:

Rules

IP filter lists

Filter actions
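As an added illustration, not the snap-in's own code, of how rules, IP filter lists and filter actions fit together: the model below evaluates a packet against a constructed policy shaped like the Secure Server default, using the snap-in's Me/Any address keywords and mirrored filters. The "most specific filter wins" ordering and the "Permit when nothing matches" default are simplifying assumptions of this model.

```python
from dataclasses import dataclass
ME = "192.168.1.10"  # constructed address of the local host ("Me" in the snap-in)

@dataclass
class Filter:
    src: str                  # "Me", "Any", or an IP address
    dst: str
    protocol: str = "Any"     # "Any", "TCP", "UDP" or "ICMP"
    dst_port: int = 0         # 0 = any port
    mirrored: bool = True     # also match the reply direction

@dataclass
class Rule:
    filter_list: list         # the rule's IP filter list
    filter_action: str        # "Permit", "Block" or "Negotiate"

def _addr_ok(pattern, addr):
    return pattern == "Any" or (pattern == "Me" and addr == ME) or pattern == addr

def _matches(f, pkt):
    def one_way(src, dst, dport):
        return (_addr_ok(f.src, src) and _addr_ok(f.dst, dst)
                and f.protocol in ("Any", pkt["protocol"])
                and f.dst_port in (0, dport))
    # A mirrored filter also matches the reply (addresses and ports swapped).
    return (one_way(pkt["src"], pkt["dst"], pkt["dport"])
            or (f.mirrored and one_way(pkt["dst"], pkt["src"], pkt["sport"])))

def _specificity(f):
    # Assumption: the most specific matching filter wins (the effect of the
    # driver's filter weighting), modelled as a count of non-wildcard fields.
    return sum([f.src != "Any", f.dst != "Any", f.protocol != "Any", f.dst_port != 0])

def evaluate(rules, pkt):
    """Filter action for pkt; "Permit" if nothing matches (assumption: passed unsecured)."""
    best = None
    for rule in rules:
        for f in rule.filter_list:
            if _matches(f, pkt) and (best is None or _specificity(f) > best[0]):
                best = (_specificity(f), rule.filter_action)
    return best[1] if best else "Permit"

# Constructed policy shaped like the Secure Server default: all IP traffic must
# negotiate IPSec, ICMP is permitted, and one host that cannot do IPSec is blocked.
SECURE_SERVER = [
    Rule([Filter("Me", "Any")], "Negotiate"),
    Rule([Filter("Me", "Any", "ICMP")], "Permit"),
    Rule([Filter("Me", "10.0.0.77")], "Block"),
]
```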

Page 19: SECURING NETWORK COMMUNICATION

COMMAND-LINE TOOLS

Netsh.exe

Netdiag.exe

Page 20: SECURING NETWORK COMMUNICATION

TROUBLESHOOTING IPSec

There are two ways to ensure that IPSec is functioning:

Perform a packet capture of the network traffic.

Check the statistics node of the IPSec monitor.
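To make the packet-capture check concrete, and to tie it back to the AH and ESP slides: the added example below (not code from the slides) builds three constructed IPv4 datagrams, plain TCP, AH-protected TCP and ESP, and shows what a capture reveals for each. With AH the SPI, sequence number and inner TCP header are all readable; ESP exposes only the SPI and sequence number. Header layouts follow RFC 4302 and RFC 4303; the addresses, SPIs, ICV bytes and TCP header are constructed values.

```python
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0; constructed sample data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, src, dst)

def classify(datagram):
    """What a capture reveals about one IPv4 datagram: AH, ESP or unprotected."""
    ihl = (datagram[0] & 0x0F) * 4
    proto = datagram[9]
    body = datagram[ihl:]
    if proto == IPPROTO_AH:
        # RFC 4302: next header(1) payload len(1) reserved(2) SPI(4) seq(4) ICV(...)
        nxt, plen = body[0], body[1]
        spi, seq = struct.unpack("!II", body[4:12])
        ah_len = (plen + 2) * 4          # payload len counts 32-bit words minus 2
        return {"ipsec": "AH", "spi": spi, "seq": seq, "inner_proto": nxt,
                "payload_visible": True, "inner": body[ah_len:]}
    if proto == IPPROTO_ESP:
        # RFC 4303: SPI(4) seq(4), then encrypted payload; inner protocol is hidden
        spi, seq = struct.unpack("!II", body[:8])
        return {"ipsec": "ESP", "spi": spi, "seq": seq, "inner_proto": None,
                "payload_visible": False, "inner": body[8:]}
    return {"ipsec": None, "spi": None, "seq": None, "inner_proto": proto,
            "payload_visible": True, "inner": body}

def sample_packets():
    """Three constructed datagrams: plain TCP, AH-protected TCP, ESP (transport mode)."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    tcp = bytes.fromhex("0c3801bd00000001000000005002ffff00000000")  # SYN to port 445
    plain = ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp
    # AH with a 12-byte ICV is 24 bytes = 6 words, so the length field is 6 - 2 = 4
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x1000, 7) + b"\x00" * 12  # ICV zeroed
    ah_pkt = ipv4_header(src, dst, IPPROTO_AH, len(ah) + len(tcp)) + ah + tcp
    esp = struct.pack("!II", 0x2000, 7) + b"\xa5" * 32   # stand-in for ciphertext
    esp_pkt = ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp
    return plain, ah_pkt, esp_pkt

def capture_report(datagrams):
    """Summarise datagrams the way a troubleshooting check would: (protection, payload readable)."""
    return [(c["ipsec"] or "none", c["payload_visible"]) for c in map(classify, datagrams)]
```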

Page 21: SECURING NETWORK COMMUNICATION

THE IP SECURITY MONITOR

Page 22: SECURING NETWORK COMMUNICATION

TROUBLESHOOT IPSec AUTHENTICATION

There are three methods used to authenticate an IPSec connection:

Preshared key authentication

Kerberos authentication

Certificate-based authentication

Page 23: SECURING NETWORK COMMUNICATION

SECURING A WIRELESS NETWORK

Wireless networks are becoming increasingly popular.

Related hardware is becoming more affordable.

Wireless networks present more and different security challenges than their wired counterparts.

Page 24: SECURING NETWORK COMMUNICATION

UNDERSTANDING WIRELESS NETWORKING STANDARDS

Wireless networking standards are developed and ratified by the Institute of Electrical and Electronics Engineers (IEEE).

Three standards have been defined:

802.11b: Offers speeds up to 11 megabits per second (Mbps)

802.11a: In development. Uses different frequency ranges than 802.11b. Offers speeds up to 54 Mbps

802.11g: Uses the same frequency ranges as 802.11b. Offers speeds up to 54 Mbps

Page 25: SECURING NETWORK COMMUNICATION

WIRELESS NETWORKING TOPOLOGIES

Page 26: SECURING NETWORK COMMUNICATION

UNDERSTANDING WIRELESS NETWORK SECURITY

Wireless networks present security risks that are not present when using traditional wired networks.

Logical security becomes the paramount concern because physical security measures do not necessarily prevent access to a wireless network.

Two main concerns when using wireless networks are unauthorized access and data interception.

Page 27: SECURING NETWORK COMMUNICATION

CONTROLLING WIRELESS ACCESS USING GROUP POLICIES

Page 28: SECURING NETWORK COMMUNICATION

AUTHENTICATING USERS

Open System authentication

Shared Key authentication

IEEE 802.1x authentication

Page 29: SECURING NETWORK COMMUNICATION

OPEN SYSTEM AUTHENTICATION

Open System authentication is the default authentication method used by IEEE 802.11 devices.

Despite the name, it offers no actual authentication.

A device configured to use Open System authentication will not refuse authentication to another device.

Page 30: SECURING NETWORK COMMUNICATION

SHARED KEY AUTHENTICATION

Devices authenticate each other using a secret key that both possess.

The key is shared before authentication using a secure channel.

All the computers in the same basic service set (BSS) must possess the same key.

Page 31: SECURING NETWORK COMMUNICATION

IEEE 802.1x AUTHENTICATION

The IEEE 802.1x standard defines a method of authenticating and authorizing users on any 802 local area network (LAN).

Most IEEE 802.1x implementations use Remote Authentication Dial-In User Service (RADIUS) servers.

RADIUS typically uses one of the following two authentication protocols:

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2)

Page 32: SECURING NETWORK COMMUNICATION

ENCRYPTING WIRELESS TRAFFIC

The IEEE 802.11 standard uses an encryption mechanism called WEP to secure data while in transit.

WEP uses the RC4 cryptographic algorithm developed by RSA Security Inc.

WEP allows the key length, as well as the frequency with which the computers generate new keys, to be configured.

Page 33: SECURING NETWORK COMMUNICATION

SUMMARY

IPSec is a set of extensions to IP that provide protection for data as it is transmitted over the network.

IPSec can operate in transport mode or tunnel mode.

The IPSec implementation in Windows Server 2003 consists of the IPSec policy agent, IKE, and the IPSec driver.

Windows Server 2003 IPSec has three default policies. You can use these policies or create your own.

IPSec policies consist of rules, IP filter lists, and filter actions. A rule is a combination of an IP filter list and a filter action.

Page 34: SECURING NETWORK COMMUNICATION

SUMMARY (CONTINUED)

Incompatible configuration settings are a common cause of IPSec communication problems.

Most WLANs in use today are based on the 802.11 standards published by the IEEE.

To secure a wireless network, you must authenticate clients before they are granted network access and encrypt all packets transmitted over the wireless link.

To authenticate IEEE 802.11 wireless network clients, you can use Open System authentication, Shared Key authentication, or IEEE 802.1x.

To encrypt transmitted packets, the IEEE 802.11 standard defines the WEP mechanism.