|Lesson 3 ||Protect data with IPSec|
|Objective||Define the data protection features provided by IPSec.|
Protect data with IPSec using its Protection Features
Which protection features does IPSec provide for data?
IPSec (Internet Protocol Security) is a protocol suite used to provide secure communication over IP (Internet Protocol) networks. It provides several protection features for data, including:
- Confidentiality: IPSec provides confidentiality by encrypting the data packets to prevent unauthorized access. It uses encryption algorithms such as AES (Advanced Encryption Standard) or 3DES (Triple Data Encryption Standard) to secure the data.
- Integrity: IPSec provides integrity by ensuring that the data has not been modified during transmission. It uses hashing algorithms such as SHA-1 or SHA-2 to generate a message digest that is sent with the data packet. The recipient can then verify the message digest to ensure that the data has not been tampered with.
- Authentication: IPSec provides authentication by ensuring that the sender and receiver are who they claim to be. It uses authentication protocols such as Kerberos or digital certificates to verify the identity of the communicating parties.
- Anti-replay protection: IPSec provides anti-replay protection by preventing an attacker from intercepting and retransmitting data packets. It does this by adding a sequence number to each packet, which is used to ensure that each packet is unique and not a replay of a previous packet.
Overall, IPSec provides a comprehensive set of protection features for data, making it an important tool for securing communications over IP networks.
Protect Data with IPSec
Data traffic on public and private IP networks may be confidential and require increased security. The security required can include both authentication of peers, and the encryption and authentication of data.
Two IPSec Functions
IPSec provides two functions to improve security:
- Data integrity: Use an Authentication Header (AH) to provide source authentication and integrity without providing data encryption. You use IPSec with AH in the network design where only data integrity is required, or where the application layer already encrypts data.
The Authentication Header allows you to confirm that the person who sent the data is who they claim to be, and also assures that the data has not been altered during transit over the network. Remember, (AH) Authentication Header does not encrypt the data itself.
Using an application layer protocol such as the Secure Sockets Layer (SSL) or ESP to encrypt the actual data.
- Data encryption: Encapsulating Security Payload (ESP) provides authentication and integrity, along with encryption. Use IPSec with ESP where both integrity and encryption are required.
- Authentication Header (AH): The Authentication Header is one of the security protocols used with IPSec. AH provides authentication and integrity, for the entire packet (both the IP header and the data carried in the packet).
AH signs the entire packet. It does not encrypt the data. The data is readable, but protected from modification. Packet integrity is assured by digital signatures applied to each packet.
- Encapsulating Security Payload (ESP): ESP provides confidentiality, in addition to authentication and integrity. ESP is one of the security protocols used in IPSec.
The Authentication and Encrypting Security Payload headers support two different modes: tunnel mode and transport mode. In tunnel mode, the endpoints of the tunnel are specified. These endpoints are typically two VPN. All data is encrypted as it is passed from the source to the destination server on each end of the tunnel. Transport mode provides for end-to-end encryption.
In this case, a computer on network A encrypts data before it hits the wire, and the data remains encrypted until it reaches its destination on network B.
Note the difference between tunnel and transport modes. In tunnel mode, the data is protected only between the tunnel endpoints. In transport mode, the data is protected from the source to the destination, which is referred to as "end-to-end" protection.
The following Slide Show provides an overview of the data protection features provided by IPSec.
Overview of IPSec
Pre-defined IPSec policies
Computers that are members of Windows 2000 domain include predefined IPSec policies that define integrity and encryption options. These are described in the table below.
|Client (Respond Only)
||Use this policy for computers that do not require IPSec except when requested by another computer. When defined, this policy enables the computer to respond appropriately to requests for secured communications. Only the requested protocol and port traffic for the communication are secured.
For example, a Windows 2000 Professional computer might wish to connect to a secure Windows 2000 server. The Windows 2000 Professional machine does not require secure communication via IPSec, but the server does require IPSec. The Windows 2000 Professional client will respond by creating only IPSec-secure connections to the secure server.|
|Server (Request Security)
||Use this policy for computers that secure communications most of the time. In this policy, the computer accepts unsecured traffic, but always attempts to secure additional communications by requesting security from the original sender. This policy allows the entire communication to be unsecured if the other computer is not IPSec-enabled.
The Request Security policy is helpful to use during an interim period when you wish to create a secure server, but not all machines on your network have been upgraded to Windows 2000. This allows the server to communicate with downlevel client operating systems in a non-secure context during the upgrade rollout. Once all the machines on the network have been upgraded, you can change the server to use the secure server IPSec policy.|
|Secure Server (Require Security)
||Use this policy for computers that always require secure communications. This policy rejects unsecured incoming communications.
The outgoing traffic is always secured. Unsecured communication is not allowed.
Only one of the policies may be active on a given computer, so your security plan must specify the required policy or define a custom policy. You must customize the predefined policies to meet the given security requirements.
Routing IPSec traffic
IPSec traffic uses particular ports and protocol numbers that can be routed transparently.
For a security gateway, firewall, Proxy Server, router, or any server that is an access point from the private network to a public network where traffic filtering may be applied, you must define filters to ensure that packets secured with IPSec are not rejected.
For example, Microsoft Proxy Server 2.0 includes a number of built-in filters, including a filter for PPTP. If you want to use L2TP/IPSec instead of PPTP, you will have to configure your own custom filter.
Define the following inbound and outbound filters for a public network interface if your design includes IPSec traffic through that interface:
- IPSec Authentication Header traffic. Permit IP Protocol ID 51
- IPSec Encapsulating Security Protocol traffic. Permit IP Protocol ID50 and UDP Port 500 for ISAKMP/Oakley negotiation traffic
The next lesson describes the protection levels provided by IPSec.