Overview
Overview of IPsec
Configuring Connection Security Rules
Benefits of IPsec
How IPsec works
IPSec Protocols
Spoofing
Denial of Service
Packet Sniffing
Replay
Man in the Middle
What Is IPSec?
IPSec provides:
Mutual authentication before and during communications
Confidentiality through encryption of IP traffic
Integrity of IP traffic by rejecting modified traffic
Digital Signature
Benefits of IPsec
[Diagram: how IPsec works between two peers. (1) The IPsec Policy on each peer drives Security Association Negotiation (ISAKMP). (2) The IPsec Driver, sitting below the TCP Layer on each peer, exchanges Encrypted IP Packets.]
IPSec Protocols
AH (Authentication header) provides authentication, integrity, and anti-replay protection.
[Diagram: AH packet layout. IP header | Authentication header | IP payload (TCP segment, UDP message, ICMP message)]
[Diagram: ESP (Encapsulating Security Payload) packet layout. ESP header | IP payload (TCP segment, UDP message, ICMP message) | ESP trailer | ESP Auth trailer]
Connection security rule types
Rule type: Description
(rule type name not extracted): Restricts connections based on authentication criteria that you define
Authentication Exemption: Exempts specific computers, or a group or range of
Server-to-Server:
Tunnel:
Custom:
[Diagram: ESP transport mode. Original packet: IP HDR | Data. Protected packet: IP HDR | ESP HDR | Encrypted Data | ESP TRLR | ESP Auth]
[Diagram: ESP tunnel mode. Original packet: IP HDR | Data. Protected packet: New IP HDR | ESP HDR | Encrypted IP Packet (original IP HDR + Data) | ESP TRLR | ESP Auth]
Authentication requirements
Description
Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails
Require inbound be authenticated or
Authentication Methods
Method: Key Points
Default
Computer (Kerberos V5)
User (Kerberos V5)
Computer certificate: at least one CA
Advanced
[Diagram: NAP with IPsec enforcement. Restricted Network: Non-compliant NAP client (SHAs, NAP agent, NAP ECs), Non-NAP capable client, NAP enforcement servers. Boundary Network: NPS servers, Certificate services, E-mail servers, NAP policy servers, Remediation servers. Secure Network: Secure servers, Compliant NAP client (SHAs, NAP agent, NAP ECs). Process stages: Policy validation; NAP enforcement (VPN Server, Active Directory, IEEE 802.1X Devices, DHCP Server); Network restriction; Remediation; Ongoing monitoring of compliance.]
[Diagram: Health Registration Authority placement. Internet | Perimeter Network (Health Registration Authority) | Intranet (NAP Health Policy Server, Restricted Network, Remediation Servers).]
[Steps 1 to 5 and 7 to 10 of the NAP with IPsec enforcement process were not extracted; only step 6 survives.]
6. If the health state is not compliant, the HRA informs the NAP client how to correct its health state and does not issue a health certificate. The NAP client cannot initiate communication with other computers that require a health certificate for IPsec authentication. However, the NAP client can initiate communications with remediation servers to correct its health state.
Review Questions
Under what circumstances would Authentication Exemption be
and must support connections from both domain and nondomain computers, and you want only a single authentication method, what method is best for this scenario?