
IPsec

Overview
  Overview of IPsec
  Configuring Connection Security Rules
  Configuring IPsec NAP Enforcement

Lesson 1: Overview of IPsec
  Threats to Secure Data Transmission
  What Is IPsec?
  Benefits of IPsec
  How IPsec Works
  IPsec Protocols
  Recommended Uses of IPsec
  Tools Used to Configure IPsec
  What Are Connection Security Rules?

Threats to Secure Data Transmission

Spoofing
Denial of Service
Packet Sniffing
Replay
Man in the Middle

What Is IPsec?

IPsec is a suite of protocols that allows secure, encrypted communication
between two computers over an unsecured network.

IPsec provides:
Mutual authentication before and during communications
Confidentiality through encryption of IP traffic
Integrity of IP traffic by rejecting modified traffic
Protection from replay attacks


Benefits of IPsec

IPsec verifies, authenticates, and encrypts IP packets to provide secure
network transmissions.

IPsec has two goals: to protect IP packets and to defend against network
attacks.

Configuring IPsec on sending and receiving computers enables the two
computers to send secured data to each other.

IPsec secures network traffic by using encryption and data signing.

An IPsec policy defines the type of traffic that IPsec examines, how that
traffic is secured and encrypted, and how IPsec peers are authenticated.

How IPsec Works

(Slide diagram: two computers, each with a TCP layer above an IPsec driver.
Step 1: both computers receive their IPsec policy, distributed through
Active Directory. Step 2: the two IPsec drivers negotiate a security
association (ISAKMP). Encrypted IP packets then flow between the IPsec
drivers below the TCP layer.)

IPsec Protocols

AH (Authentication Header) provides authentication, integrity, and
anti-replay protection.

  | IP header | Authentication header | IP payload (TCP segment, UDP message, ICMP message) |

  Signed by Authentication header: the whole packet, from the IP header to
  the end of the payload.

ESP (Encapsulating Security Payload) provides confidentiality,
authentication, integrity, and anti-replay protection.

  | IP header | ESP header | IP payload (TCP segment, UDP message, ICMP message) | ESP trailer | ESP Auth trailer |

  Encrypted with ESP header: the IP payload and the ESP trailer.
  Signed by ESP Auth trailer: the ESP header, the IP payload, and the ESP
  trailer (the IP header is not covered).
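
The anti-replay protection that both AH and ESP provide is a sliding window over the sequence number carried in the AH/ESP header (RFC 4303 section 3.4.3). The class below is an added example, not code from the slides, of how a receiver keeps that window for one inbound security association; the window size and sequence numbers are constructed.

```python
"""IPsec anti-replay sliding window (RFC 4303 section 3.4.3).

Each inbound SA tracks the highest sequence number accepted so far (`top`)
and a bitmap of the `size` numbers at or below it. A packet is rejected if
its sequence number falls left of the window or is already marked in the
bitmap. The receiver must verify the ICV before calling update(), so a
forged packet cannot advance the window and shut out genuine traffic.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number top - i was received

    def check(self, seq: int) -> bool:
        """Return True if seq is fresh: right of the window, or inside it and unseen."""
        if seq == 0:
            return False    # sequence number 0 is never valid on the wire
        if seq > self.top:
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False    # older than the window: treated as a replay
        return not (self.bitmap >> offset) & 1

    def update(self, seq: int) -> None:
        """Mark seq as received; call only after the packet's ICV verified."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask  # slide window right
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq: int) -> bool:
        """check() then update(), as a receiver does for an authenticated packet."""
        if not self.check(seq):
            return False
        self.update(seq)
        return True
```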

Recommended Uses of IPsec


Recommended uses of IPsec include:
Authenticating and encrypting host-to-host traffic
Authenticating and encrypting traffic to servers
L2TP/IPsec for VPN connections
Site-to-site tunneling
Enforcing logical networks

Tools Used to Configure IPsec

To configure IPsec, you can use:
Windows Firewall with Advanced Security MMC (used for Windows Server 2008
and Windows Vista)
IP Security Policy MMC (used for mixed environments and to configure
policies that apply to all Windows versions)
Netsh command-line tool

What Are Connection Security Rules?

Connection security rules involve:
Authenticating two computers before they begin communications
Securing information being sent between two computers
Using key exchange, authentication, data integrity, and data encryption
(optionally)

How firewall rules and connection security rules are related:
Firewall rules allow traffic through, but do not secure that traffic
Connection security rules can secure the traffic, but creating a connection
security rule does not allow traffic through the firewall

Lesson 2: Configuring Connection Security Rules
  Choosing a Connection Security Rule Type
  What Are Endpoints?
  Choosing Authentication Requirements
  Authentication Methods
  Determining a Usage Profile

Choosing a Connection Security Rule Type

Rule Type: Description

Isolation: Restricts connections based on authentication criteria that you
define.

Authentication Exemption: Exempts specific computers, or a group or range of
IP addresses, from being required to authenticate. Grants access to those
infrastructure computers with which this computer must communicate before
authentication occurs.

Server-to-Server: Authenticates two specific computers, two groups of
computers, two subnets, or a specific computer and a group of computers or
subnet.

Tunnel: Provides secure communications between two peer computers through
tunnel endpoints (VPN or L2TP/IPsec tunnels).

Custom: Enables you to create a rule with special settings.

What Are Endpoints?

ESP Transport Mode
  Original packet:  | IP HDR | Data |
  Protected packet: | IP HDR | ESP HDR | Encrypted Data | ESP TRLR | ESP Auth |

ESP Tunnel Mode
  Original packet:  | IP HDR | Data |
  Protected packet: | New IP HDR | ESP HDR | Encrypted IP Packet (IP HDR | Data) | ESP TRLR | ESP Auth |
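
To make the transport and tunnel layouts above concrete, here is an added example (not code from the slides) that builds and checks ESP packets using the NULL encryption algorithm (RFC 2410) with HMAC-SHA-256-128 integrity (RFC 4868). NULL encryption keeps the payload readable so every field can be inspected; the key, SPI and packet contents are constructed, and the 20-byte IP headers are stand-ins.

```python
"""ESP encapsulation/decapsulation with NULL encryption (RFC 4303, RFC 2410)."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # Next Header in tunnel mode: a whole IPv4 packet follows
IPPROTO_TCP = 6    # Next Header in transport mode for a TCP segment
ICV_LEN = 16       # HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128)
KEY = bytes(range(32))   # constructed sample integrity key; never reuse a sample key


def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int, key: bytes = KEY) -> bytes:
    """Return SPI | seq | payload | padding | pad length | next header | ICV.

    The ICV covers everything from the SPI to the Next Header byte and never
    the outer IP header, which is why ESP survives NAT where AH does not.
    """
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # default pad pattern 1, 2, 3, ... (RFC 4303)
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp: bytes, key: bytes = KEY):
    """Verify the ICV and strip the trailer; return (spi, seq, next_header, inner)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, inner


def esp_intact(esp: bytes, key: bytes = KEY) -> bool:
    """True if the ESP packet passes integrity verification."""
    try:
        esp_decapsulate(esp, key)
        return True
    except ValueError:
        return False


def transport_mode(ip_hdr: bytes, segment: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: original IP HDR | ESP HDR | segment | ESP TRLR | ESP Auth."""
    return ip_hdr + esp_encapsulate(spi, seq, segment, IPPROTO_TCP)


def tunnel_mode(new_ip_hdr: bytes, original_packet: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: new IP HDR | ESP HDR | whole original IP packet | ESP TRLR | ESP Auth."""
    return new_ip_hdr + esp_encapsulate(spi, seq, original_packet, IPPROTO_IPIP)
```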

Choosing Authentication Requirements

Option: Description

Request authentication for inbound and outbound connections: Ask that all
inbound/outbound traffic be authenticated, but allow the connection if
authentication fails.

Require authentication for inbound connections and request authentication
for outbound connections: Require that inbound traffic be authenticated or
it will be blocked. Outbound traffic can be authenticated but will be
allowed if authentication fails.

Require authentication for inbound and outbound connections: Require that
all inbound/outbound traffic be authenticated or the traffic will be
blocked.

Authentication Methods

Method: Key Points

Default: Use the authentication method configured on the IPsec Settings
tab.

Computer and User (Kerberos V5): You can request or require that both the
user and the computer authenticate before communications can continue;
domain membership required.

Computer (Kerberos V5): Request or require the computer to authenticate
using Kerberos V5; domain membership required.

User (Kerberos V5): Request or require the user to authenticate using
Kerberos V5; domain membership required.

Computer certificate: Request or require a valid computer certificate;
requires at least one CA. Only accept health certificates: request or
require a valid health certificate to authenticate; requires IPsec NAP.

Advanced: Configure any available method; you can specify methods for
First and Second Authentication.

Determining a Usage Profile

Security settings can change dynamically with the network location type.

Windows supports three network types, and programs can use these locations
to automatically apply the appropriate configuration options:
Domain: selected when the computer is a domain member
Private: networks trusted by the user (home or small office network)
Public: default for newly detected networks; usually the most restrictive
settings are assigned because of the security risks present on public
networks

The network location type is most useful on portable computers, which are
likely to move from network to network.

Lesson 3: Configuring IPsec NAP Enforcement
  IPsec Enforcement for Logical Networks
  IPsec NAP Enforcement Processes
  Requirements to Deploy IPsec NAP Enforcement

IPsec Enforcement for Logical Networks

(Slide diagram of the three logical networks. Restricted Network: a
non-compliant NAP client (running SHAs, the NAP agent, and NAP ECs) and a
non-NAP-capable client. Boundary Network: NAP enforcement servers (HRA,
VPN, 802.1X, DHCP, NPS proxy), the NAP administration server (network
policies, NAP health policies, connection request policies, SHVs), and
remediation servers. Secure Network: a compliant NAP client (SHAs, NAP
agent, NAP ECs) and secure servers. Also labelled: NPS servers, certificate
services, e-mail servers, NAP policy servers.)

IPsec NAP Enforcement Processes (1)

IPsec NAP Enforcement includes:
Policy validation
NAP enforcement
Network restriction
Remediation
Ongoing monitoring of compliance

(Slide diagram: Internet, Perimeter Network, and Intranet, with a VPN
Server, IEEE 802.1X devices, DHCP Server, Health Registration Authority,
Active Directory, NAP Health Policy Server, and a Restricted Network
containing Remediation Servers and a NAP client with limited access.)

IPsec NAP Enforcement Processes (2)

1. The IPsec EC component sends its current health state to the HRA.

2. The HRA sends the NAP client's health state information to the NAP
health policy server.

3. The NAP health policy server evaluates the health state information of
the NAP client, and sends the results to the HRA. If the NAP client is not
compliant, the results include health-remediation instructions.

4. If the health state is compliant, the HRA obtains a health certificate
for the NAP client. The NAP client can now initiate IPsec-protected
communication with other compliant computers, using its health certificate
for IPsec authentication.

5. If the health state is not compliant, the HRA informs the NAP client
how to correct its health state and does not issue a health certificate.
The NAP client cannot initiate communication with other computers that
require a health certificate for IPsec authentication. However, the NAP
client can initiate communications with remediation servers to correct its
health state.

IPsec NAP Enforcement Processes (3)

6. The NAP client sends update requests to the appropriate remediation
servers.

7. The remediation servers provision the NAP client with the required
updates for compliance with health requirements. The NAP client updates
its health state information.

8. The NAP client sends its updated health state information to the HRA,
and the HRA sends the updated health state information to the NAP health
policy server.

9. Assuming that all the required updates were made, the NAP health policy
server determines that the NAP client is compliant and sends that result to
the HRA.

10. The HRA obtains a health certificate for the NAP client. The NAP client
can now initiate IPsec-protected communication with other compliant
computers.

Requirements to Deploy IPsec NAP Enforcement


Requirements for deploying IPsec NAP Enforcement:

Active Directory

Active Directory Certificate Services

Network Policy Server

Health Registration Authority

Review Questions

Under what circumstances would Authentication Exemption be useful in a
Connection Security Rule?

What is the difference between the ESP protocol and the AH protocol when
using IPsec?

What encryption algorithms are available for the ESP protocol in Windows
Server 2008?

If you need secure communications to a particular domain server and must
support connections from both domain and non-domain computers, and you
want only a single authentication method, what method is best for this
scenario?

Is it possible for a computer in the restricted logical network to access
resources on a server in the secure logical network?

What types of computers would you typically find within the restricted
logical network in an IPsec NAP environment?
