2. The IP Security Policy Wizard Welcome window appears, as shown in Figure 10.11. Click the Next button. www.syngress.com Planning, Implementing, and Maintaining Internet Protocol Security • Chapter 10 737 Figure 10.10 Creating a Custom IPSec Policy Figure 10.11 The IP Security Policy Wizard. 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 737 3. The IP Security Policy Name window appears, prompting you to give your IPSec policy a name and description, as shown in Figure 10.12.You can choose to accept the default name (not recommended, as it’s not very descriptive), or you can enter a new name and description.Then click the Next button. 4. The next window allows you to specify how the policy will respond to requests, as shown in Figure 10.13. Accept the default (Activate the default response rule) or clear the check box, and then click the Next button www.syngress.com 738 Chapter 10 • Planning, Implementing, and Maintaining Internet Protocol Security Figure 10.12 Enter a IP Security Policy Name Figure 10.13 Specify How the Policy Will Respond to Secure Communication Requests 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 738 5. The Default Rule Authentication Method window appears, as shown in Figure 10.14. Select a different authentication method or accept the default, Active Directory default (Kerberos V5 protocol), and then click Next. NOTE Nothing special is required to use Kerberos authentication. If you select to use a certificate for authentication, you will need a PKI implementation and you must specify the certification authority to issue the certificate. If you select to use a pre- shared key, you must enter a string of characters that is also known to the party with which you are communicating. 6. The Completing the IP Security Policy Wizard window appears, as shown in Figure 10.15.You can choose to edit the properties of the policy (the default) or clear the check box if you do not wish to edit the properties at this time. Click Finish to complete the wizard. For this example, we will leave the Edit proper- ties box selected. www.syngress.com Planning, Implementing, and Maintaining Internet Protocol Security • Chapter 10 739 Figure 10.14 Select the Default Rule Authentication Method 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 739 7. When you select the option to edit properties, the New IP Security Policy Properties dialog box opens, as shown in Figure 10.16.This dialog box allows you to edit the IP security rules and change the general properties of the rule, such as the name and description. Click the Edit button in this dialog box. 8. The Edit Rule Properties dialog box opens, as shown in Figure 10.17. Here, you can add, edit, or remove security methods; set the security methods that can be used when working with another machine; and select to use session key perfect forward secrecy (PFS).You can also arrange the order of precedence by using the www.syngress.com 740 Chapter 10 • Planning, Implementing, and Maintaining Internet Protocol Security Figure 10.15 Completing the IP Security Policy Wizard Figure 10.16 IP Security Policy Properties 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 740 Move up and Move down buttons to change a method’s position in the list. After making your selections, you can close the dialog box, or continue and select authentication methods. For this example, click the Authentication Methods tab. 9. The Authentication Methods tab, shown in Figure 10.18, allows you to choose a trust method for communicating client computers. Click Add to add a method (again, your selections include using a certificate or a pre-shared key).You can change the order of precedence for these authentication methods in the same manner as described in Step 7. Click OK to close the dialog box. www.syngress.com Planning, Implementing, and Maintaining Internet Protocol Security • Chapter 10 741 Figure 10.17 Edit the IP Security Policy Security Methods Figure 10.18 Edit the IP Security Policy Authentication Methods 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 741 10. After the policy has been edited, you need to assign the policy. Before you assign the policy, make sure that you have the IPSec service started.To assign the policy, right-click the policy name in the right pane and select Assign, as shown in Figure 10.19. NOTE The policy must be assigned before it can be used, and the IPSec service must be started before you assign the policy. EXAM WARNING Ensure that you have the appropriate rights assigned to the account you will use to manage IPSec policies. To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory. To administer IPSec policies on a local or remote computer, you must be a member of the Administrators group on the local or remote computer. www.syngress.com 742 Chapter 10 • Planning, Implementing, and Maintaining Internet Protocol Security Figure 10.19 Assign the Newly Created IP Security Policy 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 742 Defining Key Exchange Settings You can define key exchange settings that apply to IP security policy. Open the MMC containing the security policy, and follow these instructions for modifying the policy: 1. Select the policy you wish to modify by double-clicking that policy. 2. Select the General tab and click the Settings button. 3. To force reauthentication and the negotiation of new master key keying material each time a new session key is required, click Master key perfect forward secrecy (PFS). 4. To cause the reauthentication and new master key regeneration based on number of minutes, type in a value for Authenticate and generate a new key after every number minutes. If you require a different setting, you can add a value in the Authenticate and gen- erate a new key after every number sessions. This will set a maximum limit on the number of times a master key or its base keying material can be reused to generate the ses- sion key.When this limit is reached it will force a reauthentication with a new master key generation. If you have enabled Master key perfect forward secrecy (PFS), the number of ses- sions is set to 1 by default and cannot be reconfigured. For special requirements on the master key exchange, select the methods and use master key PFS where it is required for interoperability. By default, this setting is disabled, which should be appropriate in most environments. If you set the session limit to 0, it will cause rekeys to be determined based www.syngress.com Planning, Implementing, and Maintaining Internet Protocol Security • Chapter 10 743 Perfect Forward Secrecy You can use perfect forward secrecy (PFS) to force reauthentication and negotia- tion of a new master key any time a new session key is required. There are two types of PFS used in Microsoft’s IPSec implementation: master key PFS and session key PFS. Master key PFS should be used when it’s needed for interoperability. By default, it is disabled. One reason is that it requires a lot of resources on the domain controller to perform the reauthentications (assuming Kerberos is the authentica- tion protocol). Session key PFS is not as resource-intensive. Reauthentication is not required. You can configure PFS separately for master and session keys. PFS doesn’t determine when a new key is generated (as do key lifetimes). Instead, it is used to determine how new keys are generated, so that if one key is compromised, this won’t compromise the entire communication. With PFS enabled, additional keys cannot be created from the keying material used to gen- erate a particular key. Configuring & Implementing… 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 743 only on time. If you work in a performance-based environment, keep in mind that if you enable master key PFS, it could affect performance because each quick mode will require a new main mode negotiation. Managing Filter Lists and Filter Actions To manage IP filter lists and filter actions, open the IP Security Policy Management MMC and select the policy you wish to modify by double-clicking that policy. In the Rules tab, select the rule you wish to modify that contains the IP filter and double-click it. Select the IP Filter List tab and double-click the IP filter that contains the filter list you want to configure.Then do one of the following: ■ Click Add to add a filter list. ■ Select an additional filter that needs modifying and select Edit. ■ To delete an existing filter, choose the filter and click the Remove button. To edit or modify a filter in the IP Filter properties window, double-click the filter, choose the Addresses tab, and then select the Source Address drop-down box. Choose a source address as follows: ■ My IP Address Secures packets from all IP addresses on the computer. ■ Any IP Address Secures packets from any computer. ■ A specific DNS name Secures packets from the Domain Name System (DNS) name that you specify in Host name.This is available only when creating new filters. ■ A specific IP address Secures packets from only the IP address that you enter in IP address. ■ A specific IP subnet Secures packets from the IP subnet indicated by the IP address that you specified in IP address and the subnet mask that you specify in Subnet mask. ■ DNS Servers dynamic Secures packets from the DNS server that the com- puter is using.The filter is updated as needed, and it will automatically detect changes in the DNS server addresses. ■ WINS Servers dynamic Secures packets from the WINS server that the com- puter is using.The filter is updated as needed, and it will automatically detect changes in the WINS server addresses. ■ DHCP Server dynamic Secures packets from the DHCP server that the com- puter is using.The filter is updated as needed, and it will automatically detect changes in the DHCP server addresses. www.syngress.com 744 Chapter 10 • Planning, Implementing, and Maintaining Internet Protocol Security 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 744 ■ Default Gateway dynamic Secures packets from the default gateway that the computer is using.The filter is updated as needed, and it will automatically detect changes in the default gateway server addresses. Select the Destination Address and repeat the same steps for the destination address. Next, select the desired Mirrored setting, as follows: ■ To create two filters based on the filter settings, with one filter for traffic to the destination and one filter for traffic from the destination, select the Mirrored check box. ■ To create a single filter based on filter settings, uncheck the Mirrored box. ■ To create a filter for an IPSec tunnel, uncheck the Mirrored box and create two filter lists.The first filter list describes outbound traffic, and the other filter describes inbound traffic. Also, create two rules that use the inbound and out- bound filter lists in the IP security policy. NOTE Mirrored IPSec filters are used to create two filters: one for traffic going to the des- tination and another filter for traffic coming from the destination computer. Enter a description for the filter in the Description tab.To filter by a specific port or protocol, select Configure advanced filter settings on the Protocol tab. When modifying IPSec rules, remember the following: ■ Outbound packets that do not match any filter are sent unsecured. ■ Inbound packets not matching any filters are allowed. ■ Filters are applied in order, with the most specific followed by least specific. ■ Filters are not applied in the order in which they appear in the filter list. ■ Only address-based filters are supported. ■ Protocol-specific filters are not supported. ■ Port-specific filters are not supported. ■ Tunnel filters should not be mirrored. ■ IKE security requests result in the source IP address of the request being used to find a matching filter. ■ IKE response is determined by the security action and tunnel settings that are associated with that particular filter. www.syngress.com Planning, Implementing, and Maintaining Internet Protocol Security • Chapter 10 745 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 745 ■ Filters used in tunnel rules are matched first. ■ End-to-end transport filters are matched after tunnel rule filters have been matched. Assigning and Applying Policies in Group Policy Now we will take a look at how to assign or unassign IPSec policy in Group Policy for Active Directory.These settings will take effect the next time Group Policy is refreshed, and if a new policy is assigned over an existing policy, the current policy is automatically unas- signed. Use the IP Security Policies on Active Directory within the Group Policy console to assign policies to apply to Active Directory objects. Follow these steps to assign or unas- sign IPSec policy in Group Policy for Active Directory-based Group Policy: 1. Click Start | Administrative Tools | Active Directory Computers and Users and right-click the domain or OU for which you want to set Group Policy. 2. Click Properties, and then click the Group Policy tab. 3. Select the Group Policy Object (GPO) you wish to modify and choose Edit. Alternatively, select New to create a new GPO (and type a descriptive name for it), and then click Edit. www.syngress.com 746 Chapter 10 • Planning, Implementing, and Maintaining Internet Protocol Security Setting Up an IPSec Test Lab You should set up an IPSec test lab with a server and a few client machines running the same operating system that your clients are using, so you can test IPSec policy configurations before deploying them on your production network. Use the lab to ensure that you can perform basic IPSec management tasks after you get the IPSec policies and filters set up. Some of these tasks include the following: ■ Secure Web traffic ■ Secure ping ■ Communication with a fallback server ■ Communication with a secured server and communication with an IPSec/VPN connection In a test lab, you can test and make changes to the environment without the possibility of causing a work stoppage on your live network. Be careful when rolling out IPSec, because misconfigured IPSec policies can shut down communications on your network. Head of the Class 255_70_293_ch10.qxd 9/10/03 6:04 PM Page 746 [...]... you learned about the key-management and key-exchange protocols associated with IPSec, including ISAKMP and IKE, and the Oakley key-determination protocol and the Diffie-Hellman key-generation protocols.You learned about the DES and 3DES encryption algorithms and the MD-5 and SHA hashing algorithms We covered the basics of how SAs function, and you learned that IKE uses a bidirectional SA called a main... IPSec: AH and ESP.You learned that AH provides for data authentication and integrity, and ESP also provides those services, and also adds data confidentiality AH and ESP can be used separately or together You learned that an SA is an agreement between two IPSec-enabled computers as to the security settings that will be used for a communication session.The SA is negotiated according to the settings on each... Services\PolicyAgent\ Oakley\EnableLogging DWORD Registry setting to a value of 0 Remain started Remain started Stop and restart the IPSec service by using net stop policyagent and net start policyagent at the command prompt N /A Stop and restart the SIPSec service by using net stop policyagent and net start policyagent at the command prompt N /A Stop and restart the IPSec service by using net stop policyagent and. .. net start policyagent at the command prompt N /A Stop and restart the IPSec service by using net stop policyagent and net start policyagent at the command prompt Page 7 58 Disable Windows Server 2003 Windows Server 2003 Windows XP Professional 6:04 PM Registry Setting to Enable IKE Tracing 9/10/03 Enable/Disable Operating IKE Tracing Log System 255_70_293_ch10.qxd Table 10.9 IKE Tracing Log Scenarios... Broadcast I Multicast I IKE I Kerberos I RSVP IPSec will exempt all multicast, broadcast, RSVP, Kerberos, and IKE traffic if you are using Windows XP and Windows 2000.The Windows Server 2003 family only exempts IKE traffic from traffic filtering by default Actions such as block, configure, and permit filter actions can be configured just for broadcast and multicast traffic SAs will not be negotiated for broadcast... confidentiality “scrambles” the data so it cannot be read by unauthorized persons Nonrepudiation is a way to ensure that the sender of a message will not be able to later deny sending it You learned about the two modes in which IPSec can operate: tunnel mode and transport mode.We examined how tunnel mode is used primarily between gateways or between a server and a gateway.You learned that transport mode,... IPSec AH tunnel mode? A: The AH tunnel mode is used by IPSec to ensure packet integrity and authentication by encapsulating an IP packet with an Authentication Header (AH) and an IP packet AH does not provide encryption of data Q: What is the ESP tunnel mode? A: The ESP tunnel mode is used by IPSec for data confidentiality.The mode works by encapsulating the packet with an Encapsulating Security Payload... Before secure data can be exchanged, a security agreement between the two communicating computers must be established.This security agreement is called an SA An SA is a combination of three things: security protocols, a negotiated key, and an SPI IPSec uses cryptography to provide three basic services: authentication, data integrity, and data confidentiality IPSec in Windows Server 2003 has two different... IPSec data and TCP checksums This speeds up, or accelerates, the process because it is being handled by a chip on the network interface card (NIC) instead of by the operating system software NICs that are capable of offloading IPSec cryptographic functions can also perform a large-send offload, which is the processing of very large TCP segments for accelerated transmissions If a Plug and Play NIC has this... Payload (ESP) and IP header as well as an ESP authentication trailer Q: On what Microsoft platforms does IPSec work? A: Native support for IPSec is provided in Windows 2000 ,Windows XP Professional, and Windows Server 2003 products Q: What is the strongest encryption method for key-exchange settings available when implementing IPSec in Windows Server 2003? A: Triple Data Encryption Standard (3DES), newly . Default Gateway dynamic Secures packets from the default gateway that the computer is using.The filter is updated as needed, and it will automatically detect changes in the default gateway server. modify and choose Edit. Alternatively, select New to create a new GPO (and type a descriptive name for it), and then click Edit. www.syngress.com 746 Chapter 10 • Planning, Implementing, and Maintaining. Master key perfect forward secrecy (PFS). 4. To cause the reauthentication and new master key regeneration based on number of minutes, type in a value for Authenticate and generate a new key after every