What Are Perimeter Networks?
A perimeter network is a network that is separated from an internal network and the Internet. Perimeter networks allow external users to gain access to specific servers that are located on the perimeter network while preventing direct access to the internal network.
Perimeter networks have the following characteristics:
1- Protected by one or more firewalls. Perimeter networks are separated from the Internet by one or more firewalls or routers. The perimeter network is usually also separated from the internal network by a firewall. The firewall protects the servers in the perimeter network from the Internet and filters traffic between the perimeter network and the internal network.
2- Contain publicly accessible servers and services. The servers in the perimeter network are usually accessible to users from the Internet. The types of servers or services that are often located in the perimeter network include VPN servers and clients, remote access servers (RASs) and clients, Web servers, application front-end servers, SMTP gateway servers, and proxy servers.
3- Must be accessible from the Internet. Because the servers on the perimeter network must be accessible from the Internet, the firewall protecting the perimeter network must allow network traffic from the Internet. This traffic must be filtered to ensure that only legitimate traffic enters the perimeter network. Because almost all network traffic will flow from the Internet to the perimeter network, most firewall rules can be configured to allow only inbound traffic.
4- Require network connectivity to the internal network. Frequently, the computers on the perimeter network must be able to connect to resources on the internal network. For example, VPN or RAS clients connect to the VPN or RAS server, but then must gain access from that server to the internal network. An SMTP gateway server must be able to forward messages to internal e-mail servers. An application front-end server may need to connect to a database server on the internal network. Often, users on the internal network must also be able to connect to servers in the perimeter network. This means that you must configure firewall access rules on the firewall between the perimeter network and the internal network to enable the required network traffic.
5- Require some level of network protection. The servers on the perimeter network must be partially isolated both from the Internet and the internal network. The firewalls on both sides of a perimeter network should not forward all traffic, but should filter traffic flowing in both directions. Only required network traffic should be allowed to pass between networks.
Benefits of Using a Perimeter Network
The main reason for using a perimeter network is to provide an additional layer of security. A perimeter network is commonly used for deploying publicly accessible servers while servers that should never be accessed from the Internet are located on the internal network. In this way, even if an attacker penetrates the perimeter network security, only the perimeter network servers are compromised.
The servers in the perimeter network usually do not contain confidential or private organization data. This data and critical applications are located on the internal network. By implementing a perimeter network, you ensure that there is an additional layer of security between the Internet and the internal servers.
The perimeter network can also be used to secure other connections to the internal network. For example, many organizations are using mobile clients such as wireless devices or cell phones to access information such as e-mail on the internal network. These devices greatly increase the security risks; one way to reduce that risk is to install the wireless access servers for these devices in the perimeter network and then use the internal firewall to filter traffic from these servers to the internal network. VPN servers and clients can be secured using the same method.
Implementing Perimeter Networks and Network Templates
Lesson 2: Configuring Multiple Networking on ISA Server
ISA Server Support for Multiple Networks
ISA Server 2004 uses networks to define blocks of IP addresses that may be directly attached to the ISA Server computer or IP addresses that may be remote networks. ISA Server uses these networks as components when you create access rules. ISA Server supports an unlimited number of networks.
Multinetworking means that you can configure multiple networks on ISA Server, and then configure network and access rules that inspect and filter all network traffic between all networks. Multinetworking enables flexible options for network configuration. One common network configuration is a three-legged firewall.
In this configuration, you create three networks:
1- The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network.
2- The internal client computers and servers that are not accessible from the Internet are located on an internal network.
3- The third network is the Internet.
ISA Server multinetworking functionality supports this configuration. You can configure how clients on the corporate network access the perimeter network, and how external clients access the perimeter network. You can also define access rules for all network traffic flowing from the Internal network to the Internet. You can also configure the relationships between the various networks, defining different network rules between each network.
You might also need to configure a more complicated network environment. In this scenario, you could have the following:
1- Two perimeter networks. Perhaps you are deploying some servers that are domain members and other servers that are stand-alone servers. The domain members need to be able to communicate with domain controllers that are located on your internal network. In this scenario, you could configure a second perimeter network for the servers that need to be members of the domain.
2- Two internal networks. You might have a group of client computers that needs to access the Internet using a different application or with security rules different from the other client computers. You can create an additional internal network and configure specific Internet access rules for each network.
3- VPN client and VPN remote-site networks. ISA Server defines a network for VPN clients, and you can define a network for each remote site connected with a site-to-site VPN connection.
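The three-legged configuration above, together with the perimeter-network characteristics from the first section (publish only specific servers, allow only the traffic the perimeter servers require, filter in both directions), can be checked against a small model. The following Python is an added example and not ISA Server code: the network address blocks, host addresses and rule names are constructed, and the evaluation (rules tried top to bottom, first match wins, everything unmatched denied) is this example's own simplification of how a firewall applies ordered access rules.

```python
"""Three-legged firewall model: network objects plus ordered access rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects (constructed sample addressing). Any address not listed here is
# treated as belonging to the External network, i.e. the Internet.
NETWORKS = {
    "Internal": (ip_network("10.0.0.0/8"),),
    "Perimeter": (ip_network("192.0.2.0/24"),),
}

ANY = frozenset({("*", 0)})  # protocol/port set meaning "any protocol, any port"

# Constructed hosts used by the sample rules.
WEB = "192.0.2.10"      # Web / application front-end server in the perimeter
SMTP_GW = "192.0.2.25"  # SMTP gateway in the perimeter
MAIL = "10.0.0.25"      # internal e-mail server
DB = "10.0.0.50"        # internal database server


def network_of(ip):
    """Return the name of the network object an address belongs to."""
    addr = ip_address(ip)
    for name, blocks in NETWORKS.items():
        if any(addr in block for block in blocks):
            return name
    return "External"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                          # "allow" or "deny"
    src: frozenset                       # source network names
    dst: frozenset                       # destination network names
    ports: frozenset = ANY               # allowed (protocol, port) pairs
    src_hosts: frozenset = frozenset()   # empty = any host in the source networks
    dst_hosts: frozenset = frozenset()   # empty = any host in the destination networks

    def matches(self, pkt):
        if network_of(pkt["src"]) not in self.src or network_of(pkt["dst"]) not in self.dst:
            return False
        if self.src_hosts and pkt["src"] not in self.src_hosts:
            return False
        if self.dst_hosts and pkt["dst"] not in self.dst_hosts:
            return False
        return ("*", 0) in self.ports or (pkt["proto"], pkt["port"]) in self.ports


RULES = (
    # Internet -> perimeter: only the published services, only on the published hosts.
    AccessRule("Publish Web server", "allow", frozenset({"External"}), frozenset({"Perimeter"}),
               frozenset({("tcp", 80), ("tcp", 443)}), dst_hosts=frozenset({WEB})),
    AccessRule("Publish SMTP gateway", "allow", frozenset({"External"}), frozenset({"Perimeter"}),
               frozenset({("tcp", 25)}), dst_hosts=frozenset({SMTP_GW})),
    # Perimeter -> internal: only what each perimeter server needs, from that server only.
    AccessRule("SMTP gateway to mail server", "allow", frozenset({"Perimeter"}), frozenset({"Internal"}),
               frozenset({("tcp", 25)}), src_hosts=frozenset({SMTP_GW}), dst_hosts=frozenset({MAIL})),
    AccessRule("Front-end to database", "allow", frozenset({"Perimeter"}), frozenset({"Internal"}),
               frozenset({("tcp", 1433)}), src_hosts=frozenset({WEB}), dst_hosts=frozenset({DB})),
    # Internal -> perimeter: administration of the perimeter servers.
    AccessRule("Manage perimeter servers", "allow", frozenset({"Internal"}), frozenset({"Perimeter"}),
               frozenset({("tcp", 3389)})),
    # Internal -> Internet: Web browsing only.
    AccessRule("Internal Web access", "allow", frozenset({"Internal"}), frozenset({"External"}),
               frozenset({("tcp", 80), ("tcp", 443)})),
)


def packet(src, dst, proto, port):
    return {"src": src, "dst": dst, "proto": proto, "port": port}


def evaluate(pkt, rules=RULES):
    """First matching rule decides; traffic that no rule allows is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default rule"


if __name__ == "__main__":
    for p in (packet("203.0.113.5", WEB, "tcp", 80),      # Internet -> published Web server
              packet("203.0.113.5", DB, "tcp", 1433),     # Internet -> internal database
              packet(SMTP_GW, DB, "tcp", 1433),           # SMTP gateway -> database
              packet("10.0.1.7", "198.51.100.1", "tcp", 22)):  # internal client -> Internet SSH
        print(f"{network_of(p['src'])} -> {network_of(p['dst'])} port {p['port']}: {evaluate(p)}")
```

Note that there is no rule at all from External to Internal, so even a packet addressed straight to the database server falls through to the default deny; the only path into the internal network is through a perimeter server, and only from the specific host and port the rule names.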
How to Create and Modify Network Objects
For a small organization with a fairly simple network, the default network objects may provide all the configuration options required. However, in a larger organization with a more complex network environment and more complicated requirements, you may need to create and modify the network objects.
To create a new network object, use the following procedure:
1. In the Microsoft ISA Server Management Console tree, expand the Configuration node and click Networks.
2. In the Details pane, click the Network tab.
3. On the Tasks tab, click Create a New Network.
4. On the Welcome to the New Network Wizard page, in the Network Name: box, type the name for the network. Click Next.
5. On the Network Type page, select the type of network you are creating. Select one of the following options:
■ External Network
■ Internal Network
■ Perimeter Network
■ VPN Site-To-Site Network
6. After selecting the network type, click Next.
7. If you selected an internal, perimeter, or external network type, on the Network Addresses page, click Add.
8. In the IP Address Range Properties page, type the starting and ending addresses, and then click OK.
9. On the Completing The New Network Wizard page, review the settings and then click Finish.
To modify a network, click the network in ISA Server Management Console and then click Edit Selected Network.
Enabling Secure Access to Internet Resources
Guidelines for Designing an Internet Usage Policy :
One of the first steps that an organization must take, as it prepares to grant access to Internet resources, is to define an Internet usage policy. An Internet usage policy defines what actions users are allowed to perform while they are connected to the Internet. The Internet usage policy becomes the basis for configuring the ISA Server settings to provide secure access to the Internet.
Internet usage policies should do the following:
1- Describe the need for an Internet usage policy. At first, users may resist the policy because they may interpret it as arbitrarily limiting what they can do, without any business reason. The policy should define exactly why it is being created. For many organizations, there are clear legal requirements for creating a policy that limits what users can do, especially for organizations that work with confidential and private client information. Frequently, understanding the rationale for a policy greatly decreases resistance to it.
2- Describe what the policy covers. The policy must include specific descriptions of what is acceptable and unacceptable Internet usage. This policy may define which applications can be used to access Internet resources, or what Internet resources can be accessed, as well as what applications and resources are denied by the policy.
3- Identify the people within the organization who are responsible for creating and enforcing the policy. If users have questions about the policy, or if policy restrictions prevent users from accessing resources that they need to do their jobs, users must have the means of resolving these issues. The easiest way to ensure this resolution is to provide users with the contacts they can use to get their answers quickly.
4- Define how violations are handled. The policy must define exactly what will happen to users who violate the security policy. Many security policies include levels of disciplinary action depending on the severity or recurrence of policy violations.
Now that you have developed the Internet usage policy, you are ready to implement that policy. Many of the restrictions that you have defined in the policy can be implemented using ISA Server to block access to specified resources.
ISA Server provides the following functionality to enable secure access:
1- Implementing ISA Server as a firewall. ISA Server provides a complete firewall solution that enables multilayer filtering. As a firewall, ISA Server secures access to the Internet by ensuring that no unauthorized traffic can enter the internal network.
2- Implementing ISA Server as a proxy server. When Firewall clients and Web Proxy clients connect to the ISA Server to gain access to Internet resources, ISA Server acts as a proxy server. ISA Server accepts the client request for Internet content, and then creates a new request that it sends to the Internet server. ISA Server hides the details of the internal network from the Internet. Only the ISA Server’s external IP address is transmitted on the Internet.
3- Using ISA Server to implement the organization’s Internet usage policy. ISA Server can be used to implement many Internet-use restrictions.
Enabling Secure Internet Access with ISA Server 2004
What Is Secure Access to Internet Resources?
Almost all organizations provide some level of Internet access for their users. The use of the Internet as a source of information and e-mail as a communication tool means that most organizations cannot afford to be without access to the Internet. At the same time, ensuring that the connection to the Internet is secure is critical.
So what is secure access to the Internet? At a minimum, providing secure Internet access for users in an organization means the following:
1- Users can access the resources that they need. To do their jobs, users in many organizations must be able to use a Web browser or other application to access Internet resources.
2- The connection to the Internet is secure. Users must be reasonably sure that they will not be attacked through the Internet connection. Ideally, the connection to the Internet should not reveal any information about the internal system that can be used to launch an attack against the client computer. Information about the computer, such as the computer name, user logon name, and shared folders, as well as details about the network configuration for the client computer, such as the client Internet Protocol (IP) address, should be hidden.
3- The data that users transfer to and from the Internet is secure. In some cases, users might send confidential personal information such as credit card information to the Internet or they might send private or confidential organizational information such as client data to the Internet. This data must be secured when it leaves the organization. If the data cannot be protected, you must prevent users from sending the information to the Internet.
4- Users cannot download malicious programs from the Internet. One of the ways attackers gain access to your network is by getting users to download malicious content. You must prevent users from inadvertently or deliberately causing damage to the network by downloading viruses or Trojan horse applications to their client computers.
Secure access to the Internet also means that the user’s actions comply with the organization’s security or Internet usage policy. This means the following:
1- Only users who have permission to access the Internet can access the Internet.
2- These users can use only approved protocols and applications to access Internet resources.
3- These users can gain access only to approved Internet resources, or these users cannot gain access to denied Internet resources.
4- These users can gain access to the Internet only in accordance with any other restrictions the organization may establish, such as when and from which computers access is permitted.
Installing and Managing ISA Server Clients
What Is a Web Proxy Client?
A Web Proxy client is a client computer that has an HTTP 1.1–compliant Web browser application and is configured to use the ISA Server computer as a Web Proxy server. Virtually all current Web browsers comply with this HTTP standard, so any client computer can be configured as a Web Proxy client, including computers which are SecureNAT or Firewall clients.
When a Web Proxy client tries to access resources on the Internet, the requests are directed to the Firewall service on the ISA Server computer. If the access rule is configured to require authentication, the ISA Server computer requests authentication from the Web Proxy client. The Firewall service then determines whether the user is allowed to access the Internet and checks the access rules to determine whether the request is allowed. For example, you can configure access rules to block access to specified sites, or to block requests with certain keywords in the client request. The Firewall service may also cache the requested object or serve the object from the ISA Server cache.
One of the advantages of using Web Proxy clients is that most client computers already run compatible Web browsers, so Web Proxy clients require no special software to be installed. However, you must configure the Web browser to use the ISA Server computer as a proxy server. In most cases, this is a simple configuration. If you install Firewall Client software, you can use it to configure the Web browser to use the ISA Server computer as a proxy server. After you have completed the initial configuration of the Web Proxy client, you can also automate the configuration of the Web Proxy client using the ISA Server Management Console.
Using Web Proxy clients provides several advantages:
■ As mentioned earlier, almost all client computers already run compatible Web browsers, which means you do not need to install any software on the client computers. All you need to do is configure the software, and this can be automated.
■ Web Proxy clients support authentication, so you can restrict access to Internet resources based on users and groups.
■ Client computers can be running any operating system that supports compatible Web browsers.
■ All client requests and responses are passed through the Web Proxy filter on ISA Server. This means that you can use application layer filtering to filter all traffic from the Web Proxy clients to the Internet, and from the Internet to the Web Proxy clients.
Guidelines for Choosing an ISA Server Client
ISA Server clients are used to provide access to Internet resources. This means that one of the choices that you must make as you deploy ISA Server 2004 is which ISA Server client you will deploy.
MCP 70-299 : 8 - Planning and Configuring IPSec
IP Filters :
IP filters describe network traffic and are used by IPSec policies to determine whether an IP security rule should apply to an individual packet. IP filters can specify traffic to or from a set of IP addresses, WINS servers, DNS servers, DHCP servers, or a default gateway. You can also configure an IP filter to match a packet’s source or destination port number, or even a packet’s IP protocol number. Each of the following examples can be specified by either a single IPSec IP filter or a combination of multiple filters:
■ All traffic to or from IP address 10.4.22.17
■ All Internet Control Message Protocol (ICMP) traffic to or from the default gateway
■ All traffic sent to TCP port 80, except traffic sent from the internal network
■ All outbound connections, except those to specific servers
Multiple IP filters can be combined into an IP filter list. In fact, adding an IP filter to an IP filter list is the only thing you can do with an IP filter, because IPSec policies only allow you to specify IP filter lists. If your needs are simple, you can make an IP filter list that consists of a single IP filter. However, most IP filter lists will consist of multiple IP filters.
Filter Actions :
You use filter actions, also referred to as security methods, to define how an IPSec policy should handle traffic that matches an IP filter. A filter action responds in one of three ways: it drops the traffic, it allows the traffic, or it attempts to negotiate security. If you choose the Permit or Block options for a filter action, there is nothing left to configure. In fact, you never need more than one filter action for each of the Permit and Block options.
There are several additional settings to consider when you configure a filter action to negotiate security. First, you must choose whether the server will allow communications with clients that do not support IPSec, by selecting or clearing the Allow Unsecured Communication With Non-IPSec-Aware Computers check box. You can require IPSec only when all client computers are IPSec-enabled; otherwise, clients without IPSec will be denied access to the server. Generally, this setting is enabled only when Active Directory is used to deploy IPSec configuration settings to all networked computers.
You should use the Filter Action Wizard to configure filter actions whenever possible, because configuring integrity and encryption settings can be complicated. The IP Traffic Security page of the wizard enables you to specify the protection suites associated with the filter action. You can choose Integrity And Encryption, Integrity Only, or Custom. If you select Integrity And Encryption, the wizard configures the filter action with ESP-based integrity verification (using Secure Hash Algorithm 1 [SHA1] by default) and encryption (using 3DES by default). If you select Integrity Only, Triple-Data Encryption Standard (3DES) encryption is disabled.
IP Security Rules :
An IP security rule consists of an IP filter list, a filter action, and, optionally, a connection type and tunnel endpoint. You can specify only one IP filter list and one filter action per rule. If the rule pertains to traffic traveling between networks across an IPSec tunnel, you should provide the IP address of the tunnel endpoint. This does not conflict with your ability to add IP filter lists; you can configure an endpoint and apply the rule only to traffic on a specific subnet within the destination network accessible through the IPSec tunnel.
The default response rule is used to configure the computer to respond to requests for secure communication when no other rules match the traffic. If an active policy does not have a rule defined for a computer that is requesting secure communication, the default response rule is applied and security is negotiated. For example, when Computer A communicates securely with Computer B, and Computer B does not have an inbound filter defined for Computer A, the default response rule is used.
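The building blocks described above (IP filters grouped into filter lists, filter actions that permit, block or negotiate, rules that pair one list with one action, and the default response rule that answers peers no rule covers) can be exercised with a small model. The following Python is an added example and not Windows or Microsoft code: the server address, rule names and the policy are constructed; mirrored filters are modelled by matching the packet with its endpoints swapped; the "most specific filter wins" ordering is the model's simplification of the filter weighting Windows IPSec applies; and the negotiate outcome depends only on whether the peer supports IPSec, which stands in for the real IKE negotiation.

```python
"""Model of IPSec policy evaluation: filters, filter lists, filter actions, rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str        # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0


def addr_match(spec, addr, me):
    """spec is "any", "me" (this computer's own address) or an address / CIDR block."""
    if spec == ANY:
        return True
    if spec == "me":
        return addr == me
    return ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class IPFilter:
    src: str = ANY
    dst: str = ANY
    protocol: str = ANY
    dst_port: int = 0          # 0 = any port
    mirrored: bool = True      # also match the reply direction (src and dst swapped)

    def _one_way(self, pkt, me):
        return (addr_match(self.src, pkt.src, me) and addr_match(self.dst, pkt.dst, me)
                and self.protocol in (ANY, pkt.protocol) and self.dst_port in (0, pkt.dst_port))

    def matches(self, pkt, me):
        if self._one_way(pkt, me):
            return True
        # A reply travels dst -> src and carries the filtered port as its *source* port.
        reply = Packet(pkt.dst, pkt.src, pkt.protocol, pkt.dst_port, pkt.src_port)
        return self.mirrored and self._one_way(reply, me)

    def specificity(self):
        """Model simplification: the filter with the most non-wildcard fields takes precedence."""
        return sum((self.src != ANY, self.dst != ANY, self.protocol != ANY, self.dst_port != 0))


@dataclass(frozen=True)
class FilterAction:
    kind: str                       # "permit", "block" or "negotiate"
    allow_unsecured: bool = False   # Allow Unsecured Communication With Non-IPSec-Aware Computers


@dataclass(frozen=True)
class SecurityRule:
    name: str
    filters: tuple                  # the rule's single IP filter list
    action: FilterAction            # the rule's single filter action


@dataclass(frozen=True)
class SecurityPolicy:
    rules: tuple
    default_response: bool = True   # whether the default response rule is activated


def evaluate(policy, pkt, me, peer):
    """peer is "ipsec" if the remote computer supports IPSec (and asks for it), "plain" otherwise.
    Returns "cleartext", "secured" or "blocked"."""
    best = None
    for rule in policy.rules:
        for f in rule.filters:
            if f.matches(pkt, me) and (best is None or f.specificity() > best[0].specificity()):
                best = (f, rule.action)
    if best is None:
        # No rule covers this traffic: the default response rule still answers a peer asking for security.
        return "secured" if peer == "ipsec" and policy.default_response else "cleartext"
    action = best[1]
    if action.kind == "permit":
        return "cleartext"
    if action.kind == "block":
        return "blocked"
    if peer == "ipsec":
        return "secured"
    return "cleartext" if action.allow_unsecured else "blocked"


ME = "10.0.0.5"  # constructed address of the server this policy is assigned to
POLICY = SecurityPolicy((
    SecurityRule("Require security for SQL", (IPFilter(dst="me", protocol="tcp", dst_port=1433),),
                 FilterAction("negotiate", allow_unsecured=False)),
    SecurityRule("Secure file sharing when possible", (IPFilter(dst="me", protocol="tcp", dst_port=445),),
                 FilterAction("negotiate", allow_unsecured=True)),
    SecurityRule("Permit public Web", (IPFilter(dst="me", protocol="tcp", dst_port=80),), FilterAction("permit")),
    SecurityRule("Block Web from lab subnet", (IPFilter(src="192.0.2.0/24", dst="me", protocol="tcp", dst_port=80),),
                 FilterAction("block")),
    SecurityRule("Block Telnet", (IPFilter(dst="me", protocol="tcp", dst_port=23),), FilterAction("block")),
))

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.9", ME, "tcp", 40000, 1433), Packet("10.0.0.9", ME, "tcp", 40000, 445),
                Packet("192.0.2.7", ME, "tcp", 40000, 80), Packet("10.0.0.9", ME, "tcp", 40000, 25)):
        print(pkt.dst_port, evaluate(POLICY, pkt, ME, "ipsec"), evaluate(POLICY, pkt, ME, "plain"))
```

The SQL rule shows the effect of clearing the Allow Unsecured Communication check box: a peer without IPSec is refused outright, whereas the file-sharing rule falls back to cleartext. The two port-80 filters show why a per-subnet filter can override a general one, and the SMTP packet (port 25, covered by no filter) shows the default response rule accepting a peer that requests security while plain peers keep talking IP.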
Configuring IP Security Policies with Graphical Tools :
IP filters, filter actions, and IP security rules are only useful when added to an IP security policy. When configuring IP security policies on the local computer, you can use the IP Security Policy Management snap-in. You can also use the Group Policy Object Editor snap-in to edit either local or domain GPOs. In the Group Policy Object Editor, expand Computer Configuration, Windows Settings, Security Settings, and then click either IP Security Policies On Local Computer or IP Security Policies On Active Directory. Because this node might have several different labels, this chapter will refer to it as simply IP Security Policies.
To create a new security policy, right-click the applicable IP Security Policies node in the Group Policy Object Editor or IP Security Policy Management snap-in, and then click Create IP Security Policy. This opens the IP Security Policy Wizard, which guides you through the process of creating a security policy.
During the configuration process, you will be prompted to activate the default response rule. In most cases, you should enable the default response rule. If you do, you will be prompted to select an authentication method. For more information about rules, see the section "IP Security Rules" in this lesson.
Configuring IP Security Policies with Command-Line Tools :
Though you should usually use graphical tools to configure IP security policies, Windows Server 2003 also provides the Netsh command-line tool for scripting IPSec configuration. Netsh is a native Windows Server 2003 command-line scripting tool that you can use to display or modify the local or remote network configuration. The Netsh IPSec commands cannot be used on any other version of Windows.
To use the command line to configure IPSec policies on computers running Windows XP, use Ipseccmd.exe, which is provided on the Windows XP CD, in the \Support\Tools folder. To use the command line to configure IPSec policies on computers running Windows 2000, use Ipsecpol.exe, which is provided with the Windows 2000 Server Resource Kit.
To use Netsh interactively to view or modify IPSec settings, open a command prompt and run the command Netsh with no parameters. This starts the Netsh interactive command prompt. Then type Ipsec static or Ipsec dynamic to set the context for Netsh. For example, the following commands launch Netsh and set the context to Ipsec static:
C:\>netsh
netsh>ipsec
netsh ipsec>static
netsh ipsec static>
Static mode allows you to create, modify, and assign policies without affecting the active IPSec policy. Dynamic mode allows you to display the active state and immediately implement changes to the active IPSec policy. Dynamic Netsh commands affect the service only when it is running. If it is stopped, dynamic policy settings are discarded.
MCP 70-299 : 8 - Planning and Configuring IPSec
Unfortunately, IP was not originally designed with authentication or encryption in mind. As the Internet grew and TCP/IP became the network protocol of choice, this unsecured form of communication became the standard. IPSec allows computers to continue using IP, while adding authentication and encryption.
However, most computers on IP networks today do not have IPSec enabled. As a result, computers with IPSec enabled are usually configured to politely ask remote computers to use IPSec to improve the security of the connection. If the two computers determine that they both have IPSec configured, and can agree upon a set of security standards, they can begin to use IPSec. This process is known as IPSec negotiation.
Not all IPSec negotiations are successful. Often the negotiations will fail because one of the two computers is not capable of using IPSec. Alternatively, the computers might not have the same security protocols enabled, which would mean that they wouldn’t be able to agree on a set of standards. In these cases, the computers will either revert to unprotected IP communications or determine that they will not communicate at all if they cannot use IPSec.
Internet Key Exchange (IKE) is the algorithm by which the first secure Security Association, or SA (a secure channel), is negotiated. IKE is a combination of the Internet Security Association Key Management Protocol (ISAKMP) and the Oakley Key Determination protocol and performs a two-phase negotiation: Main Mode and Quick Mode.
Main Mode
The initial long form of the IKE negotiation (Main Mode or Phase 1) performs the authentication and generates the master key material to establish an ISAKMP SA between machines. The result is referred to as an ISAKMP SA or an IKE SA. After the ISAKMP SA is established, it will remain in place for the period of time defined on the host computers—by default, it will last for 8 hours on computers running Windows. If data is actively being transferred at the end of the 8 hours, the Main Mode security association (SA) will be renegotiated automatically.
Main Mode negotiation occurs in three parts:
1. Negotiation of protection suites
2. Diffie-Hellman exchange
3. Authentication
Quick Mode
Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of SAs that are negotiated on behalf of the IPSec service, the SAs created during Quick Mode are called the IPSec SAs. Two SAs are established, each with its own Security Parameter Index (SPI) label. One IPSec SA is used for inbound traffic, and the other is used for outbound traffic. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specific IP traffic is also selected.
IPSec hosts will perform IKE Quick Mode negotiation on a regular basis to reduce the risk of an attacker using brute force methods to determine the keys used in the communications. Each renegotiation re-establishes two new IPSec security associations with new keys and SPIs. By default, computers running Windows will perform Quick Mode negotiation every hour (3600 seconds) or after 100 megabytes have been transferred.
Either side of the connection can start the renegotiation process. Therefore, the site that first reaches the defined session key limit will initiate renegotiation. Lesson 3 describes how to specify session key limits.
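The two phases described above can be followed in code: Main Mode agrees a Diffie-Hellman secret and derives the ISAKMP SA master key material, and Quick Mode derives a pair of IPSec SAs (inbound and outbound, each with its own SPI) that are replaced whenever the one-hour or 100-megabyte limit is reached. The following Python is an added example, not the Windows IKE implementation: the Diffie-Hellman group is a tiny demonstration prime (real IKE uses a 1024-bit or larger MODP group), the key derivation follows the shape of the RFC 2409 formulas but is not a byte-exact implementation, and the 100 MB limit is taken as 100 × 1024 × 1024 bytes, which is an assumption of the example.

```python
"""IKE Main Mode key agreement and Quick Mode rekeying, as a Python model (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group: a 127-bit Mersenne prime, far too small for real use.
P = 2**127 - 1
G = 3


def dh_public(private):
    return pow(G, private, P)


def dh_shared(private, peer_public):
    return pow(peer_public, private, P)


def main_mode_keys(private, peer_public, nonce_i, nonce_r):
    """Main Mode: derive the ISAKMP SA master key material from g^xy and both nonces.
    SKEYID = prf(Ni | Nr, g^xy) is the form RFC 2409 uses with signature authentication;
    SKEYID_d is the part that seeds every Quick Mode under this ISAKMP SA."""
    shared = dh_shared(private, peer_public).to_bytes(16, "big")
    skeyid = hmac.new(nonce_i + nonce_r, shared, hashlib.sha1).digest()
    skeyid_d = hmac.new(skeyid, shared + b"\x00", hashlib.sha1).digest()
    return skeyid, skeyid_d


@dataclass
class IPSecSA:
    spi: int
    key: bytes


class QuickMode:
    """Phase 2: one inbound and one outbound IPSec SA, rekeyed on a time or byte lifetime."""
    LIFETIME_SECONDS = 3600                 # Windows default: every hour ...
    LIFETIME_BYTES = 100 * 1024 * 1024      # ... or after 100 MB (assumed 1024-based here)

    def __init__(self, skeyid_d, now):
        self.skeyid_d = skeyid_d
        self.generation = 0
        self.negotiate(now)

    def _keymat(self, spi, nonce_i, nonce_r):
        # KEYMAT = prf(SKEYID_d, protocol | SPI | Ni | Nr); 3 is the ESP protocol id in IKE.
        msg = b"\x03" + spi.to_bytes(4, "big") + nonce_i + nonce_r
        return hmac.new(self.skeyid_d, msg, hashlib.sha1).digest()

    def negotiate(self, now):
        """Create two fresh SAs with new SPIs and new keys (no new Diffie-Hellman unless PFS is on)."""
        nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
        spi_in = secrets.randbits(32) | 0x100      # keep clear of the reserved SPIs below 256
        spi_out = secrets.randbits(32) | 0x100
        self.inbound = IPSecSA(spi_in, self._keymat(spi_in, nonce_i, nonce_r))
        self.outbound = IPSecSA(spi_out, self._keymat(spi_out, nonce_i, nonce_r))
        self.started = now
        self.bytes_sent = 0
        self.generation += 1

    def send(self, nbytes, now):
        """Account for outbound data; renegotiate first if either lifetime would be exceeded."""
        if now - self.started >= self.LIFETIME_SECONDS or self.bytes_sent + nbytes > self.LIFETIME_BYTES:
            self.negotiate(now)
        self.bytes_sent += nbytes
        return self.generation


if __name__ == "__main__":
    # Both sides end up with the same SKEYID although neither ever sends its private value.
    a_priv, b_priv = secrets.randbits(120), secrets.randbits(120)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    assert main_mode_keys(a_priv, dh_public(b_priv), ni, nr) == main_mode_keys(b_priv, dh_public(a_priv), ni, nr)
    qm = QuickMode(main_mode_keys(a_priv, dh_public(b_priv), ni, nr)[1], now=0)
    for nbytes, now in ((60 * 1024 * 1024, 10), (60 * 1024 * 1024, 20), (1, 3700)):
        print(f"t={now}s sent={nbytes}: SA generation {qm.send(nbytes, now)}, SPIs {qm.inbound.spi:#x}/{qm.outbound.spi:#x}")
```

The second 60 MB transfer crosses the byte limit and the later one-byte packet crosses the time limit; each triggers a renegotiation that replaces both SPIs and both keys, which is what bounds the amount of traffic an attacker could ever recover from a single key.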
Authentication Header and ESP :
IPSec can use two protocols: Authentication Header (AH) and ESP. The protocols can be used either separately or together. AH provides data origin authentication, data integrity, and anti-replay protection for the entire packet, including the IP header and the data payload carried in the packet. Naturally, AH does not provide protection for the fields in the IP header that are allowed to change in transit, such as the hop count. AH does not encrypt data, which means it does not provide privacy. Attackers can read the contents of packets if they can intercept them, but the packets cannot be modified. ESP is more commonly used than AH because it provides data origin authentication, data integrity, anti-replay protection, and the option of privacy. While AH and ESP can be used together, you will use ESP alone in most circumstances. You should choose AH over ESP only when the data and header in the packet need to be protected from modification and authenticated, but not encrypted. You might do this if you have an intrusion detection system, firewall, or quality of service (QoS) router that needs to inspect the contents of the packet. Otherwise, take advantage of the privacy provided by encryption, and use ESP. If IPSec traffic must traverse a NAT server, you must use ESP, because ESP is the only IPSec protocol that supports NAT-T.
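The difference between the two protocols is easiest to see in what each integrity check covers. The following Python is an added example and not an IPSec implementation: the IP header is reduced to four fields, AH's integrity check value is HMAC-SHA1-96 over the header with the mutable TTL zeroed plus the payload, and ESP's encryption is a toy HMAC-based stream cipher standing in for 3DES or AES. The keys, addresses and payload are constructed.

```python
"""AH-style integrity check versus ESP-style encryption and integrity (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int          # mutable in transit: every router decrements it
    protocol: int     # 51 = AH, 50 = ESP


def ah_icv(key, hdr, payload):
    """AH integrity check value: HMAC-SHA1 over the header (mutable fields zeroed) and the
    payload, truncated to 96 bits as HMAC-SHA-1-96 specifies."""
    covered = replace(hdr, ttl=0)                     # the hop count may change, so exclude it
    data = f"{covered.src}|{covered.dst}|{covered.ttl}|{covered.protocol}|".encode() + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_verify(key, hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


@dataclass(frozen=True)
class ESPPacket:
    spi: int
    seq: int
    ciphertext: bytes
    icv: bytes


def _keystream(key, spi, seq, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode with SPI and sequence number as the nonce.
    A stand-in for 3DES-CBC / AES, for illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        block = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _esp_icv(auth_key, spi, seq, ciphertext):
    # The ESP ICV covers SPI, sequence number and ciphertext only, never the outer IP header.
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:12]


def esp_protect(enc_key, auth_key, spi, seq, payload):
    ciphertext = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, spi, seq, len(payload))))
    return ESPPacket(spi, seq, ciphertext, _esp_icv(auth_key, spi, seq, ciphertext))


def esp_unprotect(enc_key, auth_key, pkt):
    """Return the plaintext, or None if the ICV does not verify. Because the outer header is not
    covered, a NAT rewriting addresses on the way does not invalidate the packet."""
    if not hmac.compare_digest(_esp_icv(auth_key, pkt.spi, pkt.seq, pkt.ciphertext), pkt.icv):
        return None
    stream = _keystream(enc_key, pkt.spi, pkt.seq, len(pkt.ciphertext))
    return bytes(a ^ b for a, b in zip(pkt.ciphertext, stream))


if __name__ == "__main__":
    key, hdr, payload = b"constructed-ah-key", IPHeader("10.0.0.5", "10.0.0.9", 64, 51), b"GET / HTTP/1.1"
    icv = ah_icv(key, hdr, payload)
    print("AH after a router hop (ttl 63):", ah_verify(key, replace(hdr, ttl=63), payload, icv))
    print("AH after NAT rewrote the source:", ah_verify(key, replace(hdr, src="203.0.113.1"), payload, icv))
    print("AH with modified payload:", ah_verify(key, hdr, b"GET /x HTTP/1.1", icv))
    pkt = esp_protect(b"constructed-enc-key", b"constructed-auth-key", 0x1000, 1, payload)
    print("ESP on the wire:", pkt.ciphertext.hex(), "->", esp_unprotect(b"constructed-enc-key", b"constructed-auth-key", pkt))
```

The AH check survives the TTL decrement but fails as soon as a NAT rewrites the source address, which is the concrete reason the text gives for requiring ESP across a NAT server; AH also leaves the payload readable on the wire, while with ESP a packet intercepted in transit shows only ciphertext and any tampering with it is rejected.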
IPSec in Windows :
IPSec is natively available and can be used to protect network communications for Windows 2000, Windows XP Professional, and Windows Server 2003. Additionally, a legacy client is available for Microsoft Windows NT 4.0, Windows 98, and Windows Millennium Edition (ME). You can download the legacy client from
MCP 70-299 : Assessing and Deploying a Patch Management Infrastructure
Lesson 2: Deploying Updates on New Clients
Security Considerations :
Computers are under attack from the moment they connect to the Internet. Worms and viruses are constantly active, probing every IP address for vulnerabilities. Microsoft Windows Server 2003 is much more resilient to attacks that might occur during the installation process than earlier versions of Windows because it adheres to the “secure by default” ideal. However, vulnerabilities have been discovered in unpatched computers running Windows Server 2003, and these vulnerabilities might be exploited during the setup process.
Although it is possible to update and secure a computer running Windows so that it can be connected directly to the Internet without becoming infected by a worm or a virus, a computer does not have the benefit of updates or security hardening during the installation process. If you attempt to install Windows on a computer while it is connected to the Internet, there is a high probability that it will be attacked, and possibly exploited.
Integrated Installation :
You can apply service packs, but not necessarily other types of updates, directly to Windows 2000, Windows XP, and Windows Server 2003 installation files. The process of integrating a service pack into the original setup files for an operating system is called slipstreaming. Slipstreaming creates an integrated installation—including the latest service pack—that can be used when installing the operating system on new computers. Using this process improves the security of new computers, and reduces the time required to apply updates after completing the initial installation. You can either perform the installation from a shared folder or create a CD with the integrated setup files.
Because the integrated installation replaces individual files, the space requirements for this installation type are almost identical to the space requirements for the base operating system. After you slipstream a service pack into the operating system setup files, you cannot remove the service pack.
Lesson Summary :
■ Computers should not be connected to the Internet or even to a private network with other hosts, until after the operating system and all updates have been installed.
■ Computers can be built while connected to the network if you create an isolated network segment with a minimal number of trusted computers that have been scanned for worms, viruses, and other malicious software.
■ You can reduce the time required to install new updates by slipstreaming a service pack into operating system installation files and configuring other updates to be automatically applied.