What is IPsec?


IPSec
The Wonder Protocol
Anurag Vij
Microsoft IT
Agenda
IPSec – the protocol
Network segmentation using IPsec at Microsoft
Why?
For too long "defense-in-depth" has meant layers of network protection
Consider the medieval castle model...
The hosts themselves should start participating
Achieves more granular security
Improves trustworthiness: now we know the machines, too
Common problems that are solved
Spoofing
Privacy
What is IPsec?
Internet Protocol Security
Set of protocols and services
Provides security services for traffic at the IP layer (the network layer), so applications above it need no changes
These security services include
Data origin authentication – the peer is who it says it is (each SA is bound to an authenticated peer identity)
Integrity – the data has not been tampered with in transit
Confidentiality – the data cannot be seen by others (ESP only; AH never encrypts)
Anti-replay – captured packets cannot be re-injected later (per-SA sequence number checked against a receiver window)
Access control – the SA selectors (addresses, protocol, ports) decide which peers and which traffic are allowed (RFC 2401)
Note that IPsec does not give non-repudiation: its keyed hashes use a symmetric key shared by both peers, so either peer could have produced a given packet. What it gives is data origin authentication.
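The anti-replay service listed above is implemented on the receiving side of every AH and ESP SA with a sequence number and a sliding bitmap window. The following is an added example (not code from the presentation) modelling the RFC 2401 Appendix C window; the window size and the sequence-number trace fed through it are constructed test values. It also shows the order of operations a receiver must follow: the replay check runs before the ICV is verified, but the window is only advanced after it passes, so forged packets with high sequence numbers cannot push legitimate in-flight packets out of the window.

```python
# Anti-replay sliding window for an inbound IPsec SA (RFC 2401 Appendix C).
# Added example, not from the presentation. The window size and the
# sequence numbers fed to it below are constructed test values.

class ReplayWindow:
    """Tracks which of the last `size` sequence numbers have been accepted.

    Bit i of `bitmap` is set when sequence number (top - i) has been seen,
    so bit 0 always refers to the highest accepted number `top`.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq):
        """Pure check, done BEFORE the ICV is verified, so duplicates and
        stale packets are dropped without spending a MAC computation."""
        if seq == 0:
            return False                          # first packet on an SA is 1
        if seq > self.top:
            return True                           # would advance the window
        diff = self.top - seq
        if diff >= self.size:
            return False                          # older than the window: drop
        return not (self.bitmap >> diff) & 1      # already seen => replay

    def update(self, seq):
        """Record seq. Only called AFTER the ICV verified; otherwise an
        attacker could slide the window forward with forged packets and
        cause legitimate in-flight packets to be dropped."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        # When seq would wrap past 2**32 the SA must be re-keyed (new SPI);
        # a real receiver also tracks that limit.


def receive(window, seq, icv_valid):
    """Receiver-side order of operations: replay check, ICV, window update.
    Returns True if the packet is accepted."""
    if not window.check(seq):
        return False
    if not icv_valid:
        return False
    window.update(seq)
    return True


def run(packets, size=64):
    """Feed (seq, icv_valid) pairs through one SA; return the accept/drop list."""
    w = ReplayWindow(size)
    return [receive(w, seq, ok) for seq, ok in packets]


# Constructed trace: in-order delivery, a replayed packet, a large jump,
# a late-but-in-window packet, one that fell off the window, a forged high
# sequence number whose ICV fails (must not move the window), then normal.
TRACE = [(1, True), (2, True), (3, True), (3, True), (100, True),
         (37, True), (36, True), (5000, False), (101, True)]

if __name__ == "__main__":
    for (seq, ok), accepted in zip(TRACE, run(TRACE)):
        print(f"seq={seq:<5} icv_ok={ok!s:<5} -> {'accept' if accepted else 'DROP'}")
```

With a 64-entry window, sequence 37 is still accepted after 100 arrived (distance 63) while 36 is not (distance 64), and the forged 5000 is dropped without changing the window, so 101 is still accepted normally.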
What is IPsec? (2)
IPsec is composed of three main protocols
Authentication Header (AH)
Data origin authentication, integrity, anti-replay (no encryption)
Encapsulating Security Payload (ESP)
Data origin authentication, integrity, anti-replay, confidentiality
Internet Key Exchange (IKE)
Cryptographic infrastructure that authenticates the peers and provides keying and negotiation of the SAs
IPsec architecture: RFC 2401 (AH in RFC 2402, ESP in RFC 2406, IKE in RFC 2409); the architecture was later revised in RFC 4301
About these “modes”
There is no such thing as an "IPsec tunnel"! Tunnel and transport are modes in which AH or ESP is applied, not a separate protocol
Types (modes)
Transport mode – protects the payload of the original IP packet; used host-to-host
Tunnel mode – wraps the whole original IP packet in a new IP header; used when a gateway protects traffic for others
Methods (protocols)
AH (Authentication Header)
ESP (Encapsulating Security Payload)
IPsec authentication header (AH) in transport mode

  Before:  [Orig IP Hdr][TCP Hdr][Data]
  After:   [Orig IP Hdr][AH Hdr][TCP Hdr][Data]
                         ^ inserted
  Integrity hash coverage: the whole packet, i.e. the IP header, the AH header and the payload. Mutable IP header fields (ToS, flags, fragment offset, TTL, header checksum) and the ICV field itself are zeroed before hashing.

  AH header: Next Hdr (1) | Payload Len (1) | Rsrv (2) | SecParamIndex, SPI (4) | Seq# (4) | Keyed Hash / ICV (12)
  AH is IP protocol 51; 24 bytes total with the 96-bit truncated HMAC (HMAC-MD5-96 or HMAC-SHA1-96)
  Because the source and destination addresses are covered by the hash, AH cannot pass through a NAT
IPsec encapsulating security payload (ESP) in transport mode

  Before:  [Orig IP Hdr][TCP Hdr][Data]
  After:   [Orig IP Hdr][ESP Hdr][TCP Hdr][Data][ESP Trailer][ESP Auth]
                         ^ inserted                ^ appended
  Usually encrypted:       TCP Hdr, Data, ESP Trailer
  Integrity hash coverage: ESP Hdr through ESP Trailer (the outer IP header and the ESP Auth field are not covered)

  ESP Hdr = SPI (4) | Seq# (4); ESP Trailer = padding, pad length, next header; ESP Auth = ICV
  ESP is IP protocol 50
IPsec ESP tunnel mode

  Before:  [Orig IP Hdr][TCP Hdr][Data]
  After:   [New IP Hdr][ESP Hdr][Orig IP Hdr][TCP Hdr][Data][ESP Trailer][ESP Auth]
  Usually encrypted:       Orig IP Hdr, TCP Hdr, Data, ESP Trailer
  Integrity hash coverage: ESP Hdr through ESP Trailer

  New IP header with the source and destination IP addresses of the tunnel endpoints; the original header travels encrypted inside
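The AH and ESP diagrams above hinge on what the "integrity hash coverage" actually includes. The following added example (not code from the presentation) builds an IPv4 AH transport-mode packet with HMAC-SHA1-96 and verifies it, zeroing the mutable IP header fields exactly as RFC 2402 requires. The key, addresses and payload are constructed test values, and IPv4 headers without options (IHL = 5) are assumed. It shows that a router decrementing the TTL leaves the ICV valid, while rewriting the source address (spoofing) or flipping a payload bit breaks it.

```python
# IPv4 AH transport mode with HMAC-SHA1-96: what the "integrity hash
# coverage" on the slide actually covers. Added example, not the
# presentation's code. KEY, the addresses and the payload are constructed
# test values; IPv4 headers without options (IHL=5) are assumed.
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12              # HMAC-SHA1-96 / HMAC-MD5-96 truncate the MAC to 96 bits
AH_LEN = 12 + ICV_LEN     # Next Hdr, Payload Len, Rsrv, SPI, Seq# + ICV = 24 bytes
KEY = b"constructed-test-key-1234567890"   # constructed; never ship a fixed key

def ip_checksum(hdr):
    """Standard ones-complement header checksum; returns 0 for a valid header."""
    s = sum(struct.unpack("!10H", hdr[:20]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def zero_mutable(ip_hdr):
    """RFC 2402 s3.3.3.1: ToS, Flags, Fragment Offset, TTL and Header Checksum
    may change in transit and are zeroed before hashing. Everything else
    (length, ID, protocol, source and destination) is covered by the ICV."""
    b = bytearray(ip_hdr)
    b[1] = 0                    # ToS
    b[6:8] = b"\x00\x00"        # flags + fragment offset
    b[8] = 0                    # TTL
    b[10:12] = b"\x00\x00"      # header checksum
    return bytes(b)

def ah_fixed(spi, seq, next_hdr=6):
    payload_len = AH_LEN // 4 - 2      # AH length in 32-bit words, minus 2 -> 4
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)

def compute_icv(key, ip_hdr, fixed, payload):
    covered = zero_mutable(ip_hdr) + fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, spi, seq, payload):
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload))
    fixed = ah_fixed(spi, seq)
    return ip_hdr + fixed + compute_icv(key, ip_hdr, fixed, payload) + payload

def verify_ah_packet(key, pkt):
    ip_hdr = pkt[:20]
    if ip_hdr[0] != 0x45 or ip_hdr[9] != AH_PROTO or ip_checksum(ip_hdr) != 0:
        return False
    fixed, icv, payload = pkt[20:32], pkt[32:20 + AH_LEN], pkt[20 + AH_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, fixed, payload))

def _refix_checksum(hdr):
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)

def router_hop(pkt):
    """What every router does: TTL - 1 and a new checksum. AH must tolerate it."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    return _refix_checksum(hdr) + pkt[20:]

def spoof_source(pkt, new_src):
    """An attacker rewriting the source address: immutable field, ICV breaks."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = new_src
    return _refix_checksum(hdr) + pkt[20:]

def flip_payload_bit(pkt):
    b = bytearray(pkt)
    b[-1] ^= 0x01
    return bytes(b)

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = b"\x00\x50\x04\xd2" + b"GET / HTTP/1.0\r\n"   # constructed TCP-like payload

def demo():
    pkt = build_ah_packet(KEY, SRC, DST, spi=0x1000, seq=1, payload=PAYLOAD)
    return {
        "length_ok": len(pkt) == 20 + AH_LEN + len(PAYLOAD),
        "original": verify_ah_packet(KEY, pkt),
        "after_router_hop": verify_ah_packet(KEY, router_hop(pkt)),
        "spoofed_source": verify_ah_packet(KEY, spoof_source(pkt, bytes([192, 168, 1, 9]))),
        "tampered_payload": verify_ah_packet(KEY, flip_payload_bit(pkt)),
        "wrong_key": verify_ah_packet(b"other-key", pkt),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'valid' if ok else 'REJECTED'}")
```

ESP uses the same truncated keyed hash, but computed over the ESP header through the ESP trailer only, which is why ESP (unlike AH) survives address translation.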
SA establishment

(Diagram summary: a client acting as "IKE Initiator" and a server or gateway acting as "IKE Responder". On each side the application or service sits on TCP/IP; below it the IPsec driver applies the filters in front of the NIC; the IPsec PolicyAgent loads the policy and the IKE (ISAKMP) service negotiates.)

1. IKE (ISAKMP) negotiation over UDP port 500 between the two IKE services produces 1 IKE SA
2. Under that IKE SA, Quick Mode produces 2 IPsec SAs (one per direction)
3. The IPsec drivers then protect the data path as IP protocol 50 (ESP) or 51 (AH), as directed by the filters

Any firewall between the peers must therefore pass UDP 500 plus IP protocol 50/51; when NAT traversal is negotiated, UDP 4500 carries both IKE and UDP-encapsulated ESP instead.
Internet Key Exchange (IKE) – Identity Protect Mode, defined in RFC 2409
Phase 1 "Main Mode" establishes the IKE SA, a trusted channel between the systems: the negotiation establishes an encrypted channel, mutual authentication (Kerberos, certificate or preshared key) and dynamically generates a shared secret ("master" key) via Diffie-Hellman
Phase 2 "Quick Mode" establishes the IPsec SAs for data protection: one SA for each direction, each identified by a packet label (the SPI); algorithms and packet formats are agreed, and shared "session" secret keys are derived from the "master" key
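The two-phase key hierarchy just described can be written down concretely. The following is an added example (not code from the presentation) of the RFC 2409 derivations: Main Mode with preshared-key authentication produces SKEYID and its three derivatives, and Quick Mode expands SKEYID_d into per-SA keying material. No Diffie-Hellman exchange is performed; G_XY (the DH shared secret), the ISAKMP cookies, the nonces and the preshared key are constructed byte strings, and HMAC-SHA1 is assumed as the negotiated PRF. Because each direction's SA has its own SPI, the two SAs get independent keys from the same master secret.

```python
# IKEv1 key hierarchy (RFC 2409 s5 and s5.5): Main Mode produces one master
# secret, Quick Mode derives distinct session keys for each IPsec SA.
# Added example, not the presentation's code. No Diffie-Hellman exchange is
# performed: G_XY (the DH shared secret), the ISAKMP cookies, the nonces and
# the preshared key are constructed byte strings. PRF is HMAC-SHA1.
import hashlib
import hmac

PROTO_IPSEC_AH = 2     # IPsec DOI protocol identifiers (RFC 2407)
PROTO_IPSEC_ESP = 3

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def main_mode_keys(psk, ni_b, nr_b, g_xy, cky_i, cky_r):
    """Phase 1 with preshared-key authentication (RFC 2409 s5).
    Returns the IKE SA's master key SKEYID and its three derivatives."""
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")             # -> IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # IKE message auth
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # IKE message encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, needed, g_qm_xy=b""):
    """Phase 2 keying material for ONE IPsec SA (RFC 2409 s5.5):
    K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    Kn = prf(SKEYID_d, Kn-1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    g_qm_xy is present only when PFS was negotiated."""
    seed = g_qm_xy + bytes([protocol]) + spi.to_bytes(4, "big") + ni_b + nr_b
    block = prf(skeyid_d, seed)
    keymat = block
    while len(keymat) < needed:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:needed]

def ipsec_sa_pair(skeyid_d, spi_in, spi_out, ni_b, nr_b,
                  protocol=PROTO_IPSEC_ESP, enc_len=24, auth_len=20):
    """Two SAs, one per direction, each identified by its own SPI and therefore
    keyed independently. KEYMAT is split with the encryption key taken from the
    leading bytes and the authentication key from the remainder, as IKEv1
    implementations do (3DES: 24 bytes, HMAC-SHA1: 20 bytes)."""
    sas = {}
    for name, spi in (("inbound", spi_in), ("outbound", spi_out)):
        km = quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, enc_len + auth_len)
        sas[name] = {"spi": spi, "enc_key": km[:enc_len], "auth_key": km[enc_len:]}
    return sas

# Constructed inputs standing in for the live exchange.
PSK = b"constructed-preshared-key"
NI_B, NR_B = bytes(range(16)), bytes(range(16, 32))   # Main Mode nonces
G_XY = b"\x42" * 128                                   # stands in for g^xy
CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8                # ISAKMP cookies

def demo():
    phase1 = main_mode_keys(PSK, NI_B, NR_B, G_XY, CKY_I, CKY_R)
    qm_ni, qm_nr = b"\xaa" * 16, b"\xbb" * 16           # fresh Quick Mode nonces
    sas = ipsec_sa_pair(phase1["SKEYID_d"], spi_in=0x1000, spi_out=0x2000,
                        ni_b=qm_ni, nr_b=qm_nr)
    return phase1, sas

if __name__ == "__main__":
    phase1, sas = demo()
    for k, v in phase1.items():
        print(f"{k:9s} {v.hex()}")
    for direction, sa in sas.items():
        print(f"{direction:9s} SPI={sa['spi']:#06x} enc={sa['enc_key'].hex()[:16]}... "
              f"auth={sa['auth_key'].hex()[:16]}...")
```

Note what the derivation implies for the authentication method chosen on a later slide: with preshared keys, SKEYID depends only on the PSK and two public nonces, so the strength of Phase 1 authentication is the strength of that PSK; Kerberos or certificates avoid that dependence.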
Policy
A policy defines all aspects of the communication to be secured by IPsec
Tunnel or transport mode
Host or network address of IPsec entities
Cryptographic algorithms
Type of traffic
Key lifetimes
Action to take
Authentication methods
IPsec overview - how IPsec helps

Problem                          | How IPsec helps                 | Details
---------------------------------|---------------------------------|---------------------------------------------------------------
Unauthorized system access       | Authentication, integrity       | Defense in depth by isolating trusted from untrusted systems
Targeted attacks on high-value   | Authentication, integrity       | Locking down servers with IPsec. Examples: HR servers,
servers                          |                                 | Outlook® Web Access (OWA), DC replication
Eavesdropping                    | Authentication, confidentiality | Defense in depth against password or information gathering
                                 |                                 | by untrusted systems
Government guideline compliance  | Authentication, confidentiality | Example: "All communications between financial servers must
                                 |                                 | be encrypted."
Planning for IPsec implementation
Determine security requirements
  What network resources and traffic flows need to be secured
  How resources and traffic flows should be secured
    Authentication
    Encryption
    Block or permit
Design IPsec policies
  Select authentication method: Kerberos, preshared key, certificates (preshared keys are suitable for testing only; use Kerberos for domain members and certificates for everything else)
  Select security protocol: ESP for confidentiality; AH or ESP with null encryption (ESP-Null) for integrity only (AH does not pass through NAT)
  Determine traffic flows: network and host addresses, protocols, port addresses
Test IPsec functionality and behavior
Design an implementation strategy
  Roll out in phases
  Use Microsoft IPsec policy features to minimize user impact
Configuring IPsec policy – MMC
IPsec policy
  Policy-wide parameters
    ISAKMP policy (key exchange security methods)
      Method 1
      ...
      Method n
  IPsec rule 1
    Filter list
      Filter 1
      ...
      Filter n
    Filter action
    Authentication methods
    Tunnel endpoint
    Connection type
  ...
  IPsec rule n
Implementation scenarios
Domain and server isolation
Protect corporate assets from unmanaged, rogue and guest PCs
Complement to other security mechanisms (firewall, antivirus, IDS)
Restrict communication to domain-managed computers
Scenario: IPsec packet filtering
Filters for allowed and blocked traffic
No actual negotiation of IPsec security associations
Overlapping filters – the most specific match determines the action
Does not provide stateful filtering
Recommended only on internal isolated networks for specific or limited purposes
From IP         | To IP  | Protocol | Src Port | Dest Port | Action
----------------|--------|----------|----------|-----------|-------
Any (Internet)  | My IP  | Any      | n/a      | n/a       | Block
Any (Internet)  | My IP  | TCP      | Any      | 80        | Permit

The second filter is more specific (protocol and destination port), so TCP to port 80 is permitted and everything else addressed to My IP is blocked, whatever order the filters are listed in.
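The "most specific match determines action" rule above is what makes the two overlapping filters work together. The following added example (not code from the presentation) models that rule over the slide's two filters and a few constructed packets. The ranking it uses (address specificity first, then protocol, then ports) is an assumption for this model rather than Windows' exact internal weighting, and the addresses are documentation ranges. It also makes the statelessness point concrete: nothing remembers connections, so a packet is judged on its header fields alone.

```python
# Overlapping IPsec packet filters: the most specific match decides.
# Added example, not from the presentation. It models the two filters from
# the slide's table. The ranking (address specificity, then protocol, then
# ports) is an assumption for this model, not Windows' exact internal
# weighting; addresses are documentation ranges and the packets constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None
MY_IP = ip_network("203.0.113.10/32")   # constructed "My IP" (TEST-NET-3)

@dataclass(frozen=True)
class Filter:
    src: Optional[object]     # ip_network or ANY
    dst: Optional[object]     # ip_network or ANY
    proto: Optional[str]      # "TCP", "UDP", ... or ANY
    sport: Optional[int]
    dport: Optional[int]
    action: str               # "Permit" or "Block"

    def matches(self, pkt):
        def addr_ok(want, have):
            return want is ANY or ip_address(have) in want
        def eq_ok(want, have):
            return want is ANY or want == have
        return (addr_ok(self.src, pkt["src"]) and addr_ok(self.dst, pkt["dst"])
                and eq_ok(self.proto, pkt["proto"])
                and eq_ok(self.sport, pkt.get("sport"))
                and eq_ok(self.dport, pkt.get("dport")))

    def specificity(self):
        """Higher tuple = more specific. Addresses outrank protocol, and
        protocol outranks ports (assumed ranking): a /32 is worth more than
        a /24, which is worth more than Any."""
        addr = sum(n.prefixlen + 1 for n in (self.src, self.dst) if n is not ANY)
        proto = 0 if self.proto is ANY else 1
        ports = sum(1 for p in (self.sport, self.dport) if p is not ANY)
        return (addr, proto, ports)

# The two filters from the slide.
FILTERS = [
    Filter(ANY, MY_IP, ANY, ANY, ANY, "Block"),     # everything to me: Block
    Filter(ANY, MY_IP, "TCP", ANY, 80, "Permit"),   # TCP to my port 80: Permit
]

def decide(filters, pkt):
    """Action of the most specific matching filter, or "NoFilter" when nothing
    matches (IPsec then leaves the packet alone). Filter order is irrelevant."""
    hits = [f for f in filters if f.matches(pkt)]
    if not hits:
        return "NoFilter"
    return max(hits, key=Filter.specificity).action

# Constructed packets arriving from the Internet.
HTTP = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "TCP", "sport": 51515, "dport": 80}
SMB = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "TCP", "sport": 51516, "dport": 445}
DNS = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "UDP", "sport": 53, "dport": 53}
# Looks like a reply to an outbound connection from this host, but the filter
# keeps no state: it is judged on its header fields only and hits the Block.
# A filter for that direction must be written explicitly (Windows "mirrored"
# filters do exactly that).
REPLY_LIKE = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "TCP", "sport": 80, "dport": 51515}
OTHER_HOST = {"src": "198.51.100.7", "dst": "203.0.113.99", "proto": "TCP", "sport": 1, "dport": 80}

if __name__ == "__main__":
    for name, pkt in [("HTTP", HTTP), ("SMB", SMB), ("DNS", DNS),
                      ("REPLY_LIKE", REPLY_LIKE), ("OTHER_HOST", OTHER_HOST)]:
        print(f"{name:10s} -> {decide(FILTERS, pkt)}")
```

Because the decision depends only on specificity, reversing the filter list gives the same answers; the thing to watch for in a real policy is two filters of equal specificity with conflicting actions, which this rule cannot resolve.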
Scenario: IPsec packet filtering (2)
DMZ* server (Windows® 2000, 2003) facing the Internet
IPsec packet filtering only: Block All, Allow Port 80, 443
* Refers to perimeter network (also known as DMZ, demilitarized zone, and screened subnet).
Scenario: Secure server solution
Allows IPsec authentication and protection for traffic between specific sets of servers
Secures communication in environments that are not secure
Complements firewalls by requiring authentication of all traffic
Reduces firewall exceptions to IPsec traffic only (UDP 500 and IP protocol 50/51) instead of one exception per application port
Typical scenarios:
Between an OWA server on the Internet and a computer running Exchange Server
Between domain controllers for domain replication
Scenario: Domain isolation

(Diagram summary: "Levels of Trusted Assets" on the Microsoft Corporate Network; machine counts as shown on the slide.)
Rings, from least to most trusted:
  Quarantine Ring – labs, PocketPC/Mac and Xbox devices (slide counts: 75,000; 2,000; 18,000)
  Boundary Ring – untrustworthy boundary machines (5,000), ACL controlled
  Protected Ring, "SecureNet" – clients, servers, home LAN, trustworthy labs (203,000)
Common Access Infrastructure – DHCP, DNS, WINS, DC (500), reachable from every ring
Internal exclusions
External exclusions – Internet servers, business partners, extranet (1,800)
DTaps (no connectivity to CorpNet)
Edge labels on the slide: Allowed (five edges), Blocked (one edge); category markers X, U1, U2, B, D
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.