1 Chapter 10 SECURING NETWORK COMMUNICATIONS Chapter 10: SECURING NETWORK COMMUNICATIONS 2 OVERVIEW Describe the function and utility of packet filtering. List the well-known port numbers used by common applications and services. List the criteria you can use to filter network traffic. Describe the packet filtering functionality included in Microsoft Windows Server 2003. List the major threats to network communications. Describe the functions of IPSec. Chapter 10: SECURING NETWORK COMMUNICATIONS OVERVIEW (continued) Understand the functions and architecture of the IPSec protocols. List the components of a Windows Server 2003 IPSec implementation. List the default IPSec policies included with Windows Server 2003 and their applications. Understand the functions of an IPSec policy’s components. Use the IP Security Policies snap-in to manage IPSec policies. 3 Chapter 10: SECURING NETWORK COMMUNICATIONS 4 SECURING COMMUNICATIONS WITH PACKET FILTERS Packet filtering can protect computers from destructive network traffic by selectively blocking packets with particular characteristics. Firewalls commonly implement packet filtering to allow legitimate network traffic while blocking unauthorized traffic. Packet filtering can provide protection against data compromise, viruses, and other hacker attacks. Chapter 10: SECURING NETWORK COMMUNICATIONS UNDERSTANDING PORTS AND PROTOCOLS The IP address defines which system should receive the packet. The Protocol field in the IP packet specifies the transport-layer protocol that should receive the packet. Each transport-layer protocol has a Port field that specifies the application that should be the final recipient of the data in the packet. 5 Chapter 10: SECURING NETWORK COMMUNICATIONS 6 INTRODUCING PACKET FILTERING Packet filtering allows you to control network traffic based on criteria such as IP addresses, protocols, and port numbers. Packet filtering is most commonly used on routers that provide access to the Internet. These routers can be hardware- or software-based. Hardware routers typically offer better performance. Chapter 10: SECURING NETWORK COMMUNICATIONS PACKET FILTERING CRITERIA 7 Chapter 10: SECURING NETWORK COMMUNICATIONS 8 WINDOWS SERVER 2003 PACKET FILTERING TCP/IP Packet Filtering Routing and Remote Access Service (RRAS) packet filtering Chapter 10: SECURING NETWORK COMMUNICATIONS USING TCP/IP PACKET FILTERING 9 Chapter 10: SECURING NETWORK COMMUNICATIONS USING ROUTING AND REMOTE ACCESS SERVICE PACKET FILTERING 10 Chapter 10: SECURING NETWORK COMMUNICATIONS SECURING NETWORK TRANSMISSIONS Confidential data must be protected while it is in transit over the network. Windows Server 2003 supports IPSec, which can be used to protect data while in transit. 11 Chapter 10: SECURING NETWORK COMMUNICATIONS EVALUATING THREATS 12 Chapter 10: SECURING NETWORK COMMUNICATIONS INTRODUCING IPSec IP Security (IPSec) extensions offer security to IP-based network traffic. IPSec protects data by digitally signing and encrypting it before transmission. IPSec is a network-layer protocol, and can be transmitted over any medium or device that supports IP. 13 Chapter 10: SECURING NETWORK COMMUNICATIONS 14 IPSec FUNCTIONS IPSec encryption uses the Data Encryption Standard (DES) or the Triple Data Encryption Standard (3DES). IPSec performs a number of security functions including key generation, cryptographic checksums, mutual authentication, replay prevention, and IP packet filtering. Using IPSec prevents viewing, changing, or deleting data in a packet. It also prevents IP address spoofing. Chapter 10: SECURING NETWORK COMMUNICATIONS 15 IPSec STANDARDS IPSec is based on standards that are being ratified by the Internet Engineering Task Force (IETF). RFC 2411, “IP Security Document Roadmap,” explains how the standards work together. Chapter 10: SECURING NETWORK COMMUNICATIONS IPSec PROTOCOLS The IPSec standards define two protocols: IP Authentication Header (AH) IP Encapsulating Security Payload (ESP) 16 Chapter 10: SECURING NETWORK COMMUNICATIONS IP AUTHENTICATION HEADERS 17 Chapter 10: SECURING NETWORK COMMUNICATIONS IP ENCAPSULATING SECURITY PAYLOAD 18 Chapter 10: SECURING NETWORK COMMUNICATIONS TRANSPORT MODE AND TUNNEL MODE IPSec can operate in two modes: transport mode and tunnel mode. Transport mode is used between IPSec-enabled computer systems. Tunnel mode is used between IPSec-enabled routers. 19 Chapter 10: SECURING NETWORK COMMUNICATIONS TUNNEL MODE PACKET STRUCTURE 20 Chapter 10: SECURING NETWORK COMMUNICATIONS L2TP TUNNELING 21 Chapter 10: SECURING NETWORK COMMUNICATIONS 22 DEPLOYING IPSec All versions of Windows since Windows 2000 support IPSec. IPSec policies define when and how systems should use IPSec. IPSec implementations on Windows Server 2003 should be compatible with IPSec implementations on other operating systems that conform to IETF standards. Chapter 10: SECURING NETWORK COMMUNICATIONS IPSec COMPONENTS IPSec in Windows Server 2003 consists of the following components: IPSec policy agent Internet Key Exchange (IKE) IPSec driver 23 Chapter 10: SECURING NETWORK COMMUNICATIONS 24 PLANNING AN IPSec DEPLOYMENT Using IPSec creates additional network traffic, and increases processor overhead associated with network communications. IPSec implementations can be configured for each network environment using packet filtering. Backwards compatibility must be considered because operating systems before Windows 2000 do not support IPSec. Chapter 10: SECURING NETWORK COMMUNICATIONS 25 WORKING WITH IPSec POLICIES IPSec policies are administered through the IP Security Policies MMC snap-in. IPSec policies define what traffic must be secured and what actions are performed on traffic that does or does not meet criteria. Three IPSec policies are created by default. More can be created as required. Chapter 10: SECURING NETWORK COMMUNICATIONS USING THE DEFAULT IPSec POLICIES 26 Chapter 10: SECURING NETWORK COMMUNICATIONS CREATING AN IPSec POLICY IPSec policies consist of three elements: Rules IP filter lists Filter actions 27 Chapter 10: SECURING NETWORK COMMUNICATIONS CREATING A RULE 28 Chapter 10: SECURING NETWORK COMMUNICATIONS CREATING A FILTER LIST 29 Chapter 10: SECURING NETWORK COMMUNICATIONS 30 CREATING A FILTER ACTION Filter actions allow you to determine what happens to traffic conforming to the selected filter list. Three filter actions are available: Permit Request Security (Optional) Require Security Chapter 10: SECURING NETWORK COMMUNICATIONS 31 CHAPTER SUMMARY Packet filtering is a method for regulating the TCP/IP traffic based on criteria such as IP and hardware addresses, protocols, and port numbers. Service-dependent filtering using port numbers enables you to restrict traffic based on the application that generated it or is destined to receive it. Windows Server 2003 includes two packet-filtering implementations: one in the TCP/IP client and one in RRAS. Chapter 10: SECURING NETWORK COMMUNICATIONS 32 CHAPTER SUMMARY (continued) IPSec is a set of extensions to the Internet Protocol that provides protection for data as it is transmitted over the network. The IP Authentication Header protocol provides authentication, anti-replay, and data integrity services, but it does not encrypt data. Chapter 10: SECURING NETWORK COMMUNICATIONS 33 CHAPTER SUMMARY (continued) The IP Encapsulating Security Payload protocol encrypts the information in IP datagrams, and provides authentication, anti-replay, and data integrity services. IPSec can operate in one of two modes: transport mode secures communications between end users, and tunnel mode secures WAN communications between routers. The IPSec implementation in Windows Server 2003 consists of IPSec policy agent, Internet Key Exchange (IKE), and the IPSec driver. Chapter 10: SECURING NETWORK COMMUNICATIONS CHAPTER SUMMARY (continued) Windows Server 2003 IPSec has three default policies: Client (Respond Only), Secure Server (Require Security), and Server (Request Security). IPSec policies consist of rules, IP filter lists, and filter actions. A rule is a combination of IP filter actions and filter lists. 34