Securing Your Salesforce Deployment with Two Factor Authentication
Securing Data with Internet Protocol Security (IPSec) Designing IPSec Policies Planning IPSec...
-
Upload
gregory-charles-mclaughlin -
Category
Documents
-
view
238 -
download
1
Transcript of Securing Data with Internet Protocol Security (IPSec) Designing IPSec Policies Planning IPSec...
Securing Data with Internet Protocol Security (IPSec)
Designing IPSec Policies Planning IPSec Deployment
Designing IPSec Policies
Making IPSec design decisions Describing IPSec communications Planning IPSec protocols Planning IPSec modes Designing IPSec filters Designing IPSec filter actions Designing IPSec encryption and integrity
algorithms Designing IPSec authentication
IPSec Design Decisions
Decide which IPSec protocols to use. Decide whether to implement IPSec transport
mode or IPSec tunnel mode. Design IPSec filters that identify which packets
to protect with IPSec. Determine which actions will take place if the
packets meet the IPSec filter criteria. Determine which encryption levels will be used
if packets meet the IPSec filter criteria. Design how computers using IPSec protection
will authenticate each other.
Describing IPSec Communications
IPSec implements encryption and authenticity at a lower level in the TCP/IP stack than do Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
An application does not have to be IPSec-aware.
The IPSec Process (Using a Telnet Protocol Example)
Planning IPSec Protocols
IPSec provides two protocols for protecting transmitted data.
Authentication Headers (AH) Encapsulating Security Payloads (ESP)
AH and ESP are separate protocols. Use AH and ESP individually or combined to
provide both integrity and inspection protection.
Assessing AH
Provides authentication, integrity, and anti-replay protection to transmitted data
Does not protect transmitted data from being read
Eliminates the possibility of the data being modified during transmission
Supported only by Microsoft Windows 2000 clients in a Microsoft networking environment
IPSec AH Header Fields
Deploying AH
Authenticates computers involved in data transmissions
Provides integrity to the transmitted packets so an attacker cannot modify or replay the transmitted data
Used to restrict communications to specific computers in a workgroup or project
Ensures that mutual authentication takes place between the computers so that only authenticated computers can participate in communications
Allows mutual authentication capabilities to protocols that do not support mutual authentication
Assessing ESP
Provides encryption, authentication, integrity, and anti-replay services
Encrypts the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) header and the application data included within an IP packet
Does not include the original IP header unless IPSec tunnel mode is used
IPSec ESP Fields
Deploying ESP
ESP is necessary when the application does not recognize application-layer security.
The application does not have to support IPSec. The IPSec encryption and decryption process takes place
at the IP/IPSec layer. The application is unaware that IPSec protection
takes place. Only operating systems and network devices that
support IPSec can apply ESP encryption. ESP provides digital signing of the transmitted
data.
Application Is Encryption Unaware
AH and ESP Differences
AH protects the entire packet. ESP protects only the TCP/UDP header and the
data payload from inspection. To ensure complete packet protection,
configure the security association (SA) to implement both IPSec AH and ESP protocols.
Allowing IPSec Traffic to Pass Through a Firewall
To pass protected traffic, configure a firewall to allow connections to UDP port 500 and protocol ID 50 for ESP or protocol ID 51 for AH.
IPSec using ESP may lead to a firewall losing the ability to inspect data as it is transmitted through the firewall.
The firewall must not be performing Network Address Translation (NAT).
IPSec packets cannot pass through a NAT. The fields protected by IPSec cannot be modified by
NAT without invalidating the packets.
Making the Decision: Using AH, ESP, or a Combination of AH and ESP
Use AH in the IPSec security design To protect the entire packet against modification To provide mutual authentication of both client and server To limit communication to authorized computers for a project
Use ESP in the IPSec security design To protect the application payload from being observed during
transmission To protect the TCP/UDP header and application data from
modification during transmission Use both AH and ESP when encryption of
transmitted data and protection of the entire packet against modification is required.
Negotiate an SA that requires both AH and ESP to ensure total protection of transmitted data
Applying the Decision: Applying AH and ESP for Fabrikam
For the data collection software Apply both AH and ESP protection to each packet Configure ESP to allow the data payload to be
encrypted as it is transmitted from the client to the server
For the network link to A. Datum Corporation Only use ESP to encrypt all data transmitted over the
Internet between the two networks
IPSec Transport Mode
IPSec Tunnel Mode
AH Tunnel Mode Packet
ESP Tunnel Mode Packet
Making the Decision: Using IPSec Transport Mode or Tunnel Mode
Use IPSec transport mode when Communications are taking place where inspection of
transmitted data must be prevented NAT is not being performed on the packets as they are
transmitted from the source computer to the destination computer
Data must be encrypted over the entire path from the source computer to the destination computer
The connection is between only two computers Use IPSec tunnel mode when
Data must be protected when being transmitted over a public portion of the network
Encryption can only take place between perimeter servers to avoid passing through a firewall or a perimeter server implementing NAT
Applying the Decision: Using IPSec Transport Mode at Fabrikam
Fabrikam requires the use of IPSec transport mode for the data collection software.
All data is being transmitted between the Windows 2000–based laptops and the server at the Washington office.
The data must be encrypted as it passes across the network to ensure that no one can read it.
The data must be signed to prove its authenticity.
Applying the Decision: Using IPSec Tunnel Mode at Fabrikam
Designing IPSec Filters
Characteristics Used to Identify a Protocol Source address information Destination address information Protocol type Source port Destination port
Protecting Response Packets by Using IPSec
Configure all defined IPSec filters as mirrored filters.
A mirrored filter reverses the source and destination information so that response packets are protected by IPSec when they are sent back.
Do not use mirrored rules when filters for IPSec tunnel mode are defined.
Design separate filters to reflect the tunnel endpoint that is used at each end of the tunnel.
When IPSec Filters Are Not Required
Whenever the Layer Two Tunneling Protocol (L2TP) is used to establish a virtual private network (VPN), IPSec filters do not have to be defined.
Windows 2000 automatically enables IPSec ESP protection for the L2TP tunnel.
Determining IPSec Exclusions
IP broadcast addresses Multicast addresses Resource ReSerVation Protocol (RSVP)
(protocol ID 46) Kerberos Internet Key Exchange (IKE)
Making the Decision: Defining IPSec Filters
Only one IPSec policy can be assigned per computer.
Define policies for computers, not for users. Define the protocol requirements so that explicit
filters can be defined, and determine attributes for each required filter.
IPSec encrypted traffic cannot be identified if it passes through a firewall.
If multiple filters are defined, the most specific filters are evaluated first and the least specific filters are evaluated last.
Making the Decision: Defining IPSec Filters (Cont.)
Always mirror defined packet filters when using IPSec transport mode.
Define an IPSec filter for each direction when defining IPSec tunnel mode connections.
Applying the Decision: Fabrikam WAN Configuration
Possible IPSec Filter Actions
Permit Block Negotiate Security
Windows 2000 IPSec Filter Settings and New Session Key Frequency
Accept Unsecured Communication, But Always Respond Using IPSec
Allow Unsecured Communication With Non-IPSec-Aware Computers
Session Key Perfect Forward Secrecy
Making the Decision: Defining IPSec Filter Actions
Block Permit Negotiate Enable Fallback To No Security Accept Unsecured Communication, But Always
Respond Using IPSec Session Key Perfect Forward Secrecy
Applying the Decision: Defining IPSec Filter Actions for Fabrikam
For the data collection software, set the filter action to Negotiate Security.
To allow or disallow other protocols, define another filter that is set to be any protocol.
The tunnel servers between Fabrikam's Washington office and the A. Datum Corporation office require two different IPSec filter actions.
Designing IPSec Encryption and Integrity Algorithms
Configure IPSec filter properties to specifically define which algorithms IPSec uses when negotiating security.
Define separate algorithms for AH and ESP-protected data streams.
Custom Settings for IPSec Protection
Can be used to define how IPSec protects transmitted data
If AH protection is required Define Message Digest v5 (MD5) or Secure Hash
Algorithm v1 (SHA1) as the integrity algorithm If ESP encryption is required
Set the digital signing algorithm to be MD5 or SHA1 Set the encryption algorithm to be Data Encryption
Standard (DES) or Triple DES (3DES)
Multiple Algorithms for the Negotiate Security Action
Can be used to define desired IPSec protection while allowing less secure variations that are used only if negotiation fails for the higher-level encryption
New Key Generation
Can define key generation based on the amount of data that is transmitted (in kilobytes) and the lifetime of the key (in seconds).
Configuring these options can protect the key from compromise.
Making the Decision: Planning Encryption and Integrity Algorithms for an SA
If configuring for multiple algorithm support, sort the algorithms from strongest to weakest.
Include security methods only for the required algorithms.
Use of strong encryption protocols requires the installation of the Windows 2000 High Encryption Pack.
Modify the default key generation settings in higher-security networks.
Applying the Decision: Planning Encryption and Integrity Algorithms for Fabrikam Fabrikam will use ESP to protect their
transmitted data, with authenticity required for the data payload but not for the entire packet.
Assuming the Windows 2000 High Encryption Pack is not installed, provisions must be made to allow the clients to connect without it.
Designing IPSec Authentication
Methods for authentication Kerberos Certificates Preshared keys
Making the Decision: Planning IPSec Authentication Protocols
Use Kerberos authentication When all computers using IPSec are members of the
same Active Directory directory service forest To minimize the amount of configuration involved in
authenticating hosts, but still maintain security for authentication
Use public key authentication When strong authentication is required between hosts
not in the same forest When a common root Certification Authority (CA) exists
for the two hosts using IPSec When each host has a valid machine certificate installed
that can be used to authenticate the host To use L2TP/IPSec for a VPN solution
Making the Decision: Planning IPSec Authentication Protocols (Cont.)
Use preshared keys When Kerberos or public key authentication cannot be
used When testing a new IPSec filter, to ensure that
authentication problems are not causing the SA's failure
When establishing an IPSec SA between two hosts and the association will only be between the two hosts
When the preshared key is set to be complex and access to the IPSec configuration interface is secured to prevent inspection of the preshared key established between the two hosts
Applying the Decision: Planning IPSec Authentication Protocols for Fabrikam
For the data collection software, the easiest authentication method is Kerberos.
For the tunnel servers between the two organizations, the most secure authentication method is public key.
Ensures that the certificates for each tunnel server are recognized and trusted by the other organization
Planning IPSec Deployment
Assessing the preconfigured IPSec policies Deploying IPSec policies in a workgroup
environment Deploying IPSec policies in a domain
environment Automatically deploying computer certificates Troubleshooting IPSec problems
Predefined IPSec Policies
Secure Server (Require Security) Server (Request Security) Client (Respond Only)
Custom IPSec Policies
Used when specific protocols must be excluded from default policies
Created when modifications are required to the default policies
Restoring Default Policies
Right-click the IPSec Policies On Local Machine or IPSec Policies On Active Directory console, and then click Restore Default Policies.
This action will restore the default setting for all three default IPSec policies.
Making the Decision: Deploying the Default IPSec Policies
Use the Secure Server (Require Security) policy when any of the following business requirements exist:
The highest level of security is required All traffic sent to the server must be protected by using
IPSec Fallback to unprotected data transmissions is not desired Only Windows 2000–based computers are required to
connect to the server All servers that require the IPSec configuration are placed
in the same organizational unit (OU) or OU structure
Making the Decision: Deploying the Default IPSec Policies (Cont.)
Use the Server (Request Security) policy when any of the following business requirements exist:
All traffic sent to the server should be protected by using IPSec
Fallback to unprotected data transmissions is supported for legacy clients
The server must support a mix of Windows 2000 and non–Windows 2000 clients
All servers that require the IPSec configuration are placed in the same OU or OU structure
Making the Decision: Deploying the Default IPSec Policies (Cont.)
Use the Client (Respond Only) policy when any of the following business requirements exist:
The Windows 2000–based computer should be enabled to use IPSec protection when requested by a server
The client computer should not initiate IPSec protection
All computers within an OU or OU structure are to be enabled for IPSec protection
Applying the Decision: Default IPSec Policies for Fabrikam
Fabrikam requires custom IPSec policies to meet its security objectives.
The data collection software could possibly use a default IPSec policy.
If more than one laptop is used, assign the Client (Respond Only) IPSec policy.
Modify the IPSec policy applied to the server hosting the data collection software to accept unsecured communication, but always respond using IPSec.
Deploying IPSec Policies in a Workgroup Environment
A workgroup environment cannot depend on Active Directory for the consistent application of IPSec policies.
IPSec policies in a workgroup environment can only be configured by connecting to the local computer security settings.
To achieve consistent IPSec configuration Export properly configured IPSec settings to an .ipsec
export file Import the settings to all matching computers
IPSec settings cannot be configured through security templates.
Making the Decision: Deploying IPSec in a Workgroup Environment
Define the required IPSec policies at a test machine.
Create a lab environment that emulates the production network.
Export the IPSec policies to an .ipsec export file.
Store the exported IPSec policies in a secure location.
Applying the Decision: Deploying IPSec in a Workgroup Environment at Fabrikam
The two tunnel servers may not be members of the domain at Fabrikam or A. Datum Corporation.
IPSec must be defined in the local computer policy for each tunnel server.
Deploy the IPSec policy by manually configuring the IPSec policy at each tunnel server.
Deploying IPSec Policies in a Domain Environment
Define IPSec policies for the site, domain, or OU.
The use of Group Policy ensures that a computer's administrator cannot override the desired IPSec settings at the local computer.
The settings inherited from Group Policy always supersede local policy settings.
Making the Decision: Deploying IPSec in an Active Directory Environment
Place computer accounts with the same IPSec requirements into the same OU or OU structure.
Know the processing order for Group Policies and local computer policies.
Assign the default Client (Respond Only) policy to the Default Domain Policy.
Assign the default Client (Respond Only) policy to a specific OU.
A computer can have only a single IPSec policy assigned at any time.
Applying the Decision: Deploying IPSec in a Domain Environment at Fabrikam
If Fabrikam deploys additional laptops The best strategy is to place all the Windows 2000–
based laptops in a common OU. Define a Group Policy object that applies the custom
IPSec policy. Two options for the Washington office
Place the data collection server in a separate OU. Have the Group Policy object applied with a filter so
that only the data collection server applies the Group Policy object.
Automatically Deploying Computer Certificates
IPSec gives two computers entering into an SA the ability to authenticate with certificates.
Only domain controllers (DCs) acquire certificates by default in a Windows 2000 network.
To use certificates for authentication Manually configure each computer with the
necessary certificate Or enable automatic certificate enrollment
Automatic Certificate Enrollment
Automatic certificate enrollment is configured within Group Policy objects.
Apply the Group Policy object at the site, domain, or OU.
A CA trusted by both computers in the SA must issue the certificates.
Certificate Templates Available for Enabling IPSec
IPSec This is a single-use certificate template. It allows only the computer associated with the
certificate to use IPSec. Computer
This is a multipurpose certificate template that can also be used for IPSec authentication.
Assign the computer certificate template to non-domain controllers (DCs).
DC This is a multipurpose certificate template that allows
IPSec authentication. Assign the DC certificate template only to DCs.
Making the Decision: Designing Certificate-Based Authentication for IPSec
Determine which certificate template to issue. Ensure that a CA is configured to issue the
certificate template. Ensure that all required computers have the
Read and Enroll permissions for the certificate template.
Configure a Group Policy object to perform the automatic certificate request.
Distribute certificates to all client computers requiring L2TP tunnel connectivity.
Applying the Decision: Designing Certificate-Based Authentication for IPSec at Fabrikam If certificate-based authentication is used for
the data collection software IPSec solution, configure automatic certificate requests.
Apply Group Policy at the OU containing the laptops and at the OU containing the data collection server.
For the laptops, define the autoenrollment certificate request to issue either IPSec or computer certificates.
An existing CA must be configured to issue the IPSec certificates.
Troubleshooting Tools
Ping IPSec Monitor (Ipsecmon.exe) Netdiag System Management Server (SMS) Network
Monitor Oakley logs
Making the Decision: Troubleshooting IPSec Connection Problems
Applying the Decision: Troubleshooting IPSec Connection Problems at Fabrikam Configure the authentication mechanism to use a
preshared key and see if the connection succeeds. If the authentication continues to fail, run the IPSec
Monitor to see if an SA is established, and determine if any errors are occurring during the session.
If no session is established, review the IPSec policy assigned to each computer.
Run the System Management Server (SMS) Network Monitor to ensure that Internet Security Association and Key Management Protocol (ISAKMP) packets are being received at each of the tunnel servers.
Enable the Oakley logs to record detailed information about the ISAKMP process.
Chapter Summary
IPSec design decisions Describing IPSec communications Planning IPSec protocols Planning IPSec modes Designing IPSec filters Designing IPSec filter actions Designing IPSec encryption and integrity
algorithms Designing IPSec authentication
Chapter Summary (Cont.)
Assessing preconfigured IPSec policies Deploying IPSec policies in a workgroup
environment Deploying IPSec policies in a domain
environment Automatically deploying computer certificates Troubleshooting IPSec problems