600 likes | 827 Views
IPSEC FAQ. http://www.microsoft.com/windowsserver2003/techinfo/overview/ipsecfaq.mspx. What is IPsec? .
E N D
IPSECFAQ • http://www.microsoft.com/windowsserver2003/techinfo/overview/ipsecfaq.mspx
What is IPsec? • Internet Protocol security (IPsec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. The Internet Engineering Task Force (IETF) IPsec working group defines the IPsec standards. • IPsec is the long-term direction for secure networking. It provides aggressive protection against private network and Internet attacks through end-to-end security. The only computers that must know about IPsec protection are the sender and receiver in the communication. IPsec provides the ability to protect communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roving clients. • The Microsoft Windows 2000, Windows XP, and the Windows Server 2003 family implementations of IPsec are IETF standards-based.
Where can I find background information on IPsec? • For the IETF standards, see the IETF Internet Protocol Security working group. • For an overview of IPsec in Windows Server 2003, see the Internet Protocol Security for Microsoft Windows Server 2003 white paper. • For an overview of IPsec in Windows 2000, see the Internet Protocol Security for Microsoft Windows 2000 Server white paper.
Where is the Microsoft IPsec documentation? • IPsec documentation is included with Windows 2000 (click Start, then click Help), Windows XP (click Start, then click Help and Support), and Windows Server 2003 (click Start, then click Help and Support). There are also IPsec chapters of the Windows 2000 Server Resource Kit, Windows Server 2003 Deployment Guide, and the Windows Server 2003 Technical Reference. • For a list of all the resources for IPsec in Windows Server 2003, see the Windows Server 2003 IPsec Web site. • For a list of all the resources for IPsec in Windows 2000, see the Windows 2000 IPsec Web site.
What standards define IPsec? • The following IETF standards define IPsec: • RFC 2401: Security Architecture for the Internet Protocol • RFC 2402: IP Authentication Header • RFC 2403: The Use of HMAC-MD5-96 within ESP and AH • RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH • RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV • RFC 2406: IP Encapsulating Security Payload (ESP) • RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP • RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP) • RFC 2409: The Internet Key Exchange (IKE)
What are the differences between IPsec and firewalls? • Firewalls are designed to monitor incoming and outgoing traffic to determine whether the traffic is allowed. The Windows implementation of IPsec can also perform this function. However, IPsec can also ensure that the incoming and outgoing traffic is secure (protected with cryptography). For example, with the correct IPsec policy settings, you can require that all communications between domain controllers be secured. • Another key difference between IPsec for Windows and firewalls is the following: • The default behavior of firewalls is to discard incoming or outgoing traffic unless there is an exception to allow it.•The default behavior of IPsec for Windows is to allow incoming or outgoing traffic, unless there is an exception to discard or secure it.
What usage scenarios are currently recommended? • The following usage scenarios are currently recommended: • Server and Domain Isolation Using IPsec and Group Policy • Using Microsoft IPsec for Windows to Help Secure an Internal Corporate Network Server • Active Directory in Networks Segmented by Firewalls • Improving Security with Domain Isolation
Why would I use IPsec instead of Secure Sockets Layer (SSL)? • Because IPsec works at the IP layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack, you do not have to modify existing applications to use IPsec. All TCP/IP applications can use IPsec, whereas only SSL-enabled TCP/IP applications can use SSL. IPsec is an excellent solution to securing the traffic of legacy applications. • Other points of contrast between IPsec and SSL are the following: • SSL was designed for client application-to-server application authentication and encryption. IPsec can be used end-to-end or for gateway-to-gateway scenarios. • SSL only supports the use of digital certificates for authentication. The Windows implementation of IPsec supports the use of Kerberos, preshared key, and digital certificates for authentication.
What are the differences between using IPsec and the Windows Firewall for blocking or permitting traffic? • With IPsec for Windows policy settings, you can block or permit incoming and outgoing traffic based on: • The source and destination addresses based on IPv4 address ranges expressed as subnets • The IP protocol number • The source and destination Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) portsIn contrast, with Windows Firewall you can only specify exceptions (incoming traffic that is permitted) based on source IPv4 address ranges expressed as subnets and destination TCP and UDP ports. • However, with Windows Firewall, you can do the following: • Specify exceptions based on program names • Permit or block Internet Protocol version 6 (IPv6) traffic and specify both port and program-based exceptions
What is an IPsec policy? • An IPsec Policy is a group of settings that specify IPsec behavior with regard to the types of traffic that are permitted, blocked, or secured. An IPsec policy consists of: • General IPsec policy settings—Settings that apply regardless of which rules are configured. These settings determine the name of the policy, its description for administrative purposes, how often to check for policy changes, key exchange settings, and key exchange methods. • IPsec policy rules—One or more IPsec rules that determine which types of traffic IPsec must examine, how traffic is treated, how to authenticate an IPsec peer, and other settings such as the type of network connection to which the rule applies and whether or not to use IPsec tunneling • After IPsec policies are created, an individual IPsec policy can be assigned (activated) at the domain, site, organizational unit, and local level.
What is an IPsec policy rule? • Each IPsec rule contains the following configuration items: • Filter list—A single filter list is selected that contains one or more predefined packet filters that describe the types of traffic to which the configured filter action for this rule is applied. The filter list is configured on the IP Filter List tab in the properties of an IPsec rule within an IPsec policy. • Filter action—A single filter action is selected that includes the type of action required (Permit, Block, or Negotiate Security) for packets that match the filter list. For the Negotiate Security filter action, the negotiation data contains one or more security methods that are used (in order of preference) during IKE negotiations and other IPsec settings. Each security method determines the security protocol (such as Authentication Header [AH] or Encapsulating Security Payload [ESP]), the specific cryptographic and hashing algorithms, and session key regeneration settings used. The filter action is configured on the Filter Action tab in the properties of an IPsec rule within an IPsec policy. • Authentication methods—One or more authentication methods are configured (in order of preference) and used for authentication of IPsec peers during main mode negotiations. The available authentication methods are the Kerberos V5 protocol, use of a certificate issued from a specified certification authority, or a preshared key. The authentication methods are configured on the Authentication Methods tab in the properties of an IPsec rule within an IPsec policy. • Tunnel endpoint—Specifies whether the traffic is tunneled and, if it is, the IP address of the tunnel endpoint. For outbound traffic, the tunnel endpoint is the IP address of the IPsec tunnel peer. For inbound traffic, the tunnel endpoint is a local IP address. The tunnel endpoint is configured on the Tunnel Setting tab in the properties of an IPsec rule within an IPsec policy. • Connection type—Specifies whether the rule applies to local area network (LAN) connections, dial-up connections, or both. The connection type is configured on the Connection Type tab in the properties of an IPsec rule within an IPsec policy. • The rules for a policy are displayed in reverse alphabetical order based on the name of the filter list selected for each rule. There is no method for specifying an order in which to apply the rules in a policy. IPsec for Windows automatically creates an IPsec filter list and orders the list based on the most specific to the least specific filter list. For example, a filter that specified individual IP addresses would be applied before a filter that specified all addresses on a subnet.
When should the predefined policies be used? • The predefined policies should only be used for testing and research purposes. You should create your own IPsec policy when deploying IPsec in a production environment.
What is an IP filter? • An IP filter defines a specific set of IP traffic. The configuration parameters of an IP filter are the following: • Source address (individual address or address range) • Source address mask • Source TCP port • Source UDP port • Destination address (individual address or address range) • Destination address mask • Destination TCP port • Destination UDP port • IP protocol
What is an IP filter list? • An IP filter list is a set of IP filters grouped together under a common name, typically for the purpose of applying a specific filter action.
What is a filter action? • A filter action defines how IPsec will handle traffic. You can specify permit, block, or secure (known as Negotiate Security) filter actions. When you select the secure filter action, you must also specify security methods, authentication methods, connection type, and whether to use IPsec tunneling.
What does the "Allow unsecured communication with non IPsec-aware computer" checkbox on the "Security Methods" tab do? • Specifies whether to allow unsecured communications with computers that cannot negotiate the use of IPsec or process IPsec-secured traffic. You can use this option to secure traffic with computers on your network that are IPsec-capable while allowing unsecured communications with computers on your network that are not IPsec-capable. However, when you enable this option, unsecured traffic is allowed when IPsec negotiations with an IPsec-capable computer fail.
What does the "Accept unsecured communication, but always respond using IPsec" checkbox on the "Security Methods" tab do? • Specifies whether to accept initial unsecured traffic sent by another computer, but require secure communication when replying. This option is typically enabled on a policy that is assigned to server computers when the client computers have a policy assigned in which the default response rule is enabled. This simplifies IPsec deployment because the policy assigned to the client computers does not have to be configured with additional rules that initiate secured communication to all secured servers.
What does the "Session Key perfect forward secrecy" checkbox on the "Security Methods" tab do? • Specifies whether you want to renegotiate new master key keying material each time a new session key is required. When session key perfect forward secrecy (PFS) is disabled, new session keys are derived from current master key keying material, subject to the number of times the master key keying material can be used to derive the session key. Although enabling session key perfect forward secrecy (PFS) provides greater security, performance and throughput might be impacted.
What is the Default Response rule used for? • The default response rule, which can be used for all policies, has the IP filter list of <Dynamic> and the filter action of Default Response when the list of rules is viewed with the IP Security Policies snap-in. The default response rule cannot be deleted, but it can be deactivated. It is activated by default for all policies. • The default response rule is used to ensure that the computer responds to requests for secure communication. If an active policy does not have a rule defined for a computer that is requesting secure communication, then the default response rule is applied and security is negotiated. For example, when Computer A communicates securely with Computer B, and Computer B does not have an inbound filter defined for Computer A, the default response rule is used. • When enabled on a client computer, the default response rule allows the client to start communicating in the clear to a server with the Accept unsecured communication, but always respond using IPsec option enabled. The server will respond with a negotiation request that, if successful, protects the rest of the traffic. • Security methods and authentication methods can be configured for the default response rule. The filter list of <Dynamic> indicates that the filter list is not configured, but that filters are created automatically based on the receipt of IKE negotiation packets. The filter action of Default Response indicates that the action of the filter (Permit, Block, or Negotiate Security) cannot be configured. Negotiate Security will be used. However, you can configure: • The security methods and their preference order on the Security Methods tab. • The authentication methods and their preference order on the Authentication Methods tab.
How are IPsec policies applied in the Active Directory directory service? • For computers that obtain their IPsec policy through Active Directory-based group policy, the IPsec policy applied is the one assigned to the Group Policy object (GPO) that is closest to the computer in the Active Directory domain structure, when following the domain structure up to the root of the domain. For example, if a computer is a member of an organizational unit (OU), then the IPsec policy assigned to that OU's GPO would be the one applied. However, if the OU's GPO does not have an assigned IPsec policy, then the computer will apply the IPsec policy assigned to the GPO in the next OU up the Active Directory tree towards the root. • The IPsec policies in different GPOs are not merged. Only one IPsec policy is applied, the one assigned with the closest GPO towards the root of the Active Directory tree.
Can I use IPsec to secure multicast or broadcast traffic? What about blocking it? • No. IPsec does not secure multicast or broadcast traffic. However, you can configure IPsec to block multicast or broadcast traffic.
How does IPsec for Windows determine filter ordering? • IPsec for Windows derives an IPsec filter list from the rules of the assigned IPsec policy. The IPsec filter list, which is derived from but different than the IP filter lists configured in the IPsec policy, is the end result of the policy configuration, specifying the exact set of interesting traffic and how it is to be handled. The IPsec filter list is ordered by a weight value, which is based on how specific the originally defined IP filter is; more specific IP filters will produce IPsec filters with a higher weight value. For more information, see IPsec Filter Ordering.
What happens when filters conflict? • Conflicting IPsec filters contain the same value for addressing, ports, and the IP Protocol field value, but have different filter actions. For example, one IPsec filter may permit and the other IPsec filter may block. When there are conflicting IPsec filters, the IPsec filter with the most restrictive filter action is added to the IPsec filter list. The block filter action is more restrictive than the secure filter action, which is more restrictive than the permit filter action.
Do you need to exempt DNS traffic from being secured with IPsec? • Yes. You should create an exemption that permits DNS traffic (TCP port 53 and UDP port 53).
Do you need to exempt NetBIOS over TCP/IP name resolution traffic from being secured with IPsec? • Yes. You should create an exemption that permits NetBIOS over TCP/IP name resolution traffic, commonly sent between client computers and Windows Internet Name Service (WINS) server computers (UDP port 137).
Do I need to configure Windows Firewall for exceptions for IPsec traffic? • No. IPsec for Windows automatically creates the exceptions for IPsec negotiation traffic (UDP ports 500 and 4500) when the active IPsec policy requires secure traffic.
Why does Microsoft recommend against using preshared key authentication for IPsec? • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. Preshared key authentication creates a master key that is less secure than digital certificates or the Kerberos V5 protocol. In addition, preshared keys are stored in plaintext and can be viewed by users with administrator-level privileges. Preshared key authentication is provided for interoperability purposes and to adhere to IPsec standards. It is recommended that you use preshared keys only for testing and that you use digital certificates or Kerberos V5 instead in a production environment.
Why does IPsec use computer authentication and not user authentication? • IPsec is designed for computer-to-computer security services and is independent of the actual traffic being secured. User credentials are employed by Application layer components, rather than Network layer components. Additionally, IPsec might need to secure traffic before a user has logged on to the computer.
What certificate attributes are required for IPsec to accept the certificate? • IPsec requires the following attributes for certificates used in IPsec authentication: • Must contain an RSA public key that has a corresponding private key that can be used for RSA signatures • Cannot be expired • Must have been issued from a trusted root certification authority • For additional information, see the "IKE Main Mode and Quick Mode Negotiation" section of How IPsec Works.
Is AES encryption supported? • No. The Microsoft implementation of IPsec in current versions of Windows does not support the Advanced Encryption Standard (AES). Support for AES is being considered for future versions of Windows.
Why would I use 3DES over DES encryption? • Triple Data Encryption Standard (3DES) is recommended because it is more secure than DES. Use DES when securing traffic to third-party IPsec peers that do not support 3DES. Windows XP, Windows Server 2003, and Windows 2000 (Service Pack 1 and higher) support 3DES.
Why would I use SHA1 over MD5 for hashing? • Secure Hash Algorithm 1 (SHA1) is recommended because it is more secure than Message Digest 5 (MD5). Use MD5 when securing traffic to third-party IPsec peers that do not support MD5. Windows XP, Windows Server 2003, and Windows 2000 (Service Pack 1 and higher) support SHA1.
How many simultaneous IPsec connections can be sustained on a basic server computer? • Results vary because there are many factors affecting the performance of IPsec such as processor speed and the types of network adapters. In Microsoft testing, the following results were achieved on an Intel Pentium III-based computer, running at 993 MHz, and with 384 MB of RAM: • Time between initiated negotiations (ms) Security associations (SAs) established (SAs/sec) • 250 15.79762 • 200 19.27202 • 150 19.38969 • 100 17.99813 • 50 18.7118 • 0 5.49884 • The most time and processor-intensive part of an IPsec-secured connection is the main mode negotiation, from which the master key is derived.
What is IPsec offload? What effect does it have on performance? • IPsec offload is the offloading of IPsec cryptographic calculations to high-performance firmware on network adapters, rather than having those calculations being performed using the computer's processor. Some IPsec offload adapters can perform DES, 3DES, SHA1 HMAC, MD5 HMAC, and even Diffie-Hellman key determination calculations. Using IPsec offload adapters can have a significant impact on performance.
Can I use IPsec with network load balancing (NLB)? Can we use IPsec with Microsoft Cluster Server (MSCS)? • Yes. IPsec for Windows supports NLB and MSCS cluster scenarios. However, IPsec sessions do not fail over. For more information, see IPsec is not designed for failover.
What performance counters are available? • There are no performance counters in current versions of Windows to monitor IPsec-secured traffic.
What monitoring tools can I use for IPsec? • For computers running Windows 2000, you can use the IP Security Monitor tool. Click Start, click Run, type ipsecmon.exe, and then click OK. • For computers running Windows XP or Windows Server 2003, you can use the IP Security Monitor snap-in. For more information, see To start the IP Security Policy Management snap-in. • For computers running Windows XP, you can use the ipseccmd\\computershow all command. • For computers running Windows Server 2003, you can use the netsh ipsec static show or netsh ipsec dynamic show commands.
How can I view my current IPsec security associations (SAs)? • For computers running Windows 2000, you can use the IP Security Monitor tool. Click Start, click Run, type ipsecmon.exe, and then click OK SAs are listed in the Security Associations portion of the IP Security Monitor window. • For computers running Windows XP or Windows Server 2003, you can use the IP Security Monitor snap-in. For more information, see To start the IP Security Policy Management snap-in. • For computers running Windows XP, you can use the ipseccmd\\computershow all command. • For computers running Windows Server 2003, you can use the netsh ipsec static show or netsh ipsec dynamic show commands.
How do you turn on Oakley logging? Where is the log file stored? • The Oakley log records all IKE (ISAKMP) main mode and quick mode negotiations. To enable Oakley logging, do the following: • For computers running Windows 2000, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created. • For computers running Windows XP, use the ipseccmd set logike command. • For computers running Windows Server 2003, use the netsh ipsec dynamic set config ikelogging 1 command. • The Oakley log is stored in the systemroot\Debug folder. A new Oakley.log file is created each time the IPsec Policy Agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav.
How do I troubleshoot communications that are encrypted by IPsec? • Because the IP payloads have been encrypted with IPsec, it is not possible to perform troubleshooting based on the contents of IPsec-protected packet payloads. For example, you cannot use an intermediate router or firewall to capture and interpret IPsec-protected packets. You can perform some troubleshooting based on the presence of encrypted packets, how many are sent, and when they are sent.
Can I use Microsoft Network Monitor to troubleshoot IPsec traffic? • Yes. Network Monitor is included with Microsoft Systems Management Server, Windows 2000 Server, Windows Server 2003, and features protocol parsers for IKE (displayed as ISAKMP), AH, and ESP. However, Network Monitor does not parse the encrypted portions of IPsec-protected traffic.
What settings do I need to enable IPsec event logging? • You can use the Windows XP Event Viewer snap-in to view the following IPsec-related events: • IPsec Policy Agent events in the audit log. • IPsec driver events in the system log. To enable IPsec driver event logging, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ IPSEC\DiagnosticMode registry setting to 1. You must restart the computer for this change to take effect. The IPsec driver only writes events to the system log once an hour. • IKE events (SA details) in the audit log. To view these events, enable success or failure auditing for the Audit logon events audit policy for your domain or local computer. For more information, see To establish an audit policy. • IPsec policy change events in the audit log. To view these events, enable success or failure auditing for the Audit policy change audit policy for your domain or local computer. For more information, see To establish an audit policy.
How does IPsec work with network address translators (NATs)? • IPsec Network Address Translator Traversal (NAT-T), a new IETF standard, allows IPsec negotiation and encapsulation of ESP-protected payloads. For more information about how IPsec NAT-T works, see IPsec NAT Traversal Overview. • Windows XP Service Pack 2 and Windows Server 2003 has built-in support for IPsec NAT-T. L2TP/IPsec NAT-T update for Windows XP and Windows 2000, a free download, provides support for computers running Windows XP with no service packs installed, Windows XP with Service Pack 1, and Windows 2000.
How do I remove all local IPsec policy settings? • You can remove static local IPsec policy settings with the following: • The IP Security Policies snap-in for Windows 2000, Windows XP, or Windows Server 2003 • The Ipseccmd.exe tool for Windows XP • Commands in the netsh ipsec static context for Windows Server 2003
What is the difference between ESP with authentication only and AH? • AH provides data origin authentication and data integrity for the entire IP packet (with the exception of some fields in the IP header that must change in transit). ESP with authentication only (also known as ESP null) provides data origin authentication and data integrity for only the IP payload.
Why would you want both AH and ESP? • ESP provides data confidentiality, data origin authentication, and data integrity for the IP payload. ESP does not provide data origin authentication and data integrity for the IP header. If you want to protect the IP header for ESP-encrypted packets, you must use both AH and ESP. By protecting the IP header, you can detect and eliminate most types of network attacks that rely on the spoofing of IP addresses.
What is IPsec main mode negotiation? • The negotiation of a secured IPsec session has two distinct phases: main mode and quick mode. The main mode negotiation creates a bidirectional main mode SA (also known as an ISAKMP SA), which is a secure channel through which the quick mode negotiation and all future IKE traffic takes place. • Main mode negotiation accomplishes the following: • Negotiates security parameters for IKE traffic. These include the authentication method, lifetime of the main mode SA, the Diffie-Hellman group to be used to generate a shared secret, and how the IKE traffic is to be protected (encryption and HMAC algorithms). • Exchanges Diffie-Hellman keying material. For a set of publicly exchanged keys, a mutually determined secret key is calculated. • Authenticates the identities of the IPsec peers (Kerberos, digital certificates, or preshared key)
What is IPsec quick mode negotiation? • IPsec quick mode negotiation creates the unidirectional quick mode SAs (also known as IPsec SAs), to secure data traffic. During negotiation, the IPsec peers determine the specific encryption algorithm, hashing algorithms, the use of ESP or AH (or both), whether to use transport or tunnel, and a description of the traffic to protect. All quick mode negotiation messages are protected with the main mode SA previously established. Each successful quick mode negotiation establishes two IPsec SAs. One SA is for inbound traffic and the other is for outbound traffic.
What are IKE, Oakley, and ISAKMP and how do they relate? • Internet Key Exchange (IKE) is used to dynamically establish SAs between IPsec peers. IKE is a hybrid of 3 protocols that is based on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP) and implements parts of two key management protocols: Oakley and SKEME. • IKE uses ISAKMP to define how two peers communicate, including the packet formats, retransmission timers, and message construction requirements. IKE uses both Oakley and SKEME to provide the mechanism and management of key exchanges.
What is IPsec transport mode? • IPsec transport mode provides the protection of an IP payload through an AH or ESP header. Typical IP payloads are TCP segments (containing a TCP header and TCP segment data), a UDP message (containing a UDP header and UDP message data), and an ICMP message (containing an ICMP header and ICMP message data).