Understanding IPSec "Security is the chief enemy of mortals ...Presentation Transcript
"Security is the chief enemy of mortals."—William Shakespeare "Shun security."—Thales of Miletos "One has to abandon altogether the search for security."—Morris L. West
The one thing they all had in common: none of them were network administrators. For those who are responsible for the integrity of millions of bytes of data that travel over our networks, much of it sensitive information, security is a real and growing concern. "happiness has many roots, but none more important than security." E. R. Stettinius
Computer security is a term that encompasses many different issues, and in designing their new operating system, Microsoft has attempted to cover as many of the bases as possible. Improved authentication technologies, using Kerberos, certificates, Secure Sockets Layer (SSL), and—for compatibility with previous Microsoft operating systems—NTLM, provide for positive confirmation of the user’s identity at logon. The new Encrypting File System (EFS) provides the means to encode data stored on disk so that it is not readable to unauthorized users.
But what about the safety of that data as it travels over the network? That's where IP Security (IPSec) comes in. Most network traffic today uses the TCP/IP protocol stack, including that which is sent over the Internet. IPSec allows you to encrypt data at the Network layer of the popular OSI network communications model to protect it from malicious or accidental access by persons for whom it was not destined.
Overview of IP Security IP Security, as its name implies, operates at the same layer as the Internet Protocol (IP), and this allows for a high level of protection with little overhead, and with no requirement to change your existing applications.
This is important because, unlike other security methods that operate at higher layers (for example, SSL), IPSec can provide security to applications that do not have to be aware of its existence (SSL works only with application programs that were designed to use SSL). And, unlike security methods that operate at lower layers of the OSI model, such as link layer encryption, IPSec is able to protect data from host to host, even when routed across the Internet or another internetwork. IPSec protects not only the IP protocol, but also those protocols that operate at higher levels in the TCP/IP protocol suite, such as TCP, UDP, and ICMP. IPSec is a set of protocols that were developed to provide for highly reliable, standardized, cryptographic-based security for data communications
Basics of Encryption IPSec uses encryption algorithms to protect data. What is encryption, and how did modern encryption technologies develop? It might be useful to take a brief look at the history of cryptography and various encryption methods of the past and present.
A (Very) Brief History of Cryptography The science of cryptography is an old one; some sources estimate that it goes back at least 4000 years, to the cryptic carving used to decorate the tombs of ancient Egyptian rulers and ancient Chinese ideographs. It is perhaps human nature to want to keep secrets—what child hasn't yearned for some form of the infamous secret decoder ring, or an "invisible ink" that can only be seen by the intended recipient, or experimented with speaking "pig latin" so the uninitiated could not (at least in theory) understand him? And for better or worse, the innate desire to uncover the secrets of others also seems to be inborn.
The Origins of Encryption In early cultures, most information was imparted through the spoken word, in a face-to-face transaction. You had to be on the lookout for eavesdroppers, but you could be fairly sure to whom you were speaking. However, as societies developed sophisticated means of communication, more and more information was transferred by nonverbal methods. Written communications were more vulnerable to interception by unauthorized third parties, so ways had to be devised to disguise the meaning of confidential messages.
The first encryption methods were crude and, although often effective at protecting written communications from the prying eyes of casual observers, could be "cracked" relatively easily by knowledgeable—or merely persistent—persons.
Simple Encoding Methods One of the simplest "codes," usually discovered and delighted in by elementary school children, involves transposing letters of the alphabet and/or replacing letters with numbers. Under the former method, for instance, each letter of the alphabet would be "moved forward" by five letters, so that an "f" in the encoded message, for instance, represented an "a" in the real message. It's easy to construct a "key" to decipher this simple form of encryption
A Simple Form of Encryption This simple key makes it easy to create a message that says: gzd utyfytjs that makes no sense to someone who doesn't have the "key." To another who is working from the same table, however, it's obvious that I'm saying: buy potatoes
The latter method is just as simple—a number is assigned to each letter of the alphabet; for example, we could start numbering with "a" as "8." In this case, our "buy potatoes" message would be encoded as 9-28-32 23-22-27-8-27-22-12-26. Again, without the key, it's meaningless, and with the key, it's a simple matter of substitution.
The problem with these "secret codes" is obvious: Someone who has enough patience can eventually hit on the correct substitution process (or algorithm), and if our low-tech hacker ever got his or her hot little hands on a decrypted message, the entire key would be readily reconstructed, and all future communications that used it could be deciphered. Added Complexity Increases Security
This led to the creation of more complex encryption methods. For instance, in order to decode a numerical message, you might follow this procedure: 1. Subtract 7 from the encoded number. 2. Go to the page of the Bible represented by the result. 3. Add 3 to the original number. 4. Count the words on the page and go to the one represented by the result in step 3. 5. The last letter in that word represents the character in the actual message that corresponds to the original number.
The key (literally) is knowing the precise steps of the formula. So long as this is kept secret and known only to the sender and the recipient, there would be a certain amount of security provided by this encoding method. Of course, it is important that both parties' versions of the Bible match exactly; even if both use the King James version, the method falls apart if the pages are not printed precisely alike.
All of the early encryption methods described so far can be referred to as secret key technologies. The same key (substitution formula or set of steps) is used to encrypt and then decrypt the information. When the same key is used to both encrypt and decrypt the data, it is referred to as a symmetric key encryption method. Modern Encryption Methods
Secret key encryption methods are still used today. The widely used Data Encryption Standard (DES) uses secret key algorithms. Standard DES operates on 64-bit blocks of data, and uses a series of complex steps (even more complex than our Bible-assisted method) to transform the original input bits to encoded output bits. Secret Key Encryption
In secret key encryption, the key is called a shared secret because two (or more) people know the key. The problem with this comes in if you want to send encoded messages to more than one person. If you used one of the keys discussed earlier to send secret messages to Jim, and then you wish to encode a message to send to Jack, you'll probably need to come up with a different key. If you use the same one you know and are used to, Jim will be able to read the messages that pass between you and Jack, and Jack will be able to read all the past and future messages sent to Jim. Having to remember and use all these different keys could become a real pain
Doesn't sound very secure, does it? If the key is public, won't any and everyone be able to decrypt your data? Certainly "secret key technology" sounds much more secure than "public key technology." However, this is one of those instances where names can be deceiving. Actually public key, or asymmetric encryption methods, are more secure than secret key methods. This is because public key technologies actually involve the use of not one, but two keys. The "public" key is only half of the equation. A better term for public key encryption would be "public/private key encryption." Public key encryption
Three methods of Public Key Encryption
Think of the method used to secure safety deposit boxes at banks. When you rent a box, you have a key to it—but your key alone won't unlock it. The bank officer also has a key, but again, that key by itself isn't of much value. When both keys are used, however, the authorized person can access the box. Likewise, with public key encryption technologies, it takes two keys to tango. One is the public key, which is made available to all those who want to send you an encrypted message. They can all use that public key to encrypt their messages, but they can't use it to decrypt them—only your private key, which you keep secret, can do that. This is called a confidential data exchange. Confidential Data Exchange
The only problem with the preceding scenario is that there is no assurance that the person who used your public key to encrypt and send you a message is really whomever he or she claims to be. How can we ensure that? Well, let's look at using the public and private keys in a slightly different way: What if the sender encrypted the message using his or her private key, and then you decrypted it using his or her public key? What would this accomplish? We get the same confidentiality of the data as with the first method, but since presumably only the sender has the private key, we can be confident of his identity. Now we have an authenticated data exchange. Authenticated Data Exchange
If we want the benefits of both methods, we can combine them and double the protection. That is, the sender would encrypt the message with the recipient's public key, then sign it again with the sender's private key. Double the Protection
In the past decade, communications over the Internet and other large networks that use the TCP/IP protocols has increased exponentially. As more data flows across these public and corporate networks, it has become more important to devise methods of providing security for information that is intended to remain private. IPSec is actually a collection of open standards, developed by the Internet Engineering Task Force (IETF), for providing secure communications over IP networks. IPSec Standards
IPSec defines a network security architecture that allows secure networking for the enterprise, allowing you to secure packets at the network layer. By performing its services at the network layer, IPSec secures information in a manner that is transparent to the user and to the protocols that lie above the transport layer. IPSec provides “layer 3” protection. IPSec Architecture
The IPSec security architecture provides an “end to end” security model. This means that only the “endpoints” of a communication need to be IPSec aware. In other words, computers and devices that serve as intermediaries of message transfer do not need to be IPSec enabled. This allows the administrator of a Windows 2000 network to implement IPSec for end-to-end security over diverse network infrastructures, including the Internet. Network devices that are in between the sending and receiving computers, such as bridges, switches, and routers, can be oblivious to IPSec. This end-to-end capability can be extended to different communication scenarios, including: Client to client Gateway to gateway (also called "tunneling")
Transport vs. Tunnel Mode IPSec can operate in two different modes, depending upon the scope of the secure communication. These are known as transport mode and tunnel mode.
In transport mode, both clients must use TCP/IP as their network protocol. Transport Mode When IPSec is used to protect communications between two clients (for example, two computers on the same LAN), the machines can utilize IPSec in what is known as transport mode. In this example, the endpoints of the secure communication are the source machine and the destination host
Tunnel Mode The second communication mode is a gateway-to-gateway solution. IPSec protects information that travels through a transit network (such as the Internet). Packets are protected as they leave the exit gateway, and then decrypted or authenticated at the destination network’s gateway. When gateways represent the endpoints of the secure communication, IPSec is operating in tunnel mode. A tunnel is created between the gateways, and client-to-client communications are encapsulated in the tunnel protocol headers. In tunnel mode, the host and destination computers do not employ IPSec, and can use any LAN protocol supported by IPSec (IPX/SPX, AppleTalk, NetBEUI, TCP/IP).
The IPSec protocols used by Windows 2000 to provide security for IP packets consist of the following:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
The Authentication Header ensures data integrity and authentication. The AH does not encrypt data, and therefore provides no confidentiality, but does protect the data from modification. When the AH protocol is applied in transport mode, the Authentication Header is inserted between the original IP header and the TCP or UDP header.
AH Datagram after the application of AH in transport mode
Microsoft refers to AH as a "medium security method," and recommends it when your network requires standard—but not high—levels of security.
The Encapsulating Security Payload (ESP) protocol, like AH, provides authentication, integrity, and anti-replay to an IP datagram—but it does more; it also provides confidentiality. Although authentication services are available with ESP, the original IP header (prior to application of the ESP header) is not authenticated by ESP.
The ESP header, in transport mode, is placed between the original header and the TCP header
Microsoft recommends that ESP be used in high security environments, where encryption of the data is required. To use ESP and AH together, to provide security for both the data and the IP header, you must create a custom security method in Windows 2000's security method configuration.
Security Negotiation Security negotiation ensures that the authentication and encryption methods used by the sending and receiving computers are the same. If they are not, reliable communication cannot take place. To provide for compatibility between the security systems being used, there must be protocols in place to negotiate the security methods. IPSec uses ISAKMP and IKE to define the way in which security associations are negotiated.
Security Associations (SAs) define IPSec secured links. One of the tasks of IPSec is to establish a Security Association between the two computers desiring to communicate with one another securely. This could include: Communications between remote nodes and the network Communications between two networks Communications between two computers on a local area network (LAN) Security Associations
Each Security Association is defined for one unidirectional flow of data, most commonly from one single point to another. Whatever traffic flows over a specific SA will be treated the same. The two communicating computers must agree on the method for exchanging and protecting information before secure communications can take place. How it works: 1. The computer that is initiating the communication will transmit an offer list to the receiving computer, which contains a list of potential levels of security. 2. The receiving computer can accept the offer, or reject it. If the latter, it transmits a message back to the sender that notifies the sender that no offer was accepted.
One of two types of Security Associations can be established:
· A soft SA is established if the active security policies are set to permit unsecured communications with computers that are not IPSec-capable.
· A hard SA is established if the active policies are compatible. A hard SA is a secured security association.
Security Associations Types
The first phase of security negotiation is key exchange . IPSec standards support either manual or automated key exchange, but large-scale implementations necessitate automated key exchange. Key Exchange
Automated Key Management uses a combination of the Internet Security Association Key Management Protocol and the Oakley Protocol (ISAKMP/Oakley). This combination of protocols is often referred to collectively as the Internet Key Exchange (IKE). The IKE is responsible for exchange of “key material” (groups of numbers that will form the basis of new key), session keys, SA negotiation, and authentication of peers participating in an IPSec interaction. During this exchange, the Oakley protocol protects the identities of the negotiating parties.
There are two phases involved in the key exchange:
Establishment of the ISAKMP SA
Establishment of the IPSec SA
The steps involved in establishing the ISAKMP SA are:
1. The computers establish a common encryption algorithm (either DES or 3DES).
2. A common hash algorithm is agreed upon (either MD5 or SHA1).
3. An authentication method is established. (Depending on policy, this can be Kerberos, public-key encryption, or prearranged shared secret).
Establishing the ISAKMP Security Association
Establishing the IPSec Security Association In the second phase of key exchange, Security Associations are negotiated for security protocols (AH, ESP, or both). After a secure channel has been established by the creation of the ISAKMP SA, the IPSec SA(s) will be established. The process is similar, except that a separate IPSec SA is created for each protocol (AH or ESP) and for each direction of traffic (inbound and outbound). Each IPSec SA must establish the following: Encryption algorithm Hash algorithm Authentication method.
Each IPSec SA uses a different shared key than that negotiated during the ISAKMP SA. Depending on how policy is configured, the IPSec SA works by reusing “key material” derived from the original ISAKMP SA. All data transferred between the two computers will take place in the context of the IPSec SA.
IPSec uses authentication to ensure that data is not changed, and encryption to protect the confidentiality of the data. The Windows 2000 implementation of IPSec can use DES (Data Encryption Standard), or it can use a strong encryption algorithm such as 3DES), which provides a higher level of security than DES because it uses a longer key.
The High Encryption Pack needs to be installed to use 3DES, and if the computer does not have the High Encryption Pack installed and receives a policy with 3DES settings, it will revert to DES.
How IPSec Works Some of the important components of IP Security
the IPSec driver
the IPSec filter list
the ISAKMP service
Authentication methods are the means used by IPSec to define the way in which identities are verified. In order for two computers to communicate securely using IPSec, they must have at least one authentication method in common. A computer can have multiple authentication methods, and configuring multiple methods will increase the chances that, in attempting communication with another computer, there will be a common method. IPSec Authentication
The authentication methods that can be used by IPSec include:
Public Key certificates
Version 5 of the Kerberos security protocol is the default authentication method in Windows 2000. Client computers that belong to a trusted domain can use the Kerberos authentication method, which is based on a shared secret, as long as they are running the Kerberos v5 protocol. They do not have to be Windows 2000 machines to use this method. Kerberos v5
A second authentication method involves the use of public key certificates in conjunction with a trusted certificate authority (CA). An advantage of this method is that it can be used with computers that are not running the Kerberos v5 protocol. Public key certificates are appropriately used for remote access communications or those that go across the public Internet.
Public key certificates
The third option is to use a preshared key, which is a secret key that was agreed upon previously by the two users conducting the transaction. This method, like the public key certificate, has the advantage of working with computers that are not running Kerberos v5. The disadvantage is that IPSec must be configured, on both sides, to use the specified preshared key. Preshared key
The ISAKMP Service ISAKMP is used in conjunction with session key establishment protocols like Oakley, which is a leading key management method. The ISAKMP service is responsible for managing the exchange of the cryptographic keys used in IPSec communications, and Oakley generates and manages the authenticated keys used to secure the information. ISAKMP centralizes the management of security associations, which in turn reduces connection time.
IPSec Driver The IPSec driver, along with the other IPSec components, is incorporated into the Windows 2000 TCP/IP protocol. If the driver becomes corrupted, it can be reinstalled by removing and reinstalling TCP/IP. The IPSec driver is the component that first checks the IP filter list in the policy that is active, and notifies the ISAKMP service to begin security negotiations.
IPSec Packet Handling A typical IPSec transaction involves the following steps: 1. The IPSec driver receives the filter list. 2. The driver inspects each packet (both inbound and outbound traffic) and compares it to the filter list. 3. The driver applies the filter to any matching packets. 4. The packet is allowed through (received or sent) if the filter action allows transmission. The packet is discarded if the filter action blocks transmission. The security association (SA) that has been negotiated is used to process the incoming and outgoing packets. If there are multiple SAs configured, the SPI (Security Parameters Index) is used to determine which SA goes with the packet.
IPSec Filter Lists IPSec uses IP filter lists, each of which contains one or more filters. An IP filter defines IP addresses and types of IP traffic. The administrator can specify the source or destination address, and/or the traffic type to be filtered. Each IP packet will be checked against the filter list.
IP Filters Inbound filters are, as the name suggests, applied to incoming IP packets, while outbound filters are applied to IP packets being sent out onto the network. The filter list triggers a security negotiation when a match is made to the source or destination address or the type of IP traffic.
Filter Settings Filter settings include the following: Source/destination address This is the IP address of the sending and receiving computer. It can be one IP address or a group of addresses, a subnet, a network, or multiple networks. Protocol This is the protocol being used to transfer the packet. The default is TCP/IP and all related protocols in the TCP/IP suite. Source/destination port for TCP or UDP The default setting is all ports, but the administrator can configure this setting to specify only a particular port(s).
IPSec and SNMP The Simple Network Management Protocol (SNMP) is a protocol included in most implementations of the TCP/IP suite, which is used to monitor and manage networks and network devices. When the SNMP service is running and IPSec is used, SNMP messages will be blocked unless you configure a rule in your current active IPSec policy to prevent this.
In order to do this, the IP filter list needs to specify the source and destination addresses of the SNMP management systems and agents for the UDP protocol on ports 161 and 162 (inbound and outbound). Two filters will have to be configured to accomplish this, one for each port. Filter action should be configured to permit the traffic that matches the filter list. In this way, the SNMP packets will be allowed through.
IPSec and L2TP One of the new features in Windows 2000 is the ability to establish a secure virtual private network (VPN) connection using L2TP (the Layer Two Tunneling Protocol) in combination with IPSec for improved security. Windows NT 4.0 supported only the Point-to-Point Tunneling Protocol (PPTP) for virtual private networking. Windows 2000 supports both L2TP and PPTP for VPN connections, but IPSec can be used only with L2TP.
When to Use L2TP Instances in which you might use the L2TP/IPSec combination (referred to as L2TP over IPSec) include: Providing a secure link between remote clients and a corporate network (End to End security). Providing a secure connection for company's offices located at multiple sites (Secure tunneling). In order to use L2TP over IPSec, both the Layer Two Tunneling Protocol and IPSec must be supported by both the VPN client and the VPN server.