Internet Protocol Security

IP PACKETS HAVE NO INHERENT SECURITY – there is no way to verify:
- that the data has not been modified in transit,
- that the data has not been viewed by a third party,
- that the data you have received is from the right person (the true sender).
What about non-repudiation?

Hence IPSec provides an automated solution for these areas: Authentication, Integrity, Confidentiality, Encryption.
Standard IP Packet: First, the data. The data is encapsulated (wrapped) by the TCP header, which determines the destination application on the machine you are sending to. It identifies which application the data is meant for by carrying the port number of that application, for example 80 for HTTP, 21 for FTP, and so on. The IP header is then wrapped around the TCP header. The IP header determines where the data should go on the physical network; it takes care of moving the data from one computer to another across the network/Internet. Once the data reaches the destination, the IP header is removed first, then the TCP header says where the data should go within the destination system, and finally, when it gets to that location, the TCP header is also removed and the data is reassembled and delivered to the application.

NOW THE DIFFERENCE BETWEEN A STANDARD IP PACKET AND AN IPSEC-PROTECTED PACKET IS THAT:
IPSec Packet: First, the data. The data is encapsulated with the TCP header. Then the IPSec header is added, and only then the IP header. Because IPSec sits below the transport layer it is application independent, which is what lets it bring authentication, integrity, confidentiality and encryption to the whole system rather than to one application.
How to implement IPSec-enabled communication?

IPSec can be implemented through policies that enforce a set of packet filters on inbound or outbound traffic. With the help of filters you can:
- Block
- Permit
- Negotiate security (encrypt)

IPSec policies are used to protect the contents of IP packets and to defend against network attacks.

1. IPSec can be enabled through the "IP Security Policy" editing tool, which you open via "mmc": go to Run > type "mmc" > File > Add/Remove Snap-in > Add > select "IP Security Policy Management" and click "Add" > Local computer > Finish > OK. You can now see three policies on the right side of the window: "Client (Respond Only)", "Server (Request Security)" and "Secure Server (Require Security)". To implement any of the policies, right-click the policy and click "Assign"; the policy will be enabled.

To implement IPSec policies on Active Directory users or on an organizational unit: right-click the organizational unit > Properties > Group Policy > "New", give it a name and click "Edit" > Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Active Directory, and you will see the same three preloaded policies. You can assign or unassign any policy.
Configuring IPSec policies

Default policies:
- Client (Respond Only): the system won't use IPSec unless requested.
- Server (Request Security): try to initiate IPSec communication whenever possible.
- Secure Server (Require Security): disallow any communication that does not use IPSec.

Only one policy can be assigned at a time.
2. IPSec operates at the IP layer of the TCP/IP model. Type "secpol.msc" in Run to open the IP Security Policy console. Rules must be defined: what type of packets must be blocked, encrypted or filtered, for example when packets travel between IP addresses 192.168.1.1 and 192.168.1.10.

Policy rules tell IPSec how to behave (encrypt certain communication, sign other communication, etc.). A rule is defined by the combination of IPSec actions + IPSec filters.
- Filter: only activate the rule if traffic comes from IP address 192.168.2.23 and uses FTP.
- Action: encrypt the traffic.
Go to IP Security Policies on Local Computer > right-click "Manage IP Filter Lists and Filter Actions" > under "Manage Filter Actions" click "Add" > welcome screen > Next > give the name "block" and click Next > select "Block" and click Next > Finish. Now go to the assigned policy > Properties > under Rules, double-click "All ICMP Traffic" > under Filter Action select "Block" > "Apply" and "OK". The rule above means: if the filter matches ICMP (ping) traffic, the action is to block the traffic.

3. The above is for the default policies. If we want to set our own policy rule, for example: whenever system .23 communicates with system .100 (and vice versa), their communication must be encrypted (secure).
IPSec policy example:
- Two systems: 192.168.2.23 and 192.168.2.100
- Filter: trigger the rule for traffic to .23, over any port.
- Action: encrypt the data.
- Authentication: pre-shared key "bosco"
Create the filters and actions, then build the rules into the policies on both machines.
Start > Run > secpol.msc
First, we are going to create a new filter:

Right-click "IP Security Policies on Local Computer" > Manage IP Filter Lists and Filter Actions > under Manage IP Filter Lists click "Add" > Add > Source address: My IP Address; Destination address: A specific IP Address: 192.168.2.23 > OK > under Protocol select ANY > under Description type "traffic to 23" and click OK > OK.
Then we need to create an action:

Under Manage Filter Actions click "Add" > select "Negotiate Security", click "Add" and select "Integrity and encryption" (data will be encrypted and verified as authentic and unmodified) > OK > OK > Close.
Now we need to create a new IP security policy with a rule that combines the filter and the action we just defined.

Right-click "IP Security Policies on Local Computer" > select "Create IP Security Policy" > a welcome wizard opens, click Next > Name: "traffic to computer 23", Next > uncheck "Activate the default response rule", Next > Finish.
A dialog box with the Rules and General tabs opens immediately. Notice that the dynamic IP filter list is unchecked because we said we would create our own policy rule, so here you need to attach the filter and action you have created. To do this:

Click "Add" > under IP Filter List select the IP filter you created > go to Filter Action and select the new filter action you created for encryption > go to Authentication Methods (authentication methods specify how trust is established between the computers; they are offered and accepted when negotiating security with another computer), click "Edit" > select "Use this string (preshared key)" and type "bosco" > click "OK" > "Apply", "OK" > "OK" > "OK".
The new policy is listed in the right-hand window, e.g. "traffic to computer 23".

Right-click the policy "traffic to computer 23" > "Assign".
After assigning it, I have to go to the other computer (192.168.2.100) and reverse the process: create a rule called "traffic to .100" and configure it exactly the same way as on 192.168.2.23, using the same pre-shared key.

Test by pinging 192.168.2.23 and 192.168.2.100 from each other's computer.
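The same policy as an added PowerShell example (not from the original page): it uses the NetSecurity cmdlets, which manage Windows Defender Firewall connection security rules rather than the legacy IP Security Policies store, so the objects will not show up in secpol.msc even though the same IPsec engine enforces them. The filter, the "Integrity and encryption" action, the ICMP block from step 3 and the pre-shared key "bosco" follow the page; the variable and display names are my own choices.

```powershell
# Added example, not the page's own procedure. Run in an elevated PowerShell
# on 192.168.2.100 with $Peer = '192.168.2.23', then on 192.168.2.23 with
# $Peer = '192.168.2.100' (the "reverse the process" step of the page).
$Peer = '192.168.2.23'
$Psk  = 'bosco'   # lab value from the page; a PSK is the weakest method, prefer certificates or Kerberos outside a lab

# Authentication method: machine pre-shared key ("Use this string")
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet      = New-NetIPsecPhase1AuthSet -DisplayName "PSK to $Peer" -Proposal $authProposal

# Filter action "Negotiate Security" / "Integrity and encryption":
# ESP with an integrity hash AND a cipher (AH alone would give integrity only)
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "ESP integrity and encryption" -Proposal $qmProposal

# Filter + action + authentication assembled into one rule:
# my address <-> $Peer, any protocol, any port, security required in both directions
New-NetIPsecRule -DisplayName "traffic to $Peer" `
    -LocalAddress Any -RemoteAddress $Peer -Protocol Any `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -Mode Transport -Enabled True

# Nearest equivalent of the step-3 "All ICMP Traffic" filter with the "Block" action:
# a plain firewall rule, since blocking is a filtering decision, not a negotiation
New-NetFirewallRule -DisplayName "block ICMP" -Protocol ICMPv4 -Direction Inbound -Action Block -Enabled False
# (created disabled here so it does not interfere with the ping test below; enable it when you want the block)

# Test: ping the peer, then confirm that main-mode and quick-mode SAs were negotiated.
# If the SA lists stay empty, the rule did not match or the peer's PSK/rule does not mirror this one.
Test-Connection -ComputerName $Peer -Count 2
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Peer } | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Peer } | Select-Object LocalEndpoint, RemoteEndpoint
```

With both rules in place and Require on both sides, a Wireshark capture between the two hosts shows only ESP (IP protocol 50) instead of ICMP or TCP, which is the quickest way to confirm the "IPSec header between IP and TCP" layout described at the top of the page.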
This is how you configure your computers to exchange secure communication with each other.