The Cable Guy - May 2001
Exploring Peer-to-Peer IPsec in Windows 2000
The Internet Protocol (IP) portion of the TCP/IP protocol suite does not provide a default security mechanism, making IP packets easy to read, modify, replay, and forge. Without security, both public and private networks are susceptible to unauthorized monitoring and access. While internal attacks might be the result of minimal or nonexistent intranet security, risks from outside the private network stem from connections to both the Internet and extranets. Password-based user access controls alone do not protect data transmitted across a network.
Internet Protocol security (IPSec) is the best long-term direction for secure networking. It provides a key line of defense against private network and Internet attacks, balancing ease of use with strong security. IPSec has two goals:
- To protect the content of IP packets
- To provide a defense against network attacks through packet filtering and the enforcement of trusted communication
Both of these goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management. This foundation provides the strength and flexibility required to protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can further be used to block receipt or transmission of specific traffic types.
Peer-to-peer IPSec is based on an end-to-end security model, establishing trust and security from a source IP to a destination IP address. The IP address itself does not necessarily have to be considered an identity, rather the system behind the IP address has an identity that is validated through an authentication process. The only computers that must be aware of IPSec are the sending and receiving computers. Each handles security at its respective end and assumes that the medium over which the communication takes place is not secure.
Computers that only route data from source to destination are not required to support IPSec, although firewalls might need to be configured to forward IPSec traffic. This model allows IPSec to be successfully deployed in any of the following existing enterprise scenarios:
- Local area network (LAN): client/server and peer-to-peer.
- Wide area network (WAN): router-to-router (using IPSec tunnel mode).
- Virtual private network (VPN) remote access: access to private networks over the Internet (using a combination of IPSec and Layer Two Tunneling Protocol (L2TP).
For peer-to-peer IPSec, both systems require IPSec configuration (an IPSec policy) to set options and access controls that enable them to agree to the method by which traffic between them is secured. The Windows 2000 implementation of IPSec is based on industry standards that were developed by the Internet Engineering Task Force (IETF) IPSec working group.
Windows 2000 IPSec policy configuration is the translation of your security requirements to one or more IPSec policies—only one of which can be assigned at the domain, site, organizational unit, or local level. An IPSec policy in Windows 2000 consists of the following elements:
Policy-wide parameters
Includes the policy name, policy description, and the polling interval used to detect changes in Active Directory-based policy.
Main mode policy
Contains Internet Key Exchange (IKE) parameters, such as encryption key lifetimes, and other settings. The main mode policy also contains a list of security methods, listed in order of preference, for protecting the identity of IPSec peers during authentication.
IPSec rules
Contains one or more rules that describe IPSec behavior for the policy.
IPSec rules are the part of the policy data that is used to associate IKE negotiation parameters with one or more IP filters. Each IPSec rule contains the following:
A selected filter list
Contains one or multiple predefined filters that describe the types of IP traffic to which an action (permit, block, or secure) is applied.
A selected filter action
Includes the type of action to take (permit, block, or secure) for packets that match the filter list. For the secure action, the negotiation data contains one or more security methods that are used in order of preference during IKE negotiations and other IPSec behavior settings. Each security method describes the security protocol to use, the specific cryptographic algorithms, and the session key regeneration settings.
Selected authentication methods
Contains one or more authentication methods in order of preference that are used for protection during IPSec negotiations. The available authentication methods are the Kerberos V5 protocol, the use of a certificate issued from a specified certificate authority, or a preshared key.
A selected connection type
Contains a setting that specifies whether the rule applies to only local area network (LAN) connections, to only dial-up connections, or to both types of connections.
A selected tunnel setting
Contains settings that determine whether traffic is tunneled and, if it is, the tunnel endpoint.
Exploring IPSec with Two IPSec Peers
Before you begin to evaluate your security risks and deploy IPSec, it is helpful to configure some simple IPSec policies and see IPSec in action. The following exercises use two computers running Windows 2000 that do not require an Active Directory domain or public key certificate infrastructure. The first exercise demonstrates how to protect traffic between the computers and the second demonstrates how to use IPSec for port blocking.
Note The following exercises are intended an examples to quickly create IPSec policies to experience IPSec protection and port blocking capabilities. These exercises are not recommendations for configuration in a production environment. In a typical production deployment, you either create a policy with a general rule to protect all traffic and additional rules to exempt traffic from protection (such as ICMP traffic to the default gateway address, DNS traffic to the DNS server, DHCP traffic to the DHCP server), or you create a policy with rules to protect specific types of traffic.
Exercise 1: Protecting Traffic Between Computers
To demonstrate secured traffic, you can use the Ping command that is included with Windows 2000.
Test connectivity before IPSec policy
On Computer1:
- Click Start, point to Programs, point to Accessories, and then click Command Prompt.
- At the command prompt, ping the IP address of Computer 2. You should see the successful replies.
- Ping the IP address of Computer 1's default gateway. You should see the successful replies.
Configure local IPSec policy to secure traffic
On Computer 1 and Computer 2:
- Click Start, click Run, type MMC, and then click OK.
- In MMC, click Console, click Add/Remove Snap-in, and then click Add.
- Click IP Security Policy Management, and then click Add.
- Click This computer.
- Click Finish, click Close, and then click OK.
- Right-click IP Security Policies on Local Machine, and then click Create IP Security Policy, and then click Next.
- In IP Security Policy Name, type Secure Traffic, and then click Next.
- In Requests for Secure Communication, clear the Activate the default response rule check box, click Next, and then click Finish.
- On the Rules tab of the Secure Traffic Properties dialog box, click Add, and then click Next.
- In Tunnel Endpoint, click Next.
- In Network Type, click Next.
- In Authentication Method, click Use this key to protect the key exchange (preshared key), type 123456789 as the preshared key, and then click Next.
- In IP Filter List, click All IP Traffic, and then click Next.
- In Filter Action, click Require Security, and then click Next.
- Click Finish¸ and then click Close.
- In the contents pane, right-click Secure Traffic, and then click Assign.
Test connectivity after IPSec policy
On Computer1:
- At the command prompt, ping the IP address of Computer 2. You should see a series of "Negotiating IP Security" messages.
- Ping the IP address of Computer 2 again. You should see the successful replies. Traffic between Computer 1 and Computer 2 is now secured through IPSec encryption.
- Ping the IP address of Computer 1's default gateway. You should see a series of "Negotiating IP security" messages.
- Ping the IP address of Computer 1's default gateway again. You should see a series of "Negotiating IP security" messages. Computer 1 and its default gateway are unable to communicate because the default gateway is not configured with the equivalent IPSec policy, used to negotiate and secure traffic with Computer 1.
- Click Start, click Run, type ipsecmon, and then click OK.
- Use IP Security Monitor to view the security association with Computer 2 and the statistics for the secured traffic between Computer 1 and Computer 2.
Exercise 2: Port Blocking
To demonstrate port blocking, you can use IPSec filters and the Simple TCP/IP Services optional networking component that is included with Windows 2000.
Install the Simple TCP/IP Services
On Computer2:
- Click Start, point to Settings, and then click Control Panel.
- Double-click Add/Remove Programs.
- Click Add/Remove Windows Components.
- In Components, click Networking Services, and then click Details.
- In Subcomponents of Networking Services, click Simple TCP/IP Services, click OK, and then click Next.
- If prompted, type the path to the location of the distribution files, and then click OK.
- Complete any remaining screens in the Windows Components Wizard, and then click Finish.
Test Simple TCP/IP Services
On Computer1:
- At the command prompt, type telnet Computer2IPAddress daytime (where Computer2IPAddress is the IP address of Computer 2). You should see the date and time displayed.
- At the command prompt, type telnet Computer2IPAddress quote. You should see a literary quote displayed.
Reconfigure local IPSec policy to block the daytime and quote service ports
On Computer2:
- From the MMC console containing IP Security Policies on Local Machine, right-click the Secure Traffic policy¸ click Properties, and then click Add.
- In Security Rule Wizard, click Next.
- In Tunnel Endpoint, click Next.
- In Network Type, click Next.
- In Authentication Method, click Next.
- In IP Filter List, click Add.
- In the IP Filter List dialog box, in Name, type Daytime and Quote protocols.
- In the IP Filter List dialog box**,** click Add.
- In IP Filter Wizard, click Next.
- In IP Traffic Source, in Source Address, click Any IP Address, and then click Next.
- In IP Traffic Destination, in Destination Address, click My IP Address, and then click Next.
- In IP Protocol Type, in Select a protocol type, click TCP, and then click Next.
- In IP Protocol Port, in Set the IP protocol port, click To this port, type 13, and then click Next.
- Click Finish.
- In the IP Filter List dialog box**,** click Add.
- In IP Filter Wizard, click Next.
- In IP Traffic Source, in Source Address, click Any IP Address, and then click Next.
- In IP Traffic Destination, in Destination Address, click My IP Address, and then click Next.
- In IP Protocol Type, in Select a protocol type, click TCP, and then click Next.
- In IP Protocol Port, in Set the IP protocol port, click To this port, type 17, and then click Next.
- Click Finish¸ and then click OK.
- In IP Filter List, click Daytime and Quote protocols, and then click Next.
- In Filter Action, click Add.
- In Filter Action Wizard, click Next.
- In Filter Action Name, in Name, type Blocking, and click Next.
- In Filter Action General Options, click Block, click Next, and then click Finish.
- In Filter Action, click Blocking, and then click Next.
- Click Finish¸ and then click Close.
Send traffic after IPSec policy configuration
On Computer1:
- At the command prompt, type telnet Computer2IPAddress daytime. You should see a connection failure message.
- At the command prompt, type telnet Computer2IPAddress quote. You should see a connection failure message.
- At the command prompt, ping Computer 2. You should see the successful replies.
The addition of the new rule to the assigned IPSec policy of Computer 2 is blocking all traffic to and from TCP port 13 (used for the daytime service), and all traffic to and from TCP port 17 (used for the quote service). However, other types of secured traffic are allowed.
Restore network connectivity
On Computer 1 and Computer2:
- From the MMC console containing IP Security Policies on Local Machine, right-click the Secure Traffic policy, and then click Unassign.
By unassigning the Secure Traffic policy, you are restoring normal (non-secure) network connectivity between Computer 1, Computer 2, and all other network nodes.
For More Information
For more information about Windows 2000 IPSec, consult the following resources:
- IP Security for Windows 2000 Server
- Step-by-Step Guide to Internet Protocol Security (IPSec)
- Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security
- Windows 2000 Server Documentation (from the Networking book, go to Internet Protocol Security)
- Windows 2000 Server Resource Kit Books, TCP/IP Core Networking Guide
- Knowledge Base Search (Query the Windows 2000 product on "Windows 2000 IPSec")
For a list of all The Cable Guy articles, click here.