Planning IP Security

Absolute security on any network is nearly impossible to achieve. When we share information, the processes and mechanisms we use to transfer that information can usually be compromised. Normally, the tighter the security, the less convenient it is to share information. Because the fundamental purpose of a network is the sharing of resources, network administrators have to balance the need for easy and efficient access to resources against the level and layers of security necessary to maintain the privacy and integrity of shared resources.

As the world has become networked, the standards and protocols of the Internet have come to play a more prominent role in all computer-to-computer communication. The vast majority of this communication is done through packet-switching networks using the Internet Protocol (IP).

When information is sent across an IP network, it is divided up into discrete chunks, each of which has its own routing information. These chunks, or packets, are sent relatively independently across the network and are reassembled on the other end of the connection. Their journey may span several independent telephone, cable, and Internet networks. At almost any point along this journey, the packets and their precious information cargo can be compromised. Your job is to make sure that this doesn’t happen.

It is difficult to secure everything all of the time. So, your first job in building an IP Security scheme is to prioritize the communications that definitely need to be secure. Usually this can be done on a departmental or Organizational Unit level. Windows 2000 has many security tools to make it easier to maintain private communication across your network. The most prominent of these tools is IPSec.

Internet Protocol Security (IPSec) allows for the encryption of data packets. There are many tools, such as packet sniffers, and programs that allow a computer to imitate, or spoof, a trusted computer. Normally, the data portion of a captured packet can be read. If enough sequential packets are compromised, the entire communication can be reassembled by someone other than the intended recipient. If a packet is encrypted, the act of capturing it loses some of its importance. Each captured packet must then be decrypted, which is not an easy chore. Usually, if you encrypt all of your data, sophisticated data thieves will move on to an easier way of capturing your secrets.

IPSec provides solutions for the most common attacks your network might face. Table 33-5 presents some of the common attacks you might face and how IPSec protects you from them.

Table 33-5. IPSec Solutions

  Type of Attack                     IPSec Solution
  ---------------------------------  --------------------------------------------------------------
  Packet sniffing                    Encryption protects the information contained in captured packets.
  Packet reuse                       The packet sequence pattern is protected to make sure captured packets can’t be modified and reused in an attack.
  Elevated application permissions   Packet filtering and IP address limitations limit the risk of a rogue application compromising security.

Creating an Encryption Scheme

There are always choices to be made when designing security. These choices usually involve deciding where, along the curve between ease of use and absolute security, your needs are best served. When you’re designing an encryption scheme to be used with IPSec, the main decisions you have to make are whether or not to encrypt data inside a packet and, if you choose to encrypt, how often the encryption keys should change. Following are some terms and abbreviations to get familiar with before we move on:

Internet Key Exchange (IKE)

IKE is the protocol IPSec uses to negotiate a security association (SA) between two computers. IKE also assigns a shared secret key to be used for the length of the SA.

Security association (SA)

An SA is a relationship between two computers for the purposes of secure communication. An SA is created using the IKE protocol, and the particular SA an IPSec connection will use is determined by negotiation between the connecting computers.

Authentication header (AH)

One of the two IPSec packet security services. This service allows the sender of a packet to be authenticated, but does not encrypt the contents of the packet. AH is more efficient, but less secure, than ESP.

Encapsulating security payload (ESP)

The second of the two IPSec packet security services. This service allows for both the authentication of the sender and the encryption of the contents of the packet. ESP is more secure, but less efficient, when compared to AH.

When you use IPSec, you not only have to choose between encrypted packets and sender authentication (ESP) or just sender authentication (AH), but also have to choose how the packets are packaged and delivered across the network.

There are two modes that IPSec can operate in, transport mode and tunnel mode. With transport mode, the packet itself is sent across the network; with tunnel mode, the packet is encapsulated inside another packet and sent through a virtual private network (VPN) tunnel. This packet encapsulation process is sometimes referred to as IP tunneling.
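To make the AH/ESP distinction, and the protection against packet reuse from Table 33-5, concrete, here is an added Python model that is not from the book. HMAC-SHA256 stands in for the integrity check and a SHA-256 keystream stands in for ESP’s cipher (Windows 2000 negotiates different transforms); the key, sequence numbers and payload are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example (not from the book): a toy model of the two packet services.
# HMAC-SHA256 stands in for the AH/ESP integrity check value (ICV) and a
# SHA-256 keystream stands in for ESP's encryption transform.

SEQ_BYTES = 4


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Per-packet keystream from the SA key and sequence number (constructed toy cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + seq.to_bytes(SEQ_BYTES, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _icv(key: bytes, mode: str, seq: int, body: bytes) -> bytes:
    """Integrity check value over the mode, the sequence number and the body."""
    return hmac.new(key, mode.encode() + seq.to_bytes(SEQ_BYTES, "big") + body, hashlib.sha256).digest()


def protect(key: bytes, seq: int, payload: bytes, mode: str) -> dict:
    """Build an outbound packet: AH authenticates the payload, ESP encrypts it as well."""
    if mode == "AH":
        body = payload
    elif mode == "ESP":
        body = bytes(a ^ b for a, b in zip(payload, _keystream(key, seq, len(payload))))
    else:
        raise ValueError("mode must be 'AH' or 'ESP'")
    return {"mode": mode, "seq": seq, "body": body, "icv": _icv(key, mode, seq, body)}


class Receiver:
    """Inbound side of one SA: checks the ICV, then rejects replayed sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def accept(self, pkt: dict):
        """Return the payload, or None if the packet was modified or replayed."""
        if not hmac.compare_digest(_icv(self.key, pkt["mode"], pkt["seq"], pkt["body"]), pkt["icv"]):
            return None  # captured and modified: ICV no longer matches
        if pkt["seq"] in self.seen:
            return None  # captured and resent: sequence number already used
        self.seen.add(pkt["seq"])
        if pkt["mode"] == "ESP":
            return bytes(a ^ b for a, b in zip(pkt["body"], _keystream(self.key, pkt["seq"], len(pkt["body"]))))
        return pkt["body"]


def sniffer_view(pkt: dict) -> bytes:
    """What a packet sniffer on the wire sees of the payload."""
    return pkt["body"]


def tamper(pkt: dict) -> dict:
    """Flip one bit of the body, as a captured-and-modified packet would look."""
    body = bytearray(pkt["body"])
    body[0] ^= 0x01
    return dict(pkt, body=bytes(body))


def demo(key: bytes = None) -> dict:
    """Run both services through one receiver and report what each check sees."""
    key = key or os.urandom(32)                       # SA key, constructed
    payload = b"wire $40,000 to account 12345"        # constructed sample payload
    ah, esp = protect(key, 1, payload, "AH"), protect(key, 2, payload, "ESP")
    rx = Receiver(key)
    return {
        "ah_visible_to_sniffer": sniffer_view(ah) == payload,
        "esp_visible_to_sniffer": sniffer_view(esp) == payload,
        "ah_delivered": rx.accept(ah) == payload,
        "esp_delivered": rx.accept(esp) == payload,
        "tampered_accepted": rx.accept(tamper(protect(key, 3, payload, "AH"))) is not None,
        "replay_accepted": rx.accept(esp) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sniffer reads the AH payload in the clear but not the ESP one; both services reject a modified packet (the ICV fails) and a replayed packet (the sequence number has already been seen), which is the “packet reuse” row of Table 33-5.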

IPSec Negotiation

There are two distinct phases of IPSec negotiation. These processes are affectionately known as Phase One Negotiation and Phase Two Negotiation. Choices made during these phases will determine the level of security and processing overhead involved with the connection.

Phase One Negotiation

The first phase of negotiation is mainly concerned with creating a secure connection between the two computers. The IKE protocol negotiates any security associations to be used and generates the master key, which is used to encrypt communications.

Phase two also uses keys to further secure communications, but unless you use Perfect Forward Secrecy (PFS), the initial phase one key is reused, even when the phase two keys change. This is less secure because the longer a single key is in use, the greater the risk of interception and decryption by an outside party.

If you’ve used a web browser to shop online, you’re probably already familiar with the concept of key length determining the level of encryption. Basically, the longer the key, the harder it is to crack. There are two lengths of keys available with Windows 2000 IPSec: 768 bits and 1024 bits.

IPSec uses the Diffie-Hellman (DH) algorithm, which allows identical keys to be generated independently on the IPSec-connected computers without ever sending the key itself over the network. If the generation of DH keys fails, the communication between the two computers ceases. New DH keys can be regenerated during an IPSec connection. The more often you change keys, the better the odds that your communication will remain secure.
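The DH exchange, and the difference PFS makes to the phase two keys, as an added Python example that is not from the book. It uses the 1024-bit group (group 2 of RFC 2409, generator 2), which I have transcribed from the RFC and which the block’s own primality check verifies; the SHA-256 key derivation and the SA labels are simplifications standing in for IKE’s HMAC-based PRF, and the party names are made up.

```python
import hashlib
import secrets

# Added example (not from the book). The 1024-bit prime below is RFC 2409
# "Oakley group 2", assumed transcribed correctly; is_probable_prime() on it
# and on (p-1)//2 confirms it is the safe prime the RFC describes.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used only to sanity-check the group parameters."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DHParty:
    """One end of a Diffie-Hellman exchange; only `public` is ever sent."""

    def __init__(self, p: int = GROUP2_P, g: int = GROUP2_G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # stays on this host
        self.public = pow(g, self.private, p)         # this value crosses the network

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1 and p-1: a peer sending those would force a predictable secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("degenerate peer public value")
        return pow(peer_public, self.private, self.p)


def phase_one_exchange(p: int = GROUP2_P, g: int = GROUP2_G) -> int:
    """Run one exchange between two parties and return the agreed secret."""
    alice, bob = DHParty(p, g), DHParty(p, g)
    k_alice = alice.shared_secret(bob.public)
    k_bob = bob.shared_secret(alice.public)
    if k_alice != k_bob:
        raise RuntimeError("key generation failed; the connection would be dropped")
    return k_alice


def derive_key(secret: int, label: bytes) -> bytes:
    """Simplified key derivation (assumption: IKE uses an HMAC-based PRF, not plain SHA-256)."""
    return hashlib.sha256(label + secret.to_bytes(128, "big")).digest()


SA_LABELS = (b"sa-1", b"sa-2", b"sa-3")   # three successive phase-two SAs, constructed


def phase_two_keys(master: int, pfs: bool) -> list:
    """Keys for successive phase-two SAs: from the phase-one master, or from fresh exchanges under PFS."""
    if pfs:
        return [derive_key(phase_one_exchange(), label) for label in SA_LABELS]
    return [derive_key(master, label) for label in SA_LABELS]


def recoverable_with_master(master: int, sa_keys: list) -> list:
    """Which SA keys someone who later learns the master secret can reconstruct."""
    return [key == derive_key(master, label) for key, label in zip(sa_keys, SA_LABELS)]


if __name__ == "__main__":
    master = phase_one_exchange()
    print("group prime ok:", is_probable_prime(GROUP2_P))
    print("without PFS:", recoverable_with_master(master, phase_two_keys(master, pfs=False)))
    print("with PFS:   ", recoverable_with_master(master, phase_two_keys(master, pfs=True)))
```

Without PFS every phase two key is a function of the one phase one secret, so whoever obtains that secret can reconstruct them all; with PFS each SA rests on a fresh exchange and the old secret yields nothing, which is the risk the paragraph above describes.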

Phase Two Negotiation

The second phase of negotiation is where the real work of getting a secure connection up and running takes place. The first decisions have to do with the packets. A choice between AH or ESP is made, and the type of encryption for the packets is chosen. ESP is more secure than AH.

Keys will be used to encrypt the data flowing across the connection. In phase two, the amount of time a certain key will be used is determined. The shorter the time, the better the security. As always, you pay a performance penalty for greater security. So, an AH connection with long key intervals will deliver information faster, but an ESP connection with short key intervals will be more secure.

IP Filtering

If you’ve ever configured and used a firewall, you’re probably already familiar with IP filtering. There are three things that you should know about every packet: where it came from and where it’s going, the protocol used to get it there, and the port it left from and will arrive at. With TCP/IP, the port isn’t a physical place, but a marker to determine which program the computer should send the information to.

The best way I can think of to describe TCP/IP ports is with an analogy to cable TV. Although a single coaxial cable delivers the TV signals into a house, different people at different TVs can watch different channels simultaneously, even though all of the TVs are fed by the same upstream wire. In the same way, the telephone or Ethernet wire hooked up to your computer can deliver information to many programs simultaneously.

The most common type of filtering allows communication to occur based on a computer’s IP address. Although this type of filtering is useful, it is by no means impossible to manipulate IP addresses to make one computer look like another. If a packet is captured, modified, and resent, it will look like it came from wherever the third party wants it to.

Certain programs use well-known default ports. Table 33-6 lists some common TCP/IP ports and the programs or services that commonly use them.

Table 33-6. Common TCP/IP Ports

  Port   Program or Service
  ----   ------------------------------------
  21     File Transfer Protocol (FTP)
  23     Telnet
  25     Simple Mail Transfer Protocol (SMTP)
  79     finger
  80     WWW
  750    Kerberos

You can filter out packets addressed to certain ports and thereby theoretically prevent that type of program from communicating. The reason I say theoretically is that most programs allow you to choose an alternate port. You should block all ports other than ones you have a specific use for.

The last type of filtering you might want to use is protocol filtering. If you don’t want anyone browsing the web, you can block all HTTP packets. It’s difficult to implement this type of filtering because many employees really need access to their web browsers and email programs for legitimate work. If that’s the case and you still need to prevent unauthorized use, you can install a proxy server or monitor the data sent to and from your employees. Although this type of draconian spying activity is legal in the United States, it’s usually bad for employee morale.

What happens when a filter runs across a packet that meets its criteria is determined by the filter policy. There are four types of policies for filters:

Blocking policy

If a packet meets the criteria defined in the filter as unauthorized, the packet will be blocked. A blocking policy applies to both incoming and outbound traffic.

Negotiated policy

If both computers are running IPSec, all the rules and filters apply. If one computer is not running IPSec, communication will still be allowed. You have to be very careful when using this policy, because it may allow unfriendly computers to communicate and potentially circumvent other security measures on your network.

Passthrough policy

IPSec does nothing to filter the traffic. If you still need security, be sure the traffic is otherwise protected through the use of encryption.

Permit policy

Blocks all traffic that doesn’t have a specific filter defined for it. This is the most secure policy.
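An added Python sketch, not from the book, of a first-match filter list that combines the address, port and protocol filtering above with block, negotiate and passthrough actions, and drops anything no filter covers. The subnets, hosts, rules and the `allow_clear_fallback` option are constructed for the example. Its second run shows the negotiated-policy caveat: with the clear-text fallback on, a host that isn’t running IPSec still reaches the finance subnet in the clear.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not from the book): a first-match packet filter with the
# filter actions described above. All addresses, subnets and rules are constructed.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp", "icmp"
    dport: Optional[int]   # destination port, None for protocols without one
    peer_ipsec: bool       # does the peer answer an IKE negotiation?


@dataclass
class Rule:
    src: str               # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str             # protocol name or "any"
    dport: Optional[int]   # None matches any port
    action: str            # "block", "negotiate" or "passthrough"
    allow_clear_fallback: bool = False   # negotiate only: talk in clear if the peer lacks IPSec


def matches(rule: Rule, pkt: Packet) -> bool:
    """Address, protocol and port test for one rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst))


def decide(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; traffic no filter covers gets the default (drop)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "block":
            return "drop"
        if rule.action == "passthrough":
            return "clear"            # IPSec does nothing; must be protected elsewhere
        if rule.action == "negotiate":
            if pkt.peer_ipsec:
                return "ipsec"        # both sides run IPSec: rules and filters apply
            return "clear" if rule.allow_clear_fallback else "drop"
        raise ValueError(f"unknown action {rule.action!r}")
    return default


ANY = "0.0.0.0/0"
FINANCE = "10.0.5.0/24"     # constructed subnet that must be protected
PRINTERS = "10.0.9.0/24"    # constructed subnet that carries nothing sensitive

SAMPLE_RULES = [
    Rule(ANY, ANY, "tcp", 23, "block"),                     # no Telnet anywhere (port 23, Table 33-6)
    Rule(ANY, FINANCE, "any", None, "negotiate", allow_clear_fallback=True),
    Rule(ANY, PRINTERS, "any", None, "passthrough"),
]

SAMPLE_PACKETS = {   # constructed traffic
    "telnet_to_finance": Packet("10.0.1.7", "10.0.5.20", "tcp", 23, True),
    "smtp_to_finance_ipsec_peer": Packet("10.0.1.7", "10.0.5.20", "tcp", 25, True),
    "smtp_to_finance_rogue_peer": Packet("192.0.2.44", "10.0.5.20", "tcp", 25, False),
    "print_job": Packet("10.0.1.7", "10.0.9.3", "tcp", 9100, False),
    "unlisted_subnet": Packet("10.0.1.7", "10.0.7.9", "tcp", 80, True),
}


def run_samples(rules=SAMPLE_RULES) -> dict:
    """Decision for every sample packet under the given rule list."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


def harden(rules) -> list:
    """Same rules with the clear-text fallback removed from every negotiate rule."""
    return [Rule(r.src, r.dst, r.proto, r.dport, r.action, False) for r in rules]


if __name__ == "__main__":
    for label, rule_set in (("as written", SAMPLE_RULES), ("hardened", harden(SAMPLE_RULES))):
        print(label)
        for name, verdict in run_samples(rule_set).items():
            print(f"  {name:28s} {verdict}")
```

The rogue host that does not answer IKE is let through in the clear by the first rule set and dropped by the hardened one; that one flag is the difference the “be very careful” warning under the negotiated policy is about.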

Defining security levels

The Windows 2000 MCSE Designing series exams test your ability to take real-world information and categorize, prioritize, and determine which solution meets the requirements. When you’re deciding how to secure communications using IPSec, you might want to use the following procedure:

  1. Take an inventory of all the computers on your network and list all the computers they will communicate with.

  2. For each potential connection, determine what type of information might get sent and rate how secure that communication must be.

  3. Determine which computers will be allowed to communicate outside your network, and install gateways and firewalls as necessary.

  4. Compare the relative values of security versus convenience for all the IPSec options, such as encryption and filter types.

  5. Install and configure all the relevant software and prepare to monitor and improve the setup as more information becomes available.

Managing IPSec

Assuming you have configured a secure network communications strategy perfectly on the first attempt, management will be easy. But that isn’t likely to happen, so you should spend some time testing your own security. Try to break in and steal packets. Try to guess passwords with brute force password crackers. Monitor the traffic patterns and determine where bottlenecks occur. Most importantly, keep up to date with what your users need to accomplish with their network communications. Although security is very important, remember it’s the job of the network and its administrator to ensure that communication is as easy and efficient as possible.
