IPSec (Securing IP traffic)

Security implemented on traffic between two specified computers

Works at the Network layer (OSI 3)

4 levels of security

–  Block transmissions

–  Encrypt transmissions

–  Sign transmissions

–  Permit transmissions unchanged

BLOCK
e.g. computer1 cannot communicate with computer2; all IP traffic between them is discarded

ENCRYPT
e.g. computer1 should only communicate with server1 using encrypted traffic
(sniffers see only ciphertext)

SIGN
e.g. computer1 should sign all traffic to server1
(sniffers can still read the data, but the receiver will know if the data has been changed in transit)

PERMIT
let all traffic pass unsecured

IPSec filters

    You set filters to specify when traffic should be secured

–  By source IP address, IP subnet, DNS name

–  By destination IP address, IP subnet, DNS name

–  By protocol (TCP, UDP, ICMP…) and port

IPSec rules

•      IPSec rule = IPSec filter + IPSec action

–  Filter says when to activate the rule (eg when traffic is to a particular destination address)

–  Action says what to do (eg sign the traffic)
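The rule = filter + action idea above, worked through as an added Python model (this is illustration code written for these notes, not the Windows IPSec driver or anything from the original page). The filter fields mirror the ones listed earlier (source, destination, protocol, port); the weighting that makes a host address beat a subnet and the tie-break on rule order are my assumptions about how to resolve overlapping filters, and all addresses, rules and packets are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The four actions the notes describe.
BLOCK, ENCRYPT, SIGN, PERMIT = "block", "encrypt", "sign", "permit"


@dataclass(frozen=True)
class Packet:
    """Constructed sample traffic: only the fields an IPSec filter looks at."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # ICMP carries no port


@dataclass(frozen=True)
class Filter:
    """Filter = source, destination, protocol, port. None means "any"."""
    src: Optional[str] = None        # host "10.0.0.5" or subnet "10.0.0.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    @staticmethod
    def _addr_ok(spec: Optional[str], addr: str) -> bool:
        return spec is None or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (self._addr_ok(self.src, pkt.src)
                and self._addr_ok(self.dst, pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

    def specificity(self) -> int:
        """Assumed weighting: a single host address counts 2, a subnet 1,
        and each extra constraint (protocol, port) adds 1."""
        score = 0
        for spec in (self.src, self.dst):
            if spec is not None:
                score += 2 if ip_network(spec, strict=False).prefixlen == 32 else 1
        score += int(self.proto is not None) + int(self.dst_port is not None)
        return score


@dataclass(frozen=True)
class Rule:
    """IPSec rule = IPSec filter + IPSec action."""
    filter: Filter
    action: str


def decide(policy: List[Rule], pkt: Packet) -> str:
    """Pick the action for a packet: the most specific matching filter wins,
    earlier rules win ties, and traffic no filter describes is permitted."""
    matching = [r for r in policy if r.filter.matches(pkt)]
    if not matching:
        return PERMIT
    return max(matching, key=lambda r: r.filter.specificity()).action


# Constructed sample policy: computer1 = 10.0.0.5, server1 = 10.0.0.10,
# and 10.0.0.20 is a host computer1 must never talk to.
POLICY = [
    Rule(Filter(src="10.0.0.5", dst="10.0.0.10"), ENCRYPT),            # computer1 <-> server1 encrypted
    Rule(Filter(dst="10.0.0.0/24", proto="tcp", dst_port=445), SIGN),  # LAN file sharing signed
    Rule(Filter(src="10.0.0.5", dst="10.0.0.20"), BLOCK),              # computer1 -> 10.0.0.20 dropped
]

SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.10", "tcp", 445),   # encrypt: host/host filter beats subnet/445
    Packet("10.0.0.7", "10.0.0.10", "tcp", 445),   # sign: only the subnet/445 filter matches
    Packet("10.0.0.5", "10.0.0.20", "icmp"),       # block
    Packet("10.0.0.7", "10.0.0.10", "tcp", 80),    # permit: nothing matches
]


def evaluate_samples(policy=POLICY, traffic=SAMPLE_TRAFFIC) -> List[str]:
    """Action chosen for each sample packet, in order."""
    return [decide(policy, pkt) for pkt in traffic]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_TRAFFIC, evaluate_samples()):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dst_port}: {action}")
```

The first sample packet is the one worth checking when you write a real policy: it matches two filters, and which action applies depends on how overlapping filters are ranked, so test such packets explicitly rather than assuming the rule you wrote last is the one that fires.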

Authentication

•      The encryption or signing needs some kind of authentication between the machines, both to agree on the keys used for the encryption and to verify each computer's credentials
3 methods

–  Kerberos (use your AD account passwords on the DC)

–  Certificates (use public key certificates)

–  Preshared key (manually set a cleartext string on each machine)

Issues

•      Switches and routers will pass IPSec traffic

–  NAT proxies will not

•      Be careful with DHCP, DNS etc. You have to make sure both client and server are configured with compatible policies.
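Why signed traffic lets the receiver detect changes (the SIGN case above) and why a NAT proxy breaks it, shown as an added Python model rather than anything from the original notes. The integrity tag covers the source and destination addresses as well as the payload, which is what AH does with the immutable IP header fields; this is a simplified stand-in for the real AH computation, the shared key is a constructed constant standing in for what Kerberos, a certificate exchange or a preshared key would establish, and the addresses and payload are made up.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed shared key: in practice it comes out of the authentication
# step (Kerberos, certificates or a preshared key), never a literal.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def sign(key: bytes, pkt: Packet) -> bytes:
    """Integrity tag over addresses and payload. Like AH, the tag covers the
    header fields that must not change in transit, not just the data."""
    covered = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def verify(key: bytes, pkt: Packet, tag: bytes) -> bool:
    """Receiver-side check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(key, pkt), tag)


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """What a NAT proxy does to an outbound packet: swap the private source
    address for its own public address. The payload is untouched."""
    return replace(pkt, src=public_ip)


def tamper(pkt: Packet) -> Packet:
    """What an on-path attacker does: alter the data but leave headers alone."""
    return replace(pkt, payload=pkt.payload + b" (modified)")


def run_scenarios(key: bytes = SHARED_KEY) -> dict:
    """Sign one packet at computer1, then verify it at server1 after three
    different journeys. Sample addresses and payload are constructed."""
    original = Packet("192.168.1.5", "203.0.113.10", b"GET /payroll")
    tag = sign(key, original)
    return {
        "direct": verify(key, original, tag),                                  # True
        "payload_modified": verify(key, tamper(original), tag),                # False
        "through_nat": verify(key, nat_rewrite(original, "198.51.100.1"), tag),  # False
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:17s} verified={ok}")
```

The receiver cannot tell the NAT case from the tampering case: in both the tag no longer matches, so the packet is dropped. That is the practical symptom behind "NAT proxies will not" pass IPSec traffic, and it is the first thing to check when two machines with matching policies still fail to talk: look for a NAT device on the path rather than at the policy itself. (NAT traversal, which wraps ESP in UDP so the inner addresses are not rewritten, was introduced later to work around this; it is not covered by these notes.)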

Configuring IPSec

•      Configured through group policies

•      Can monitor using ipsecmon at the run box

•      You can only have one policy active at any time.

 

Last Updated 21 February, 2004
