
Wednesday, 21 Tir 1391 (11 July 2012)

Fully practical IPSecurity settings (Part One)


IPSec: Internet Protocol Security (IPSec) for IPv4
This service is used to protect network traffic from intruders and hackers. It operates at layer 3 of the network.
With it, an IP packet can be protected in one of the two ways shown in the figure: it can be encrypted, or it can be signed.
In the AH method, shown below, a packet is signed in full, meaning the whole packet becomes unmodifiable: it can be read but not altered.
In the second method, ESP, the system encodes the packet with a set of algorithms that you will be introduced to. The difference from AH is that in the second method the system does not touch the IP header.
You can also use both methods together on a network, which is the best approach and raises network security considerably.
IPSec security protocols
Before starting, the two important protocols this service uses to protect IP packets must be introduced: AH and ESP.
Authentication Header (AH)
This method protects a packet, both its header and the rest of the packet, by signing the entire packet, i.e. making it unmodifiable.
In this method a packet can be read but not written, because it is in an unmodifiable state. Note that changing a packet's route requires changing its header, and because this method prevents that (it does not allow the header to be written), it can cause problems. The problem shows up in routers, since a router's job is to change the destination path of a packet, which requires manipulating the packet's header.
Authentication Header (AH)
To solve this problem, routers have a way out: a mechanism called the ICV (Integrity Check Value) checks that the packet has not been altered along the way. The header fields that a router changes count as zero for this check, so AH has no problem with routers.
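The mutable-field rule is easier to see in code. The following is an added example, not code from the original post: it computes an AH integrity check value (HMAC-SHA1 truncated to 96 bits, as RFC 2404 specifies for AH) over a constructed IPv4 packet with the mutable header fields zeroed, then shows that a router decrementing TTL leaves the check intact while any change to an address or the payload breaks it. The key and addresses are constructed samples.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51      # IP protocol number of the Authentication Header
AH_FIXED_LEN = 12     # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12          # HMAC-SHA1 truncated to 96 bits (RFC 2404)

SAMPLE_KEY = b"constructed-sample-key-not-a-real-key"  # constructed for the demo


def inet_aton(addr: str) -> bytes:
    """Dotted-quad string to 4 bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      proto: int = AH_PROTOCOL) -> bytes:
    """Minimal 20-byte IPv4 header without options. The checksum is left
    zero here: a real stack fills it in, and AH treats it as mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, inet_aton(src), inet_aton(dst))


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """Copy of the IPv4 header with the fields a router may legitimately
    change set to zero: TOS (byte 1), flags + fragment offset (bytes 6-7),
    TTL (byte 8) and header checksum (bytes 10-11). Addresses stay."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the whole packet, with mutable fields and the ICV slot zeroed."""
    covered = zero_mutable_fields(ip_header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, next_header: int, payload: bytes,
               ttl: int = 64, spi: int = 0x1000, seq: int = 1) -> bytes:
    """Transport-mode packet: IP header | AH | payload, with a valid ICV."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = build_ipv4_header(src, dst, ah_len + len(payload), ttl)
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402): 24/4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV the way the receiver does and compare in constant time."""
    ip_hdr = packet[:20]
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    icv = packet[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
    payload = packet[20 + AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def router_hop(packet: bytes) -> bytes:
    """What a forwarding router does: decrement TTL and rewrite the checksum
    (stand-in value; only the fact that it changes matters here)."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\xab\xcd"
    return bytes(p)


def rewrite_destination(packet: bytes, new_dst: str) -> bytes:
    """An in-path change AH is meant to catch: the destination address."""
    p = bytearray(packet)
    p[16:20] = inet_aton(new_dst)
    return bytes(p)


if __name__ == "__main__":
    pkt = ah_protect(SAMPLE_KEY, "192.168.1.16", "192.168.1.230", 6, b"hello")
    print("original verifies:    ", ah_verify(SAMPLE_KEY, pkt))
    print("after router hop:     ", ah_verify(SAMPLE_KEY, router_hop(pkt)))
    print("destination rewritten:", ah_verify(SAMPLE_KEY, rewrite_destination(pkt, "10.0.0.1")))
```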
Encapsulating Security Payload (ESP)
This service is used to encode a packet; encoding here means encrypting it. The encoding is done with a set of mathematical algorithms, of which MD5 and 3DES are the best known. As the figure shows, this type signs only part of the packet: when a packet is built and sent in tunnel mode, that part of the packet is signed by this protocol. As you see in the figure, this method does not touch the IP header.
Encapsulating Security Payload (ESP)
Below you see the combination of the two methods.
Packet signature and encryption

The IP header is not signed and is not necessarily protected from modification.
To provide data integrity and authentication for the IP header, use ESP and AH.
Below you see the available algorithm types with descriptions.
 The encryption algorithm: DES, 3DES, 40bitDES.
DES
Used when the high security and overhead of 3DES are not necessary.
3DES

Used when high security is required. 3DES processes each block three times, using a unique 56-bit key each time:
Encryption on the block with key 1
Decryption on the block with key 2
Encryption on the block with key 3
This process is reversed if the computer is decrypting a packet.
The integrity algorithm: MD5 or SHA.
MD5
Message Digest 5 (MD5) is based on RFC 1321. It was developed in response to a weakness found in MD4. MD5 completes four passes over the data blocks (MD4 completed three passes), using a different numeric constant for each word in the message on each pass. The number of 32-bit constants used during the MD5 computation equates to 64, ultimately producing a 128-bit hash that is used for the integrity check. While MD5 is more resource intensive, it provides stronger integrity than MD4.
SHA1
Secure Hash Algorithm 1 (SHA1) was developed by the National Institute of Standards and Technology as described in Federal Information Processing Standard (FIPS) PUB 180-1. The SHA process is closely modeled after MD5. The SHA1 computation results in a 160-bit hash that is used for the integrity check. Because longer hash lengths provide greater security, SHA is stronger than MD5.
IPSec Policy Agent
The system has a service called the IPSec Policy Agent. Its job is to check whether an IPSec policy has been defined locally; if not, and the system is a domain member, it searches ADS (Active Directory) for a policy applied to domain members, finds it and applies it to the system.

Here the IPSec Policy Agent is responsible for informing the system that a policy exists in the domain; ISAKMP/Oakley is responsible for building keys according to the defined algorithms; and the IPSec driver is what enforces the service. If no policy exists, the service is not activated.
IPSec security negotiation
A system can define several communication keys and use one of them for communicating with each peer system; a service called ISAKMP is responsible for coordinating the policy with the intended keys. A server such as RAS, which communicates with a large number of systems, must for high security build a separate key with each of them, which is why this service plays such an important role in communication between systems.
Internet Security Association and Key Management Protocol (ISAKMP)
This service establishes a connection between two systems. Over this connection, which is encrypted, the two systems agree on a key and an algorithm. It is here that they determine how they will change each other's keys after each communication; the algorithms can also be set to change after a specified time or after a specified number of kilobytes has been sent or received. This has a large effect on network and communications security.
Below are three options that matter for this service when they are chosen for establishing a connection; the service uses all three of them.

The encryption algorithm: DES, 3DES, 40bitDES, or none.
The integrity algorithm: MD5 or SHA.
The authentication method: Public Key Certificate, preshared key, or Kerberos V5 (the Windows 2000 default).
Public Key Certificate
A certificate can be used to establish communication between systems; for more information, search Help for this term.
Preshared key
A preshared key is a secret token or passphrase by which systems can identify their peer: among the systems on the network, a system answers only the system whose preshared key matches its own, or, better put, the system looks for a peer that holds this key. The key is nothing more than a text string.
Note that this service uses the algorithms above (options one and two) to encode the keys and the data of a packet.


Below you see the steps of an IPSec communication; these steps follow the figure above.
For simplicity, this example illustrates IPSec from a domain computer to a domain computer. Alice, using an application on Computer A, sends a message to Bob.
The IPSec driver on Computer A checks the IP Filter List in the active policy for a match with the address or traffic type of the outbound packets.
The IPSec driver notifies ISAKMP to begin security negotiations with Computer B.
The ISAKMP service on Computer B receives a request for security negotiations.
The two computers perform a key exchange, establish an ISAKMP SA and a shared, secret key.
The two computers negotiate the level of security for the data transmission, establishing a pair of IPSec SAs and keys for securing the IP packets.

Using the outbound IPSec SA and key, the IPSec driver on Computer A signs the packets for integrity, and encrypts the packets if confidentiality has been negotiated.
The IPSec driver on Computer A transfers the packets to the appropriate connection type for transmission to Computer B.
Computer B receives the secured packets and transfers them to the IPSec driver.
Using the inbound SA and key, the IPSec driver on Computer B checks the integrity signature and decrypts the packets, if necessary.
The IPSec driver on Computer B transfers the decrypted packets to the TCP/IP driver, which transfers them to the receiving application.

Virtual Private Networking with IPSec
 The entire process of encapsulation, routing, and de-encapsulation is called tunneling. Tunneling hides, or encapsulates, the original packet inside a new packet. This new packet may have new addressing and routing information, which enables the new packet to travel through networks. When tunneling is combined with privacy, the original packet data (as well as the original source and destination) is not revealed to those listening to traffic in the network. The network could be any internetwork: a private intranet, or the Internet. Once the encapsulated packets reach their destination, the encapsulation header is removed and the original packet header is used to route the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated packets travel. To the original source and destination peer, the tunnel is usually transparent and appears as just another point-to-point connection in the network path. The peers are unaware of any routers, switches, proxy servers, or other security gateways between the tunnel’s beginning point and the tunnel’s end point. When tunneling is combined with privacy, it can be used to provide Virtual Private Networks (VPN).
In Windows 2000, two types of tunneling are provided that use IPSec:
Layer 2 Tunneling Protocol (L2TP/IPSec), in which L2TP provides encapsulation and tunnel management for any type of network traffic and IPSec in transport mode provides the security for the L2TP tunnel packets.
IPSec in tunnel mode, in which IPSec itself does the encapsulation for IP traffic only.
Before using either type of tunneling, a complete understanding of the functionality should be obtained. For more information, see "Virtual Private Networking and IPSec" in the Windows 2000 Resource Kit.
The encapsulated packets travel through the network inside the tunnel. (In this example, the network is the Internet.) The gateway may be an edge gateway which stands between the outside Internet world and the private network--a router, firewall, proxy server, or other security gateway. Also, two gateways may be used inside the private network to protect traffic across less trusted parts of the network.
L2TP and IPSec

IPSec and L2TP are combined to provide both tunneling and security for IP, IPX and other protocol packets across any IP network. IPSec can also perform tunneling without L2TP, but it is only recommended for interoperability, when one of the gateways does not support L2TP or PPTP.
L2TP encapsulates original packets inside a PPP frame, performing compression when possible and then inside a UDP-type packet assigned to port 1701. Since the UDP packet format is an IP packet, L2TP automatically uses IPSec to secure the tunnel, based on the security settings in the user configuration of the L2TP tunnel. The IPSec Internet Key Exchange (IKE) protocol negotiates security for the L2TP tunnel using certificate-based authentication by default. This authentication uses computer certificates, not user certificates, to verify that both source and destination computers trust each other. If IPSec transport security is successfully established, then L2TP negotiates the tunnel, including compression and user authentication options and performs access control based on the user identity. Thus, L2TP/IPSec is the easiest, most flexible, most interoperable and more secure tunneling option for both client remote access VPN and gateway-to-gateway VPN tunnels.
Configuration for L2TP/IPSec VPN remote access clients is performed using Network and Dial-up Connections. Configuration for the VPN remote access server and for gateway-to-gateway tunnels is performed using the Routing and Remote Access console.

The original packet header, shown here as the IP or IPX header, carries the original and ultimate source and destination addresses (addresses used on the private network), and the outer IP header, shown as New IP Header contains the source and destination addresses of the tunnel end points (addresses used in the public network). The L2TP header carries tunnel control information. The PPP header identifies the protocol of the original packet, for example IP or IPX. For more information on L2TP/IPSec, see Network and Dial-up Connections in Windows 2000 Server Help.
IPSec Tunneling
The primary reason for using IPSec tunnel mode is for interoperability with other routers, gateways, or end-systems which do not support L2TP/IPSec or PPTP VPN tunneling technology. IPSec tunnel mode is supported only in gateway-to-gateway tunneling scenarios and for certain server-to-server or server-to-gateway configurations as an advanced feature. The Windows 2000 Resource Kit chapter on IPSec describes these scenarios and configurations in more detail and should be understood before using IPSec tunnel mode. IPSec tunnel mode is not supported for client remote access VPN scenarios. L2TP/IPSec or PPTP should be used for client remote access VPN.
The two formats of IPSec packets can be used also in tunnel mode:
ESP Tunnel Mode
The original IP header (which is the original packet header) usually carries the ultimate source and destination addresses, while the outer IP header usually contains the source and destination address of security gateways. The ESP tunnel format always provides strong integrity and authenticity for traffic carried inside the tunnel. The ESP tunnel is used mainly to provide privacy for the tunneled packets using DES or 3DES encryption. The level of encryption is specified in the Filter Action of the tunnel rule, and thus could also be configured for no encryption if the contents of the tunnel traffic do not require privacy.

In the preceding illustration, the original packet between the ultimate source and destination is encapsulated by the new IP and ESP headers. The Signed area indicates where the packet has been protected with integrity. The Encrypted area indicates that the entire original packet may be encrypted.
The information in the new IP header is used to route the packet from origin to the tunnel destination end point; usually a security gateway. The new IP ESP header is not protected by the integrity hash. This is the IETF RFC design to allow the packet header to be modified by network components as necessary to provide additional services, such as changing the source or destination IP address, or giving it higher priority over other packets.
AH Tunnel Mode
AH tunnel mode does not provide encryption privacy for the contents of the tunnel, only strong integrity and authenticity.
The entire packet is signed for integrity, including the new tunnel header. Thus, no change in the source or destination address can be made once the packet is sent by the source of the tunnel. The IETF RFC design still allows for a few fields in the new IP header to be modified by network components to provide priority for certain packets, and to delete stray or old packets. ESP and AH can be combined to provide tunneling, which includes both integrity for the entire packet and confidentiality for the original IP packet.
IPSec tunnels provide security for "IP only" traffic. The tunnel is configured to protect traffic either between two IP addresses or between two IP subnets. If the tunnel is used between two hosts instead of between two gateways, the outer IP address is the same as the inner IP address. In Windows 2000, IPSec does not support protocol-specific, port-specific, or application-specific tunnels. Configuration is performed using the IPSec Policy console by specifying a security rule containing a filter to describe the traffic that goes into the tunnel, a filter action for securing the tunnel and an authentication method to be used by the tunnel end points. Three types of authentication are supported: certificates, pre-shared key, and Kerberos.
IPSec policy planning

The first thing you must have documented before deploying a policy on a domain is your goal in deploying a policy on the network. We must know which problems this service solves, with which capabilities, and which problems it may create; so the goal matters. One example: this service can be set up so that no pre-Windows 2000 system on the network, meaning Windows 95 and Windows 98 systems, can communicate with the servers. So if our network contains such systems, which do not support this service, deploying it will cause problems, unless we leave those systems outside the secured part of the network, which in itself means a high-risk network: our network is then not fully secured, and our systems, and likewise our servers, will not be safe from hackers. We can therefore apply IPSec to zones of computers that use only Windows 2000. Note that Windows XP must also obtain this service from Windows Server 2003 servers.
Establishing an IPSec security plan

You should consider one of the following three situations. First, Minimal security: you have no sensitive information on the network, so there is no need to set up IPSec. Second, you may have important information on the network; in this case you can consider Client (Respond Only) and Server (Request Security). Third, you have a network with completely confidential information and must have maximum security, in which case Secure Server (Require Security) is your IPSec policy type. There is also a fourth type, which administrators can create by hand.
The policy levels are shown below.
Client (Respond Only)
This is used for computers which should not secure communications most of the time. For example, intranet clients may not require IPSec, except when requested by another computer. This policy enables the computer on which it is active to respond appropriately to requests for secured communications. The policy contains a default response rule, which enables negotiation with computers requesting IPSec. Only the requested protocol and port traffic for the communication is secured.
Server (Request Security)
This is used for computers which should secure communications most of the time. An example would be servers which transmit sensitive data. In this policy, the computer accepts unsecured traffic, but always attempts to secure additional communications by requesting security from the original sender. This policy allows the entire communication to be unsecured if the other computer is not IPSec-enabled.
Secure Server (Require Security)
This is used for computers which always require secure communications. An example would be a server which transmits highly sensitive data, or a security gateway which protects the intranet from the outside. This policy rejects unsecured incoming communications, and outgoing traffic is always secured. Unsecured communication will not be allowed, even if a peer is not IPSec-enabled.



In the first mode, Respond Only, systems that support IPSec answer packets securely; otherwise they behave normally. This mode is compatible with the second mode. In the second mode, Request Security, systems first try to communicate securely, but if a packet arrives from a system that is not secured, they accept it and answer it.
In the third mode, Require Security, all incoming and outgoing packets are sent securely, and maximum security is applied on the network, but pre-Windows 2000 systems cannot take part in this network.
Assign IPSec policy
Assessing the risk and determining the appropriate level of security for your organization.
    You must determine how much security risk the type of policy you have applied to the network carries.
Identifying valuable information.
    You must find the systems on the network that hold valuable information and secure them.
Defining security policies that use your risk management criteria and protect the identified information.
    Review the organization's procedures and implement this policy according to its rules.
Determining how the policies can best be implemented within the existing organization.
    Determine whether this policy is the best tool or the best way to apply security.
Ensuring that management and technology requirements are in place.
    Determine whether this policy is needed in the specified place.
Special IPSec considerations
Windows 2000 Encryption Requirements
You must use at least one of the data encryption algorithms, the best of which is 3DES. When two systems establish communication they must share one of the algorithms, such as MD5 and 3DES, so that data is encoded according to these models; this is how the network traffic is secured.
Authentication
Identification of people with accounts on the network must be done with the Kerberos V5 service.
IP Filter Lists
With this option you create a type of filter that matters on the network: you define the IP range with which you want secured traffic. The algorithm type and your IP filter definitions can also determine the workload on the network. In this section, by listing these IPs you assign them one of several modes: the first is Block, meaning the secured connection is closed; the second is Permit, which is self-explanatory. For more information, see the Filter actions section.
As figure A1 shows, ICMP traffic can be filtered, and in part A2 you see that the filter can define which systems communicate with us. Here the options My IP Address, Any IP Address, A Specific IP Address and A Specific IP Subnet let you define the filter range for the Source Address and the Destination Address.
Security Gateways
Secured traffic runs into problems at gateways, firewalls, proxy servers and routers. To solve this, the following IP filters must be applied, and these ports must be open on the devices mentioned so that IPSec traffic can pass through them.
Input Filters
IP Protocol ID of 51 (0x33) for inbound IPSec Authentication Header traffic.
IP Protocol ID of 50 (0x32) for inbound IPSec Encapsulating Security Protocol traffic. UDP port 500 (0x1F4) for inbound ISAKMP/Oakley negotiation traffic.
Output Filters
IP Protocol ID of 51 (0x33) for outbound IPSec Authentication Header traffic.
IP Protocol ID of 50 (0x32) for outbound IPSec Encapsulating Security Protocol traffic. UDP port 500 (0x1F4) for outbound ISAKMP/Oakley negotiation traffic.



On the network, DHCP, DNS and WINS servers and Domain Controllers must also have a set of IP filters. As an example we describe the DNS server. Note that DNS uses port 53, and the filter must be of the Permit type.

Set the IP filter list to exempt traffic between the computer and the DNS server from requiring IPSec:
Set the Source address to My IP address.
Set the Destination address to the IP address of your DNS server.
Enable Mirrored to automatically create the inbound filter.
Configure the protocol settings, From this Port and To this Port, to the port which your DNS server has been configured to use for traffic. It is generally port 53.
Set the filter action to Permit, to ensure that DNS traffic passes through and security is never negotiated for traffic which matches this IP filter list.

You can look up the well-known ports at the following location:
%winroot%\system32\drivers\etc\services or RFC 1700.
  
Description of an IPSec policy
IPSec policy properties
There are two types of IPSec policy. The first exists locally, defined and stored in a system's registry. The second is stored in ADS (Active Directory), and this second type has more use.
Note that the rules defined in the IPSec policy for DNS, WINS, DHCP, SNMP and RRAS servers differ from one another.

Rules
A rule determines how and when communication between systems is secured, and consists of the following items.
IP filter lists
For systems to communicate, at least one IP filter must exist. As you saw in figures A1 and A2, this filter can be applied to systems and also to their protocols, which is very important.
Below you see the filters needed for system A to communicate with system B.
For example, if Computer A wants to securely exchange data with Computer B:
 The active IPSec policy on Computer A must have a filter for any outbound packets to Computer B. Source=A and Destination=B.
 The active IPSec policy on Computer A must have a filter for any inbound packets from Computer B. Source=B and Destination=A.
Each peer must also have the reverse filter:
 The active IPSec policy on Computer B must have a filter for any inbound packets coming from Computer A. Source=A and Destination=B.
 The active IPSec policy on Computer B must have a filter for any outbound packets to Computer A. Source=B and Destination=A.
A separate filter must be defined for each of inbound and outbound. Note that all of a system's ports can be covered, or a single port can be used, for example to pass ICMP or IGMP traffic.
In the example below you see an IP filter; here, to connect one host to a set of hosts on the network, an IP base and its mask are used.
Source address
IP BASE=192.168.1.16   MASK=255.255.255.240  ==NETWORK==>  192.168.1.16 .. 192.168.1.31
Destination address
IP BASE=192.168.1.230  MASK=255.255.255.255

In this section you define your protocol type; here TCP with port 1800 is used.
Above, you select the Mirrored option so that this filter is checked for both the source address and the destination address and both follow this rule; this way each of the two addresses attaches to the other systems with its port 1800 to establish communication.
From this port: 1800    To any port

Filter settings

Each filter defines a particular subset of inbound or outbound network traffic which should be secured. You must have a filter to cover any traffic to which the associated rule applies. A filter contains the following settings:

The source and destination address of the IP packet. This may be configured at a granular level, using a single IP address or DNS name, or groups of addresses, subnets, or networks.

The protocol over which the packet is being transferred. This automatically defaults to cover all protocols in the TCP/IP protocol suite. However, it can be configured to an individual protocol level to meet special requirements, including custom protocols.

The source and destination port of the protocol for TCP and UDP. By default, all ports are covered, but this can be configured to apply to only a specific port.
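The filter fields above, together with the post's own DNS exemption, gateway pass-through filters and the 192.168.1.16/255.255.255.240 to 192.168.1.230 TCP port 1800 example, can be modelled in a few lines. This is an added example, not the post's or Windows 2000's code: it expands Mirrored filters into their inbound twins, picks the most specific matching filter (a simplified stand-in for the driver's filter ordering, an assumption) and returns its action. The host addresses 192.168.1.20, 192.168.1.53 and 192.168.1.99 are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = None  # wildcard: Any IP Address, any protocol, or any port
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51


def net(ip_base: str, mask: str) -> IPv4Network:
    """The console's 'IP base + subnet mask' pair as a network, e.g.
    192.168.1.16 / 255.255.255.240 -> 192.168.1.16 .. 192.168.1.31."""
    return IPv4Network(f"{ip_base}/{mask}")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports (AH, ESP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    src: Optional[IPv4Network]    # None = Any IP Address
    dst: Optional[IPv4Network]
    proto: Optional[int]          # None = any protocol
    sport: Optional[int]          # None = From any port
    dport: Optional[int]          # None = To any port
    action: str                   # "Permit", "Block" or "Negotiate"
    mirrored: bool = True

    def mirror(self) -> "Filter":
        """The inbound twin the Mirrored check box generates: source and
        destination (addresses and ports) swapped, same action."""
        return Filter(self.dst, self.src, self.proto, self.dport, self.sport,
                      self.action, mirrored=False)

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.src is None or IPv4Address(pkt.src) in self.src)
            and (self.dst is None or IPv4Address(pkt.dst) in self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
        )


def specificity(f: Filter) -> int:
    """Narrower filters outrank wider ones; a simplified version of the
    driver's filter weighting (assumption, not the exact Windows 2000 order)."""
    score = sum(x is not None for x in (f.proto, f.sport, f.dport))
    score += (f.src.prefixlen if f.src else 0) + (f.dst.prefixlen if f.dst else 0)
    return score


def expand(filters):
    """Turn each Mirrored filter into an explicit outbound + inbound pair."""
    out = []
    for f in filters:
        out.append(f)
        if f.mirrored:
            out.append(f.mirror())
    return out


def decide(filters, pkt: Packet) -> str:
    """Filter action applied to a packet: the most specific matching filter
    wins; 'Unfiltered' means no rule covers the traffic."""
    hits = [f for f in expand(filters) if f.matches(pkt)]
    return max(hits, key=specificity).action if hits else "Unfiltered"


MY_IP = "192.168.1.20"       # constructed: this host, inside 192.168.1.16/28
DNS_SERVER = "192.168.1.53"  # constructed
HOST = "255.255.255.255"     # mask for A Specific IP Address

POLICY = [
    # DNS exemption from the post: My IP -> DNS server, port 53, Permit, Mirrored
    Filter(net(MY_IP, HOST), net(DNS_SERVER, HOST), PROTO_UDP, ANY, 53, "Permit"),
    # gateway pass-through filters: AH (51), ESP (50) and ISAKMP/Oakley (UDP 500)
    Filter(ANY, ANY, PROTO_AH, ANY, ANY, "Permit"),
    Filter(ANY, ANY, PROTO_ESP, ANY, ANY, "Permit"),
    Filter(ANY, ANY, PROTO_UDP, ANY, 500, "Permit"),
    # the post's IP base / mask example: 192.168.1.16/240 -> 192.168.1.230,
    # TCP, From this port 1800, To any port, then negotiate security
    Filter(net("192.168.1.16", "255.255.255.240"), net("192.168.1.230", HOST),
           PROTO_TCP, 1800, ANY, "Negotiate"),
    # a host (constructed address) that must not communicate at all
    Filter(net("192.168.1.99", HOST), ANY, ANY, ANY, ANY, "Block"),
    # the catch-all 'All IP Traffic' rule of a Secure Server policy
    Filter(ANY, ANY, ANY, ANY, ANY, "Negotiate"),
]

if __name__ == "__main__":
    for p in (Packet(MY_IP, DNS_SERVER, PROTO_UDP, 4000, 53),
              Packet(MY_IP, "192.168.1.230", PROTO_TCP, 1800, 80),
              Packet("192.168.1.99", "192.168.1.230", PROTO_TCP, 1234, 80)):
        print(p, "->", decide(POLICY, p))
```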



Filter actions
A filter can have several modes, which we review below.
Permit
When a filter is in this mode it does not pass the traffic as secured traffic. Note: broadcast packets must not carry secured traffic.
Block
This type of filter is applied to systems on the network that are not allowed to communicate.
Accept unsecured communication but always respond using IPSec
When a system has a filter in this mode, its behaviour toward systems that do not support IPSec is as follows: if the answer is not secured it accepts it, and if it is secured it accepts it too, so the system is compatible with both kinds. This filter type is not recommended, however, because its high risk makes it dangerous on the network.
Enable Session Key Perfect Forward Secrecy (PFS)
In a filter you can specify that each communication session between two systems is encoded with its own key. This is very useful, because the communication between the two systems then constantly uses changing key codes.

Specify security requirements
The last type is the secured connection and negotiation, whose combination with PFS can create maximum security in a filter. In this mode all systems must be able to support secured traffic.

Above, the Require Security mode is meant.
IPSec security methods
There are three methods for securing traffic: High = ESP protocol and Medium = AH protocol, and a third type that combines the two. These two methods are fully explained in the Understanding Internet Protocol Security section. It is better to consider Key Lifetimes, that is PFS, in both of these methods to raise security.

In the figure above you see the properties of the third type, which combines both.
Security Protocols
Both AH and ESP may be enabled in a custom security method, if you require IP header integrity and data encryption. If you chose to enable both, you do not need to specify a second integrity algorithm for ESP; the algorithm you select for AH will provide integrity.
Integrity
Message Digest 5 (MD5), which produces a 128-bit key.
Secure Hash Algorithm (SHA), which results in a 160-bit key. Longer key lengths provide greater security, so SHA would be considered stronger.
Confidentiality
3DES is the most secure of the DES combinations, and somewhat slower in performance. 3DES processes each block three times, using a unique key each time.
DES is to be used when the high security and overhead of 3DES is not necessary, or for interoperability. DES uses only 56 bits of keying material.
IPSec authentication
Kerberos V5
The first way to identify peers is Kerberos V5, which is also the default.
A public key certificate
This is the second method; it is not, however, compatible with networks that have Kerberos.
A preshared key
This is the third identification method and is a little different: when two systems want to identify each other on the network they must obtain this passphrase from each other; if it matches, they identify each other and send IPSec traffic to each other. In this section only a text string needs to be typed.

 
IPSec tunneling 
This rule does not specify an IPSec tunnel (default). Disables IPSec tunneling for communications covered by the rule.
IPSec connection types
There are three options for selecting an interface in IPSec.
All Network Connections
Covers all of a system's network adapters, even the modem.
Local Area Network (LAN)
Covers only the internal LAN.
Remote Access
The modem and the systems that connect to the system through RRAS, that is, dial-up.


Advanced IPSec settings
Key exchange methods
In this section you define how a key is built, based on the algorithms introduced in the IPSec security methods section.



To create key exchange methods
In IP Security Policy Management, right-click the policy you want to modify, and then click Properties.
Click the General tab, click Advanced, and then click Methods.
Click Add, or if you are reconfiguring an existing method, click the security method, and then click Edit.
Select an Integrity Algorithm:
Click MD5 to use a 128-bit value.
Click SHA to use a 160-bit value (stronger).
Select a Confidentiality Algorithm:
Click 3DES to use the highest security algorithm.
Click DES if you are required to connect to computers that do not have 3DES or if you do not need the higher security and overhead of 3DES. For more information on cryptographic settings, see Special Considerations.
Select a Diffie-Hellman Group to set the length of base keying material used to generate the actual keys:
Click Low (1) to use 768 bits as a basis.
Click Medium (2) to use 1024 bits as a basis (stronger).
IPSec scenarios

Domain, Peer to Peer: IPSec
In a LAN with several servers at different security levels, the best way to create one or more high-security and medium-security sections is to use Group Policy in each OU.

Above you can see that some servers are in a Highest Security OU and some in a Secure Server OU.
All of these definitions must be made in ADS, and it is very important that the security level of each server is set by the administrator.
 Remote communications: IPSec
Secure, remote communication is achieved by combining the Layer 2 Tunneling Protocol (L2TP) and IPSec. L2TP is used to build the tunnel through which the data will travel, and IPSec secures the data.
Roving clients
A common requirement is securing communications between remote clients and the enterprise network. This may be a sales consultant who spends most of the time on the road, or an employee working from a home office.

In this figure, the remote gateway is a server which provides edge security for the enterprise's intranet. The remote client represents a roving user who needs regular access to network resources and information. The client may or may not be going through an Internet service provider (ISP); it is shown here to represent the path of communication if the client is using an ISP to access the remote gateway. L2TP is combined with IPSec to provide a simple, efficient way to build the tunnel and protect the data across the Internet. The tunnel itself is between the Remote Client and the remote gateway, since it is used only to protect communication through the Internet.
Branch offices
A large enterprise will often have multiple sites which need to communicate, for example, a corporate office in New York, and a sales office in Washington. As in the previous scenario, L2TP is combined with IPSec to provide the tunnel and protect the data between the sites.
In this figure, the Windows 2000 routers provide edge security and a communication route between the two sites. The routers may have a lease line, demand dial, or other type of connection. The tunnel runs between the routers only, since it is being used to protect communication through the Internet. However, the virtual private network (VPN) extends between the intranet computers at each site that are exchanging data.
Securing remote communication
Instead of configuring IPSec policies, these remote communication scenarios require configuration of the L2TP security properties in Windows 2000.
When L2TP is configured to use IPSec for security:
The required IP filter and filter action lists are dynamically set in the IPSec Policy Agent for the duration of the connection.
Authentication is determined by L2TP, which requires a computer public key certificate and its associated private key.
Default key exchange settings are in effect.
The level of Internet Protocol security that is used for the duration of the connection is dependent upon the L2TP security configuration:
No encryption. IPSec still requires a certificate and will negotiate AH.
Optional encryption. If the other computer requests or requires secured communication, IPSec can offer security levels ranging from ESP/3DES to AH/MD5.
Session key Perfect Forward Secrecy is not enabled unless the other computer requests it.
You can fall back to unsecured communication.

Required encryption. The computer will require secured communication. The security that is offered is identical to that under optional encryption, except that you cannot fall back to unsecured communication.
