Internet Protocol Security
IPSec protects the data so that an attacker finds it extremely difficult or impossible to interpret. The level of protection provided is determined by the strength of the security levels specified in your IPSec policy structure.
IPSec has a number of features that significantly reduce or prevent the attacks discussed previously:
Sniffers, Lack of Privacy: IPSec's Encapsulating Security Payload (ESP) protocol provides data privacy by encrypting the IP packets.
Data Modification: IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a digital checksum for each IP packet. Any modification to the packet data alters the checksum, which indicates to the receiving computer that the packet was modified in transit.
Identity Spoofing, Password-Based, Application-Layer, and Denial-of-Service: IPSec allows the exchange and verification of identities without exposing that information to interpretation by an attacker. Mutual verification (authentication) is used to establish trust between the communicating systems; only trusted systems can communicate with each other.
Man-in-the-Middle: IPSec combines mutual authentication with shared, cryptography-based keys.
Denial-of-Service: IPSec uses IP packet filtering methodology as the basis for determining whether communication is allowed, secured, or blocked, according to IP address ranges, protocols, or even specific protocol ports.
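The keyed checksum described under Data Modification is, in IPSec, an HMAC computed with a key that only the two endpoints share. The example below is added here and is not from the Resource Kit; it uses HMAC-SHA-1 truncated to 96 bits, the form IPSec AH and ESP use (RFC 2404), with a constructed key and packet so that a modified packet is rejected on receipt.

```python
import hmac
import hashlib

# Constructed shared key. In IPSec the key comes from the IKE negotiation,
# so an attacker on the path never learns it.
SHARED_KEY = bytes.fromhex("0b" * 20)
ICV_LEN = 12  # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value over the protected part of the packet."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, packet: bytes) -> bytes:
    """Sender: append the ICV so the receiver can detect in-transit changes."""
    return packet + icv(key, packet)


def verify(key: bytes, wire: bytes):
    """Receiver: return the packet if its ICV checks out, else None."""
    if len(wire) < ICV_LEN:
        return None
    body, tag = wire[:-ICV_LEN], wire[-ICV_LEN:]
    # Constant-time comparison so timing does not leak the expected ICV.
    if not hmac.compare_digest(icv(key, body), tag):
        return None
    return body


def tamper_detected(key: bytes, packet: bytes, offset: int) -> bool:
    """Flip one bit of a protected packet in transit and ask the receiver."""
    wire = bytearray(protect(key, packet))
    wire[offset] ^= 0x01
    return verify(key, bytes(wire)) is None


if __name__ == "__main__":
    pkt = b"\x45\x00\x00\x28" + b"GET /secret HTTP/1.0"  # constructed packet
    print("intact accepted:", verify(SHARED_KEY, protect(SHARED_KEY, pkt)) == pkt)
    print("modified rejected:", tamper_detected(SHARED_KEY, pkt, 6))
```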
Usually the level of protection that IPSec provides requires system modification. However, IPSec's strategic implementation at the IP transport level (network Layer 3) enables a high level of protection transparently for almost all applications, services, and upper-layer protocols, with little overhead: deploying IPSec requires no changes to existing applications or operating systems, and policies can be centrally defined in Active Directory™ or managed locally on a computer.
The implementation of security at Layer 3 provides protection for all IP and upper layer protocols in the TCP/IP protocol suite, such as TCP, UDP, ICMP, Raw (protocol 255), and even custom protocols that send traffic at the IP layer. (See "Introduction to TCP/IP" in this book for more information about the network layer model.) The primary benefit of securing information at a lower layer is that all applications and services using IP for transport of data can be protected with IPSec without any modification to those applications or services.
Other security mechanisms that operate above Layer 3, such as Secure Sockets Layer (SSL), provide security only to applications that know how to use SSL (such as Web browsers). Protecting communications for all the applications on your computer with SSL requires modifications to each application. Security mechanisms that operate below Layer 3, such as link-layer encryption, protect only that link, not necessarily all links along the data path. This makes link-layer encryption unsuitable for end-to-end data protection on the Internet or in routed intranet scenarios.
Although stronger security methods based on cryptography have become necessary to fully protect communication, they can often greatly increase administrative overhead. IPSec avoids this with its use of policy-based administration.
IPSec policies, rather than application programming interfaces (APIs) or operating systems, are used to configure IPSec security services. The policies provide variable levels of protection for most traffic types in most existing networks.
IPSec provides access control by enabling an administrator to designate specific filters and filter actions in an IPSec policy. Two types of access control are provided: simple IP packet filtering and successful authentication. Additionally, permit and block actions (see "Filter Actions" later in this chapter) allow control over the type of IP packets a computer may send or receive, or the addresses with which a computer may communicate.
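To make the filter-based access control concrete, here is an added model (not code from the Resource Kit or from Windows) of a small policy whose filters match on source and destination address range, protocol and port, each carrying a Permit, Block or Negotiate action. Windows IPSec applies the most specific matching filter when several overlap; the specificity score used here (prefix lengths plus whether protocol and port are fixed) is a simplification of that rule, and the addresses and filters are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    """One IPSec filter plus its filter action (constructed model)."""
    src: str = "0.0.0.0/0"          # source address range, CIDR
    dst: str = "0.0.0.0/0"          # destination address range, CIDR
    proto: Optional[str] = None     # "tcp", "udp", "icmp"; None = any
    dport: Optional[int] = None     # destination port; None = any
    action: str = "Block"           # Permit | Block | Negotiate

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))

    def specificity(self) -> int:
        # Narrower address ranges and fixed protocol/port make a filter more
        # specific; the most specific matching filter decides the action.
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
                + (self.proto is not None) + (self.dport is not None))


# Constructed policy: block everything unless a more specific filter applies.
POLICY: List[Filter] = [
    Filter(action="Block"),                                   # default: block all
    Filter(proto="icmp", action="Permit"),                    # allow ping in the clear
    Filter(dst="10.0.5.0/24", proto="tcp", dport=445, action="Negotiate"),  # file servers
    Filter(src="10.0.5.0/24", proto="tcp", dport=23, action="Block"),       # no telnet from servers
]


def decide(policy: List[Filter], src: str, dst: str, proto: str,
           dport: Optional[int] = None) -> str:
    """Return the action of the most specific filter that matches the packet."""
    hits = [f for f in policy if f.matches(src, dst, proto, dport)]
    if not hits:
        return "Block"  # no filter at all: treat as blocked in this model
    return max(hits, key=Filter.specificity).action


if __name__ == "__main__":
    print(decide(POLICY, "10.0.1.7", "10.0.5.10", "tcp", 445))   # Negotiate
    print(decide(POLICY, "10.0.5.10", "10.0.1.7", "tcp", 23))    # Block
    print(decide(POLICY, "10.0.1.7", "10.0.5.10", "icmp"))       # Permit
```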
Your network security administrator can configure IPSec policies to meet the security requirements of a user, group, application, domain, site, or global enterprise. Windows 2000 provides an administrative interface, called IPSec Policy Management, to define IPSec policies for computers at the Active Directory level for any domain members, or on the local computer for non-domain members.
To achieve secure communications with a low cost of ownership, Windows 2000 simplifies the deployment of IPSec with the following features:
Integration with the Windows 2000 Security Framework: IPSec uses the Windows 2000 secure domain as a trust model. By default, IPSec policies use the Windows 2000 default authentication method (Kerberos v5 authentication) to identify and trust communicating computers. Computers that are members of a Windows 2000 domain and in trusted domains can easily establish IPSec-secured communications.
Centralized IPSec Policy Administration at the Active Directory Level: IPSec policies can be assigned through the Group Policy features of Active Directory. This allows the IPSec policy to be assigned at the domain or organizational unit level, which eliminates the administrative overhead of configuring each computer individually.
Transparency of IPSec to Users and Applications: Tight integration at the IP layer (Layer 3) provides security for any protocol in the TCP/IP suite. You do not need separate security packages for each protocol in the TCP/IP suite, because applications using TCP/IP pass the data to the IP protocol layer, where it is secured.
Flexible Security Configuration: The security services within each policy can be customized to meet the majority of security requirements for the network and data traffic.
Automatic Key Management: Internet Key Exchange (IKE) services dynamically exchange and manage cryptography-based keys between communicating computers.
Automatic Security Negotiation: Internet Key Exchange (IKE) services dynamically negotiate a mutual set of security requirements between communicating computers, eliminating the need for both computers to have identical policies.
Public Key Infrastructure Support: Using public key certificates for authentication is supported, to allow trust and secure communication with computers that do not belong to a Windows 2000 trusted domain, with non-Windows 2000-based systems, between computers which have membership in untrusted domains, or where computer access must be restricted to a smaller group than what domain authentication allows.
Pre-Shared Key Support: If authentication using the Kerberos v5 protocol or public key certificates is not possible, a pre-shared authentication key can be configured. For more information, see the sections titled "Authentication" and "Best Practices" later in this chapter.