IPSec Security Considerations
Securing the Network
When planning for and implementing network security, you would typically perform the following activities:
- Planning how the network infrastructure will be secured from both internal and external threats.
- Defining and creating internal and external security boundaries.
- Implementing network security technologies and mechanisms that can assist the organization in meeting its security requirements.
- Implementing server security technologies and mechanisms.
- Implementing application security technologies and mechanisms.
- Implementing user security technologies and mechanisms.
- Planning and implementing an auditing strategy.
- Implementing network monitoring.
A few methods of securing your network infrastructure are listed here:
- Physically securing all mission-critical network servers.
- Using the NTFS file system and its security features.
- Using the Encrypting File System (EFS).
- Securing network access points.
- Enforcing user authentication.
- Securing network access.
- Enforcing the use of strong passwords.
- Securing confidential network service data as it moves over the network.
- Securing confidential application data as it moves over the network.
- Securing confidential user data as it moves over the network.
IPSec is a framework of open standards which can be used for encrypting TCP/IP traffic within networking environments. IPSec works by encrypting the information contained in IP datagrams through encapsulation. This in turn provides network level data integrity, data confidentiality, data origin authentication, and replay protection. IPSec can be used to secure data moving over the intranet, extranet, and Internet. IPSec can also be used to secure remote access connections.
A few security features provided by IPSec are listed here:
- Authentication; a digital signature is used to verify the identity of the sender of the information. IPSec can use Kerberos, a preshared key, or digital certificates for authentication.
- Data integrity; a hash algorithm is used to ensure that data is not tampered with. A checksum called a hash message authentication code (HMAC) is calculated for the data of the packet.
- Data privacy; encryption algorithms are utilized to ensure that data being transmitted is undecipherable.
- Anti-replay; prevents an attacker from resending packets in an attempt to gain access to the private network.
- Nonrepudiation; public key digital signatures are used to prove message origin.
- Dynamic rekeying; keys can be created during data sending to protect segments of the communication with different keys.
- Key generation; the Diffie-Hellman key agreement algorithm is used to enable two computers to exchange a shared encryption key.
- IP Packet filtering; the packet filtering capability of IPSec can be used to filter and block specific types of traffic, based on either of the following elements or on a combination of them:
  - IP addresses
  - Protocols
  - Ports
Considering all the security features provided by IPSec, it makes sense that you need to first determine which security methods you need to implement when you deploy IPSec security.
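The data integrity and anti-replay features listed above can be seen working together in the following added example, which is not part of the original page: a receiver verifies the HMAC of each packet and then checks its sequence number against a sliding window. The packet layout, the `Receiver` and `seal` names, the 64-packet window and the use of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 64      # assumed anti-replay window size (in packets)
TAG_LEN = 32     # full HMAC-SHA256 output; an assumption for this sketch

def seal(key, seq, payload):
    """Sender side: 4-byte sequence number + payload + HMAC over both."""
    header = struct.pack(">I", seq)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

class Receiver:
    """Hypothetical receiver: checks integrity first, then the replay window."""
    def __init__(self, key):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already accepted

    def accept(self, packet):
        if len(packet) < 4 + TAG_LEN:
            return "bad-hmac"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad-hmac"                        # tampered or wrong key
        seq = struct.unpack(">I", body[:4])[0]
        if seq > self.highest:                       # newer packet: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "ok"
        offset = self.highest - seq
        if seq == 0 or offset >= WINDOW:
            return "too-old"                         # fell out of the window
        if self.bitmap & (1 << offset):
            return "replay"                          # already accepted once
        self.bitmap |= 1 << offset                   # late but new: record it
        return "ok"

def demo():
    """Constructed traffic: in-order, reordered, replayed, then tampered."""
    key = b"constructed-demo-key"
    rx, bad = Receiver(key), bytearray(seal(key, 4, b"d"))
    bad[4] ^= 0x01                                   # flip one payload bit
    seqs = [(1, b"a"), (3, b"c"), (2, b"b"), (2, b"b")]
    return [rx.accept(seal(key, s, d)) for s, d in seqs] + [rx.accept(bytes(bad))]
```

The window state is updated only after the HMAC check succeeds, so a forged packet with a high sequence number cannot push legitimate packets out of the window.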
Determining the Encryption Algorithm to use
IPSec ensures data confidentiality by applying encryption algorithms to data before it is sent over the network. If the data is intercepted, encryption ensures that the intruder cannot interpret the data. To ensure data confidentiality, IPSec can use either of the following encryption algorithms:
- Data Encryption Standard (DES): This is the default encryption algorithm used in Windows Server 2003 which uses 56-bit encryption.
- Triple DES (3DES): Data is encrypted with one key, decrypted with another key, and encrypted again with a different key.
- 40-bit DES: This is the least secure encryption algorithm.
DES and 3DES are block ciphers. This means that DES and 3DES work by encrypting a fixed-length block of plaintext to a block of cipher text of exactly the same length. 3DES is the strongest encryption algorithm because it uses three unique 56-bit keys, thereby making the key length 168 bits.
You can use 3DES in encrypt-encrypt-encrypt (EEE) mode or in encrypt-decrypt-encrypt (EDE) mode. In EEE mode, the following occurs:
- One key is used to encrypt a block of plaintext to cipher text.
- Another key is used to encrypt this cipher text.
- And the last key is then used to encrypt that cipher text.
Determining the Diffie-Hellman Group to use
Diffie-Hellman Key Agreement enables two computers to create a shared private key that authenticates data and encrypts an IP datagram. IPSec in Windows Server 2003 includes support for the Group 3 2048-bit Diffie-Hellman key exchange.
The different Diffie-Hellman groups are listed here:
- Group 1: Provides 768-bit key strength.
- Group 2: Provides 1024-bit key strength.
- Group 3: Provides 2048-bit key strength.
The Group 3 key is much stronger and more complex than the Group 2 1024-bit Diffie-Hellman key exchange. If, however, you need backward compatibility with Windows 2000 and Windows XP, then you have to use the Group 2 1024-bit Diffie-Hellman key exchange. If you need to provide the best security, then you should use the Group 3 key exchange.
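The key agreement described in this section is sketched below as an added example, not code from the original page. It uses the 1024-bit prime and generator 2 that RFC 2409 defines for its second Oakley group (the 1024-bit group the page calls Group 2); the function names are hypothetical, and the range check on the peer's public value is a receiver-side safeguard added for the illustration.

```python
import secrets

# 1024-bit MODP prime of the second Oakley group (RFC 2409, section 6.2)
P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair(p=P_1024, g=G):
    """Return (private, public); only the public value is sent to the peer."""
    private = secrets.randbelow(p - 3) + 2        # uniform in 2 .. p-2
    return private, pow(g, private, p)


def shared_secret(own_private, peer_public, p=P_1024):
    """Combine our private value with the peer's public value."""
    # Values 0, 1 and p-1 would force a secret an eavesdropper can predict,
    # so they are rejected before any key material is derived.
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)


def exchange():
    """Both sides of the exchange; the private values never leave their host."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return shared_secret(a_priv, b_pub), shared_secret(b_priv, a_pub)
```

Both values returned by `exchange()` are equal, and the size of the prime (768, 1024 or 2048 bits) is what the group number selects.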
Determining the Authentication Method to use
Authentication deals with verifying the identity of the computer sending the data, or the identity of the computer receiving the data. The methods which IPSec can use to authenticate the sender or receiver of data are:
- Digital certificates: Provides the most secure means of authenticating identities. Certificate authorities (CAs) such as Netscape, Entrust, VeriSign, and Microsoft provide certificates which can be used for authentication purposes.
- Kerberos authentication: A downside of using the Kerberos authentication protocol is that the identity of the computer remains unencrypted up to the point that the whole payload is encrypted at authentication.
- Preshared keys: You should only use preshared keys when none of the former authentication methods can be used.
Because preshared keys are considered the least secure supported authentication method, you should only use preshared keys when you cannot use digital certificates or the Kerberos v5 authentication protocol. Preshared keys should really only be used in testing environments.
You can define more than one authentication method and then set the order of precedence for the authentication methods.