Understanding connection security
IPsec can be implemented using Windows Firewall with Advanced
Security by creating and configuring connection security rules. A
connection security rule is a set of criteria
configured in Windows Firewall with Advanced Security that specifies
how IPsec will be used to secure traffic between the local computer
and other computers on the network. Connection security rules can be
used to specify whether a network connection between two computers
must first be authenticated before data can be exchanged between them.
Connection security rules can also be used to make sure any data
exchanged between the computers is encrypted to protect against
eavesdropping or modification.
To understand how connection security can be implemented using
IPsec, you first need to understand the following IPsec
concepts:
The sections that follow go into more detail about these
concepts as they apply to Windows Server 2012 and Windows 8.
Encapsulation
IPsec protects data sent over an unsecure network by
encapsulating a payload of network packets. This can be done in two
ways:
IPsec supports two protocols that can encapsulate the payload of a
packet, encrypt it, or both:
- Authentication Header (AH): This mechanism provides data-origin
authentication, data integrity, and anti-replay protection for the
entire packet (both the IP header and the data payload carried in
the packet), except for the fields in the IP header that are allowed
to change in transit. It does not provide data confidentiality,
which means that it does not encrypt the data. The data is readable
but protected from modification.
- Encapsulating Security Protocol (ESP): This mechanism provides
data-origin authentication, data integrity, anti-replay protection,
and the option of confidentiality for the IP payload only. ESP in
transport mode does not protect the entire packet with a
cryptographic checksum, and the IP header is not protected.
A security association (SA) is a mutually agreed-upon
collection of cryptographic keys and policies that one IPsec-enabled
computer uses for secure unicast communications with another
IPsec-enabled computer. An SA can be thought of as a kind of
contract that specifies how the computers will use IPsec to securely
exchange information between them.
To establish an SA between them, the computers can use one of
the following IPsec protocols:
- Internet Key Exchange (IKE): This mechanism is defined in RFC 2409
and combines the Internet Security Association and Key Management
Protocol (ISAKMP) of RFC 2408 with the Oakley Key Determination
Protocol (Oakley) of RFC 2412. IKE is supported on computers that
are running Windows 2000 or later.
- Authenticated IP (AuthIP): This mechanism is a Microsoft proprietary
extension of IKE that provides improved negotiation of
authentication methods and supports additional authentication
methods not included in IKE. AuthIP is supported on computers
running Windows Vista, Windows Server 2008, or later.
When two computers negotiate to establish IPsec communications
between them, key exchange is performed during two phases:
- Main mode: This phase of IPsec negotiation is performed first and
is used to generate a shared master key that the computers can use
to securely exchange keying information.
- Quick mode: This phase of IPsec negotiation uses the master key
from main mode to generate one or more session keys that can be
used to ensure data integrity and encryption.
Because each SA defines only one-way communications, an IPsec
session requires two SAs.
Note: REAL WORLD Making VPN connections more reliable
Support for Internet Key Exchange version 2 (IKEv2), a virtual
private networking (VPN) tunneling protocol described in RFC 4306,
was first introduced in Windows 7 and Windows Server 2008 R2.
Beginning with Windows Server 2012, IKEv2 now supports additional
scenarios, including IPsec end-to-end, transport-mode connections
and support for Suite B (RFC 4869) requirements. From a practical
standpoint, this improvement means that a Windows Server 2012 VPN
server now allows a security association to remain unchanged despite
changes in the underlying connection.
In cryptographic systems, keys are used to encrypt and decrypt
communications between different entities. To send and receive
encrypted traffic over a network, IPsec-enabled computers must have
access to the same shared session key. The key must first be
securely exchanged between the computers. This sharing of keys is
accomplished through a process called key
exchange.
The key-exchange algorithms supported for IPsec communications
in Windows 8 and Windows Server 2012 are as follows:
- Diffie-Hellman Group 1 (DH Group 1): This algorithm is not
recommended and is provided for backward compatibility only.
- DH Group 2: This algorithm is stronger than DH Group 1.
- DH Group 14: This algorithm is stronger than DH Group 2.
- DH Group 24: This algorithm is new in Windows Server 2012 and is
stronger than DH Group 14.
- Elliptic Curve Diffie-Hellman P-256: This algorithm is stronger
than DH Group 2. It has medium resource usage and is compatible only
with Windows Vista and later.
- Elliptic Curve Diffie-Hellman P-384: This algorithm has the
strongest security but also the highest resource usage. It is
compatible only with Windows Vista and later.
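An added audit script (not from this chapter) that lists the main-mode and quick-mode crypto sets on a Windows 8 or Windows Server 2012 host and flags any proposal that still allows an algorithm this chapter marks as backward-compatibility only: DH Group 1 here, and MD5 and DES in the data-integrity and data-encryption sections that follow. It assumes the NetSecurity module's Get-NetIPsecMainModeCryptoSet and Get-NetIPsecQuickModeCryptoSet cmdlets and the Proposal property they expose; run it in an elevated PowerShell session.

```powershell
# Added audit example (not from the chapter). Assumes the NetSecurity module
# (Windows 8 / Windows Server 2012) and its Proposal property on crypto sets.
$weakKeyExchange = @("DH1")   # DH Group 1: backward compatibility only
$weakHash        = @("MD5")   # MD5: backward compatibility only
$weakEncryption  = @("DES")   # DES: backward compatibility only

function Test-IPsecCryptoSets {
    $findings = @()

    # Main mode (phase 1) proposals carry key exchange, hash and encryption.
    foreach ($set in Get-NetIPsecMainModeCryptoSet -All) {
        foreach ($p in $set.Proposal) {
            if ($weakKeyExchange -contains "$($p.KeyExchange)") {
                $findings += "Main mode set '$($set.DisplayName)': key exchange $($p.KeyExchange)"
            }
            if ($weakHash -contains "$($p.Hash)") {
                $findings += "Main mode set '$($set.DisplayName)': hash $($p.Hash)"
            }
            if ($weakEncryption -contains "$($p.Encryption)") {
                $findings += "Main mode set '$($set.DisplayName)': encryption $($p.Encryption)"
            }
        }
    }

    # Quick mode (phase 2) proposals carry AH/ESP integrity and ESP encryption.
    foreach ($set in Get-NetIPsecQuickModeCryptoSet -All) {
        foreach ($p in $set.Proposal) {
            if ($weakHash -contains "$($p.AHHash)" -or $weakHash -contains "$($p.ESPHash)") {
                $findings += "Quick mode set '$($set.DisplayName)': integrity AH=$($p.AHHash) ESP=$($p.ESPHash)"
            }
            if ($weakEncryption -contains "$($p.Encryption)") {
                $findings += "Quick mode set '$($set.DisplayName)': encryption $($p.Encryption)"
            }
        }
    }
    return $findings
}

$results = Test-IPsecCryptoSets
if ($results.Count -eq 0) {
    "No backward-compatibility-only algorithms found in IPsec crypto sets."
} else {
    $results
}
```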
In reference to IPsec, an authentication
method refers to a process by which IPsec-enabled
computers verify their identity with each other before secure
communications can begin. A number of authentication methods are
supported for IPsec communications in Windows 8 and Windows Server
2012. The authentication methods available depend on whether they
are being used for first or second authentication.
The authentication methods available for first authentication
are as follows:
- Computer (Kerberos V5): This authentication method is compatible
with Windows 2000 or later.
- Computer (NTLMv2): This authentication method can be used on
networks that include systems running an earlier version of the
Windows operating system and on standalone systems.
- Computer certificate: The default signing algorithm for this
authentication method is RSA, but Elliptic Curve Digital Signature
Algorithm (ECDSA)-P256 and ECDSA-P384 are also supported signing
algorithms. You can also use an intermediate certificate authority
(CA) as a certificate store in addition to using a root CA, and
certificate-to-account mapping is also supported. Note that first
authentication can also be configured to accept only health
certificates when using a network access protection (NAP)
infrastructure.
- Pre-shared key: This authentication method is not recommended
except for test environments.
The authentication methods available for second authentication
are as follows:
- User (Kerberos V5): This authentication method is compatible with
Windows 2000 or later.
- User (NTLMv2): This authentication method can be used on networks
that include systems running an earlier version of the Windows
operating system and on standalone systems.
- User certificate: The default signing algorithm for this
authentication method is RSA, but ECDSA-P256 and ECDSA-P384 are also
supported signing algorithms. You can also use an intermediate CA as
a certificate store in addition to using a root CA, and
certificate-to-account mapping is also supported.
- Computer health certificate: The default signing algorithm for this
authentication method is RSA, but ECDSA-P256 and ECDSA-P384 are also
supported signing algorithms. You can also use an intermediate CA as
a certificate store in addition to using a root CA, and
certificate-to-account mapping is also supported.
Data-integrity algorithms
Data integrity ensures that the data exchanged between IPsec-enabled
computers has not been modified in transit between them. Data
integrity is accomplished by the use of message hashes, which are
used to digitally sign packets so that the computer receiving them
can be sure that the packets haven't been tampered with.
The data-integrity algorithms supported for IPsec communications
in Windows 8 and Windows Server 2012 are as follows:
- Message-Digest algorithm 5 (MD5): This algorithm is not recommended
and is provided for backward compatibility only.
- Secure Hash Algorithm 1 (SHA-1): This algorithm is stronger than
MD5 but uses more resources.
- SHA 256-bit (SHA-256): This algorithm can be used for main mode
only and is supported on Windows Vista SP1 and later.
- SHA-384: This algorithm can be used for main mode only and is
supported on Windows Vista SP1 and later.
- Advanced Encryption Standard-Galois Message Authentication Code
128 bit (AES-GMAC 128): This algorithm can be used for quick mode
only and is supported on Windows Vista SP1 and later. It is
equivalent to AES-GCM 128 for integrity.
- AES-GMAC 192: This algorithm can be used for quick mode only and is
supported on Windows Vista SP1 and later. It is equivalent to
AES-GCM 192 for integrity.
- AES-GMAC 256: This algorithm can be used for quick mode only and is
supported on Windows Vista SP1 and later. It is equivalent to
AES-GCM 256 for integrity.
- AES-GCM 128: This algorithm can be used for quick mode only and is
supported on Windows Vista SP1 and later. It is equivalent to
AES-GMAC 128 for integrity.
- AES-GCM 192: This algorithm can be used for quick mode only and is
supported on Windows Vista SP1 and later. It is equivalent to
AES-GMAC 192 for integrity.
- AES-GCM 256: This algorithm can be used for quick mode only and is
supported on Windows Vista SP1 and later. It is equivalent to
AES-GMAC 256 for integrity.
Data-encryption algorithms
Data encryption ensures that data exchanged between IPsec-enabled
computers is protected from viewing. IPsec can regenerate encryption
keys periodically so that if one key is exposed, only the data
protected by that key, rather than the entire session, is
compromised.
The data-encryption algorithms supported for IPsec communications
in Windows 8 and Windows Server 2012 are as follows:
- Data Encryption Standard (DES): This algorithm is not recommended
and is provided for backward compatibility only.
- Triple-DES (3DES): This algorithm is more secure than DES but has
higher resource usage.
- Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC
128): This algorithm is faster and stronger than DES. It is
supported on Windows Vista and later.
- AES-CBC 192: This algorithm is stronger than AES-CBC 128 and has
medium resource usage. It is supported on Windows Vista and later.
- AES-CBC 256: This algorithm has the strongest security but also the
highest resource usage. It is supported on Windows Vista and later.
- AES-GCM 128: This algorithm can be used for quick mode only. It is
faster and stronger than DES and is supported on Windows Vista and
later. Note that AES-GCM 128 must be specified for both data
integrity and encryption if this algorithm is used.
- AES-GCM 192: This algorithm can be used for quick mode only. It has
medium resource usage and is supported on Windows Vista and later.
Note that AES-GCM 192 must be specified for both data integrity and
encryption if this algorithm is used.
- AES-GCM 256: This algorithm can be used for quick mode only and is
faster and stronger than DES. It is supported on Windows Vista and
later. Note that AES-GCM 256 must be specified for both data
integrity and encryption if this algorithm is used.
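The following added example (not from this chapter) pulls the concepts above together in one connection security rule built with the NetSecurity cmdlets that ship with Windows 8 and Windows Server 2012: a main-mode crypto set using DH Group 14, SHA-256 and AES-CBC 256; Kerberos V5 for first (computer) and second (user) authentication; and a quick-mode crypto set using ESP with AES-GCM 256 selected for both integrity and encryption, as the list above requires. The display names and the 10.0.50.0/24 server subnet are constructed placeholders; run it in an elevated PowerShell session on a domain-joined machine.

```powershell
# Added example (not from the chapter). Placeholder subnet and display names.
$serverSubnet = "10.0.50.0/24"   # constructed placeholder for the peers to protect

# Main mode (phase 1): key exchange DH Group 14, SHA-256 integrity, AES-256 encryption.
# SHA-256 is a main-mode-only integrity algorithm in this release.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "MM AES256 SHA256 DH14" -Proposal $mmProposal

# First authentication: Computer (Kerberos V5). Second authentication: User (Kerberos V5).
$p1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos" `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
$p2 = New-NetIPsecPhase2AuthSet -DisplayName "User Kerberos" `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

# Quick mode (phase 2): ESP with AES-GCM 256. AES-GCM must be chosen for BOTH the
# integrity (-ESPHash) and the encryption (-Encryption) side of the proposal.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
        -ESPHash AESGCM256 -Encryption AESGCM256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "QM ESP AES-GCM256" -Proposal $qmProposal

# Main mode rule: binds the phase-1 crypto set and first authentication to the peer range.
New-NetIPsecMainModeRule -DisplayName "MM rule for server subnet" -RemoteAddress $serverSubnet `
        -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $p1.Name

# Connection security rule: authentication is required in both directions, so no
# data is exchanged with the subnet until both phases have completed.
New-NetIPsecRule -DisplayName "Require IPsec to server subnet" -RemoteAddress $serverSubnet `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name -QuickModeCryptoSet $qmSet.Name

# Verification after traffic flows: one main-mode SA per peer, and quick-mode SAs in
# pairs, because each SA covers only one direction of the session.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

If the peer does not agree on the main-mode crypto set or the authentication method, no SA appears and the Require settings block the traffic, which is the expected failure mode for a rule of this kind.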