Logo
programming4us
programming4us
programming4us
programming4us
 Home
programming4us
 XP
programming4us
 Windows Vista
programming4us
 Windows 7
programming4us
 Windows Azure
programming4us
 Windows Server
programming4us
 Windows Phone
 
Windows Server

Windows Server 2012 : Configuring IPsec (part 1) - Understanding connection security

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
10/20/2014 9:13:09 PM

Understanding connection security

IPsec can be implemented using Windows Firewall with Advanced Security by creating and configuring connection security rules. A connection security rule is a set of criteria configured in Windows Firewall with Advanced Security that specifies how IPsec will be used to secure traffic between the local computer and other computers on the network. Connection security rules can be used to specify whether a network connection between two computers must first be authenticated before data can be exchanged between them. Connection security rules can also be used to make sure any data exchanged between the computers is encrypted to protect against eavesdropping or modification.

To understand how connection security can be implemented using IPsec, you first need to understand the following IPsec concepts:

  • Encapsulation

  • IPsec protocols

  • Security associations

  • Key-exchange algorithms

  • Authentication methods

  • Data-integrity algorithms

  • Data-encryption algorithms

The sections that follow go into more detail about these concepts as they apply to Windows Server 2012 and Windows 8.

Note

Encapsulation

IPsec protects data sent over an unsecure network by encapsulating a payload of network packets. This can be done in two ways:

  • Transport mode The payload is encapsulated with an IPsec header.

  • Tunnel mode The payload is encapsulated with an additional IP header.

IPsec protocols

IPsec supports two protocols for encrypting the payload of packets, encapsulating the payload of packets, or both:

  • Authentication Header (AH) This mechanism provides data-origin authentication, data integrity, and anti-replay protection for the entire packet (both the IP header and the data payload carried in the packet), except for the fields in the IP header that are allowed to change in transit. It does not provide data confidentiality, which means that it does not encrypt the data. The data is readable but protected from modification.

  • Encapsulating Security Protocol (ESP) This mechanism provides data-origin authentication, data integrity, anti-replay protection, and the option of confidentiality for the IP payload only. ESP in transport mode does not protect the entire packet with a cryptographic checksum, and the IP header is not protected.

Security associations

A security association (SA) is a mutually agreed-upon collection of cryptographic keys and policies that one IPsec-enabled computer uses for secure unicast communications with another IPsec-enabled computer. An SA can be thought of as a kind of contract that specifies how the computers will use IPsec to securely exchange information between them.

To establish an SA between them, the computers can use one of the following IPsec protocols:

  • Internet Key Exchange (IKE) This mechanism is defined in RFC 2409 and combines the Internet Security Association and Key Management Protocol (ISAKMP) of RFC 2408 with the Oakley Key Determination Protocol (Oakley) of RFC 2412.IKE is supported on computers that are running Windows 2000 or later.

  • Authenticated IP (AuthIP) This mechanism is a Microsoft proprietary extension of IKE that provides improved negotiation of authentication methods and supports additional authentication methods not included in IKE. AuthIP is supported on computers running Windows Vista, Windows Server 2008, or later.

When two computers negotiate to establish IPsec communications between them, key exchange is performed during two phases:

  • Main mode This phase of IPsec negotiation is performed first and is used to generate a shared master key that the computers can use to securely exchange keying information.

  • Quick mode This phase of IPsec negotiation uses the master key from main mode to generate one or more session keys that can be used to ensure data integrity and encryption.

Because each SA defines only one-way communications, an IPsec session requires two SAs.

Note

REAL WORLD Making VPN connections more reliable

Support for Internet Key Exchange version 2 (IKEv2), a virtual private networking (VPN) tunneling protocol described in RFC 4306, was first introduced in Windows 7 and Windows Server 2008 R2. Beginning with Windows Server 2012, IKEv2 now supports additional scenarios, including IPsec end-to-end, transport-mode connections and support for Suite B (RFC 4869) requirements. From a practical standpoint, this improvement means that a Windows Server 2012 VPN server now allows a security association to remain unchanged despite changes in the underlying connection.

Key-exchange algorithms

In cryptographic systems, keys are used to encrypt and decrypt communications between different entities. To send and receive encrypted traffic over a network, IPsec-enabled computers must have access to the same shared session key. The key must first be securely exchanged between the computers. This sharing of keys is accomplished through a process called key exchange.

The key-exchange algorithms supported for IPsec communications in Windows 8 and Windows Server 2012 are as follows:

  • Diffie-Hellman Group 1 (DH Group 1) This algorithm is not recommended and is provided for backward compatibility only.

  • DH Group 2 This algorithm is stronger than DH Group 1.

  • DH Group 14 This algorithm is stronger than DH Group 2.

  • DH Group 24 This algorithm is new in Windows Server 2012 and is stronger than DH Group 14.

  • Elliptic Curve Diffie-Hellman P-256 This algorithm is stronger than DH Group 2. It has medium resource usage and is compatible only with Windows Vista and later.

  • Elliptic Curve Diffie-Hellman P-384 This algorithm has the strongest security but also the highest resource usage. It is compatible only with Windows Vista and later.

Authentication methods

In reference to IPsec, an authentication method refers to a process by which IPsec-enabled computers verify their identity with each other before secure communications can begin. A number of authentication methods are supported for IPsec communications in Windows 8 and Windows Server 2012. The authentication methods available depend on whether they are being used for first or second authentication.

The authentication methods available for first authentication are as follows:

  • Computer (Kerberos V5) This authentication method is compatible with Windows 2000 or later.

  • Computer (NTLMv2) This authentication method can be used on networks that include systems running an earlier version of the Windows operating system and on standalone systems.

  • Computer certificate The default signing algorithm for this authentication method is RSA, but Elliptic Curve Digital Signature Algorithm (ECDSA)–P256 and ECDSA-P384 are also supported signing algorithms. You can also use an intermediate certificate authority (CA) as a certificate store in addition to using a root CA, and certificate-to-account mapping is also supported. Note that first authentication can also be configured to accept only health certificates when using a network access protection (NAP) infrastructure.

  • Pre-shared key This authentication method is not recommended except for test environments.

The authentication methods available for second authentication are as follows:

  • User (Kerberos V5) This authentication method is compatible with Windows 2000 or later.

  • User (NTLMv2) This authentication method can be used on networks that include systems running an earlier version of the Windows operating system and on standalone systems.

  • User certificate The default signing algorithm for this authentication method is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. You can also use an intermediate CA as a certificate store in addition to using a root CA, and certificate-to-account mapping is also supported.

  • Computer health certificate The default signing algorithm for this authentication method is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. You can also use an intermediate CA as a certificate store in addition to using a root CA, and certificate-to-account mapping is also supported.

Data-integrity algorithms

Data integrity ensures that the data exchanged between IPsec-enabled computers has not been modified in transit between them. Data integrity is accomplished by the uses of message hashes, which are used to digitally sign packets so that the computer receiving them can be sure that the packets haven’t been tampered with.

The data-integrity algorithms supported for IPsec communications in Windows 8 and Windows Server 2012 are as follows:

  • Message-Digest algorithm 5 (MD5) This algorithm is not recommended and is provided for backward compatibility only.

  • Secure Hash Algorithm 1 (SHA-1) This algorithm is stronger than MD5 but uses more resources.

  • SHA 256-bit (SHA-256) This algorithm can be used for main mode only and is supported on Windows Vista SP1 and later.

  • SHA-384 This algorithm can be used for main mode only and is supported on Windows Vista SP1 and later.

  • Advanced Encryption Standard-Galois Message Authentication Code 128 bit (AES-GMAC 128) This algorithm can be used for quick mode only and is supported on Windows Vista SP1 and later. It is equivalent to AES-GCM 128 for integrity.

  • AES-GMAC 192 This algorithm can be used for quick mode only and is supported on Windows Vista SP1 and later. It is equivalent to AES-GCM 192 for integrity.

  • AES-GMAC 256 This algorithm can be used for quick mode only and is supported on Windows Vista SP1 and later. It is equivalent to AES-GCM 256 for integrity.

  • AES-GCM 128 This algorithm can be used for quick mode only and is supported on Windows Vista SP1 and later. It is equivalent to AES-GMAC 128 for integrity.

  • AES-GCM 192 This algorithm can be used for quick mode only and is supported on Windows Vista SP1 and later. It is equivalent to AES-GMAC 192 for integrity.

  • AES-GCM 256 This algorithm can be used for quick mode only and is supported on Windows Vista SP1 and later. It is equivalent to AES-GMAC 256 for integrity.

Data-encryption algorithms

Data encryption ensures that data exchanged between IPsec-enabled computers is protected from viewing. IPsec can regenerate encryption keys so that if one key is exposed, the entire data is not compromised.

The data-encryption algorithms supported for IPsec communications in Windows 8 and Windows Server 2012 are as follows:

  • Data Encryption Standard (DES) This algorithm is not recommended and is provided for backward compatibility only.

  • Triple-DES (3DES) This algorithm is more secure than DES but has higher resource usage.

  • Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC 128) This algorithm is faster and stronger than DES. It is supported on Windows Vista and later.

  • AES-CBC 192 This algorithm is stronger than AES-CBC 128 and has medium resource usage. It is supported on Windows Vista and later.

  • AES-CBC 256 This algorithm has the strongest security but also the highest resource usage. It is supported on Windows Vista and later.

  • AES-GCM 128 This algorithm can be used for quick mode only. It is faster and stronger than DES and is supported on Windows Vista and later. Note that AES-GCM 128 must be specified for both data integrity and encryption if this algorithm is used.

  • AES-GCM 192 This algorithm can be used for quick mode only. It has medium resource usage and is supported on Windows Vista and later. Note that AES-GCM 192 must be specified for both data integrity and encryption if this algorithm is used.

  • AES-GCM 256 This algorithm can be used for quick mode only and is faster and stronger than DES. It is supported on Windows Vista and later.Note that AES-GCM 256 must be specified for both data integrity and encryption if this algorithm is used.
Other -----------------
- Microsoft Lync Server 2013 : Director Troubleshooting (part 3) - Synthetic Transactions,Telnet
- Microsoft Lync Server 2013 : Director Troubleshooting (part 2) - DNS Records, Logs
- Microsoft Lync Server 2013 : Director Troubleshooting (part 1) - Redirects, Certificates
- Microsoft Lync Server 2013 : Administration of the Director Role (part 4) - Services Management, Client Version Filter
- Microsoft Lync Server 2013 : Administration of the Director Role (part 3) - Topology Status
- Microsoft Lync Server 2013 : Administration of the Director Role (part 2) - Ports,Firewall Rules
- Microsoft Lync Server 2013 : Administration of the Director Role (part 1) - Services
- Microsoft Lync Server 2013 : Configuring the Director (part 2) - Web Services Ports,Reverse Proxy
- Microsoft Lync Server 2013 : Configuring the Director (part 1) - SRV Records, Web Services FQDN Overrides
- Sharepoint 2013 : SharePoint Designer 2013 (part 2) - Locking Down SharePoint Designer
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
programming4us
 Natural Miscarriage
programming4us
 Windows Vista
programming4us
 Windows 7
programming4us
 Windows Azure
programming4us
 Windows Server
programming4us
 Game Trailer