bogdi19

Internet Protocol Security part 2

IPSec policies determine which IP traffic should be secured, which IP packets should not be secured, and what type of security should be applied to the packets. IPSec policies contain IPSec rules, and IPSec rules contain filter lists and filter actions.

There are three default IPSec policies in Windows Server 2003. Only one policy can be assigned to a computer at a time.

Client (Respond Only): The Client (Respond Only) IPSec policy allows the computer to attempt unsecured communication first and switch to secured communication if the peer requests it. This policy contains only the default response rule, which creates dynamic IPSec filters for inbound and outbound traffic based on the protocol and port of the communication being secured.

Server (Request Security): Systems configured with the Server (Request Security) IPSec policy request secure IP communication whenever possible but fall back to clear-text IP communication when the peer is not IPSec-aware or is not configured with a policy (such as Client (Respond Only)) that can answer the request.

Secure Server (Require Security): Systems configured with the Secure Server (Require Security) IPSec policy require secure communication. The filters for this policy require all communication with the system to be secured, with the exception of the initial inbound request, which is accepted unsecured so that negotiation can start. Non IPSec-aware devices, and devices that are not configured with a policy able to respond (such as Client (Respond Only)), will not be able to communicate with a device configured with the Secure Server (Require Security) IPSec policy.

The default policies can be viewed in the Group Policy editor. On a Windows 2003 domain controller, select Start > Programs > Administrative Tools > Domain Controller Security Policy.

windows-2003-default-ipsec-policies.jpg

In this lesson and following lessons you will learn how to configure Internet Protocol Security (IPSec) in a Windows 2003 network and how to secure Telnet traffic using Internet Protocol Security (IPSec).

Telnet is a network protocol, and the name is commonly used for the application that uses that protocol to connect to remote computers. A Telnet server listens on the well-known TCP port 23. The Telnet client is terminal emulator software used to gain access to a command-line interface on a remote machine. Everything in a Telnet session, including the username and password typed at login, crosses the network in clear text, which is why the traffic needs protection such as IPSec.

Securing Telnet Traffic using Internet Protocol Security (IPSec) - Scenario

You have four Windows 2003 servers, SERV03.omnisecu.com is a domain controller and SERV01.omnisecu.com, SERV02.omnisecu.com and SERV04.omnisecu.com are member servers.

securing-telnet-traffic-using-ipsec.gif

Figure 10: Scenario - Configure Internet Protocol Security in a Windows 2003 network.

You want to allow IPSec-secured Telnet traffic to your Windows 2003 domain controller SERV03.omnisecu.com only from SERV04.omnisecu.com, which is a Windows 2003 member server, and to block Telnet access to SERV03.omnisecu.com from all other servers.

You cannot use the default IPSec policies, because none of them blocks or secures Telnet traffic specifically.

Here we need to create a new Internet Protocol Security (IPSec) policy to permit secure Telnet access to the domain controller SERV03.omnisecu.com only from SERV04.omnisecu.com, and block Telnet traffic from all other servers.

In this lesson, you have learned an overview of Telnet and the scenario: four Windows 2003 servers, one domain controller and three member servers, where only secure Telnet traffic from the member server SERV04.omnisecu.com may reach the domain controller.

In the next lesson, you will learn how to create an Internet Protocol Security (IPSec) policy on the Windows 2003 domain controller (SERV03.omnisecu.com). Securing Telnet traffic from the member server (SERV04.omnisecu.com) and blocking Telnet traffic from all other servers using IPSec is covered in the lessons that follow.

Log in to the domain controller (SERV03.omnisecu.com) as Administrator and open the "Domain Controller Security Policy" MMC snap-in from "Administrative Tools" (Start > Programs > Administrative Tools > Domain Controller Security Policy). Right-click "IP Security Policies on Active Directory" and select "Create IP Security Policy" from the context menu. (Domain Controller Security Policy is selected because SERV03.omnisecu.com is a domain controller. Select the appropriate Group Policy object when you configure IPSec for a different situation.)

create-new-ipsec-policy.JPG

The "Welcome to the IP Security Policy Wizard" page will appear.

welcome-to-ipsec-policy-wizard.JPG

Click "Next" in IP Security Policy Wizard to continue.

ipsec-policy-name.JPG

Enter a meaningful name and description for the IPSec policy here and click "Next" in the IP Security Policy Wizard to continue.

ipsec-default-response-rule.JPG

On the "Requests for Secure Communications" page of the IP Security Policy Wizard, uncheck the "Activate the default response rule" checkbox. The policy will get explicit rules for Telnet in the following lessons, so the catch-all response rule is not wanted here.

The "Default Response Rule" is an IPSec rule that ensures the computer responds to requests for secure communication. If the active IPSec policy has no rule matching a peer that is requesting secure communication, the default response rule is applied to negotiate secure IPSec communication.

Click "Next" to continue.

completing-ipsec-policy-wizard.JPG

Uncheck the "Edit properties" checkbox (we will edit these settings later) and click "Finish" to complete the IP Security Policy Wizard.

secure-telnet-ipsec-policy.JPG

You can now see the new "Secure Telnet" Internet Protocol Security (IPSec) policy you have just created in the MMC snap-in.

You have learned how to create an Internet Protocol Security (IPSec) policy on a Windows 2003 domain controller. You will learn how to create an Internet Protocol Security (IPSec) policy rule in the next lesson.

In this lesson, you will learn how to create an Internet Protocol Security (IPSec) rule on a Windows 2003 server.

An Internet Protocol Security (IPSec) rule consists of an IP filter list, a filter action, authentication methods, a tunnel endpoint and a connection type. IPSec rules specify when and how the computer should use IPSec. Only one IPSec policy can be assigned at a time, but an IPSec policy can contain more than one IPSec rule.

Here we will create two rules: one rule will block all Telnet traffic from all computers to the domain controller SERV03.omnisecu.com, and the other will allow secure Telnet traffic from the member server SERV04.omnisecu.com. The two rules overlap on purpose. Windows IPSec does not apply rules in the order they are listed; the most specific matching filter wins, so the filter naming SERV04.omnisecu.com as the source takes precedence over the filter that matches any source.

To create a new Internet Protocol Security (IPSec) rule, right-click the new IPSec policy you have created and select "Properties" from the context menu.

select-ipsec-secure-telnet-policy-properties.JPG

The Properties box of the "Secure Telnet" Internet Protocol Security (IPSec) policy will appear, as shown below. Remember to uncheck the "Use Add Wizard" checkbox.

ipsec-secure-telnet-policy-properties.JPG

Click the "Add" button to create a new Internet Protocol Security (IPSec) rule. The "New Rule Properties" box will appear.

ipsec-new-rule-properties.JPG

There are five tabs in "New Rule Properties" box.

1) IP Filter Lists

2) Filter Action

3) Authentication Methods

4) Tunnel Setting

5) Connection Type

In this lesson you have started learning how to create an Internet Protocol Security (IPSec) rule. An IPSec rule contains IP filter lists and filter actions. In the next lesson you will learn how to create an IP filter list.
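The same "Secure Telnet" policy and its two rules can be built without the MMC wizard. The script below is an added example, not part of the original tutorial, and uses the netsh ipsec static context that ships with Windows Server 2003. Server names and port follow the scenario above; the ESP security method (3DES/SHA1), Kerberos as the authentication method, the filter-action flags and the use of the local policy store are assumptions made for the example. The tutorial edits the Domain Controller Security Policy GPO instead; netsh can target that store with "set store location=domain", but assignment there is done through Group Policy rather than with assign=yes.

```batch
@echo off
rem Added example (not from the original tutorial): build the "Secure Telnet"
rem IPSec policy on SERV03.omnisecu.com with netsh instead of the MMC wizard.
rem Run in an elevated cmd prompt on SERV03 as a domain administrator.

rem Local store so the result can be tested on SERV03 alone (assumption).
netsh ipsec static set store location=local

rem 1. Policy with the default response rule switched off, as in the wizard.
netsh ipsec static add policy name="Secure Telnet" ^
    description="Telnet to SERV03 only from SERV04, protected by IPSec" ^
    activatedefaultrule=no

rem 2. Rule A material: Telnet (TCP/23) to this host from any source -> block.
rem    mirrored=yes also covers the return packets.
netsh ipsec static add filterlist name="Telnet to DC"
netsh ipsec static add filter filterlist="Telnet to DC" ^
    srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes
netsh ipsec static add filteraction name="Block Telnet" action=block

rem 3. Rule B material: Telnet from SERV04 -> negotiate ESP, no clear-text fallback.
rem    A DNS name is resolved to addresses when the filter is stored, so the
rem    filter must be re-created if SERV04's IP address changes.
netsh ipsec static add filterlist name="Telnet from SERV04"
netsh ipsec static add filter filterlist="Telnet from SERV04" ^
    srcaddr=SERV04.omnisecu.com dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes
rem soft=no   : never fall back to unsecured traffic if negotiation fails
rem inpass=no : do not accept an unsecured inbound packet to start negotiation
rem (both are assumed hardening choices; the algorithms are assumptions too)
netsh ipsec static add filteraction name="Require ESP" action=negotiate ^
    qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. The two rules. The SERV04 filter is more specific than "any", so it
rem    wins over the block rule; rule order in the policy does not matter.
netsh ipsec static add rule name="Block all Telnet" policy="Secure Telnet" ^
    filterlist="Telnet to DC" filteraction="Block Telnet" kerberos=yes
netsh ipsec static add rule name="Secure Telnet from SERV04" policy="Secure Telnet" ^
    filterlist="Telnet from SERV04" filteraction="Require ESP" kerberos=yes

rem 5. Assign the policy (only one can be active) and review what was built.
netsh ipsec static set policy name="Secure Telnet" assign=yes
netsh ipsec static show policy name="Secure Telnet" level=verbose
```

To check the result, open a Telnet session from SERV04 to SERV03 and then run "netsh ipsec dynamic show qmsas" on SERV03: a quick-mode security association for TCP port 23 should be listed, and a packet capture on the wire shows ESP rather than readable Telnet. A Telnet attempt from SERV01 or SERV02 should time out, since their packets match only the block filter. If SERV04 is blocked too, the usual cause is that the DNS name did not resolve when the filter was stored; "netsh ipsec static show filterlist name="Telnet from SERV04" level=verbose" shows the addresses actually in the filter.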
