• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Microsoft IPSec Articles
• Understanding IPSec
• Configuring and Managing IPSEC
• IPSec Policies
• IPSec Security Consideration
• Monitor IPSEC
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Understanding IPSec

IPSec Overview

IPSec is a suite of protocols which was designed by Internet Engineering Task Force (IETF) to protect data by signing and encrypting data before it is transmitted over public networks. The IETF Request for Comments (RFCs) 2401-2409 defines the IPSec protocols with regard to security protocols, security associations and key management, and authentication and encryption algorithms. IPSec is a framework of open standards for encrypting TCP/IP traffic within networking environments. IPSec works by encrypting the information contained in IP datagrams through encapsulating. This in turn provides network level data integrity, data confidentiality, data origin authentication, and replay protection.

The primary features of IPSec are:

• Authentication; protects the private network and the private data it contains. IPSec secures private data from man-in-the-middle attacks, from attackers attempting to access the network, and from an attacker changing the contents of data packets.
• Encryption; conceals the actual content of data packets so that it cannot be interpreted by unauthorized parties.

IPSec can be used to provide packet filtering capabilities. It can also authenticate traffic between two hosts and encrypt traffic passed between the hosts. IPSec can be used to create a virtual private network (VPN). IPSec can also be used to enable communication between remote offices and remote access clients over the Internet.

IPSec operates at the network layer to provide end-to-end encryption. This basically means that data is encrypted at the source computer sending the data. All intermediate systems handle the encrypted portion of the packets as payload. Intermediate systems such as routers merely forward the packet to its end destination. Intermediate systems do not decrypt the encrypted data. The encrypted data is only decrypted when it reaches the destination.

IPSec interfaces with the TCP/UDP transport layer and the Internet layer, and is applied transparently to applications. IPSec is transparent to users as well. This basically means that IPSec can provide security for most of the protocols within the TCP/IP protocol suite. When it comes to applications, all applications that use TCP/IP can enjoy the security features of IPSec. You do not have to configure security for each specific TCP/IP based application. By using rules and filters, IPSec can receive network traffic and select the required security protocols, determine which algorithms to use, and can apply cryptographic keys required by any of the services.

The security features and capabilities of IPSec can be used to secure the private network and private confidential data from the following

• Denial-of-service (Dos) attacks
• Data pilfering.
• Data corruption.
• Theft of user credentials

In Windows Server 2003, IPSec uses the Authentication Header (AH) protocol and Encapsulating Security Payload (ESP) protocol to provide data security on:

• Client computers
• Domain servers
• Corporate workgroups
• Local area networks (LANs)
• Wide area networks (WANs)
• Remote offices

The security functions and features provided by IPSec are summarized below:

• Authentication; a digital signature is used to verify the identity of the sender of the information. IPSec can use Kerberos, a preshared key, or digital certificates for authentication.
• Data integrity; a hash algorithm is used to ensure that data is not tampered with. A checksum called a hash message authentication code (HMAC) is calculated for the data of the packet. When a packet is modified while in transit, the calculated HMAC changes. This change will be detected by the receiving computer.
• Data privacy; encryption algorithms are utilized to ensure that data being transmitted is undecipherable.
• Anti-replay; prevents an attacker from resending packets in an attempt to gain access to the private network.
• Nonrepudiation; public key digital signatures are used to prove message origin.
• Dynamic rekeying; keys can be created during data sending to protect segments of the communication with different keys.
• Key generation; the Diffie-Hellman key agreement algorithm is used to enable two computers to exchange a shared encryption key.
• IP Packet filtering; the packet filtering capability of IPSec can be used to filter and block specific types of traffic, based on either of the following elements or on a combination of them:
• IP addresses
• Protocols
• Ports

What New in Windows Server 2003 IPSec

A few new IPSec features have been included in Windows Server 2003, together with enhancements to some IPSec features which existed in previous Windows operating systems:

• Windows Server 2003 includes the new IP Security Monitor tool which is implemented as an MMC snap-in. The IP Security Monitor tool provides enhanced IPSec security monitoring. With the IP Security Monitor tool, you can perform the following administrative activities:
• Customize the IP Security Monitor display
• Monitor IPSec information on the local computer.
• Monitor IPSec information on remote computers.
• View IPSec statistics.
• View information on IPSec policies
• View security associations information.
• View generic filters
• View specific filters
• Search for specific filters based on IP address
• You can configure IPSec using the Netsh command-line utility. The netsh command-line utility replaces the previously used Ipsecpol.exe command-line utility.
• IPSec supports the new Resultant Set of Policy (RSoP) feature of Windows Server 2003. The Resultant Set of Policies (RSoP) calculator can be used to determine the policies which have been applied to a particular user or computer. Resultant Set of Policy (RSoP) sums all group policies which are applied to a user and computer in a domain. This includes all filters and exceptions. You can use the feature through the Resultant Set Of Policy (RSoP) Wizard or from the command-line to view the IPSec policy that is applied.
• IPSec integration with Active Directory enables you to centrally manage security policies.
• Kerberos 5 authentication is the default authentication method used by IPSec policies to verify the identity of computers.
• IPSec is backward compatible with the Windows 2000 Security Framework.
• If a local policy or Active Directory based policy cannot be applied to a computer, you now have the option of creating a persistent policy for the specific computer. The characteristics of persistent policies are:
• Persistent policies can only be configured through the Netsh command-line utility.
• Persistent policies are always positive.
• Persistent policies cannot be overridden.
• In Windows Server 2003 IPSec deployments, only Internet Key Exchange (IKE) traffic is exempt from IPSec. Previously, Resource Reservation Protocol (RSVP) traffic, Kerberos traffic, and IKE traffic was exempt from IPSec.
• IPSec in Windows Server 2003 includes support for the Group 3 2048-bit Diffie-Hellman key exchange. The Group 3 key is much stronger and more complex than the previous Group 2 1024-bit Diffie-Hellman key exchange. If however you need backward compatibility with Windows 2000 and Windows XP, then you have to use the Group 2 1024-bit Diffie-Hellman key exchange.
• IPSec ESP packets can pass over Network Address Translation (NAT) through User Datagram Protocol-Encapsulating Security Payload (UDP-ESP) encapsulation in Windows Server 2003 IPSec deployments.

Understanding IPSec Terminology

This section of the Article lists the commonly used IPSec terminology and concepts:

• Authentication Header (AH): This is one of the main security protocols used by IPSec. AH provides data authentication and integrity, and can therefore be used on its own when data integrity and authentication are relevant factors and confidentiality is not. This is because AH does not provide for encryption, and therefore cannot provide data confidentiality. Authentication Header (AH) and Encapsulating Security Payload (ESP) are the main security protocols used in IPSec. These security protocols and can be used separately, or together.
• Encapsulating Security Payload (ESP): This is one of the main security protocols used by IPSec. ESP ensures data confidentiality through encryption, data integrity, data authentication, and other features that support optional anti-replay services. To ensure data confidentiality, a number of symmetric encryption algorithms are used.
• Certificate Authorities (CAs): This is an entity that generates and validates digital certificates. The CA adds its own signature to the public key of the client. CAs issue and revoke digital certificates.
• Diffie-Hellman groups: Diffie-Hellman Key Agreement enables two computers to create a shared private key that authenticates data and encrypts an IP datagram. The different Diffie-Hellman groups are listed here:
• Group 1; provides 768-bit key strength
• Group 2; provides 1024-bit key strength
• Group 3; provides 2048-bit key strength
• Internet Key Exchange (IKE): The IKE protocol is used by computers to create a security association (SA) and to exchange information to generate Diffie-Hellman keys. IKE manages and exchanges cryptographic keys so that computers can have a common set of security settings. Negotiation occurs on which authentication method, and encryption algorithm and hashing algorithm the computers will use.
• IPSec Driver: The IPSec driver performs a number of operations to enable secure network communication, including the following:
• Creates IPSec packets
• Generates checksums.
• Initiates the IKE communication
• Adds the AH and ESP headers
• Encrypts data before it is transmitted.
• Calculates hashes and checksums for incoming packets.
• IPSec Policies: IPSec policies define when and how data should be secured, and defines which security methods to use for securing data. IPSec policies contain a number of elements:
• Actions.
• Rules
• Filter lists
• Filter actions.
• IPSec Policy Agent: This is a service running on a computer running Windows Server 2003 that accesses IPSec policy information. The IPSec Policy Agent accesses the IPSec policy information in either the Windows registry or in Active Directory.
• Oakley key determination protocol: The Diffie-Hellman algorithm is used for two authenticated entities to negotiate and be in agreement on a secret key.
• Security Association (SA): A SA is a relationship between devices that define how they use security services and settings.
• Triple Data Encryption (3DES): This is a strong encryption algorithm used on client machines running Windows, and on Windows Server 2003 computers. 3DES uses 56-bit keys for encryption.

Understanding How IPSec Works

A security association (SA) has to first be established between two computers before data can be securely passed between the computers. A Security Association (SA) is a relationship between devices that define how they use security services and settings. The SA provides the information necessary for two computers to communicate securely. Internet Security Association and Key Management Protocol (ISAKMP) and the IKE protocol are the mechanism that enables two computers to establish security associations. When an SA is established between two computers, the computers negotiate on which security settings to utilize to secure data. A security key is exchanged and used to enable the computers to communicate securely.

The security association (SA) contains the following:

• The policy agreement which dictates which algorithms and key lengths the two computers will use to secure data.
• The security keys used to secure data communication.
• The security parameters index (SPI).

With IPSec, two separate SAs are established for each direction of data communication:

• One SA secures inbound traffic.
• One SA secures outbound traffic.

In addition to the above, there is a unique SA for each IPSec security protocol. There are therefore basically two types of SAs:

• ISAKMP SA: When traffic flow is two directional and IPSec needs to establish a connection between computers, an ISAKMP SA is established. The ISAKMP SA defines and handles security parameters between the two computers. The two computers agree on a number of elements to establish the ISAKMP SA:
• Determine which connections should be authenticated.
• Determine the encryption algorithm to use.
• Determine the algorithm to verify message integrity.

After the above elements have been negotiated between the two computers, the computers use the Oakley protocol to agree on the ISAKMP master key. This is the shared master key which will be used with the above elements to enable secure data communication.

After a secured communication channel is established between the two computers, the computers start to negotiate the following elements:

• Determine whether the Authentication Header (AH) IPSec protocol should be used for the connection.
• Determine the authentication protocol which should be used with the AH protocol for the connection.
• Determine whether the Encapsulating Security Payload (ESP) IPSec protocol should be used for the connection.
• Determine the encryption algorithm which should be used with the ESP protocol for the connection.
• IPSec SA: IPSec SAs pertain to the IPSec tunnel and IP packet, and define security parameters to use during a connection. The IPSec SA is derived from the above four elements just negotiated between the two computers.

To secure and protect data, IPSec uses cryptography to provide the following capabilities:

• Authentication: Authentication deals with verifying the identity of the computer sending the data, or the identity of the computer receiving the data. The methods which IPSec can use to authenticate the sender or receiver of data are:
• Digital certificates: Provides the most secure means of authenticating identities. Certificate authorities (CAs) such as Netscape, Entrust, VeriSign, and Microsoft provide certificates which can be used for authentication purposes.
• Kerberos authentication: A downside of using the Kerberos v5 authentication protocol is that the identity of the computer remains unencrypted up to the point that the whole payload is encrypted at authentication.
• Pre-shared keys; should be used when none of the former authentication methods can be used.

Anti-replay ensures that the authentication data cannot be interpreted as it is sent over the network. In addition to authentication, IPSec can provide nonrepudiation. With nonrepudiation, the sender of the data cannot at a later stage deny actually sending the data.

• Data integrity: Data integrity deals with ensuring that the data received at the recipient has not been tampered with. A hashing algorithm is used to ensure that the data is not modified as it is passed over the network. The hashing algorithms which can be used by IPSec are:
• Message Digest (MD5); a one-way hash that results in a 128-bit hash which is used for integrity checking.
• Secure Hash Algorithm 1 (SHA1); a 160-bit secret key to generate a 160-bit message digest which provides more security than MD5.
• Data confidentiality: IPSec ensures data confidentiality by applying encryption algorithms to data before it is sent over the network. If the data is intercepted, encryption ensures that the intruder cannot interpret the data. To ensure data confidentiality, IPSec can use either of the following encryption algorithms:
• Data Encryption Standard (DES); the default encryption algorithm used in Windows Server 2003 which uses 56-bit encryption.
• Triple DEC (3DES); data is encrypted with one key, decrypted with another key, and encrypted again with a different key.
• 40-bit DES; the least secure encryption algorithm.

Understanding the IPSec Modes

IPSec can operate in one of the following modes:

• Tunnel mode: IPSec tunnel mode can be used to provide security for WAN and VPN connections that use the Internet as the connection medium. In tunnel mode, IPSec encrypts the IP header and the IP payload. With tunneling, the data contained in a packet is encapsulated inside an additional packet. The new packet is then sent over the network.

Tunnel mode is typically used for the following configurations:

• Server to server
• Server to gateway
• Gateway to gateway

The process of communication that occurs when tunnel mode is defined as the IPSec mode is detailed below:

1. Data is transmitted using unprotected IP datagrams from a computer on the private network.
2. When the packets arrive at the router, the router encapsulates the packet using IPSec security protocols.
3. The router then forwards the packet to the router at the other end of the connection.
4. This router checks the integrity of the packet.
5. The packet is decrypted.
6. The data of the packet is then added to unprotected IP datagrams and sent to the destination computer on the private network.
• Transport Mode: This is the default mode of operation used by IPSec in which only the IP payload is encrypted through the AH protocol or ESP protocol. Transport mode is used for end-to-end communication security between two computers on the network.

IPSec Components

The primary two components installed when IPSec is deployed are:

• IPSec Policy Agent: This is a service running on a computer running Windows Server 2003 that accesses IPSec policy information. The IPSec Policy Agent accesses the IPSec policy information in either the Windows registry or in Active Directory. The main functions which the IPSec Policy Agent provides are listed below:
• The IPSec Policy Agent passes information to the IPSec driver.
• The IPSec Policy Agent accesses IPSec policy information from the local Windows registry when the computer does not belong to a domain.
• The IPSec Policy Agent accesses IPSec policy information from the Active Directory when the computer is a member of a domain.
• The IPSec Policy Agent scans IPSec policies for any configuration changes.
• IPSec driver: The IPSec driver performs a number of operations to enable secure network communication, including the following:
• Creates IPSec packets
• Generates checksums.
• Initiates the IKE communication
• Adds the AH and ESP headers
• Encrypts data before it is transmitted.
• Calculates hashes and checksums for incoming packets

Understanding the IPSec Protocols

As mentioned previously, the main IPSec security protocols are the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. There are other IPSec protocols such as ISAKMP, IKE, and Oakley that use the Diffie-Hellman algorithm.

Authentication Header (AH) Protocol

The AH protocol provides the following security services to secure data:

• Authentication
• Anti-replay
• Data integrity

The AH protocol ensures that data is not modified as it moves over the network. It also ensures that the data originated from the sender.

The AH protocol does not though provide data confidentiality because it does not encrypt the data contained in the IP packets. This basically means, that if the AH protocol is used by itself; intruders that are able to capture data would be able to read the data. They would not though be able to change the data. The AH protocol can be used in combination with the ESP protocol if you need to ensure data confidentiality as well.

The communication process which occurs when the AH protocol is used is shown here:

1. One computer transmits data to another computer.
2. The IP header, AH header, and the data itself is signed to ensure data integrity.
3. The AH header is inserted between the IP header and IP payload to provide authentication and integrity.

The fields within a AH header, together with the role performed by each field is listed here:

• Next Header; used to specify the type of IP payload through the IP protocol ID that exists after this AH header.
• Length; indicates the length of the AH header.
• Security Parameters Index (SPI); indicates the correct security association for the communication through a combination of the following:
• IPSec security protocol.
• Destination IP address
• Sequence Number; used to provide IPSec anti-replay protection for the communication. The sequence number commences at 1, and is incremented by 1 in each ensuing packet. Packets that have the same sequence number and security association are discarded.
• Authentication Data; holds the integrity check value (ICV) calculated by the sending computer to provide data integrity and authentication. The receiving computer calculates the ICV over the IP header, AH header, and IP payload, and then compares the two ICV values.

Encapsulating Security Payload (ESP) protocol

The ESP protocol provides the following security services to secure data:

• Authentication
• Anti-replay
• Data integrity
• Data confidentiality

The primary difference between the AH protocol and the ESP protocol is that the ESP protocol provides all the security services provided by the AH protocol, together with data confidentiality through encryption. ESP can be used on its own, and it can be used together with the AH protocol. In transport mode, the ESP protocol only signs and protects the IP payload. The IP header is not protected. If the ESP protocol is used together with the AH protocol, then the entire packet is signed.

ESP inserts an ESP header and ESP trailer, which basically encloses the payload of the IP datagram. All data after the ESP header to the point of the ESP trailer, and the actual ESP trailer is encrypted.

The fields within an ESP header, together with the role performed by each field are listed here:

• Security Parameters Index (SPI); indicates the correct security association for the communication through a combination of the following:
• IPSec security protocol.
• Destination IP address
• Sequence Number; used to provide IPSec anti-replay protection for the communication. The sequence number commences at 1, and is incremented by 1 in each ensuing packet. Packets that have the same sequence number and security association are discarded.

The fields within an ESP trailer, together with the role performed by each field are listed here:

• Padding; required by the encryption algorithm to ensure that byte boundaries are present.
• Padding Length; indicates the length (bytes) of the padding which was used in the Padding field.
• Next Header; used to specify the type of IP payload through the IP protocol ID.
• Authentication Data; holds the integrity check value (ICV) calculated by the sending computer to provide data integrity and authentication. The receiving computer calculates the ICV over the IP header, AH header, and IP payload, and then compares the two ICV values.

Understanding IPSec Security Filters, Security Methods, and Security Policies

Security filters basically match security protocols to a specific network address. IPSec filters can be used to filter out unauthorized traffic. The filter contains the following information:

• Source and destination IP address
• Protocol used
• Source and destination ports

Each IP address contains a network ID portion and a host ID portion. Through security filters, you can filter traffic according to the following:

• Traffic allowed to pass through
• Traffic to secure
• Traffic to block

Security filters can be grouped into a filter list. There is no limit to the number of filters which can be included in a filter list. IPSec policies uses IP filters to ascertain whether an IP security rule should be used in a packet.

You can use a security method to specify the manner in which an IPSec policy should deal with traffic matching an IP filter. Security methods are also referred to as filter actions. The filter actions result in either of the following events:

• Drops traffic
• Allows Traffic
• Negotiates security.

To apply security in your network, IPSec policies are used. The IPSec policies define when and how data should be secured. The IPSec policies also determine which security methods to use when securing data at the different levels in your network. You can configure IPSec policies so that different types of traffic are affected by each individual policy.

IPSec policies can be applied at the following levels within a network:

• Active Directory domain
• Active Directory site
• Active Directory organizational unit
• Computers
• Applications

The different components of an IPSec policy are listed here:

• IP filter; informs the IPSec driver on the type of inbound traffic and outbound traffic which should be secured.
• IP filter list; used to group multiple IP filters into a single list in order to isolate a specific set of network traffic.
• Filter action; used to define how the IPSec driver should secure traffic.
• Security method; refers to security types and algorithms used for the key exchange process and for authentication.
• Connection type: identifies the type of connection which the IPSec policy impacts.
• Tunnel setting; the tunnel endpoint's IP address/DNS name.
• Rule; a grouping of the following components to secure a specific subset of traffic in a particular manner:
• IP filter
• Filter action.
• Security method
• Connection type
• Tunnel setting.

Bookmark Understanding IPSec

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum