Introduction to IPSec

In this article I will talk about IPSec (Internet Protocol Security), a protection mechanism that enables Windows machines to secure network packets using encryption algorithms. IPSec can be used to protect network traffic within a VPN connection or between network devices. Note that this protection mechanism is not available only on Windows machines; it can be configured on different devices and different operating systems. IPSec provides two main functions: it encrypts data sent between two devices and it provides data authentication. Authentication means that data received by one device is not sent from a source that is not trusted. Internet Protocol Security verifies each time that the sending machine is trusted and ensures that data is not modified between source and destination. To ensure that packets are not subject to interception, IPSec checks each packet and verifies that it is unique and not a duplicate.
IPSec can be configured using:

Connection security rules (which generally negotiate authentication) – are an IPSec feature that provides a mechanism for analyzing network traffic and performing certain actions. Unlike IPSec Policies, connection security rules are less granular and do not offer the same level of flexibility, such as filtering based on ports and services. They are used to block/allow traffic sent to or received from certain servers, IP addresses or subnets. Such a rule will first try to authenticate the machines and, if this step is successfully completed, it will allow the flow. Connection security rules primarily offer authentication capabilities, but they can also be configured to provide encryption. These rules can be configured locally using Windows Firewall with Advanced Security or by using the Group Policy console. We will see in a future article how to configure Connection security rules.

IPSec Policies are configured using Group or Local Security Policy and generally negotiate authentication and encryption:
IPSec Policies
In an Active Directory domain, you can group multiple computers under a certain IPSec policy. When configuring a policy you must define one or more rules, which determine how traffic is protected against interception. An IPSec Policy rule is defined with an IP filter list and a filter action. An IP filter list can contain one or more IP filters. These filters are used to monitor network traffic by checking each network packet. Filters can be configured with hostnames, application ports (TCP and UDP), source and/or destination IP addresses, IP ranges or different server types like DNS, DHCP, etc. When traffic is analyzed, if a packet matches one IP filter, the associated action is triggered. In this situation a packet can either be permitted, blocked, or security can be negotiated for it.
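As an added example (not code from the article), here is how the policy, rule, IP filter list, IP filter and filter action structure just described maps onto the legacy `netsh ipsec static` context of a Windows machine; the policy and list names, the 10.0.1.0/24 subnet and TCP port 445 are constructed values for illustration.

```powershell
# Added example: build a local IPSec Policy with "netsh ipsec static".
# Names, subnet and port are constructed for illustration.
# Run in an elevated PowerShell session; this writes the local policy store.
$Policy     = "Demo-SMB-Policy"
$FilterList = "Demo-SMB-Filters"
$Action     = "Demo-Negotiate"

# 1. The policy is the container: it holds one or more rules.
netsh ipsec static add policy name="$Policy"

# 2. An IP filter list holds one or more IP filters.
netsh ipsec static add filterlist name="$FilterList"

# 3. One IP filter: this host ("Me") to the 10.0.1.0/24 subnet on TCP/445.
#    mirrored=yes also matches the reply traffic, so one filter covers both directions.
netsh ipsec static add filter filterlist="$FilterList" srcaddr=Me dstaddr=10.0.1.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=445 mirrored=yes

# 4. The filter action decides what happens on a match: permit, block or negotiate.
netsh ipsec static add filteraction name="$Action" action=negotiate

# 5. The rule ties the filter list and the filter action together, and sets
#    the authentication method (Kerberos for domain-joined machines).
netsh ipsec static add rule name="Demo-SMB-Rule" policy="$Policy" filterlist="$FilterList" filteraction="$Action" kerberos=yes

# 6. Only one policy can be assigned at a time; assigning it activates its rules.
netsh ipsec static set policy name="$Policy" assign=y

# Review the result.
netsh ipsec static show policy name="$Policy"

# Cleanup (undoes everything above):
# netsh ipsec static set policy name="$Policy" assign=n
# netsh ipsec static delete policy name="$Policy"
```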
After the authentication process is successfully completed, the communication channel between the transmitting nodes must be secured. The process of securing the information between two transmitting nodes is called a Security Association or simply SA. The SA provides two functions: data and identity protection. These functions are provided by two protocols: AH (Authentication Header) and ESP (Encapsulating Security Protocol). In turn, each protocol is responsible for one part of the communication process:

  • AH – authentication, anti-replay and identity protection for each packet in the SA
  • ESP – data authentication, data encryption, data integrity and anti-replay protection for the ESP payload.
Some steps need to be completed before an IPSec connection is established between devices. The protocol responsible for establishing the secured connection is IKE, or Internet Key Exchange. IKE sets the security services, cryptographic keys and protection mechanisms that will be used to configure and secure the channel. These are the steps for establishing an IPSec connection:

Step 1 – the main mode negotiation is made using an SA to secure the second negotiation
Step 2 – the encryption algorithms and protection mechanisms are agreed between the nodes
Step 3 – the quick mode negotiation with another SA is configured. Quick mode is used to protect the actual data sent between devices. After this step is complete, information can be securely sent and received.
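The three steps above and the connection security rules from the beginning of the article, as an added example that is not from the original post: a connection security rule built with the NetSecurity PowerShell module, with the main mode (steps 1 and 2) and quick mode (step 3) parameters set explicitly rather than left at their defaults. The rule name, the 10.0.1.0/24 subnet and TCP port 445 are constructed values.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session
# on a domain-joined machine; names, subnet and port are constructed.
Import-Module NetSecurity
$Name = "Demo-Require-Auth-SMB"

# Steps 1 and 2: main mode. The crypto proposal is what the two nodes agree on
# to protect the second (quick mode) negotiation; the auth set decides how the
# nodes prove their identity (here: the computer account via Kerberos).
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet      = New-NetIPsecMainModeCryptoSet -DisplayName "$Name-MainMode" -Proposal $mmProposal
$authProp   = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1     = New-NetIPsecPhase1AuthSet -DisplayName "$Name-Phase1" -Proposal $authProp
New-NetIPsecMainModeRule -DisplayName "$Name-MainModeRule" -RemoteAddress 10.0.1.0/24 `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $phase1.Name | Out-Null

# Step 3: quick mode. ESP with AES-256 and SHA-256 provides the data
# encryption and integrity protection the article attributes to ESP.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "$Name-QuickMode" -Proposal $qmProposal

# The connection security rule: require authentication in both directions for
# TCP/445 to the file-server subnet. -Mode Transport protects each packet's
# payload; tunnel mode would use -Mode Tunnel with -LocalTunnelEndpoint and
# -RemoteTunnelEndpoint so the protected packet is wrapped in an outer header.
New-NetIPsecRule -DisplayName $Name -RemoteAddress 10.0.1.0/24 -Protocol TCP -RemotePort 445 `
    -InboundSecurity Require -OutboundSecurity Require -Mode Transport `
    -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

# Verification: once traffic to the subnet has flowed, the SA from the main
# mode negotiation and the SA from the quick mode negotiation are both listed.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List

# Cleanup (removes everything created above):
# Remove-NetIPsecRule -DisplayName $Name
# Remove-NetIPsecMainModeRule -DisplayName "$Name-MainModeRule"
# Remove-NetIPsecQuickModeCryptoSet -DisplayName "$Name-QuickMode"
# Remove-NetIPsecMainModeCryptoSet -DisplayName "$Name-MainMode"
# Remove-NetIPsecPhase1AuthSet -DisplayName "$Name-Phase1"
```

If no SA appears, check that both machines can reach a domain controller for Kerberos, because a failed main mode authentication with `Require` on both directions silently drops the matching traffic.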

Before the connection is established, the two devices must agree on the protection and encryption protocols. By default, IPSec uses L2TP, or Layer Two Tunneling Protocol, to establish a tunnel over the Internet. This IPSec mode is also known as transport mode because it is often used by IPSec VPN connections. Both nodes must support this protocol before they can establish a tunnel. If this protocol is not supported, IPSec can be used in tunnel mode. In this mode, a packet is protected and then re-encapsulated in an unprotected header. Remember that tunnel mode is used when L2TP/IPSec or PPTP (Point-to-Point Tunneling Protocol) are not supported, and it is not compatible with VPN connections.
That's it for this article folks, hope you've enjoyed it. In the following article we will further discover IPSec features and in the end we will put into practice everything we've learned. Please share your thoughts about this one and share it with others. Have a great day and stay tuned for the following article from IT training day.
