IPSec authentication methods and built-in policies


In this article we continue our IPSec journey. In the last article we got acquainted with some of the elements used by IPSec. In today's post we will look at the authentication mechanisms used with IPSec.
So far we've learned that IPSec provides authentication and encryption before data can be sent safely between devices. This means that the authentication mechanism and the encryption algorithms must be compatible and agreed on by both devices. IPSec supports three authentication mechanisms:
Kerberos – this is the main authentication mechanism used in Active Directory infrastructures. IPSec can take advantage of this protocol to authenticate network devices before creating the communication tunnel. Whenever possible, you should use Kerberos for IPSec authentication: once devices are joined to a domain, IPSec authentication with Kerberos is straightforward.
Certificate – with certificates, the two computers must first obtain and install a computer certificate from a public or a private CA (Certification Authority). The only prerequisite is that each computer involved in the IPSec communication must trust the CA that issued the other computer's certificate.
Preshared keys – this authentication mechanism uses a key shared between the devices, which is used for encryption and decryption. You can create secured SAs using preshared keys, but remember that these keys are stored in plain text on each machine, so this method does not offer the same level of protection as Kerberos or certificate authentication. It is recommended that you use this authentication method only in testing environments, not in production.
In conclusion, always use Kerberos when an Active Directory infrastructure is available. When Kerberos is not available, use certificates to authenticate computers, and avoid preshared keys.
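The preference order just described (Kerberos first, certificates as the fallback, no preshared key at all) can be expressed as a single Phase 1 authentication set. The script below is an added example, not code from the article; it uses the NetSecurity module cmdlets of Windows Firewall with Advanced Security, which is the modern replacement for the IP Security Policies snap-in the article shows, rather than that snap-in itself. It assumes an elevated session on a domain-joined Windows host, and the CA distinguished name, the rule name and the auth set name are placeholders chosen for the example.

```powershell
# Added example (not from the article): build a machine authentication set that
# offers Kerberos first and a CA-issued computer certificate second, and attach it
# to a connection security rule. Run in an elevated session on a domain member.

# Placeholder issuing CA; replace with the DN of the CA both sides trust.
$RootCaDn = "CN=Example Issuing CA, O=Example, C=US"

# Phase 1 (main mode) proposals are offered to the peer in the order listed.
# Kerberos first: identity comes from the domain, nothing to distribute by hand.
$kerberos = New-NetIPsecAuthProposal -Machine -Kerberos

# Certificate second: the peer must present a computer certificate chaining to
# $RootCaDn, which is the "each side trusts the other's CA" prerequisite.
$cert = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaDn -AuthorityType Root

# Deliberately no -PreSharedKey proposal: the key would sit in clear text on
# every host that uses the rule.
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "Machine: Kerberos, then certificate" `
    -Proposal $kerberos, $cert

# Require IPsec for inbound connections, request it for outbound ones, using the
# set above. Without -PolicyStore the rule lands in the local store; a domain GPO
# can be targeted with -PolicyStore "domain.example\GPO Name" instead.
New-NetIPsecRule -DisplayName "Domain hosts: authenticate before talking" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# Verification: list the proposals in the order this host will actually offer them.
Get-NetIPsecPhase1AuthSet -DisplayName "Machine: Kerberos, then certificate" |
    Get-NetIPsecAuthProposal |
    Select-Object AuthenticationMethod, Authority
```

The verification step is worth keeping in any change script: a proposal list that unexpectedly contains a PreSharedKey entry, or a certificate proposal with an empty Authority, is exactly the misconfiguration the article warns about.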
In a large domain infrastructure, you would normally configure IPSec policies using the Group Policy Management Console. When creating a new GPO, if we navigate to IP Security Policies on Active Directory, there are three built-in policies:
IP Security Policies on Active Directory
Client (Respond Only) – a computer set to use this policy will never initiate IPSec communication. It will negotiate and establish an IPSec connection, but only when another device makes the initial request. This policy is often used when securing communications between servers and network hosts.
Secure Server (Require Security) – this policy enables servers to accept both secure and unsecured traffic, but they will always attempt to establish a secure channel. This policy is applied when there are devices that are not IPSec compatible but still need to communicate with the server. Using this method, the server can communicate with non-IPSec-compatible devices and still communicate with IPSec-compatible computers over a secured channel.
Server (Request Security) – servers running under this policy will always establish a secure channel.
When creating a new GPO using the Group Policy Management Console, you can use one of these three built-in policies. Assignment is simple: right-click the desired policy and click Assign:

IPSec policy
You can then save the GPO and apply it to one or more computers. Un-assigning a policy is done the same way. Note that only one policy can be assigned on a computer at a time; if you assign another policy, the first one is replaced. Also, locally assigned policies have lower priority than those configured using group policy.
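The same assign / un-assign operation, and the "only one policy is active at a time" and "GPO beats local" behaviour, can be driven and checked from the command line instead of the snap-in. The script below is an added example, not the article's own material; it uses the `netsh ipsec static` context, which manages the same classic IP Security Policies store the snap-in edits, and assumes an elevated session on a Windows host where the built-in policy names exist. The `Assigned` field label matched in `Test-LegacyIpsecPolicyAssigned` is an assumption about netsh's text output layout.

```powershell
# Added example (not from the article): assign, un-assign and verify a classic
# "IP Security Policy" with netsh ipsec static. Run elevated.
# Caveat: netsh prints text, not objects, so the assignment check is a
# best-effort string match and the field label it looks for is assumed.

function Get-LegacyIpsecPolicyReport {
    # Every policy in the local store, as netsh prints it (list layout).
    netsh ipsec static show policy all format=list
}

function Set-LegacyIpsecPolicyAssignment {
    param(
        [Parameter(Mandatory)][string]$Name,   # e.g. "Server (Request Security)"
        [bool]$Assign = $true
    )
    $flag = if ($Assign) { "yes" } else { "no" }
    # Only one policy can be active per store: assigning a new one replaces the
    # currently assigned policy, so there is no separate un-assign step first.
    netsh ipsec static set policy name="$Name" assign=$flag | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for policy '$Name'" }
}

function Test-LegacyIpsecPolicyAssigned {
    param([Parameter(Mandatory)][string]$Name)
    $text = (netsh ipsec static show policy name="$Name" format=list) -join "`n"
    # Assumed field label; adjust the pattern if your build prints it differently.
    return [bool]($text -match 'Assigned\s*:\s*Yes')
}

# Usage: activate one built-in policy, confirm it, then confirm the previous one
# is no longer marked as assigned.
Set-LegacyIpsecPolicyAssignment -Name "Server (Request Security)"
Test-LegacyIpsecPolicyAssigned  -Name "Server (Request Security)"   # expected: True
Test-LegacyIpsecPolicyAssigned  -Name "Client (Respond Only)"       # expected: False

# Precedence caveat from the article: a policy delivered by a domain GPO overrides
# the local assignment made above. This shows which GPO-assigned policy, if any,
# is actually in force on this host.
netsh ipsec static show gpoassignedpolicy
```

When troubleshooting a host that "ignores" a locally assigned policy, run the last command first: if a domain GPO assigns a policy, the local assignment never takes effect, which matches the priority rule stated above.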
That’s it for this article folks, we will continue discussing IPSec in the following articles. Wish you all the best!