Planning an IPSec infrastructure

Preface
You can enable IPSec for your entire domain with a few clicks of the mouse, but that would not be wise. If it
is not configured correctly, IPSec can cause minor problems, such as a network user
who can do less, or bigger problems such as total loss of network connectivity. Only
careful planning can ensure that IPSec is implemented successfully. This planning includes
choosing an authentication method, deciding how to integrate IPSec and Active Directory, and
verifying compatibility with your planned IPSec configuration.

Active Directory Considerations

For companies with many computers that need to be consistently managed, IPSec policies are best
distributed through GPOs (Group Policy Objects). You can assign local IPSec policies
to computers that are not members of a trusted domain, but distributing IPSec policies
and maintaining IPSec policy configuration and trusts is much more time consuming
for computers that are not domain members.

Another benefit of using an Active Directory-based IPSec policy is that you can delegate permissions on
the IP Security Policies container in Active Directory so that certain administrators
can manage IPSec across the company. However, these administrators do not necessarily have to have
permissions to directly manage the individual computers that receive the IPSec policy. This is very
important for companies in which the responsibility for security matters is shared between
different groups.

To delegate permissions on the IP Security Policies container, you need an Active Directory
editing program, such as ADSI Edit. ADSI Edit is a Windows support tool that uses Active
Directory Service Interfaces (ADSI). The Windows Support Tools can be found in the \Support\Tools folder
on the Windows 2000 and Windows Server 2003 operating system CDs.

Most of the time, an IPSec policy administrator needs write access to all IPSec policy objects. You should
not assign permissions for individual IPSec policies. If there are many administrators in your company
who want to manage Active Directory-based IPSec policies, you should have all IPSec changes
made by existing domain administrators. The people who make changes to an IPSec policy
can configure local IPSec policies in a test environment and then export them to a domain
administrator or another administrator who can change the IPSec policy. This reduces the risk of errors that
can negatively affect an IPSec policy.

Even if an Active Directory-based IPSec policy is suitable for securing most communications
for a group of servers, you may still need an IPSec policy for a particular server.
You can do this by using the IPSec command-line utility in Windows XP Professional or Windows
Server 2003 to create a dynamic IPSec policy.

Authentication for IPSec

Peer authentication is the process of ensuring that an IPSec peer is the computer it claims
to be. By using peer authentication, IPSec can determine whether communication with
another computer should be allowed before this communication begins. You can choose from three
authentication methods: Kerberos v5, public key certificates, and preshared keys.

If you have deployed a Windows 2000 or Windows Server 2003 Active Directory environment and all
hosts using IPSec are part of this domain (or members of a trusted domain), then you should
use Kerberos. If you communicate with other companies and your partner uses a web-based
certification authority, you can use public key certificates. If neither of these methods
is available, you can use a preshared key.

You can also combine authentication methods if necessary. For example, you can
configure your public web server so that internal clients are authenticated by Kerberos and
external clients through public key certificates. After you have configured IPSec, it compares the source
IP address of the remote host with the IPSec policy rules to determine which authentication method
should be used.
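
The rule lookup described above can be modelled as follows. This is an added example, not code from the original text or from Windows; it is a simplified model that assumes the most specific matching source filter wins, and the rule table, addresses and function names are hypothetical.

```python
import ipaddress

# Constructed sample policy for the public web server from the text.
# Each rule: (source filter, ordered list of authentication methods).
RULES = [
    ("0.0.0.0/0", ["certificate"]),                  # any external client
    ("10.0.0.0/8", ["kerberos"]),                    # internal clients
    ("10.20.30.0/24", ["kerberos", "certificate"]),  # mixed internal subnet
]

def select_auth_methods(source_ip, rules=RULES):
    """Return the methods of the most specific rule matching source_ip.

    Model assumption: the filter with the longest prefix wins, regardless
    of the order in which the rules are listed. Returns None if no rule
    matches the address.
    """
    addr = ipaddress.ip_address(source_ip)
    best = None
    for cidr, methods in rules:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, methods)
    return None if best is None else list(best[1])

def unmatched_hosts(hosts, rules=RULES):
    """Planning check: hosts for which no rule defines an authentication method."""
    return [h for h in hosts if select_auth_methods(h, rules) is None]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.20.30.5", "203.0.113.7"):
        print(ip, select_auth_methods(ip))
```

Running `unmatched_hosts` over the planned peer list before deployment shows which remote hosts would have no authentication method defined.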


Kerberos v5 authentication

Kerberos v5 is the authentication standard in Windows Server 2003 and Windows 2000 domains. This
authentication method can be used by any computer in the domain or in a trusted domain.
Kerberos is the most natural form of IPSec authentication and is easy to configure. There are, however, a few
important considerations.

First, in previous versions of Windows, Kerberos traffic was automatically passed through IPSec filters.
Windows Server 2003, however, discards a Kerberos packet if an IPSec rule specifies that the traffic
should be blocked. If you want to enable Kerberos authentication, you need to create filters in the IPSec
policy that specifically allow all traffic to your domain controllers.

Second, you need to use fully qualified domain names to configure the trust relationships so that
Kerberos authentication can be used with a cross-forest trust. In addition,
you have to configure the IPSec client in such a way that communication with every domain controller in the
forest domain hierarchy is allowed, so that IPSec can obtain a Kerberos ticket from a domain controller in the
domain of the IPSec peer.


Authentication with public key certificates

A public key infrastructure (PKI) can be used to authenticate and encrypt communication for
many different applications, including web applications, email, and IPSec.
Applying public key certificates is not as easy as using
Kerberos; however, there are certain circumstances in which certificates are the logical choice for
authentication in IPSec. You should use public key certificates especially when you need to communicate
with external business partners or with other computers that do not support the Kerberos v5 authentication protocol.

IPSec's use of certificate authentication is compatible with many different PKI structures, and
IPSec has relatively few requirements for the content of a certificate. Usually, computers that share a
common trusted root, or whose certificates can chain to one another through a cross-certification
trust relationship, are able to use IPSec authentication. To use certificates for IPSec
authentication, define an ordered list of acceptable root certification authority
(CA) names in the authentication method. This list controls which certificates
IPSec can choose from and which certificates IPSec will choose.

If IPSec authentication fails, you cannot recover by re-authenticating with any other method.
For this reason, before you apply an IPSec policy that uses certificates for authentication,
make sure that all target computers have the correct root CA certificates, the
appropriate cross-certificates, and valid computer certificates. In addition, to ensure that
certificate authentication functions correctly, test your PKI infrastructure with various
IPSec policy configurations before deployment.

In Windows 2000 and Windows Server 2003, you can use Certificate Services to implement a root
certification authority. Certificate Services is integrated with Active Directory and Group Policy. This
simplifies certificate distribution by enabling automatic certificate enrollment and renewal and
by making configurable certificate templates available. In addition, you can use Certificate Services to let IPSec
restrict access to network services by adding the computer certificate as an attribute of the
domain computer account.

You can also use third-party certification authorities, which is particularly useful if you
communicate with external partners. IPSec supports various third-party X.509 PKI systems in addition to
Windows 2000 Server or Windows Server 2003 Certificate Services. Windows Server 2003 IKE is compatible with some
certificate services, including those from Microsoft, Entrust, and VeriSign, so that certificates can be issued to computers
and saved in the Windows CryptoAPI (Cryptographic Application Programming Interface) certificate
store.


Authentication with preshared keys

If both IPSec peers are not in the same domain and do not have access to the certification authority, then
a preshared key can be used. A stand-alone computer on a network that is not connected to the
Internet, for example, can use a preshared key, since neither Kerberos authentication
via the computer's domain account nor access to the certification authority on the Internet is possible.
A preshared key is a shared secret key (a password) that administrators have to configure manually
on their systems so that the same preshared key is used.

When authenticating with preshared keys, symmetric encryption is used to authenticate the hosts,
which is very secure but requires that the two communicating hosts be configured with a
password in advance. Unfortunately, this key is not stored securely on the IPSec hosts.
The authentication key is stored in clear text in the system registry and is hex-coded in the Active
Directory-based IPSec policy. If attackers gain access to your registry, they can find your preshared
key and thus decrypt your data traffic or impersonate a host.
Do not use preshared key authentication unless a stronger method cannot be used.

If you need to use authentication with preshared keys, use a local IPSec
policy, a key value of 25 or more characters, and a different preshared key for each IP
address pair. In this way you ensure that there are different security rules for each destination and that a
compromised preshared key only endangers the computers that share the key.
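
The following added example (not part of the original text) shows one way to check a table of pre-installed (preshared) keys against the guidance above: at least 25 characters, a different key per IP address pair, and a limited set of hosts exposed when one key leaks. The table layout, function names, addresses and key values are constructed for illustration.

```python
import secrets
from collections import defaultdict
from itertools import combinations

MIN_KEY_LENGTH = 25  # minimum key length recommended in the text

def pair(a, b):
    """Order-independent identifier for an IP address pair."""
    return tuple(sorted((a, b)))

def generate_keys(hosts, length=32):
    """Create an independent random key for every pair of hosts."""
    return {pair(a, b): secrets.token_urlsafe(length)[:length]
            for a, b in combinations(hosts, 2)}

def audit_keys(keys):
    """Return (short, reused): pairs whose key is under the minimum length,
    and groups of pairs that were given the same key."""
    short = sorted(p for p, k in keys.items() if len(k) < MIN_KEY_LENGTH)
    by_key = defaultdict(list)
    for p, k in keys.items():
        by_key[k].append(p)
    reused = sorted(sorted(ps) for ps in by_key.values() if len(ps) > 1)
    return short, reused

def exposed_hosts(keys, compromised_pair):
    """Hosts endangered when the key of compromised_pair leaks."""
    leaked = keys[pair(*compromised_pair)]
    return sorted({h for p, k in keys.items() if k == leaked for h in p})

# Constructed sample table (documentation addresses, placeholder keys).
KEY_A = "example-key-A-not-a-real-secret-01"
SAMPLE = {
    pair("192.0.2.10", "192.0.2.20"): "short-example-key",   # under 25 chars
    pair("192.0.2.10", "192.0.2.30"): KEY_A,
    pair("192.0.2.20", "192.0.2.30"): KEY_A,                 # reused key
    pair("192.0.2.10", "192.0.2.40"): "example-key-B-not-a-real-secret-02",
}

if __name__ == "__main__":
    print(audit_keys(SAMPLE))
    print(exposed_hosts(SAMPLE, ("192.0.2.30", "192.0.2.10")))
```

In the sample, the reused key exposes three hosts instead of two, which is the effect the per-pair rule is meant to prevent.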


Testing IPSec

Be sure to do extensive testing before making any changes to your infrastructure. This
is especially true if you plan to use IPSec. IPSec can affect all network
communication and can therefore interfere with network applications that your company uses.

First test IPSec in a lab environment. Configure computers with the client and server sides of the
critical applications to simulate how they are used in production. In your lab environment, the computers should
support each of the potential IPSec functions. Develop a performance metric for each of your applications
and collect baseline performance data that you can use for comparison once IPSec has been deployed.
Then deploy IPSec policies to the lab computers.

Not all networks support the same IPSec functions, and you should use the test phase to determine
which network devices need to be reconfigured or updated. Add firewalls, proxy servers, and routers
to the lab environment to simulate how these interact with IPSec communication in
production. If you want to use IPSec for remote access, you should also have a remote access (RAS)
client connect from a typical remote network. If employees use IPSec to
connect to your internal network from home, test computers on which IPSec is not enabled together with
servers on which IPSec is enabled. Even if you plan to push IPSec to all computers, there is
still a transition period during which some computers have not yet received the IPSec configuration.

After the IPSec clients and network equipment have been configured in the lab environment, test the
functionality of the applications. If you run into problems, document them along with the solutions,
so that these problems can be quickly resolved when they arise in production. Don't just confirm that
the applications work, but also that IPSec works. If you allow IPSec clients to use unsecured
communication when IPSec negotiations fail, the applications may appear to work with IPSec
even though the computers failed to create an IPSec session.

After you have confirmed that all of your applications are compatible with IPSec and have documented the changes
that are necessary to ensure compatibility, compare the results of your performance
tests with the results you collected before IPSec was enabled. If your tests were accurate,
they will show a slight slowdown in establishing network connections as well as a
slight increase in processor utilization. Make a note of the required performance. Monitor computers
in production to ensure that the performance impact is minimized.

Start the production rollout of IPSec with a pilot deployment. During the pilot phase, IPSec
communication should not be required on any computer. All computers should allow non-IPSec communication in order to
support computers that are not part of the pilot test. You cannot require IPSec communication until all
computers have received IPSec configurations. Monitor the pilot computers to confirm that IPSec
works properly. When users report problems, identify whether IPSec is causing the problem and document
a solution. Rolling out IPSec gradually reduces problems for users, which
in turn saves your company money.

Created by: Haßlinger Stefan
In: 2006