
Module 9: Configuring IPsec
Module Overview
• Overview of IPsec
• Configuring Connection Security Rules
• Configuring IPsec NAP Enforcement

Lesson 1: Overview of IPsec
• Benefits of IPsec
• Recommended Uses of IPsec
• Tools Used to Configure IPsec
• What Are Connection Security Rules?
• Demonstration: Configuring General IPsec Settings

Benefits of IPsec

IPsec is a suite of protocols that allows secure, encrypted communication between two computers over an unsecured network.

• IPsec has two goals: to protect IP packets and to defend against network attacks
• Configuring IPsec on sending and receiving computers enables the two computers to send secured data to each other
• IPsec secures network traffic by using encryption and data signing
• An IPsec policy defines the type of traffic that IPsec examines, how that traffic is secured and encrypted, and how IPsec peers are authenticated

Recommended Uses of IPsec

Recommended uses of IPsec include:

• Authenticating and encrypting host-to-host traffic
• Authenticating and encrypting traffic to servers
• L2TP/IPsec for VPN connections
• Site-to-site tunneling
• Enforcing logical networks

Tools Used to Configure IPsec

To configure IPsec, you can use:

• Windows Firewall with Advanced Security MMC (used for Windows Server 2008 and Windows Vista)
• IP Security Policy MMC (used for mixed environments and to configure policies that apply to all Windows versions)
• Netsh command-line tool

What Are Connection Security Rules?

Connection security rules involve:

• Authenticating two computers before they begin communications
• Securing information being sent between two computers
• Using key exchange, authentication, data integrity, and (optionally) data encryption

How firewall rules and connection security rules are related:

• Firewall rules allow traffic through, but do not secure that traffic
• Connection security rules can secure the traffic, but creating a connection security rule does not allow traffic through the firewall

Demonstration: Configuring General IPsec Settings

In this demonstration, you will see how to configure general IPsec settings in Windows Firewall with Advanced Security.
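The following is an added example, not part of the course material, showing the same steps with the Netsh tool named in Lesson 1: the general IPsec settings (main mode proposals and CRL checking), a connection security rule, and the separate firewall rule that is still needed because a connection security rule alone does not allow traffic through the firewall. It assumes an elevated prompt on a domain-joined Windows Server 2008 or later host; the IP addresses, port and rule names are constructed placeholders.

```powershell
# Added example (not from the course). Addresses and rule names are
# constructed placeholders; run from an elevated PowerShell prompt.

# 1. General IPsec settings (the IPsec Settings tab in the MMC): main mode
#    key exchange proposals and how strictly certificate revocation is checked.
netsh advfirewall set global mainmode mmsecmethods=dhgroup2:aes128-sha1,dhgroup2:3des-sha1
netsh advfirewall set global ipsec strongcrlcheck=1

# 2. A connection security rule for this server (10.0.0.20): inbound traffic
#    from the local subnet must be authenticated, outbound authentication is
#    only requested. Kerberos V5 computer authentication requires that both
#    peers are domain members.
netsh advfirewall consec add rule name=Require-Auth-Inbound `
    endpoint1=10.0.0.20 endpoint2=10.0.0.0/24 `
    action=requireinrequestout auth1=computerkerb `
    qmsecmethods=esp:sha1-aes128 profile=domain

# 3. The rule above secures traffic but does not open the firewall. This
#    inbound firewall rule allows TCP 445, and security=authenticate limits
#    it to connections that the connection security rule has authenticated,
#    so an unauthenticated peer is still blocked.
netsh advfirewall firewall add rule name=Allow-SMB-Authenticated `
    dir=in action=allow protocol=TCP localport=445 `
    security=authenticate profile=domain

# Verification: show the rule, then (after a peer connects) the negotiated
# main mode and quick mode security associations.
netsh advfirewall consec show rule name=Require-Auth-Inbound
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

If the firewall rule were added without security=authenticate, the port would be open to every peer regardless of whether IPsec negotiation succeeded; if the connection security rule were added without any firewall rule, authenticated peers would still be blocked on that port. Both rules are needed, which is the relationship the slide describes.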
Lesson 2: Configuring Connection Security Rules
• Choosing a Connection Security Rule Type
• What Are Endpoints?
• Choosing Authentication Requirements
• Authentication Methods
• Determining a Usage Profile
• Demonstration: Configuring a Connection Security Rule

Choosing a Connection Security Rule Type

Isolation: Restricts connections based on authentication criteria that you define

Authentication Exemption:
• Exempts specific computers, or a group or range of IP addresses, from being required to authenticate
• Grants access to those infrastructure computers with which this computer must communicate before authentication occurs

Server-to-Server: Authenticates two specific computers, two groups of computers, two subnets, or a specific computer and a group of computers or subnet

Tunnel: Provides secure communications between two peer computers through tunnel endpoints (VPN or L2TP/IPsec tunnels)

Custom: Enables you to create a rule with special settings


What Are Endpoints?

ESP Transport Mode (the original IP header is kept; only the payload is protected):
  Original packet:  [IP HDR][Data]
  Protected packet: [IP HDR][ESP HDR][Encrypted Data][ESP TRLR][ESP Auth]

ESP Tunnel Mode (the whole original packet is protected and a new IP header addresses the tunnel endpoints):
  Original packet:  [IP HDR][Data]
  Protected packet: [New IP HDR][ESP HDR][Encrypted IP Packet][ESP TRLR][ESP Auth]

Choosing Authentication Requirements

Request authentication for inbound and outbound connections: Ask that all inbound/outbound traffic be authenticated, but allow the connection if authentication fails

Require authentication for inbound connections and request authentication for outbound connections:
• Require inbound be authenticated or it will be blocked
• Outbound can be authenticated but will be allowed if authentication fails

Require authentication for inbound and outbound connections: Require that all inbound/outbound traffic be authenticated or the traffic will be blocked

Authentication Methods

Default: Use the authentication method configured on the IPsec Settings tab

Computer and User (Kerberos V5): You can request or require that both the user and the computer authenticate before communications can continue; domain membership required

Computer (Kerberos V5): Request or require the computer to authenticate using Kerberos V5; domain membership required

User (Kerberos V5): Request or require the user to authenticate using Kerberos V5; domain membership required

Computer certificate:
• Request or require a valid computer certificate; requires at least one CA
• Only accept health certificates: request or require a valid health certificate to authenticate; requires IPsec NAP

Advanced: Configure any available method; you can specify methods for First and Second Authentication

Determining a Usage Profile

Security settings can change dynamically with the network location type.

Windows supports three network types, and programs can use these locations to automatically apply the appropriate configuration options:

• Domain: selected when the computer is a domain member
• Private: networks trusted by the user (home or small office network)
• Public: default for newly detected networks; usually the most restrictive settings are assigned because of the security risks present on public networks

The network location type is most useful on portable computers, which are likely to move from network to network.

Demonstration: Configuring a Connection Security Rule

In this demonstration, you will see how to configure a connection security rule.
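As an added example that is not part of the course, the four rule types from the rule-type table, the three authentication requirement options, the authentication methods and the profile scoping from the usage-profile slide, all expressed as Netsh connection security rules. It assumes an elevated prompt on Windows Server 2008 or later; every host name, IP address, subnet and CA name is a constructed placeholder.

```powershell
# Added example (not from the course). All addresses, subnets and the CA
# subject names are constructed placeholders; run from an elevated prompt.

# Isolation rule (action=requireinrequestout): on the domain profile, every
# inbound connection must be authenticated with Kerberos V5 computer
# authentication, with user Kerberos as the second authentication. Outbound
# authentication is only requested, so traffic to hosts that cannot
# authenticate still flows.
netsh advfirewall consec add rule name=Isolation-Domain `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2=userkerb profile=domain

# Authentication exemption (action=noauthentication): domain controllers and
# DNS must be reachable before Kerberos authentication can happen at all.
# Without this rule the isolation rule above would block the infrastructure
# it depends on. Listed addresses are placeholders.
netsh advfirewall consec add rule name=Exempt-Infrastructure `
    endpoint1=any endpoint2=10.0.0.10,10.0.0.11 action=noauthentication `
    profile=domain

# Server-to-server rule (action=requireinrequireout): two specific hosts must
# authenticate in both directions, here with computer certificates issued by
# a named root CA, so traffic fails closed if authentication fails.
netsh advfirewall consec add rule name=S2S-App-DB `
    endpoint1=10.0.1.5 endpoint2=10.0.1.6 action=requireinrequireout `
    auth1=computercert auth1ca="CN=Contoso-Root-CA" profile=domain,private

# Tunnel rule (mode=tunnel): traffic between two subnets is wrapped in ESP
# tunnel mode between the two gateway addresses. The inner packets keep their
# original IP headers; the new outer header carries them between the tunnel
# endpoints (see the ESP Tunnel Mode layout under "What Are Endpoints?").
netsh advfirewall consec add rule name=Tunnel-Branch `
    endpoint1=10.0.0.0/24 endpoint2=192.168.50.0/24 mode=tunnel `
    localtunnelendpoint=203.0.113.10 remotetunnelendpoint=198.51.100.20 `
    action=requireinrequireout auth1=computercert auth1ca="CN=Contoso-Root-CA"

# Usage profile check: the active network location type decides which of the
# rules above apply on a portable computer that moves between networks.
netsh advfirewall show currentprofile
netsh advfirewall consec show rule name=all
```

The request-only option from the requirements table (action=requestinrequestout) is useful while piloting: peers that cannot authenticate are still allowed, and the monitor output (netsh advfirewall monitor show mmsa) shows which peers actually negotiated IPsec before the rule is tightened to require authentication.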
Lesson 3: Configuring IPsec NAP Enforcement
• IPsec Enforcement for Logical Networks
• IPsec NAP Enforcement Processes
• Requirements to Deploy IPsec NAP Enforcement

IPsec Enforcement for Logical Networks

[Figure: three logical networks. Restricted Network: non-compliant NAP clients and non-NAP-capable clients. Boundary Network: remediation servers and the Health Registration Authority (HRA). Secure Network: compliant NAP clients and secure servers (the figure shows e-mail servers, certificate services, NPS servers and NAP enforcement servers). NAP client components: NAP agent, SHAs and NAP ECs (HRA/IPsec, VPN, 802.1X, DHCP; NPS proxy). NAP policy server (NPS) components: NAP administration server, SHVs, network policies, NAP health policies and connection request policies.]

IPsec NAP Enforcement Processes

IPsec NAP Enforcement includes:
• Policy validation
• NAP enforcement
• Network restriction
• Remediation
• Ongoing monitoring of compliance

[Figure: Internet, perimeter network, intranet and restricted network, showing a VPN server, IEEE 802.1X devices, a DHCP server, Active Directory, the Health Registration Authority, the NAP Health Policy Server, remediation servers, and a NAP client with limited access.]

Requirements to Deploy IPsec NAP Enforcement

Requirements for deploying IPsec NAP Enforcement:

• Active Directory
• Active Directory Certificate Services
• Network Policy Server
• Health Registration Authority
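An added example, not from the course, of the client-side half of the IPsec NAP enforcement process described in Lesson 3: enabling the NAP agent and the IPsec enforcement client, pointing the client at the HRA, and the connection security rule on secure-network members that turns "only accept health certificates" (from the authentication methods table) into network restriction. It assumes the server roles listed above (Active Directory, AD CS, NPS, HRA) are already deployed; the HRA URL, trusted server group name and CA name are constructed placeholders.

```powershell
# Added example (not from the course). The HRA URL, group name and CA subject
# are constructed placeholders. Run on the NAP client from an elevated prompt.

# Policy validation and ongoing monitoring need the NAP Agent service running.
sc.exe config napagent start= auto
net start napagent

# Enable the IPsec Relying Party enforcement client (enforcement ID 79619) so
# the client requests a health certificate from the HRA once its SHAs report
# that it is compliant.
netsh nap client set enforcement id = 79619 admin = enable

# Tell the client which HRA issues health certificates. Requiring HTTPS keeps
# the statement of health and the issued certificate protected in transit.
netsh nap client add trustedservergroup name = HRA-Servers requirehttps = enable
netsh nap client add server group = HRA-Servers url = https://hra.contoso.example/DomainHRA/hcerthttp

# Network restriction is done by this connection security rule on members of
# the secure network: inbound peers must present a valid health certificate
# from the NAP CA (auth1healthcert=yes). A non-compliant client has no such
# certificate, so it can only reach the boundary network, which an
# authentication exemption rule must cover for the HRA and remediation servers.
netsh advfirewall consec add rule name=Require-Health-Cert `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computercert auth1ca="CN=Contoso-NAP-CA" auth1healthcert=yes `
    profile=domain

# Remediation check: enforcement client state and SHA results, and whether a
# health certificate was issued into the computer's personal store.
netsh nap client show state
certutil -store My
```

Because the health certificate has a short lifetime and is re-requested by the NAP agent, a client that falls out of compliance stops receiving new certificates and drops back to the restricted network on its own; that is the "ongoing monitoring of compliance" step without any separate revocation mechanism.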


Lab: Configuring IPsec NAP Enforcement
• Exercise 1: Preparing the Network Environment for IPsec NAP Enforcement
• Exercise 2: Configuring and Testing IPsec NAP Enforcement

Logon information
Virtual machines: NYC-DC1, NYC-CL1, NYC-CL2
User name: Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes


Lab Review
• What would the implication be if you installed the Certificate Server as an Enterprise CA, as opposed to a Standalone CA, and you have workgroup computers that need to be NAP compliant?
• Under what circumstances would Authentication Exemption be useful in a Connection Security Rule?
Module Review and Takeaways
• Review Questions
• Common Misconceptions About IPsec
• IPsec Benefits
• Tools