SlideShare ist ein Scribd-Unternehmen logo

Ip sec talk

Als PPT, PDF herunterladen
A
anoean

ipsec talk

Technologie
1 von 47
1 IP Security (IPSec) Thomas Lee Chief Technologist –QA thomas.lee@qa.com
2 Agenda  What is IPSec?  How does IPSec Work?  Configuring/Using IPSec  Issues  Best Practices  Resources
3 What is IPSec?  Framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks  IPSec provides authenticated and encrypted traffic between hosts at the IP protocol level  Provides aggressive protection against private network and Internet attacks through end-to-end security.  Protects communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roving clients.  IPSec is the long-term direction for secure networking
4 IPSec Objectives  To protect the contents of IP packets.  To provide a defense against network attacks through packet filtering  To enforce trusted communication based on either local or central policy  These objectives are met through the use of cryptography-based protection services, security protocols, dynamic key management and Windows Group Policy.
5 Why IPSec?  IPv4 not designed with security in mind  Attacks possible with IPv4 • Eavesdropping • Data modification • Identity spoofing (IP address spoofing) • Denial-of-service attack • Man-in-the-middle attack  These can be avoided by use of IPSec
6 IPSec Protection  Eavesdropping • The Encapsulating Security Payload (ESP) protocol in IPSec provides data confidentiality by encrypting the payload of IP packets  Data modification • Cryptography-based keys, shared only by the sending and receiving computers, are use to create a cryptographic checksum for each IP packet. • Modification of the data alters the checksum, which indicates to the receiving computer that the packet was modified in transit  Identity spoofing • IPSec allows verification of identities without exposing that information to an attacker. • Mutual authentication establishes trust between the hosts.  Man-in-the-middle attacks • IPSec combines mutual authentication with shared, cryptography-based keys.  Denial-of-service attacks • IPSec uses IP packet filtering allow, secure, or block traffic based on IP address ranges, IP protocols, or even specific TCP/UDP ports.
7 Agenda  What is IPSec?  How does IPSec Work?  Configuring/using IPSec  Issues  Best Practices  Resources
8 filtersfiltersfiltersfilters How Components Interacts?  Internet Key Exchange (IKE) - Identity Protect Mode – defined in RFC 2409  Phase 1 “Main Mode” establishes IKE SA – trusted channel between systems, negotiation establishes encrypted channel, mutual trust, and dynamically generates shared secret key (“master” key)  Phase 2 “Quick Mode” establishes IPSec SAs – for data protection, one SA for each direction identified by packet label (SPI), algorithms and packet formats agreed, generates shared “session” secret keys derived from “master” key NICNIC TCPIPTCPIP ApplicationApplication Server or GatewayServer or Gateway IPSecIPSec DriverDriver IPSecIPSec PolicyAgentPolicyAgentIKE (ISAKMP)IKE (ISAKMP) IPSecIPSec DriverDriver IPSecIPSec PolicyPolicy AgentAgent IKE (ISAKMP)IKE (ISAKMP) NICNIC TCPIPTCPIP Application/ServiceApplication/Service clientclient ““IKE Responder”IKE Responder”““IKE Initiator”IKE Initiator” UDP port 500UDP port 500 negotiationnegotiation 1 IKE SA1 IKE SA 2 IPSec SAs2 IPSec SAs IP protocol 50/51IP protocol 50/51
9 IPSec Policy  One Active IPSec Policy • Multiple IPSec Policies can be defined  Policy Consists of • ISAKMP Policy • IPSec rules – An IPSec policy can have many rules  IPSec Rules • Filter – identifies the traffic to secure/drop/etc • Filter action – drop, deny, authenticate, encrypt • Authentication, encryption, etc
10 IPSec Policy Components  Polling interval used to detect changes in policy  IKE parameters, such as encryption key lifetimes.  IPSec behavior for the policy  The types of traffic to which an action is applied  Permit, block, or secure  Kerberos, certificate, or preshared key  LAN, Dialup, or both
11 IPSec packet filtering  Filters allow and block traffic  Filters can overlap • Most specific match determines action  NO stateful inspection  Example: to open only port 80 on the IIS: From IP To IP Protocol Src Port Dest Port Action Any My Internet IP Any n/a n/a Block Any My Internet IP TCP Any 80 Permit
12 Negotiation of Protection  Require two messages • Initiator to Responder : (contains proposals) • Responder to Initiator: (contains a selected proposal) • Details later!  Protection suites: Attribute Attribute Value Encryption algorithm DES, 3DES, Null Integrity algorithm MD5, SHA-1, Null Authentication method Kerberos, preshared key, certificate Diffie-Hellman group Group 1 (768-bit), Group 2 (1024-bit)
13 IPSec Modes  Transport mode • Used for IPSec peers doing end-to-end security • Provides protection for upper-layer protocol data units (PDUs)  Tunnel mode • Used by network routers to protect IP datagrams passing across insecure network • Provides protection for entire IP datagrams
14 Security Associations  Combination of mutually agreed security services, protection mechanisms, and cryptographic keys  ISAKMP SA  IPSec SAs • One for inbound traffic • One for outbound traffic  Security Parameters Index (SPI) • Helps identify an SA  Creating SAs • Main Mode for ISAKMP SA • Quick Mode for IPSec SAs
15 Agenda  What is IPSec?  How does IPSec Work? (at the packet level!)  Configuring/using IPSec  Issues  Best Practices  Resources
16 Internet Key Exchange  How IPSec peers establish SAs  Combines ISAKMP and the Oakley Key Determination Protocol • ISAKMP is used to identify and authenticate peers, manage SAs, and exchange key material • Oakley Key Determination Protocol is used to generate secret key material for secure communications (Diffie- Hellman key exchange algorithm)
17 ISAKMP Message Structure IP header ISAKMP payloads UDP message IP datagram UDP header ISAKMP header ISAKMP uses UDP source/destination port 500
18 ISAKMP Header Initiator Cookie Responder Cookie Next Payload Major Version Minor Version Exchange Type Flags Message ID LengthA
19 ISAKMP Payloads  SA  Proposal  Transform  Vendor ID  Nonce  Key Exchange  Notification  Delete  Identification  Hash  Certificate Request  Certificate  Signature
20 IPSec Headers  IPSec Headers live inside IP datagrams and define IPSec contents  Authentication Header (AH) • Provides data origin authentication, data integrity, and replay protection for the entire IP datagram  Encapsulating Security Payload (ESP) • Provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP- encapsulated portion of the packet
21 AH Transport Mode IP Upper layer PDU IP AH Authenticated Upper layer PDU
22 AH Tunnel Mode AH Authenticated IP IP IP (new) Upper layer PDU Upper layer PDU
23 Next Header Payload Length Reserved Security Parameters Index Sequence Number Authentication Data Payload . . . Authentication Header (AH) . . .
24 ESP Transport Mode IP ESP ESP Auth Data Encrypted Authenticated IP Upper layer PDU Upper layer PDU
25 ESP with AH Transport Mode IP ESP ESP ESP Auth Encrypted Authenticated with AH IP AH Upper layer PDU Upper layer PDU Authenticated with ESP
26 ESP Tunnel Mode IP (new) ESP ESP Auth Data IP Encrypted Authenticated IP Upper layer PDU Upper layer PDU
27 Security Parameters Index Sequence Number Payload Padding Padding Length Next Header Authentication Data . . . . . . . . . ESP Header and Trailer
28 Internet Key Exchange  Standard that defines a mechanism to establish SAs  Combines ISAKMP and the Oakley Key Determination Protocol • ISAKMP is used to identify and authenticate peers, manage SAs, and exchange key material • Oakley Key Determination Protocol is used to generate secret key material for secure communications (Diffie- Hellman key exchange algorithm)
29 Main Mode Negotiation  Phases of main mode negotiation: 1. Negotiation of protection suites 2. A Diffie-Hellman exchange 3. Authentication  Six ISAKMP messages • 1, 2 – all authentication types • 3, 4, 5, and 6 - vary by Authentication type
30 Authentication in MM Negotiation  Kerberos Authentication • Kerberos Tokens exchanged and validated  Certificate Authentication • Certificates and signatures exchanged and validated  Preshared Key Authentication • Hash payloads exchanged and validated
31 Main Mode Negotiation Messages  Message 1 • Sent by initiator • Contains proposed security association details, vendor ID  Message 2 • Sent by responder • Contains acceptable SA proposal, vendor ID  These messages negotiate: • Encryption (DES, 3DES) • Identity Algorithm (MD5, SHA-1) • Authentication Method (Kerberos, Pre-shared key, Certificate) • Diffie-Hellman group (768-bit, 1024-bit, 2048-bit)
32 Main Mode – Kerberos Authentication  Message 3 - Sent from initiator • Contains key exchange, Nonce, initiator’s Kerberos Token, NAT Discovery information  Message 4 - Sent from responder • Contains key exchange, Nonce, responder’s Kerberos Token , NAT Discovery information  Message 5 - Sent from initiator (encrypted) • Contains identification (of initiator), plus hash  Message 6 - Sent from responder (encrypted) • Contains identification (of responder), plus hash
33 Main Mode – Certificate Authentication  Message 3 - Sent from initiator • Contains key exchange, Nonce, NAT Discovery information  Message 4 - Sent from responder • Contains key exchange, Nonce, NAT Discovery information • Also contains certificate request (list of trusted root CAs)  Message 5 - Sent from initiator (encrypted) • Contains Initiator’s Certificate, signature  Message 6 - Sent from responder (encrypted) • Contains Responder’s certificate, signature
34 Main Mode – Pre-Shared Key Authentication  Message 3 - Sent from initiator • Contains Key Exchange, Nonce, NAT Discovery  Message 4 - Sent from responder • Contains Key Exchange, Nonce, NAT Discovery  Message 5 - Sent from initiator (encrypted) • Contains Identification (of initiator), hash  Message 6 - Sent from responder (encrypted) • Contains Identification (of responder), hash
35 Quick Mode Negotiation  Four ISAKMP messages to determine traffic to be secured and how it is secured  Initiator and responder exchange: • SA payloads (how to secure traffic) • Identification payloads (the traffic to secure)
36 IPSec On the WireIPSec On the Wire OrOr Fun With NetMon!Fun With NetMon! Demo
37 Agenda  What is IPSec?  How does IPSec Work?  Configuring/Using IPSec  Issues  Best Practices  Resources
38 Issues with IPSec  Need for machine certificates  Interoperability  Performance/Overhead  NAT traversal
39 Need for Machine Certificates/Keys  IPSec is based on machine to machine communication • User credentials not used • You therefore need machine certificates  For Kerberos • Machine is the security principal • Only works for Windows 2000/2003/XP  For Certificate based authentication • How to manage/deliver certificates
40 Performance/Overhead  IPSec incurs three sets of overhead: • Startup • Wire protocol overheads • Speed of encryption  Start up over-head • Main Mode – 6 packets • Quick Mode – 10 packets
41 Wire Protocol Overhead Mode Inbound Outbound Total Bytes Normal IP Traffic 2,084,031 94,646,227 96,730,257 AH Traffic 2,700,627 96,174,275 98,874,902 ESP Traffic 2,867,099 96,941,132 99,808,231 AH Overhead 616,596 1,528,048 2,144,645 ESP Overhead 783,068 2,294,905 3,077,974 % AH Overhead 29.59% 1.61% 2.22% % ESP Overhead 37.57% 2.42% 3.18%
42 IPSec Hardware Acceleration  IPSec per-packet hardware acceleration for 10/100 Ethernet  Client/Svr cards retail circa $100  3Com • 3CR990B-97 - 10/100 UTP • 3CR990B-FX-97 – 10/100 Fiber • Wire Speed IPSec • Max 75 SAs supported • http://www.3com.com/other/pdfs/products/en/400833.pdf - Or - • http://tinyurl.com/3er3f  Intel • Intel® PRO/100 S Desktop/Server • http://www.intel.com/network/connectivity/resources/doc_library/documents/ pdf/intel_ipsec_final.pdf - Or - • http://tinyurl.com/37hcn
43 XP IPSec Performance Improvements  Doubled number of new SAs per minute  Reliable delete handling in IKE  Doubled packet filtering speed (throughput)  Client LDAP retrieval of AD policy 5 times faster than Windows 2000  Both Intel and 3Com 32bit x86 10/100Ethernet offload support shipping in the box
44 IPSec NAT-T  Network Address Translators (NATs) invalidate IPSec packet protections  IPSec NAT Traversal (NAT-T): • Encapsulates ESP-protected payloads with a UDP header • Defines additional Main Mode payloads to detect IPSec NAT-T-capable peers and whether either is behind a NAT • Defines an additional Quick Mode payload to indicate untranslated addresses • Allows ESP-protected traffic to traverse a NAT
45 Agenda  What is IPSec?  How does IPSec Work?  Configuring/Using IPSec  Issues  Best Practices  Resources
46 Scripting  NETSH –C IPSEC – with Windows Server 2003  Netsh IPsec  No dump command  • It is included • It does nothing!  Help text has few examples  Error messages generally totally unhelpful  Lots of trial and error seems to be needed!
47 Best Practices  Establish an IP Security deployment plan  Avoid Pre-shared keys  Configuration of certificate requests  Script, script, script

Empfohlen

Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2Sourabh Badve
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 

Empfohlen

Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2Sourabh Badve
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
IP security
IP securityIP security
IP securityshraddha mane
 
ip security
ip securityip security
ip securityChirag Patel
 
Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar ALLCAD Services Pvt Limited
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1Sankaranarayanan Subramanian
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnelArunKumar Subbiah
 
IPSec | Computer Network
IPSec | Computer NetworkIPSec | Computer Network
IPSec | Computer Networkshubham ghimire
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Ip security
Ip securityIp security
Ip securityJithuK6
 
IPsec
IPsecIPsec
IPsecabdullah roomi
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psecMohd Arif
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1Abdallah Abuouf
 
IP Security in Network Security NS6
IP Security in Network Security NS6IP Security in Network Security NS6
IP Security in Network Security NS6koolkampus
 
Ipsec (network security)
Ipsec (network security)Ipsec (network security)
Ipsec (network security)AhmadRahmanian1
 
IP Security
IP SecurityIP Security
IP Securitysahilshah200
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
Ipsecurity
IpsecurityIpsecurity
IpsecurityChinmay Patel
 
ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.pptDEEPAK948083
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 

Weitere ähnliche Inhalte

Was ist angesagt?

Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar ALLCAD Services Pvt Limited
 
IPSec | Computer Network
IPSec | Computer NetworkIPSec | Computer Network
IPSec | Computer Networkshubham ghimire
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Ip security
Ip securityIp security
Ip securityJithuK6
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psecMohd Arif
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1Abdallah Abuouf
 
IP Security in Network Security NS6
IP Security in Network Security NS6IP Security in Network Security NS6
IP Security in Network Security NS6koolkampus
 
Ipsec (network security)
Ipsec (network security)Ipsec (network security)
Ipsec (network security)AhmadRahmanian1
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 

Was ist angesagt? (20)

IP security
IP securityIP security
IP security
 
ip security
ip securityip security
ip security
 
Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
Ip security
Ip security Ip security
Ip security
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
IPSec | Computer Network
IPSec | Computer NetworkIPSec | Computer Network
IPSec | Computer Network
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
Ip security
Ip securityIp security
Ip security
 
IPsec
IPsecIPsec
IPsec
 
Ip security
Ip security Ip security
Ip security
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overview
 
Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psec
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1
 
IP Security in Network Security NS6
IP Security in Network Security NS6IP Security in Network Security NS6
IP Security in Network Security NS6
 
Ipsec (network security)
Ipsec (network security)Ipsec (network security)
Ipsec (network security)
 
IP Security
IP SecurityIP Security
IP Security
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 

Ähnlich wie Ip sec talk

ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.pptDEEPAK948083
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
I psec
I psecI psec
I psecnlekh
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006Nate Lawson
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 

Ähnlich wie Ip sec talk (20)

ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.ppt
 
IP Security
IP SecurityIP Security
IP Security
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
IP SEC.ptx
IP SEC.ptxIP SEC.ptx
IP SEC.ptx
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
Ip Sec Rev1
Ip Sec Rev1Ip Sec Rev1
Ip Sec Rev1
 
Websecurity
Websecurity Websecurity
Websecurity
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
Web Security
Web SecurityWeb Security
Web Security
 
I psec
I psecI psec
I psec
 
TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006TLS/SSL Protocol Design 201006
TLS/SSL Protocol Design 201006
 
I psec
I psecI psec
I psec
 
IPSEC
IPSECIPSEC
IPSEC
 
The Security layer
The Security layerThe Security layer
The Security layer
 
Ip sec
Ip secIp sec
Ip sec
 
Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8Cryptography and Network security # Lecture 8
Cryptography and Network security # Lecture 8
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Kürzlich hochgeladen (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Ip sec talk

  • 1. 1 IP Security (IPSec) Thomas Lee Chief Technologist –QA thomas.lee@qa.com
  • 2. 2 Agenda  What is IPSec?  How does IPSec Work?  Configuring/Using IPSec  Issues  Best Practices  Resources
  • 3. 3 What is IPSec?  Framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks  IPSec provides authenticated and encrypted traffic between hosts at the IP protocol level  Provides aggressive protection against private network and Internet attacks through end-to-end security.  Protects communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roving clients.  IPSec is the long-term direction for secure networking
  • 4. 4 IPSec Objectives  To protect the contents of IP packets.  To provide a defense against network attacks through packet filtering  To enforce trusted communication based on either local or central policy  These objectives are met through the use of cryptography-based protection services, security protocols, dynamic key management and Windows Group Policy.
  • 5. 5 Why IPSec?  IPv4 not designed with security in mind  Attacks possible with IPv4 • Eavesdropping • Data modification • Identity spoofing (IP address spoofing) • Denial-of-service attack • Man-in-the-middle attack  These can be avoided by use of IPSec
  • 6. 6 IPSec Protection  Eavesdropping • The Encapsulating Security Payload (ESP) protocol in IPSec provides data confidentiality by encrypting the payload of IP packets  Data modification • Cryptography-based keys, shared only by the sending and receiving computers, are use to create a cryptographic checksum for each IP packet. • Modification of the data alters the checksum, which indicates to the receiving computer that the packet was modified in transit  Identity spoofing • IPSec allows verification of identities without exposing that information to an attacker. • Mutual authentication establishes trust between the hosts.  Man-in-the-middle attacks • IPSec combines mutual authentication with shared, cryptography-based keys.  Denial-of-service attacks • IPSec uses IP packet filtering allow, secure, or block traffic based on IP address ranges, IP protocols, or even specific TCP/UDP ports.
  • 7. 7 Agenda  What is IPSec?  How does IPSec Work?  Configuring/using IPSec  Issues  Best Practices  Resources
  • 8. 8 filtersfiltersfiltersfilters How Components Interacts?  Internet Key Exchange (IKE) - Identity Protect Mode – defined in RFC 2409  Phase 1 “Main Mode” establishes IKE SA – trusted channel between systems, negotiation establishes encrypted channel, mutual trust, and dynamically generates shared secret key (“master” key)  Phase 2 “Quick Mode” establishes IPSec SAs – for data protection, one SA for each direction identified by packet label (SPI), algorithms and packet formats agreed, generates shared “session” secret keys derived from “master” key NICNIC TCPIPTCPIP ApplicationApplication Server or GatewayServer or Gateway IPSecIPSec DriverDriver IPSecIPSec PolicyAgentPolicyAgentIKE (ISAKMP)IKE (ISAKMP) IPSecIPSec DriverDriver IPSecIPSec PolicyPolicy AgentAgent IKE (ISAKMP)IKE (ISAKMP) NICNIC TCPIPTCPIP Application/ServiceApplication/Service clientclient ““IKE Responder”IKE Responder”““IKE Initiator”IKE Initiator” UDP port 500UDP port 500 negotiationnegotiation 1 IKE SA1 IKE SA 2 IPSec SAs2 IPSec SAs IP protocol 50/51IP protocol 50/51
  • 9. 9 IPSec Policy  One Active IPSec Policy • Multiple IPSec Policies can be defined  Policy Consists of • ISAKMP Policy • IPSec rules – An IPSec policy can have many rules  IPSec Rules • Filter – identifies the traffic to secure/drop/etc • Filter action – drop, deny, authenticate, encrypt • Authentication, encryption, etc
  • 10. 10 IPSec Policy Components  Polling interval used to detect changes in policy  IKE parameters, such as encryption key lifetimes.  IPSec behavior for the policy  The types of traffic to which an action is applied  Permit, block, or secure  Kerberos, certificate, or preshared key  LAN, Dialup, or both
  • 11. 11 IPSec packet filtering  Filters allow and block traffic  Filters can overlap • Most specific match determines action  NO stateful inspection  Example: to open only port 80 on the IIS: From IP To IP Protocol Src Port Dest Port Action Any My Internet IP Any n/a n/a Block Any My Internet IP TCP Any 80 Permit
  • 12. 12 Negotiation of Protection  Require two messages • Initiator to Responder : (contains proposals) • Responder to Initiator: (contains a selected proposal) • Details later!  Protection suites: Attribute Attribute Value Encryption algorithm DES, 3DES, Null Integrity algorithm MD5, SHA-1, Null Authentication method Kerberos, preshared key, certificate Diffie-Hellman group Group 1 (768-bit), Group 2 (1024-bit)
  • 13. 13 IPSec Modes  Transport mode • Used for IPSec peers doing end-to-end security • Provides protection for upper-layer protocol data units (PDUs)  Tunnel mode • Used by network routers to protect IP datagrams passing across insecure network • Provides protection for entire IP datagrams
  • 14. 14 Security Associations  Combination of mutually agreed security services, protection mechanisms, and cryptographic keys  ISAKMP SA  IPSec SAs • One for inbound traffic • One for outbound traffic  Security Parameters Index (SPI) • Helps identify an SA  Creating SAs • Main Mode for ISAKMP SA • Quick Mode for IPSec SAs
  • 15. 15 Agenda  What is IPSec?  How does IPSec Work? (at the packet level!)  Configuring/using IPSec  Issues  Best Practices  Resources
  • 16. 16 Internet Key Exchange  How IPSec peers establish SAs  Combines ISAKMP and the Oakley Key Determination Protocol • ISAKMP is used to identify and authenticate peers, manage SAs, and exchange key material • Oakley Key Determination Protocol is used to generate secret key material for secure communications (Diffie- Hellman key exchange algorithm)
  • 17. 17 ISAKMP Message Structure IP header ISAKMP payloads UDP message IP datagram UDP header ISAKMP header ISAKMP uses UDP source/destination port 500
  • 18. 18 ISAKMP Header Initiator Cookie Responder Cookie Next Payload Major Version Minor Version Exchange Type Flags Message ID LengthA
  • 19. 19 ISAKMP Payloads  SA  Proposal  Transform  Vendor ID  Nonce  Key Exchange  Notification  Delete  Identification  Hash  Certificate Request  Certificate  Signature
  • 20. 20 IPSec Headers  IPSec Headers live inside IP datagrams and define IPSec contents  Authentication Header (AH) • Provides data origin authentication, data integrity, and replay protection for the entire IP datagram  Encapsulating Security Payload (ESP) • Provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP- encapsulated portion of the packet
  • 21. 21 AH Transport Mode IP Upper layer PDU IP AH Authenticated Upper layer PDU
  • 22. 22 AH Tunnel Mode AH Authenticated IP IP IP (new) Upper layer PDU Upper layer PDU
  • 23. 23 Next Header Payload Length Reserved Security Parameters Index Sequence Number Authentication Data Payload . . . Authentication Header (AH) . . .
  • 24. 24 ESP Transport Mode IP ESP ESP Auth Data Encrypted Authenticated IP Upper layer PDU Upper layer PDU
  • 25. 25 ESP with AH Transport Mode IP ESP ESP ESP Auth Encrypted Authenticated with AH IP AH Upper layer PDU Upper layer PDU Authenticated with ESP
  • 26. 26 ESP Tunnel Mode IP (new) ESP ESP Auth Data IP Encrypted Authenticated IP Upper layer PDU Upper layer PDU
  • 27. 27 Security Parameters Index Sequence Number Payload Padding Padding Length Next Header Authentication Data . . . . . . . . . ESP Header and Trailer
  • 28. 28 Internet Key Exchange  Standard that defines a mechanism to establish SAs  Combines ISAKMP and the Oakley Key Determination Protocol • ISAKMP is used to identify and authenticate peers, manage SAs, and exchange key material • Oakley Key Determination Protocol is used to generate secret key material for secure communications (Diffie- Hellman key exchange algorithm)
  • 29. 29 Main Mode Negotiation  Phases of main mode negotiation: 1. Negotiation of protection suites 2. A Diffie-Hellman exchange 3. Authentication  Six ISAKMP messages • 1, 2 – all authentication types • 3, 4, 5, and 6 - vary by Authentication type
  • 30. 30 Authentication in MM Negotiation  Kerberos Authentication • Kerberos Tokens exchanged and validated  Certificate Authentication • Certificates and signatures exchanged and validated  Preshared Key Authentication • Hash payloads exchanged and validated
  • 31. 31 Main Mode Negotiation Messages  Message 1 • Sent by initiator • Contains proposed security association details, vendor ID  Message 2 • Sent by responder • Contains acceptable SA proposal, vendor ID  These messages negotiate: • Encryption (DES, 3DES) • Identity Algorithm (MD5, SHA-1) • Authentication Method (Kerberos, Pre-shared key, Certificate) • Diffie-Hellman group (768-bit, 1024-bit, 2048-bit)
  • 32. 32 Main Mode – Kerberos Authentication  Message 3 - Sent from initiator • Contains key exchange, Nonce, initiator’s Kerberos Token, NAT Discovery information  Message 4 - Sent from responder • Contains key exchange, Nonce, responder’s Kerberos Token , NAT Discovery information  Message 5 - Sent from initiator (encrypted) • Contains identification (of initiator), plus hash  Message 6 - Sent from responder (encrypted) • Contains identification (of responder), plus hash
  • 33. 33 Main Mode – Certificate Authentication  Message 3 - Sent from initiator • Contains key exchange, Nonce, NAT Discovery information  Message 4 - Sent from responder • Contains key exchange, Nonce, NAT Discovery information • Also contains certificate request (list of trusted root CAs)  Message 5 - Sent from initiator (encrypted) • Contains Initiator’s Certificate, signature  Message 6 - Sent from responder (encrypted) • Contains Responder’s certificate, signature
  • 34. 34 Main Mode – Pre-Shared Key Authentication  Message 3 - Sent from initiator • Contains Key Exchange, Nonce, NAT Discovery  Message 4 - Sent from responder • Contains Key Exchange, Nonce, NAT Discovery  Message 5 - Sent from initiator (encrypted) • Contains Identification (of initiator), hash  Message 6 - Sent from responder (encrypted) • Contains Identification (of responder), hash
  • 35. 35 Quick Mode Negotiation  Four ISAKMP messages to determine traffic to be secured and how it is secured  Initiator and responder exchange: • SA payloads (how to secure traffic) • Identification payloads (the traffic to secure)
  • 36. 36 IPSec On the WireIPSec On the Wire OrOr Fun With NetMon!Fun With NetMon! Demo
  • 37. 37 Agenda  What is IPSec?  How does IPSec Work?  Configuring/Using IPSec  Issues  Best Practices  Resources
  • 38. 38 Issues with IPSec  Need for machine certificates  Interoperability  Performance/Overhead  NAT traversal
  • 39. 39 Need for Machine Certificates/Keys  IPSec is based on machine to machine communication • User credentials not used • You therefore need machine certificates  For Kerberos • Machine is the security principal • Only works for Windows 2000/2003/XP  For Certificate based authentication • How to manage/deliver certificates
  • 40. 40 Performance/Overhead  IPSec incurs three sets of overhead: • Startup • Wire protocol overheads • Speed of encryption  Start up over-head • Main Mode – 6 packets • Quick Mode – 10 packets
  • 41. 41 Wire Protocol Overhead Mode Inbound Outbound Total Bytes Normal IP Traffic 2,084,031 94,646,227 96,730,257 AH Traffic 2,700,627 96,174,275 98,874,902 ESP Traffic 2,867,099 96,941,132 99,808,231 AH Overhead 616,596 1,528,048 2,144,645 ESP Overhead 783,068 2,294,905 3,077,974 % AH Overhead 29.59% 1.61% 2.22% % ESP Overhead 37.57% 2.42% 3.18%
  • 42. 42 IPSec Hardware Acceleration  IPSec per-packet hardware acceleration for 10/100 Ethernet  Client/Svr cards retail circa $100  3Com • 3CR990B-97 - 10/100 UTP • 3CR990B-FX-97 – 10/100 Fiber • Wire Speed IPSec • Max 75 SAs supported • http://www.3com.com/other/pdfs/products/en/400833.pdf - Or - • http://tinyurl.com/3er3f  Intel • Intel® PRO/100 S Desktop/Server • http://www.intel.com/network/connectivity/resources/doc_library/documents/ pdf/intel_ipsec_final.pdf - Or - • http://tinyurl.com/37hcn
  • 43. 43 XP IPSec Performance Improvements  Doubled number of new SAs per minute  Reliable delete handling in IKE  Doubled packet filtering speed (throughput)  Client LDAP retrieval of AD policy 5 times faster than Windows 2000  Both Intel and 3Com 32bit x86 10/100Ethernet offload support shipping in the box
  • 44. 44 IPSec NAT-T  Network Address Translators (NATs) invalidate IPSec packet protections  IPSec NAT Traversal (NAT-T): • Encapsulates ESP-protected payloads with a UDP header • Defines additional Main Mode payloads to detect IPSec NAT-T-capable peers and whether either is behind a NAT • Defines an additional Quick Mode payload to indicate untranslated addresses • Allows ESP-protected traffic to traverse a NAT
  • 45. 45 Agenda  What is IPSec?  How does IPSec Work?  Configuring/Using IPSec  Issues  Best Practices  Resources
  • 46. 46 Scripting  NETSH –C IPSEC – with Windows Server 2003  Netsh IPsec  No dump command  • It is included • It does nothing!  Help text has few examples  Error messages generally totally unhelpful  Lots of trial and error seems to be needed!
  • 47. 47 Best Practices  Establish an IP Security deployment plan  Avoid Pre-shared keys  Configuration of certificate requests  Script, script, script

Hinweis der Redaktion

  1. #
  2. IPSec driver compares each outbound IP packet against filters contained in IPSec policy If packet matches a filter, stall packet in queue and call IKE to negotiate IPSec security associations
  3. Right click on IPSec policies and click Manage IP filter lists and filter actions Click Add on IP filter list In the IP Filter List dialog, click the Add button. The IP filter wizard starts. Call the Filter Inbound Web Traffic and unclick use Add Wizard The source address is Any IP address. The destination address is A specific IP address. Enter the IP address of the interface that’s connected to the Internet or use My IP address instead. Choose the appropriate IP protocol. In this example, it’s TCP. Under ports change the destination port by clicking To this port and enter 80. Finally, finish the wizard. Add another filter for SSL but change the port to 443 Under Manage Filter Action create a Block option. Click on Add name the action Block and click Block from the options Now create IPSec policy called it Allow Web Traffic Uncheck Activate the default response rule. Click the Add button to begin the wizard for adding a rule to the policy. The steps are: For the tunnel endpoint, choose The rule does not specify a tunnel. The network type is All network connections. The authentication method is Windows 2000 default (Kerberos V5 protocol). It’s important to understand the following: since your rule actually won’t be negotiating security, it doesn’t matter which authentication method you choose. No authentication happens when rules simply block or allow traffic. Leaving the setting at its default (Kerberos) simplifies the rule creation process, however. Choose the filter list you created earlier. Following the example, you’d pick Inbound web protocols. Choose the Permit filter action and click Finish the wizard. Repeat the process once more, this time associating the All IP Traffic filter list with the Block filter action. Finish and assign the new policy