Sunday, July 31, 2005

Policy, Process, and Technology

The policy is what tells us the solution we want to achieve. After we have that goal, we can define the appropriate processes to achieve it, and only then can we create a technology solution to implement the processes.

The security policy is what tells you what threats you are facing, which ones you are willing to accept, and which ones you want to mitigate.

Adopted from Protect Your Windows Network : From Perimeter to Data by Jesper M. Johansson, Steve Riley.

Why a Security Policy Is Necessary

Here is why:
  • Policies enable management to make a statement about the value of info to the business
  • Policies can permit actions that would otherwise backfire
  • A policy is necessary to define what constitutes appropriate behavior
  • A policy provides fondation for prosecution or human resources action

Howerver, none of these are really the main management driver behind policy. Management likes policies that provide a shield. A policy largely is legal risk management; it is how senior management keeps the corporation from the legal wrongdoing of a few bad apples.

Adopted from Protect Your Windows Network : From Perimeter to Data by Jesper M. Johansson, Steve Riley.

Thursday, July 28, 2005

Security in Winsows Vista: UAP and NAP Framework

Windows Vista improves the Windows privilege model to help prevent users from running programs that attempt to perform operations that the user doesn’t really intend or authorize with User Account Protection (formerly called Least-privileged User Account, or LUA), which enables users to run at low privilege most of the time, while being able to easily run applications requiring more privilege as necessary.

In addition, the Network Access Protection (NAP) framework enables system administrators to define and enforce policies that require network clients to establish their trustworthiness and compatibility with the network before being given a specified access. Developers use API-level access to NAP and the Windows Filtering Platform (WFP) to reduce user and administrator security workloads by providing application-specific security settings supporting Firewall and NAT transversal, allowing more detailed (down-to-packet-level) screening of data transmissions, and isolating and validating new tools and their configurations prior to fully installing and integrating them into a running system.

Adopted from by John Montgomery. He also talked about many other features in Windows Vista in his post.

Monday, July 25, 2005

Using IPsec for Domain Isolation

You can use IPsec for domainisolation. You first add this IPsec policy to your default domain group policy:
  • Filter list - use the existing All IP Traffic example filter list
  • Filter action - ESP only, null encryption, SHA-1 integrity; require security; don't communicate with non-IPsec machines
  • Rule - link the list with the action; all interfaces; no tunnel; Kerboros authentication; no default response

You also need to create a rule that exempts your domain controllers, because you need to communicate with them to authticate and get the Kerberos ticket that's used for all other communications:

  • Filter list - filters with the addresses or address ranges of your domain controllers
  • Filter action - permit
  • Rule - link the list with the action; all interfaces; no tunnel; any authentication method (it doesn't matter because there's no IPsec security association here)

You also need similar exceptions for devices that can't participate in IPsec, such as network printers, computers with older OS that can't run IPsec, and so on.

Notes are taken from Protect Your Windows Network : From Perimeter to Data by Jesper M. Johansson, Steve Riley.

Using IPsec to Protect Servers

You can use a block-all-except policy to protect servers. On extremely heavily loaded servers, performance under IPsec block/allow policies can suffer. RRAS packet filters do better but they aren't manageable.

Notes are taken from Protect Your Windows Network : From Perimeter to Data by Jesper M. Johansson, Steve Riley.

Sunday, July 24, 2005

IPsec over NAT

One of the biggest deployment blockers for IPsec is the presence of NAT (network address translation). IPsec authenticates computers; NAT hides them. So they are fundamentally at odds.

Three problems loomed over IPsec and NAT:
  • AH integrity violation
  • IPsec "helpers"
  • IKE fragmentation

It's now possible to deploy L2TP+IPsec VPNs even if NAT is present on Windows 2003 Servers. UDP-ESP combined with NAT-T is used.

Notes are taken from Protect Your Windows Network : From Perimeter to Data by Jesper M. Johansson, Steve Riley.

Saturday, July 23, 2005

Notes on IPsec

IPsec is a name that's been given to a suite of security protocols used to secure IP traffic between computers.

When two computers (peers) use IPsec to communicate, they create two kinds of security associations. In the first, called main mode or phase one, the peers mutually authenticate themselves to each other, thus establishing trust between the computers. In the second, called quick mode or phase two, two peers negotiate the particulars of the security association, including how they digitally sign and encrypt traffic between them.

A computer can have only one IPsec policy assigned at a time. The policy can have any number of rules, each of which has a filter list and a filter action. Filter lists contain one or more filters that specify: source and destination addresses, source and destination port numbers, and protocol types. Filter actions specify the behaviors of the rule: whether to permit traffic, block traffic, or negotiate the pair of IPsec security associations. Actions that specify negotiating security can have many options, including encryption suites, per-packet authentication methods, how often to generate new keys, how to respond to incoming insecure requests, and whether to communicate with computers that don't support IPsec.

Each rule in an IPsec policy combines:
  • One filter list with one filter action
  • The security association's mode (transport or tunnel)
  • One of three phase-one authentication methods

Traffic that matches a particular filter list is processed according to the settings in the linked filter action.

The three phase-one authentication methods are preshared keys, digital certificates, and Kerberos.

Filter actions that negotiate security can choose one or both of two different phase two security methods (protocols): Authentication Header (AH) and Encapsulating Security Payload (ESP). They can be run individually or on top of one another. In addition, they both support two distinct modes of operation: transport and tunnel. AH provides only authentication and integrity protection; it doesn't encrypt the channel. ESP provides full CIA on the channel, but costs a bit more in terms of bandwidth. Ferguson and Schneier recommend ESP in tunnel mode as the only option. Keith Brown further suggests that you use ESP in transport mode for securing communications within your organization. L2TP+IPsec VPNs use tranport mode. In Windows IPsec, tunnel mode is supported only for site-to-site VPNs on RRAS gateways and not for any kind of client-to-client or client-to-server communications.

Transport mode and tunnel mode are the two kinds of phase one security association modes.

Key exchange is described by a couple of layered standards: Internet Security Association Key Management Protocol (ISAKMP), and Internet Key Exchange (IKE). A Security Association (SA) is identified by a triplet that consists of a peer's IP address, a protocol identifier (AH or ESP), and an index to a set of parameters (such as what encryption and hash algorithms should be used to protect packets). One of the things that the key exchange protocols do is help establish an SA between two machines.

IPsec is thus very useful for protecting communications between machines, but it doesn't help a server implement any form of user authentication or authorization.

In Windows, you enable IPsec via security policy. Either you can edit the local security policy of individual machines or you can use domain group policy to configure IPsec in a consistent way on a whole group of machines.

To configure IPsec related settings, it's recommended to use the ESP protocol using 3DES encryption with HMAC-SHA1 integrity protection. Another option you should enable is called "Session key perfect forward secrecy (PFS)."


Tuesday, July 19, 2005

SSL Session Key and Key Pair

If you select the Require 128-bit Encryption check box in IIS, you configure your Web server to require a 128-bit minimum session-key strength for all Secure Sockets Layer (SSL) communications. This is the default session-key strength for Microsoft Windows Server 2003. The session key is not the same as an SSL key pair, which is used to negotiate and establish a secure communication link.

Tuesday, July 05, 2005

Notes on VPN

I know almost nothing about VPN before. The following are my notes from various resources.

To be considered a VPN, the technology must perform at least two functions: authenticate the end user and assign the remote node an IP address routable on the local network. A VPN is virtual because it rides atop some real network; it's private because the communication between the client node and the VPN server are encrypted.

There are two VPN types: PPTP and L2TP+IPsec.

  • Used only IP-based networks
  • Uses PPP (MPPE) encryption
  • Allows IP, IPX, and NetBEUI traffic to be encrypted
  • Tunnel authentication
  • Works over NAT
  • Port 1723/tcp and IP protocol 47


  • Support any point-to-point connection, including IP, ATM, and trame relay
  • Encryption is hnadled by IPsec
  • Allows IP traffic to be encrypted
  • No tunnel authentication
  • Both machine-level (IPsec) and user-level (L2TP) authentication are provided
  • IPsec transport mode is used
  • Doesn't work with NAT until Windows Server 2003
  • Windows Server 2003 includes a basic VPN quarantine function
  • Port 1701/udp and IP protocol 50

Unless you have a need to inspect all traffic between VPN clients and the internal network, the best place to locate your VPN server is alongside your firewall.