NAT and ICS
In the previous section, all of the security systems and methods described were for securing
the operating system and the data on the physical hard disk. Those mechanisms are of no use if an
attacker is able to sniff network packets.
Network Address Translation (NAT) is used to mask internal IP addresses with the IP
address of the external Internet connection. Networks require NAT in their security
policies to add an additional security "layer" between the Internet and the intranet.
NAT functions by taking a request from an internal client and making that request to
the Internet on behalf of the internal client. In this configuration, clients on the internal
network (the local LAN) are not required to have a public IP address, thus conserving
public IP addresses. The internal clients can be given IP addresses from the
private network blocks. Private IP addresses are not routed on the Internet, and the
address ranges are:
Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
In addition, Microsoft has designated the range 169.254.0.0 - 169.254.255.255 for
private addressing.
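As an added illustration (not from the original text), the following Python model shows what the NAT described above does with a packet: outbound flows from the private LAN are rewritten to the single public address, and inbound traffic is only translated back when an internal client created the mapping; the public address 203.0.113.5 and the remote hosts are constructed sample values.

```python
"""Added illustration of NAT: a port-translating NAT that rewrites outbound
client traffic to one public address and only lets replies back in when an
internal client created the mapping (everything else from outside is dropped)."""
import ipaddress

# The private blocks listed above plus the 169.254.0.0/16 range.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the non-routable ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_BLOCKS)


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip        # the single external address
        self.next_port = first_port       # next free port on the public side
        self.out = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.back = {}   # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal client's packet; returns the rewritten 4-tuple."""
        if not is_private(src_ip):
            raise ValueError("outbound packets must come from the private LAN")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:                 # new flow: allocate a public port
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.back[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a reply back to the client, or return None (dropped) if no
        internal client ever opened this flow."""
        target = self.back.get((dst_port, src_ip, src_port))
        if target is None:
            return None
        return (src_ip, src_port, target[0], target[1])


if __name__ == "__main__":
    # Constructed sample addresses taken from the documentation ranges.
    nat = Nat("203.0.113.5")
    print(nat.outbound("192.168.1.10", 51000, "198.51.100.7", 80))
    print(nat.inbound("198.51.100.7", 80, 40000))   # reply: translated back
    print(nat.inbound("198.51.100.9", 22, 40000))   # unsolicited: None
```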
NAT is an integral part of Routing and Remote Access Services (RRAS), as well as
part of Internet Connection Sharing (ICS). The version of NAT used by ICS is a scaled-down
form of the full version, and does not allow the level of configuration that the
RRAS NAT allows. ICS is intended for a small office or a home network, where there is
one Internet connection to be shared by the entire network. All users connect
via a single interface, usually a modem, DSL, or cable access point.
The Windows 2000 RRAS is made up of several components, including: (1) Network Address
Translation (NAT), (2) routing protocols (RIP, OSPF), (3) VPN support (L2TP and
PPTP), and (4) Remote Authentication Dial-In User Service (RADIUS).
The Remote Access Server component of RRAS accepts PPP connections and performs the
required authentication. For authentication, RRAS can use the Remote Authentication
Dial-In User Service (RADIUS) or Windows authentication. If RRAS is using
RADIUS, when a user makes an authentication request to the RRAS server, the
dial-in credentials are passed to the RADIUS server. The RADIUS server then
performs the authentication and authorization that allow the client to access the
network.
The Remote Access Policy is controlled via the Internet Access Server (IAS), which
is the Microsoft version of RADIUS. The RRAS server itself does not control the
Remote Access Policy. IAS performs several functions for remote users of the
network, including authentication, authorization, auditing, and accounting for users
who connect to the network via dial-up and VPN connections. For authentication, IAS
allows great flexibility, accepting PAP, CHAP, MS-CHAP, and EAP. EAP is the
Extensible Authentication Protocol, and is used in conjunction with technologies such
as smart cards, token cards, and one-time passwords.
IPSec
IPSec is a framework for ensuring secure private communication over IP networks.
IPSec provides security for the transmission of critical and sensitive information over
unprotected networks such as the Internet. IPSec VPNs use the services defined
within IPSec to ensure the confidentiality, integrity, and authenticity of data communications
over a public network such as the Internet. IPSec operates at the network layer, protecting
and authenticating IP packets between participating IPSec devices. IPSec
provides the following network security services:
Data Confidentiality - The IPSec sender can encrypt packets before transmitting
them across a network.
Data Integrity - The receiver can authenticate packets sent by the IPSec sender
to ensure that the data has not been altered during transmission.
Data Origin Authentication - The IPSec receiver can authenticate the source of
the IPSec packets sent. This service is dependent upon the data integrity service.
Anti-Replay - The IPSec receiver can detect and reject replayed packets.
In Windows 2000, you have two options for IPSec implementation: Transport Mode
and L2TP Tunnel Mode. Transport Mode is designed for securing communication
between nodes on an internal network. L2TP Tunnel Mode is designed for securing
communications between two networks.
IPSec Features
Two high-level features of IPSec are the Authentication Header (AH) and the
Encapsulating Security Payload (ESP). AH is used to provide data communication
with both integrity checking and source authentication, and ESP is used to provide
confidentiality. When using IPSec to secure communication, both the sender and the
receiver (and only those two) know the security key used. Once authenticated, the
receiver knows that the communication in fact comes from the sender, and that the
data has not been modified.
Since IPSec works at the IP layer, it is able to secure communications for multiple
protocols, including TCP, UDP, and ICMP. From a user's viewpoint, the implementation
of IPSec is transparent; the user is not required to modify their environment in any
way to use IPSec.
Windows 2000 IPSec Components
The Windows 2000 implementation of IPSec uses three components: (1) the IPSec Policy
Agent Service, (2) Internet Key Exchange (IKE), and (3) Security Associations (SA). The
IPSec Policy Agent Service retrieves the IPSec policy as configured in Active Directory or
the Registry, and provides that information to IKE. Every Windows 2000 machine
runs the IPSec Policy Agent Service, and the policy is pulled when the system starts, as
Active Directory settings are applied.
IKE manages the Security Associations (SAs) and creates and manages the actual
authentication keys that are used to secure the communications. This happens in two
distinct steps: (1) the first step establishes a secure, authenticated channel
of communication, and (2) the second step determines the Security Associations.
The SAs specify both the security protocol and the key that will be
used.
IPSec Implementation Options
The configuration may be applied in Active Directory or directly to the Registry. IPSec
policies may be applied to computers, domains, OUs, or other GPOs in Active Directory.
The IPSec options are in Group Policy, under Security Settings.
There are three predefined policy options for IPSec implementations. They
are: Client (Respond Only), Server (Request Security), and Server (Require Security).
o Client (Respond Only) - Under this policy, communications are not
secured most of the time. Computers with this policy respond to a request for
secure communication by using a default response. If a client needs to access a
secured server, it can use normal communications.
o Server (Request Security) - Communication must be secured most of the time,
but unsecured communications from non-IPSec computers are allowed. The server
requests IPSec from the client first, and opens a secured communication channel if
the client can respond securely.
o Server (Require Security) - This policy states that communication must always
be secured; all traffic must use IPSec or it will not be accepted, and the
connection will be dropped.
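As an added worked example (not part of the original text), the following Python model captures how the three predefined policies above behave when two peers connect; a peer's policy is one of the three names, or None for a host that cannot use IPSec at all. The outcome labels "secured", "cleartext" and "dropped" are this example's own naming.

```python
"""Added model of the three predefined Windows 2000 IPSec policies above.
negotiate() returns what happens when `initiator` opens a connection to
`responder`: traffic ends up IPSec-protected, passes unsecured, or is dropped."""

RESPOND_ONLY = "Client (Respond Only)"
REQUEST = "Server (Request Security)"
REQUIRE = "Server (Require Security)"


def negotiate(initiator, responder):
    """Outcome of a connection attempt: 'secured', 'cleartext' or 'dropped'."""
    # Request/Require Security peers ask the other side for IPSec first.
    if initiator in (REQUEST, REQUIRE):
        if responder is None:                   # peer cannot answer securely
            return "cleartext" if initiator == REQUEST else "dropped"
        return "secured"                        # any IPSec-capable peer responds
    # Respond Only (or a non-IPSec host) opens with normal, unsecured traffic;
    # what happens next depends on the responder's policy.
    if responder in (REQUEST, REQUIRE):
        if initiator is None:                   # non-IPSec host cannot respond
            return "cleartext" if responder == REQUEST else "dropped"
        return "secured"                        # Respond Only answers the request
    return "cleartext"                          # neither side ever asks for IPSec


def outcome_matrix():
    """Every policy combination, for reviewing what a policy choice allows."""
    peers = [None, RESPOND_ONLY, REQUEST, REQUIRE]
    return {(a, b): negotiate(a, b) for a in peers for b in peers}


if __name__ == "__main__":
    for (a, b), result in outcome_matrix().items():
        print(f"{a or 'non-IPSec host':26} -> {b or 'non-IPSec host':26}: {result}")
```

The matrix makes the key point of the section visible: only Require Security ever drops traffic, and two Respond Only peers never secure anything.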