Cryptography can be applied in communication of data and information, which you will see in the form of IPsec, SSL, and PGP. In this section we will examine these protocol suites and see how cryptography fits in.
Internet Protocol Security (IPsec) is a set of protocols designed to protect the confidentiality and integrity of data as it flows over a network. The set of protocols is designed to operate at the Network layer of the OSI model and process packets according to a predefined group of settings.
Some of the earliest mechanisms for ensuring security worked at the Application layer of the OSI model. IPsec is a new technology that has proven to be more successful than many of the previous methods.
IPsec has been widely adopted not only because of its tremendous security benefits but also because of its ability to be implemented without major changes to individual computer systems.
IPsec is especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks.
IPsec provides two mechanisms for protecting information: Authentication Header and Encapsulating Security Payload. The two differ in what they provide:
- Authentication Header (AH) authenticates the sender of the data and protects its integrity, but does not encrypt it.
- Encapsulating Security Payload (ESP) authenticates the information and also encrypts the data.
Working with IPsec
In this exercise you will learn how to create a simple IPsec policy in the Windows operating system.
The following steps show you how to create an IPsec Negotiation policy on a Windows computer:
1. On Computer A, click Start ➢ All Programs ➢ Administrative Tools, and then select Local Security Policy.
2. Right-click IP Security Policies on the Local Computer node, and then choose Create IP Security Policy.
3. On the Welcome screen of the IP Security Policy Wizard, click Next.
4. In the Name field, type Secure21. In the Description field, type Policy to encrypt FTP, and then click Next.
5. On the Default Response Rule Authentication Method screen, choose the option Use This String To Protect The Key Exchange (Preshared Key) and type password.
6. On the Completing The IP Security Policy Wizard screen, ensure that Edit Properties is selected, and then click Finish.
7. In the Secure21 Properties dialog box, click Add.
8. On the Welcome To The Create IP Security Rule Wizard screen, click Next.
9. On the Tunnel EndPoint screen, click This Rule Does Not Specify A Tunnel. Click Next.
10. On the Network Type screen, click All Network Connections, and then click Next.
11. On the IP Filter List screen, click Add.
12. In the IP Filter List dialog box that appears, type Link1986, and then click Add.
13. On the Welcome screen of the IP Filter Wizard, click Next.
14. In the Description field, type 21 IPsec Filter. Click Next.
15. On the IP Traffic Source screen, click Any IP Address, and then click Next.
16. On the IP Traffic Destination screen, click Any IP Address, and then click Next.
17. On the IP Protocol Type screen, click TCP in the drop-down list, and then click Next.
18. On the Protocol Port screen, select From This Port, type 21 in the text box, select To Any Port, and then click Next.
19. On the Completing The IP Filter Wizard screen, click Finish, and then click OK.
20. In the IP Filter list, select Link1986, and then click Next.
21. In the Filter Action dialog box, click Add.
22. In the Filter Action Wizard dialog box, click Next.
23. In the Filter Action Name dialog box, type Secure21Filter, and then click Next.
24. In the Filter Action General Options dialog box, select Negotiate Security, and then click Next.
25. On the Communicating With Computers That Do Not Support IPsec screen, select Do Not Allow Unsecured Communications, and then click Next.
26. On the IP Traffic Security screen, select Integrity and Encryption, and then click Next.
27. On the Completing The IP Security Filter Action Wizard screen, click Finish.
28. In the Filter Action dialog box, select Secure21Filter, and then click Next.
29. In the Authentication Method dialog box, select Use This String To Protect The Key Exchange (Preshared Key), type password, and then click Next.
30. On the Completing The Security Rule Wizard screen, click Finish.
31. In the Secure21 Properties dialog box, click OK.
Once you’ve created the policy, you must activate it, so let’s do that.
On Computer A:
1. Click Start ➢ All Programs ➢ Administrative Tools ➢ Local Security Policy.
2. Select the Local Computer node ➢ IP Security Policies, and in the right pane right-click the Secure21 policy and click Assign.
On Computer B:
1. In the Local Security Policy Microsoft Management Console (MMC), on the Local Computer node right-click IP Security Policies, select All Tasks, and then click Export Policies.
2. In the Save As dialog box, type C:\IPsecPolicy\IPsecurityPolicy21.ipsec, and then click Save. You must then save the IPsec policy.
Import the security policy to a Windows machine.
Next, configure a Security Association rule in the Windows Firewall with Advanced Security MMC:
1. On Computer A, click Start ➢ Administrative Tools ➢ Windows Firewall With Advanced Security.
2. Select and then right-click Connection Security Rules, and then click New Rule.
3. In the New Connection Security Rule Wizard, select Server-To-Server, and then click Next.
4. On the Endpoints screen, select Any IP Address for both options, and then click Next.
5. On the Requirements screen, select Require Authentication For Inbound And Outbound Connections, and then click Next.
6. On the Authentication Method screen, select Preshared Key, type password in the text box, and then click Next.
7. On the Profile screen, verify that the Domain, Private, and Public options are selected, and then click Next.
8. In the Name text box, type Secure Server Authentication Rule, and then click Finish.
9. Perform steps 1–8 on Computer B.
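The connection security rule built in steps 1–9 can also be created from an elevated PowerShell session with the NetSecurity cmdlets; this is an added example, not part of the original exercise. The display names, the TCP/21 scope (matching the FTP filter created earlier) and the preshared key value are assumptions; "password" mirrors the exercise and would be replaced by a long random string outside a lab.

```powershell
# Added example: PowerShell equivalent of the "Secure Server Authentication Rule"
# created in the Windows Firewall with Advanced Security MMC. Run elevated on both
# computers (NetSecurity module, Windows 8 / Server 2012 and later).
$Psk = 'password'   # lab value from the exercise; use a long random secret elsewhere

# Phase 1 (main mode) authentication: machine-level preshared key, as in step 6.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Secure21 PSK Auth' -Proposal $proposal

# Server-to-server rule: any endpoints, authentication required inbound and outbound,
# applied to the Domain, Private and Public profiles (steps 3-8). Scoped to TCP/21
# so only FTP control traffic is forced through IPsec transport mode.
New-NetIPsecRule -DisplayName 'Secure Server Authentication Rule' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -Protocol TCP -LocalPort 21 `
    -Profile Domain,Private,Public `
    -Mode Transport

# Check: the rule exists with Require/Require, and after FTP traffic to the peer
# both a main mode and a quick mode security association have been negotiated.
Get-NetIPsecRule -DisplayName 'Secure Server Authentication Rule' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Profile, Enabled
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

If no quick mode SA appears after a connection attempt, the peer's rule or preshared key does not match; with "Do Not Allow Unsecured Communications" the traffic is dropped rather than sent in the clear.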