2025-01-19 Update From: SLTechnology News&Howtos
Host Hardening with IPSec
1 Introduction
The beauty of the Internet is that you and everyone can connect to each other.
The scary thing about the Internet is that everyone can connect to you.
2 Common Attack Methods
- Network sniffing
- Data tampering
- Spoofing
- Man-in-the-middle attack
- Password cracking
- Buffer overflow
3 Four Criteria of Network Security
- Data confidentiality
- Data integrity
- Authentication
- Non-repudiation
4 What Is IPSec?
IPSec is an industry standard for network security, not a tool or feature unique to Windows; it is supported by many other systems such as Unix, Linux and Mac OS (Windows 2000 built IPSec into the system kernel).
5 What Is an IPSec Policy?
- IPSec uses policies and rules to improve network security.
- A rule consists of:
  a filter list
  a filter action
  an authentication method
- Default policies (present in earlier Windows versions):
  Client (Respond Only)
  Server (Request Security)
  Secure Server (Require Security)
6 What IPSec Can Do
- Block a protocol
- Encrypt data
- Close a port
- Authentication
- ...
6.1 Opening IPSec
6.1.1 Via Start > Run
Enter secpol.msc (Local Security Policy) in Start > Run.
6.1.2 Via MMC
Enter mmc in Start > Run. In the console, click File > Add/Remove Snap-in > IP Security Policy Management, click Add, select Local Computer in the confirmation dialog that appears, and click OK.
6.2 Blocking a Protocol
6.2.1 Example: Block PING (ICMP)
6.2.2 Create the policy
Right-click an empty area in the right pane of IP Security Policies and select Create IP Security Policy > Next > enter a custom name > Next > Next > Finish.
6.2.3 Add a new security rule
Uncheck "Use Add Wizard" and click Add.
6.2.4 Add a filter (define the traffic: which protocol, from where, to where)
Click Add, enter a custom name for the filter list, uncheck "Use Add Wizard" and click Add.
Under the Addresses tab, select "Any IP Address" as the source address and "My IP Address" as the destination address.
//Mirrored: once the IPSec policy is in effect, this setting controls whether other hosts can PING this host. If Mirrored is checked, this host cannot PING other hosts either (ICMP is a round trip, so even with Mirrored unchecked the two hosts cannot PING each other).
Switch to the "Protocol" tab, select ICMP, then click OK > OK.
//You can add one rule that allows only a specific host's IP to PING this host and another rule that denies PING from any IP. The net result is that only the specific host can PING this host and all other hosts cannot.
6.2.5 Select the filter action
Check the "PING" filter list created in the previous step, switch to the "Filter Action" tab, uncheck "Use Add Wizard" and click Add.
Under the Security Methods tab, select "Block".
//Permit: allow the traffic; Block: deny the traffic; Negotiate Security: encrypt the traffic.
Under the General tab, enter a custom name (NO here), then click Apply > OK.
Check the newly created "NO" under "Filter Action" and click Apply > OK > OK.
6.2.6 Assign the policy
At this point the policy has been created but is not yet in effect: select the policy and right-click > Assign.
6.3 Closing a Port
6.3.1 Example: Close port 80
6.3.2 View the ports open on this host
Run netstat -na at the CMD prompt.
6.3.3 Create the policy
Right-click an empty area in the right pane of IP Security Policies and select Create IP Security Policy > Next > enter a custom name > Next > Next > Finish.
6.3.4 Add a new security rule
Uncheck "Use Add Wizard" and click Add.
6.3.5 Add a filter (define the traffic: which protocol, from where, to where)
Click Add, enter a custom name for the filter list, uncheck "Use Add Wizard" and click Add.
Under the Addresses tab, select "Any IP Address" as the source address and "My IP Address" as the destination address.
Switch to the "Protocol" tab, select TCP, set the ports to "From any port" and "To this port: 80", then click OK > OK.
6.3.6 Select the filter action
Check the "Deny80" filter list created in the previous step, switch to the "Filter Action" tab, check the "NO" action created earlier, and click Apply > OK.
6.3.7 Assign the policy
At this point the policy has been created but is not yet in effect: select the policy and right-click > Assign.
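The same filters, "NO" action and rules from sections 6.2 and 6.3, built from the command line with the legacy netsh ipsec static context instead of the secpol.msc GUI. This is an added example, not part of the original course material; it assumes an elevated CMD prompt on a Windows host that still carries the netsh ipsec context, and the policy, filter list and rule names are arbitrary.

```batch
@echo off
rem Only ONE local IPSec policy can be assigned at a time, so both rules
rem go into a single policy rather than two separate policies as in the GUI walkthrough.
netsh ipsec static add policy name=HostHardening description="Block ICMP and TCP/80 to this host"

rem 6.2.4 Filter list "PING": any source -> my IP, ICMP.
rem mirrored=yes matches the GUI default; it also blocks this host's own outbound PING.
netsh ipsec static add filterlist name=PING
netsh ipsec static add filter filterlist=PING srcaddr=any dstaddr=me protocol=ICMP mirrored=yes

rem 6.3.5 Filter list "Deny80": any source, any port -> my IP port 80, TCP.
netsh ipsec static add filterlist name=Deny80
netsh ipsec static add filter filterlist=Deny80 srcaddr=any dstaddr=me protocol=TCP dstport=80 mirrored=yes

rem 6.2.5 Filter action "NO" = the GUI's "Block" security method.
netsh ipsec static add filteraction name=NO action=block

rem Rules tie each filter list to the action; a block action needs no authentication method.
netsh ipsec static add rule name=BlockPing policy=HostHardening filterlist=PING filteraction=NO
netsh ipsec static add rule name=BlockHttp policy=HostHardening filterlist=Deny80 filteraction=NO

rem 6.2.6 / 6.3.7 Assign: nothing is enforced until the policy is assigned.
netsh ipsec static set policy name=HostHardening assign=y

rem Verify what is now in force, then test from another host (PING and port 80 should fail).
netsh ipsec static show policy name=HostHardening
netsh ipsec static show filteraction name=NO

rem Roll back: unassign, or delete the policy to remove it completely.
rem netsh ipsec static set policy name=HostHardening assign=n
rem netsh ipsec static delete policy name=HostHardening
```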
6.4 Encrypting Data / Authentication
6.4.1 Install the packet capture software
Install the Windows packet capture tool Netmon (Microsoft Network Monitor). Download addresses:
http://blogs.technet.com/b/netmon/p/downloads.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=4865
6.4.2 Capture packets (plaintext)
Check the network card to capture on, then create a new capture.
Click Start to begin capturing.
From another server, 192.168.202.24, ping this host, 192.168.202.23.
6.4.3 View the results
Click the "Stop" button in the menu bar, select the target IP address "192.168.202.24" in the left column, and click one of the 8 packets in the right pane (ping sends 4 requests, each with a reply, so there are 8 records). Readable ASCII letters are visible in the lower right corner, which shows that the packet is not encrypted.
6.4.4 Host A: Configure the IPSec Encryption Policy
//For an IPSec data encryption policy, both communicating hosts must configure an IPSec policy and use the same encryption/decryption algorithms.
1. IP filter list
2. Filter action
//Description of the relevant options:
Integrity only
Does not encrypt the data; a hash algorithm alone ensures the data has not been tampered with. If the data is tampered with, it is not accepted.
Encryption and integrity
Both data integrity and data encryption are provided.
Data and address integrity without encryption (custom option)
Integrity only.
Data integrity and encryption (custom option)
Only the integrity of the data (not the address) is guaranteed, and the data is encrypted.
Session key settings (custom option)
How often a new key is generated; the smaller the value, the more secure but the slower.
3. Authentication method
Configuring data encryption also requires configuring an authentication method.
//Description of the relevant options:
Active Directory default
Requires an AD domain environment; authentication uses its Kerberos protocol.
Use a certificate issued by this certification authority
Requires a certificate server; authentication is carried out with certificates.
Use a pre-shared key
Authentication by a shared key, needing neither an AD domain nor a certificate server (the key configured on both hosts must be identical).
6.4.5 Host B: Configure the IPSec Encryption Policy
Configure the IPSec policy on host B in the same way.
6.4.6 Capture packets (ciphertext)
Check the network card to capture on, then create a new capture.
Click Start to begin capturing.
From another server, 192.168.202.24, ping this host, 192.168.202.23.
6.4.7 View the results
This time, looking at the packet contents, they are no longer recognizable characters but "garbage", indicating that the data is encrypted.
//ESP indicates that the communication data is encrypted.
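The encryption policy of sections 6.4.4 and 6.4.5 (Negotiate Security with a pre-shared key) expressed with netsh ipsec static, as an added example that is not part of the original course. It assumes the two lab hosts from the text, 192.168.202.23 (A) and 192.168.202.24 (B), an elevated CMD prompt on each, and a pre-shared key of your own in place of the placeholder; the policy, filter list, action and rule names are arbitrary.

```batch
@echo off
rem Run on host A (192.168.202.23); on host B (192.168.202.24) set PEER=192.168.202.23.
rem Both hosts must use the same security method and the same pre-shared key.
set PEER=192.168.202.24

netsh ipsec static add policy name=EncryptPeer description="Require ESP to and from the peer"

rem Filter list: all traffic between my IP and the peer, both directions.
netsh ipsec static add filterlist name=PeerTraffic
netsh ipsec static add filter filterlist=PeerTraffic srcaddr=me dstaddr=%PEER% protocol=ANY mirrored=yes

rem Filter action "Negotiate Security": ESP gives data integrity + encryption (6.4.4 option 2);
rem AH[SHA1] instead would be "integrity only". 3DES/SHA1 are the strongest algorithms this
rem legacy context offers. inpass=no and soft=no refuse any fallback to cleartext.
netsh ipsec static add filteraction name=RequireESP action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Rule: authentication by pre-shared key only (no AD domain or CA needed). Placeholder key.
netsh ipsec static add rule name=EncryptToPeer policy=EncryptPeer filterlist=PeerTraffic filteraction=RequireESP kerberos=no psk="REPLACE-WITH-A-LONG-RANDOM-PSK"

rem Assign on BOTH hosts; until the peer is also assigned, traffic to it is dropped, not sent in clear.
netsh ipsec static set policy name=EncryptPeer assign=y

rem Verify: after a PING from the peer, the negotiated security associations are visible here,
rem and the Netmon capture of 6.4.6 shows ESP packets instead of readable ICMP payloads.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```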
7 Reference Links
7.1 Course download address
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032320936&Culture=zh-CN
7.2 Software download address
http://blogs.technet.com/b/netmon/p/downloads.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=4865