IP Security

IPSec is another new feature of Windows 2000. IPSec uses cryptography-based security to provide access control, connectionless integrity, data origin authentication, protection against replays, confidentiality, and limited traffic flow confidentiality. Because IPSec is provided at the IP layer, its services are available to the upper-layer protocols in the stack and are transparently available to existing applications, which need no changes to benefit from them.

IPSec enables a system to select security protocols, decide which algorithms to use for the services, and to establish and maintain cryptographic keys for each security relationship. IPSec can protect paths between hosts, between security gateways, or between hosts and security gateways. The services available and required for traffic are configured using IPSec policy. IPSec policy can be configured locally on a computer, or can be assigned through Windows 2000 Group Policy mechanisms using Active Directory™. When using Active Directory, hosts detect policy assignment at startup, retrieve the policy, and periodically check for policy updates. The IPSec policy specifies how computers trust each other. The easiest trust to use is the Windows 2000 domain trust based on the Kerberos protocol. Predefined IPSec policies are configured to trust computers in the same or other trusted Windows 2000 domains.

Each IP datagram processed at the IP layer is compared against a set of filters that are provided by the security policy, which is maintained by an administrator for a computer, user, group, or a whole domain. IP can do one of three things with a datagram:

  • Provide IPSec services to it

  • Allow it to pass unmodified

  • Discard it

Setting up IPSec involves describing the traffic characteristics on which to filter (such as source or destination IP address, protocol, and port) and then specifying what service characteristics to apply to traffic that matches the filters. For example, in a very simple case, two computers can be configured to use IPSec between them by being members of the same Windows 2000 domain and activating the lockdown policy; Kerberos then supplies the trust. If the two computers are not members of the same domain or a trusted domain, trust must instead be configured with a password or "pre-shared" key, and a lockdown policy is built by:

  • Setting up a filter that specifies all traffic between the two hosts.

  • Choosing an authentication method. (Select pre-shared key, and enter a password. Note that the pre-shared key is stored in the policy itself in readable form, so it is intended for testing and interoperability rather than for production deployments; use certificate or Kerberos authentication where they are available.)

  • Selecting a negotiation policy ("lockdown" in this case, indicating that all traffic matching the filters must use IPSec).

  • Specifying a connection type (LAN, dial-up, or all).

Once the policy has been put in place, traffic matching the filters uses the services provided by IPSec. When one host directs IP traffic (something as simple as a ping in this case) at the other, a Security Association (SA) is first established through a short exchange over UDP port 500, using the Internet Security Association and Key Management Protocol (ISAKMP) framework as carried by the Internet Key Exchange (IKE), and then the traffic begins to flow. Because a lockdown policy never sends matching traffic in the clear, packets sent before that exchange completes are not delivered; the first ping replies typically report that IP security is being negotiated.
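The four steps above, followed by the ping that triggers the SA negotiation and a check that the SAs exist, as an added example that is not part of the original page. Windows 2000 itself has no PowerShell and builds this policy in the IP Security Policy MMC snap-in; the script below expresses the same lockdown policy with the NetSecurity cmdlets of Windows 7 / Windows Server 2008 R2 and later, which is where a practitioner would script it today. The host addresses, rule names and pre-shared key are assumed placeholders.

```powershell
# Added example (not code from the original page). Run in an elevated PowerShell
# session on BOTH hosts, swapping $LocalHost and $PeerHost on the second one.
# Assumed values: documentation addresses and a placeholder pre-shared key.
$LocalHost    = '192.0.2.10'
$PeerHost     = '192.0.2.20'
$PreSharedKey = 'replace-with-a-long-random-secret'   # placeholder; stored readable in policy

# Step 2: authentication method. A pre-shared key is a Phase 1 (main mode) proposal.
# -Machine marks it as computer authentication, matching Windows 2000 behaviour.
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$authSet     = New-NetIPsecPhase1AuthSet -DisplayName 'PSK to peer host' -Proposal $pskProposal

# Steps 1, 3 and 4 in one rule: the filter is all protocols and ports between the two
# addresses; "lockdown" is -InboundSecurity Require plus -OutboundSecurity Require, so
# matching traffic that cannot be protected is dropped rather than sent in the clear;
# the connection type maps to -InterfaceType (Any = all, Wired = LAN, RemoteAccess = dial-up).
$rule = New-NetIPsecRule -DisplayName 'Lockdown to peer host' `
    -LocalAddress $LocalHost -RemoteAddress $PeerHost -Protocol Any `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -InterfaceType Any -Mode Transport `
    -Enabled True

# With the rule active on both hosts, the first matching packet starts the IKE exchange
# on UDP 500. A ping is enough; the first replies may time out while IKE completes.
Test-Connection -ComputerName $PeerHost -Count 4 -ErrorAction SilentlyContinue | Out-Null

# Verify: one main-mode SA from the IKE/ISAKMP conversation, and quick-mode SAs carrying
# the actual traffic (one per direction), should now exist for the peer.
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $PeerHost }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $PeerHost }

# To undo the example: Remove-NetIPsecRule -DisplayName 'Lockdown to peer host'
```

Both hosts need the same key and mirrored addresses; if only one side has the rule, the Require setting makes the unconfigured peer's cleartext packets disappear silently, which is the expected lockdown behaviour rather than a fault.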

Because IPSec in ESP mode encrypts the entire IP payload, capturing an IPSec datagram sent after the SA is established reveals very little of what is actually in the datagram. The only parts of the packet that can be parsed by Network Monitor are the Ethernet and IP headers, plus the unencrypted ESP header fields that identify the SA (the SPI and the sequence number); the upper-layer protocol, ports and data remain opaque. This applies to ESP only: a policy that selects AH provides integrity and authentication but no encryption, and the payload behind an AH header is still readable in a capture.
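To make the point concrete, here is a small dissector, added as an example and not code from the original page or from Network Monitor, that reads exactly the fields that remain in the clear in an ESP-protected frame. The frame it parses is constructed inline for the example (addresses, SPI and the bytes standing in for ciphertext are all made up).

```powershell
# Added example (not from the original page): which fields of an ESP frame are readable.

function ConvertTo-UInt32BE {
    param([byte[]] $Bytes, [int] $Offset)
    # Network byte order (big-endian) 32-bit read, done in UInt64 to avoid sign issues
    return [uint64]$Bytes[$Offset] * 0x1000000 +
           [uint64]$Bytes[$Offset + 1] * 0x10000 +
           [uint64]$Bytes[$Offset + 2] * 0x100 +
           [uint64]$Bytes[$Offset + 3]
}

function Read-EspFrame {
    param([byte[]] $Frame)

    # Ethernet II header: 6-byte destination, 6-byte source, 2-byte EtherType
    $etherType = ($Frame[12] -shl 8) -bor $Frame[13]
    if ($etherType -ne 0x0800) { throw ("Not IPv4 (EtherType 0x{0:X4})" -f $etherType) }

    # IPv4 header at offset 14; IHL (low nibble of byte 0) is its length in 32-bit words
    $ip    = 14
    $ihl   = ($Frame[$ip] -band 0x0F) * 4
    $proto = $Frame[$ip + 9]
    $info  = [ordered]@{
        Source      = $Frame[($ip + 12)..($ip + 15)] -join '.'
        Destination = $Frame[($ip + 16)..($ip + 19)] -join '.'
        IpProtocol  = $proto
    }

    if ($proto -eq 50) {
        # ESP (IP protocol 50): the SPI and sequence number are the only cleartext fields.
        # The SPI names the SA negotiated over UDP 500; everything after byte 8 is ciphertext,
        # so the transport protocol, ports and data cannot be recovered from the capture.
        $esp = $ip + $ihl
        $info['Spi']            = ConvertTo-UInt32BE $Frame $esp
        $info['SequenceNumber'] = ConvertTo-UInt32BE $Frame ($esp + 4)
        $info['OpaqueBytes']    = $Frame.Length - ($esp + 8)
    }
    elseif ($proto -eq 51) {
        # AH (IP protocol 51) authenticates but does not encrypt; the payload that follows
        # its header would be fully readable. Not dissected here.
        $info['Note'] = 'AH: payload is integrity-protected but not encrypted'
    }
    return [pscustomobject]$info
}

# Constructed sample frame: Ethernet II + IPv4 (192.0.2.10 -> 192.0.2.20, protocol 50,
# total length 60) + ESP header (SPI 0x12345678, sequence 1) + 32 bytes standing in
# for ciphertext. The IP checksum is left zero; it is not needed for the dissection.
$sampleFrame = [byte[]](
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xAA,0xBB,  0x08,0x00,
    0x45,0x00,0x00,0x3C, 0x00,0x01,0x00,0x00, 0x40,0x32,0x00,0x00,
    192,0,2,10,  192,0,2,20,
    0x12,0x34,0x56,0x78,  0x00,0x00,0x00,0x01
)
$sampleFrame += [byte[]](1..32 | ForEach-Object { [byte](($_ * 37) % 256) })

Read-EspFrame $sampleFrame | Format-List
```

The output lists source, destination, protocol 50, the SPI and sequence number, and a count of opaque bytes; nothing in the frame tells the observer whether those 32 bytes were an ICMP echo, a file-share request or anything else, which is the "limited traffic flow confidentiality" mentioned at the start of this section.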

IPSec features and implementation details are described in detail in "Internet Protocol Security" in this book.