Re: IPSec to encrypt SMB traffic?

From: Research Services (key_at_lamar.n0-sp@m.colostate.edu.NO)
Date: 01/19/05


Date: Wed, 19 Jan 2005 09:37:08 -0700

Another general question -

Can Etercap sniffer/interceptor defeat IPSec? We've seen how Etercap uses
ARP poisoning to grab the router IP and then have the ability to decrypt SSL
traffic - can it do the same thing on IPSec traffic? Or is there a way to
configure IPSec to prevent this?

"Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
news:uztw71W$EHA.1188@tk2msftngp13.phx.gbl...
>I have read through much of the documentation in the link you provided.
>
> Our environment is a Child Domain in an Active Directory Forest. We have
> 2000 and 2003 DCs in our Child Domain. All clients are Windows XP and all
> of our clients are within our own Domain.
>
> I want to encrypt file sharing traffic between all of our clients and a
> particular Windows 2003 file server. Basically, I don't want Word and
> Excel files saved on the file server to be sent across the network in
> plain text.
>
> If I understand it correctly, I must create a "server" IPSec policy on the
> Windows 2003 box, and I must create "client" IPSec polices on all of the
> Windows XP boxes. For testing purposes, I have created the IPSec polices
> in the Local Security Policy on each computer (later I will move them to
> being Group Policy-controlled).
>
> Below I will explain how I created my policies - can you take a look and
> see if there is anything wrong or not recommended? They do appear to be
> working correctly when we packet sniff.
>
>
>
> 1) Created a new IP Security Policy (CLIENT)
>
> a. Removed all entries under Key Exchange Security Method except
> for: 3DES/SHA1
>
> 2) Created a new Rule (leaving the Default Response rule intact)
>
> 3) Created a new IP Filter List (leaving the All IP & ICMP Traffic
> default lists intact) - this new list is the Selected one (Radio Button)
>
> a. Mirrored: Yes
>
> b. Protocol: TCP
>
> c. Source Port: ANY
>
> d. Destination Port: 445
>
> e. Source IP Address: 'My IP Address'
>
> f. Destination Address: <IP Address of File Server>
>
> 4) Authentication Method: Kerberos
>
> 5) Tunneling: NO
>
> 6) Connection Type: All Network Connections
>
> 7) Filter Action: Selected 'Require Security'
>
> a. Negotiate Security
>
> b. Removed all entries except: 3DES/SHA1
>
> c. Uncheck all option boxes on Security Methods Tab
>
>
>
> 1) Created a new IP Security Policy (SERVER)
>
> a. Removed all entries under Key Exchange Security Method except
> for: 3DES/SHA1
>
> 2) Created a new Rule (leaving the Default Response rule intact)
>
> 3) Created a new IP Filter List (leaving the All IP & ICMP Traffic
> default lists intact) - this new list is the Selected one (Radio Button)
>
> a. Mirrored: Yes
>
> b. Protocol: TCP
>
> c. Source Port: ANY
>
> d. Destination Port: 445
>
> e. Source IP Address: <IP Address of Test Client>
>
> f. Destination Address: <IP Address of File Server>
>
> 4) Authentication Method: Kerberos
>
> 5) Tunneling: NO
>
> 6) Connection Type: All Network Connections
>
> 7) Filter Action: Selected 'Require Security'
>
> a. Negotiate Security
>
> b. Removed all entries except: 3DES/SHA1
>
> c. Uncheck all option boxes on Security Methods Tab
>
>
>
>
>
> Once these were created, I assigned them on both the server and the
> clients, encrypted communications works fine.
>
> Questions:
>
> 1) If I have a small number of clients, can I just add Filters with
> each of the client IP addresses to the Server IP Filter List? (Eventually
> I will add a 'Specific IP Subnet')
>
> 2) It looks like only 1 Filter List can be selected with a Radio
> Button, so is this the only one in the list that is being acted on? If
> so, is that the same case for the 'Filter Action'?
>
> 3) Can I edit the 'Default Response' Rule? Or is it best to leave it
> untouched? In particular, I'd like to remove all but the 3DES/SHA1
> Encryption and Integrity Security Method.
>
> 4) Can I safely change the Connection Type: to: LAN if the only way
> for these clients to access the file server is through the LAN. (We don't
> have any 'remote access' servers in the mix)
>
> 5) Is there anything else I can do to "streamline" this IPSec policy
> (i.e., remove any of the other default rules or lists)?
>
> 6) I did notice the increased CPU load on the server when copying
> large files across the encrypted connection, is there any way to 'help
> out' the CPU short of lowering the encryption to DES or removing
> encryption altogether? (hardware or software solution.?)
>
>
>
> Thank you for taking to time to review these and help me sort this out!
>
>
>
>
>
>
> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
> news:OOun04M$EHA.2032@tk2msftngp13.phx.gbl...
>> Do you require encryption of this traffic, or just authentication?
>>
>> You can use IPsec transport mode to secure communications such that any
>> machine that can not AuthN with IKE will be unable to communicate. This
>> means that a user will never get prompted for credentials since IKE
>> fails.
>>
>>
>>
>> "Research Services" <key@lamar.n0-sp@m.colostate.edu.NO> wrote in message
>> news:uWsyCHp%23EHA.3236@TK2MSFTNGP15.phx.gbl...
>>>
>>> Are there any MS KB articles or whitepapers that detail how to use IPSec
>>> to encrypt SMB traffic?
>>>
>>> We are in an Active Directory Forest, and would like to use Group Policy
>>> to configure IPSec to encrypt SMB traffic between all of our Windows XP
>>> clients and our Windows 2003 File Servers (using Kerberos). Is it
>>> possible to set this up so _only_ TCP 445 on _particular_ servers will
>>> always be encrypted when communicating with our XP clients?
>>> We are not currently using IPSec and would like to enable encryption for
>>> ONLY the case mentioned above if possible.
>>>
>>> Thanks for any information.
>>>
>>>
>>
>>
>
>



Relevant Pages

  • Re: IPSec to encrypt SMB traffic?
    ... Can Etercap sniffer/interceptor defeat IPSec? ... > particular Windows 2003 file server. ... Removed all entries under Key Exchange Security Method except ... > Encryption and Integrity Security Method. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: IPSec to encrypt SMB traffic?
    ... >> particular Windows 2003 file server. ... Removed all entries under Key Exchange Security Method except ... >> Encryption and Integrity Security Method. ...
    (microsoft.public.windows.server.security)
  • Re: IPSec to encrypt SMB traffic?
    ... >> particular Windows 2003 file server. ... Removed all entries under Key Exchange Security Method except ... >> Encryption and Integrity Security Method. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: security of Exchange FE / BE
    ... encryption on one of the mail server. ... I read some documentation that BE server cannot use SSL. ... Is it possible to enabled SSL on FE/BE servers. ... Can we enable SSL and Create IPsec at the same time? ...
    (microsoft.public.exchange2000.general)
  • Re: SBS Server keeps shutting down
    ... as we have had a few power cuts recently and the server kept chugging along. ... I have no idea what IPSec is ... multiple reboot mentioned above and some other troubleshooting steps ...
    (microsoft.public.windows.server.sbs)