August 01, 1998 12:00 AM

Internet Protocol Security in NT 5.0

Windows IT Pro
InstantDoc ID #3672
Get ready to secure your IP network with IPSec

Early this year, hackers tore down NT systems at many sites with a denial of service attack called Teardrop2. (Teardrop2 sends an NT system deliberately constructed IP fragments that form invalid packets. The NT system receiving the packets allocates kernel memory to accommodate them. If the system receives a large number of the invalid packets, it will hang and stop working.) Although Microsoft immediately responded to these attacks with a hotfix that defends NT's IP stack against Teardrop2, NT remains a favorite target of hackers. Attacks such as these could happen again unless network managers upgrade their NT networks' IP protocol to IP Security (IPSec).

The Internet Engineering Task Force (IETF) developed IPSec as the security protocol of the next generation IP--IPv6. IPSec is also an optional extension for implementations of IPv4, the current version of IP. IPv4 is widespread on the Internet and in corporate networks, but its design includes no security provisions. IPSec provides confidentiality and integrity for information transferred over IP networks through network-layer encryption and authentication. IPSec protects your IP network from attacks, including denial of service, man-in-the-middle, and spoofing. (For more information about IPv6 and the development of IPSec, see my article, "The Next Generation IP in Action," June 1998.)

Microsoft is building IPSec into NT 5.0, which will let you implement a secure NT network without having to change your existing applications and network hardware. With NT 5.0 IPSec, you can define security policies for your entire organization, departments, groups, or individuals, and you can specify whom your NT computers can trust and talk to and what security methods those computers can use for communication. IPSec in NT 5.0 will be an important component of your network security. Study IPSec and perhaps test it to develop a good implementation plan for when NT 5.0 hits the street. In this article I'll help you understand IPSec, NT 5.0 IP security policy, and NT 5.0's implementation of IPSec.

IPSec Basics
The IETF defined the IPSec protocol in Request for Comments (RFC) 1825-1829 and several Internet Drafts. IPSec protects IP traffic with two protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol.

AH provides integrity by authenticating both a packet's IP header and its payload (i.e., the packet content). If a hacker alters an IP packet and replays it, AH lets the intended recipient know that the packet was modified in transit. ESP confidentiality guarantees data confidentiality by encrypting IP packets so that hackers can't decode them; ESP confidentiality is mandatory in IPSec. ESP can also provide integrity, and the difference between AH integrity and ESP integrity is that ESP integrity doesn't authenticate the IP header. ESP integrity is optional in IPSec implementations, but Microsoft recommends using both ESP confidentiality and ESP integrity for high security. However, if you use a Network Address Translator (NAT) to translate your private IP addresses into legitimate Internet addresses, you can use only ESP integrity: the NAT rewrites the IP header, which ESP integrity doesn't cover but AH integrity does, so AH would reject every translated packet as tampered.
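To make the AH-versus-ESP coverage difference concrete, here is an added example (not from the article or from Microsoft's implementation) that models the two integrity checks as HMACs over a simplified packet. Following real AH, fields a router legitimately changes in transit (the TTL here) are excluded from the AH check; the key and addresses are constructed for the demo, and ESP's encryption is omitted because only integrity matters for the NAT point.

```python
import hashlib
import hmac

# Constructed demo key; a real IPSec key comes from the negotiated security association.
KEY = b"constructed-demo-key"


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ah_icv(pkt):
    # AH covers the IP header and the payload. Mutable header fields (here: TTL)
    # are zeroed before hashing, as real AH does, so normal routing does not break it.
    covered = ip_bytes(pkt["src"]) + ip_bytes(pkt["dst"]) + b"\x00" + pkt["payload"]
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt):
    # ESP integrity covers only the ESP payload, never the IP header.
    return hmac.new(KEY, pkt["payload"], hashlib.sha256).digest()


def protect(src, dst, payload):
    pkt = {"src": src, "dst": dst, "ttl": 64, "payload": payload}
    pkt["ah"] = ah_icv(pkt)
    pkt["esp"] = esp_icv(pkt)
    return pkt


def verify(pkt):
    # Recompute both checks at the receiver and compare in constant time.
    return {"ah": hmac.compare_digest(pkt["ah"], ah_icv(pkt)),
            "esp": hmac.compare_digest(pkt["esp"], esp_icv(pkt))}


def router_hop(pkt):
    # An ordinary router decrements TTL; AH tolerates this because TTL is mutable.
    return dict(pkt, ttl=pkt["ttl"] - 1)


def nat_rewrite(pkt, public_src):
    # A NAT replaces the private source address; AH cannot tell this from tampering.
    return dict(pkt, src=public_src)


def tamper_payload(pkt, new_payload):
    return dict(pkt, payload=new_payload)


if __name__ == "__main__":
    p = protect("10.0.0.5", "192.0.2.10", b"GET /index.html")
    print("after router hop:", verify(router_hop(p)))              # both True
    print("after NAT:", verify(nat_rewrite(p, "203.0.113.7")))     # ah False, esp True
    print("after payload change:", verify(tamper_payload(p, b"GET /other")))  # both False
```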

IPSec operates in two modes: transport mode and tunnel mode. In transport mode, AH or ESP resides in the original IP packet between the IP header and the upper-layer (or extension) header information (to learn about the content of IP headers, see the June 1998 sidebar "What's New in the IPv6 Header"). IPSec uses transport mode to provide end-to-end security between two end systems: for instance, between an NT workstation and an NT server.

In tunnel mode, IPSec places the original IP packet inside a new IP packet and inserts AH or ESP between the new packet's IP header and the original IP packet. The new IP header points to the tunnel endpoint, and the original IP header specifies the ultimate destination of the packet. You can use tunnel mode to set up an IPSec tunnel between two end systems, between an end system and a security gateway, or between two security gateways. A security gateway can be a tunnel server, router, firewall, or Virtual Private Network (VPN) device. One example of tunnel mode is securing remote access to your corporate network through the Internet. When you have a tunnel server at the perimeter of your network, telecommuters must go through the tunnel server before reaching an internal system. The tunnel in this example runs from the telecommuter's system on the Internet to the tunnel server (i.e., between an end system and a security gateway).
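The remote-access scenario above, as an added example (not the article's or NT 5.0's code) that lays out transport-mode and tunnel-mode framing and shows what an on-path router can read in each case. The addresses, the SPI value and the tunnel server's SPI table are constructed for the demo.

```python
# Constructed addresses (documentation and private ranges); not from the article.
TELECOMMUTER = "198.51.100.20"   # remote user's system on the Internet
TUNNEL_SERVER = "192.0.2.1"      # security gateway at the corporate perimeter
INTERNAL_SRV = "10.0.0.25"       # server inside the corporate network
KNOWN_SPIS = {0x1001}            # SPIs the tunnel server has negotiated (constructed)


def ip_packet(src, dst, upper):
    return {"src": src, "dst": dst, "upper": upper}


def transport_mode(pkt, spi):
    # ESP sits between the original IP header and the upper-layer data;
    # the original endpoint addresses stay visible on the wire.
    return {"src": pkt["src"], "dst": pkt["dst"],
            "esp": {"spi": spi, "inner": pkt["upper"]}}


def tunnel_mode(pkt, gw_src, gw_dst, spi):
    # The whole original packet becomes the ESP payload of a new packet whose
    # header points at the tunnel endpoint, so the inner destination is hidden.
    return {"src": gw_src, "dst": gw_dst, "esp": {"spi": spi, "inner": pkt}}


def on_path_view(wire):
    # What an intermediate router (or an eavesdropper) can read: the outer header only.
    return (wire["src"], wire["dst"])


def tunnel_server_decapsulate(wire, my_addr):
    # The gateway strips only packets addressed to itself under a known SPI;
    # anything else is dropped instead of being forwarded into the internal network.
    if wire["dst"] != my_addr or wire["esp"]["spi"] not in KNOWN_SPIS:
        return None
    return wire["esp"]["inner"]


if __name__ == "__main__":
    original = ip_packet(TELECOMMUTER, INTERNAL_SRV, b"remote-access request")
    t = transport_mode(original, 0x1001)
    print("transport mode, seen on path:", on_path_view(t))   # real endpoints visible
    u = tunnel_mode(original, TELECOMMUTER, TUNNEL_SERVER, 0x1001)
    print("tunnel mode, seen on path:", on_path_view(u))      # only gateway addresses
    inner = tunnel_server_decapsulate(u, TUNNEL_SERVER)
    print("gateway forwards to:", inner["dst"])               # 10.0.0.25
```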
