
Friday, 11 November 2011

Windows 2000, Internet Protocol Security

邱腾 Chiu Teng

Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec) provides active protection against private-network and Internet attacks while remaining easy to use. It is a suite of cryptography-based protection services and security protocols. It uses an end-to-end security model to protect communication among workgroups, local area network computers, domain clients and servers, geographically distant branch offices, extranets, roaming clients, and remotely administered computers.

IPSec, as the long-term direction for secure networking, is a suite of cryptography-based protection services and security protocols. Because it requires no changes to applications or protocols, you can easily deploy IPSec on existing networks.

The Windows 2000 implementation of IPSec is based on industry standards developed by the Internet Engineering Task Force (IETF) IPSec working group.

Windows 2000 security policy model

Stronger cryptography-based security methods can substantially increase administrative overhead. Windows 2000 avoids this drawback by implementing policy-based management of Internet Protocol Security (IPSec).

IPSec is configured through policies rather than through applications or the operating system. Network security administrators can configure multiple IPSec policies, scoped from a single computer up to an Active Directory domain, site, or organizational unit. Windows 2000 provides a central management console, IP Security Policy Management, for defining and managing IPSec policies. On most existing networks, these policies can be configured to provide various levels of protection for most traffic types.

How IPSec protects data

Because network attacks can cause system downtime, lost productivity, and public exposure of sensitive data, protecting information from being read or modified by unauthorized third parties is a high priority.

Network protection strategies generally concentrate on perimeter security, using firewalls, security gateways, and user authentication for dial-up access to prevent attacks from outside the private network. However, this does not protect against attacks from inside the network.

Concentrating only on access-control security (for example, smart cards and Kerberos) may not provide comprehensive protection, because these methods depend on user names and passwords. Many computers are shared by several users and are often left logged on, which makes them insecure. In addition, if a user name or password has been intercepted by an attacker, security based on access control alone will not prevent unauthorized access to network resources.

Physical-level protection strategies, which protect the physical network cabling and access points from being used, are not commonly employed. However, they are unlikely to guarantee that the entire network path is protected, because the data has to travel all the way from source to destination.


A sound security plan combines multiple security strategies to achieve defense in depth. Any of these strategies can be combined with IPSec. IPSec provides another layer of security by ensuring that the sending computer protects each IP packet before transmission, that is, before the packet reaches the wire, and that the receiving computer removes the protection only after the data has been received and verified.


Network Security

Implementing IPSec at the IP transport layer (network layer 3) enables a high level of protection with very little overhead. Deploying IPSec requires no changes to existing applications or operating systems. IPSec can be configured for existing enterprise scenarios such as workgroups; local area networks (LAN): client/server and peer-to-peer; and remote access: roaming clients, Internet access, extranets, and remote offices.

Other security mechanisms that operate above network layer 3, such as Secure Sockets Layer (SSL), protect only applications that use SSL, such as Web browsers. All other applications must be modified to use SSL to protect their communication. Other security mechanisms that operate below network layer 3, such as link-layer encryption, protect only that link and not necessarily every link on the data path. This makes link-layer encryption unsuitable for end-to-end data protection on the Internet or in routed intranet scenarios.

IPSec, implemented at network layer 3, protects IP and all higher-layer protocols in the TCP/IP protocol suite, such as TCP, UDP, ICMP, and Raw (protocol 255), and even custom protocols that send traffic at the IP layer. The main benefit of protecting information at this layer is that all applications and services that use IP to transport data can be protected by IPSec without being modified. (To protect non-IP protocols, the packets must be encapsulated in IP.)

IPSec key protection

IPSec-protected data is very difficult or impossible for an attacker to decipher. Information is protected by a combination of an algorithm and a key. A high level of security is achieved by using cryptography-based algorithms and keys. An algorithm is the mathematical process used to protect the information; a key is the secret code or number required to read, modify, or verify the protected data.

IPSec uses the following features to significantly deter and reduce network attacks:

Automatic key management

Key generation

To enable secure communication, two computers must be able to establish the same shared key without sending that key to each other across the network. IPSec uses the Diffie-Hellman algorithm to enable key exchange and to provide the keying material for all other encryption keys.

The two computers start the Diffie-Hellman calculation and then exchange the intermediate results either publicly or secretly (using authentication). Neither computer ever sends the actual key. Using the shared information from the exchange, each computer generates the same key. Expert users can modify the default key exchange and data encryption key settings.

Key length

Each time the length of a key is increased by one bit, the number of possible keys doubles, and the difficulty of breaking the key multiplies accordingly. The IPSec security negotiation between two computers generates two types of shared keys: master keys and session keys. Master keys are long, 768 bits or 1023 bits. The master key is the source of the session keys. Session keys are derived from the master key by a standard method, and one session key is required for each encryption and integrity algorithm.
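The key generation and key length passages above, as an added example (not code from the original page or from Windows 2000): two computers run Diffie-Hellman over the 768-bit group, exchange only public values, and each derives the same master key and per-algorithm session keys. The function names and the HMAC-SHA1 derivation in `session_key` are assumptions made for illustration; the actual IKE derivation differs.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 1: the 768-bit MODP prime from RFC 2409, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = P.bit_length() // 8   # 96 bytes = 768 bits


def keypair():
    """Return (private exponent, public value G^x mod P)."""
    x = secrets.randbelow(P - 3) + 2      # stays on the local computer
    return x, pow(G, x, P)


def master_key(own_private, peer_public):
    """Combine the local private exponent with the peer's public value."""
    if not 1 < peer_public < P - 1:       # reject values that force a known key
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(peer_public, own_private, P).to_bytes(KEY_BYTES, "big")


def session_key(master, purpose, length):
    """Assumed derivation for illustration (HMAC-SHA1 expansion, not IKE's PRF)."""
    out, counter = b"", 0
    while len(out) < length:
        counter += 1
        out += hmac.new(master, purpose + bytes([counter]), hashlib.sha1).digest()
    return out[:length]


def negotiate():
    """Run both sides; only the two public values would cross the network."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    sides = {}
    for name, priv, peer_pub in (("A", a_priv, b_pub), ("B", b_priv, a_pub)):
        master = master_key(priv, peer_pub)
        sides[name] = {
            "master": master,
            "encryption": session_key(master, b"3des", 24),
            "integrity": session_key(master, b"hmac-sha1", 20),
        }
    return sides, (a_pub, b_pub)


if __name__ == "__main__":
    sides, on_the_wire = negotiate()
    print("same master key:", sides["A"]["master"] == sides["B"]["master"])
    print("integrity key:", sides["A"]["integrity"].hex())
```

Group 1 is used only because it is the 768-bit size the page describes; a group of that size is no longer considered adequate for new deployments.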

How session keys are managed: key exchange

The strength of the keys that protect the key exchange phase is enhanced by the following features:

1. Key lifetimes

The lifetime setting determines when a new key is generated. Whenever a key lifetime is reached, the associated SA is also renegotiated. The process of generating new keys at set intervals is called dynamic rekeying or key regeneration. Lifetimes let you force a new key to be generated (regenerated) after a specified interval. For example, if a communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys are generated during the exchange, one every 10 minutes. Using multiple keys ensures that even if an attacker obtains the key for one part of a communication, the whole communication is not compromised. Automatic key regeneration is provided by the default settings. Expert users can override the defaults and specify a master key lifetime (in minutes), by session key, or by "perfect forward secrecy".

Take extra care when setting different key lifetimes, because they also determine the lifetimes of the SAs. For example, setting the master key lifetime to 8 hours (480 minutes) and the session lifetime (set in the "Filter Action") to 2 hours will result in an IPSec SA remaining in place for 2 hours after the ISAKMP SA has expired. This happens if the new IPSec SA is generated just before the ISAKMP SA expires.

2. Session key limit

Repeatedly regenerating keys from the same master key will eventually compromise that key. For example, if Bob on computer A sends a message to Alice on computer B, and a few minutes later sends another message to Alice, the same keying material can be reused because a security association with that computer was only just established. To limit the number of times this reuse occurs, expert users can specify a session key limit.

Note that if you enable master key "perfect forward secrecy", the session key limit is ignored; PFS forces a rekey every time. For example, enabling master key "perfect forward secrecy" is equivalent to specifying a session key limit of 1.

Also note that if you specify both a master key lifetime (in minutes) and a session key limit, whichever interval is reached first triggers a new key.

3. Master key "perfect forward secrecy" (PFS)

This determines how a new key is generated. Enabling PFS ensures that a key used to protect a transmission, at whatever stage, cannot be used to generate additional keys. In addition, the keying material for that key cannot be used to generate any new keys.

Use master key PFS with caution, because it requires reauthentication. For domain controllers on the network, this can cause additional overhead. It does not need to be enabled on both ends.
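How the three settings above interact, as an added example (a simplified model written for this page, not Windows 2000 code): given the minutes at which a session key is needed, it lists when a new master key is negotiated and why. The function name, the "initial" label and the order in which the two triggers are checked are assumptions.

```python
def rekey_schedule(session_minutes, lifetime_min, session_limit=0, pfs=False):
    """Return [(minute, reason)] for every master key negotiation.

    session_minutes: minutes at which a session key is needed (constructed input)
    lifetime_min:    master key lifetime in minutes
    session_limit:   session keys allowed per master key; 0 means no limit
    pfs:             master key PFS, which behaves like a session key limit of 1
    """
    if pfs:
        session_limit = 1              # any configured limit is ignored
    rekeys = []
    born = None                        # minute the current master key was negotiated
    derived = 0                        # session keys drawn from that master key
    for minute in session_minutes:
        if born is None:
            reason = "initial"
        elif minute - born >= lifetime_min:
            reason = "lifetime"
        elif session_limit and derived >= session_limit:
            reason = "session limit"
        else:
            reason = None
        if reason:                     # whichever trigger is reached first wins
            rekeys.append((minute, reason))
            born, derived = minute, 0
        derived += 1
    return rekeys


if __name__ == "__main__":
    every_10_min = range(0, 100, 10)   # a 100-minute communication
    cases = [
        ("lifetime 10 min", dict(lifetime_min=10)),
        ("lifetime 480 min", dict(lifetime_min=480)),
        ("lifetime 480 min, limit 3", dict(lifetime_min=480, session_limit=3)),
        ("lifetime 480 min, PFS", dict(lifetime_min=480, pfs=True)),
    ]
    for label, settings in cases:
        schedule = rekey_schedule(every_10_min, **settings)
        print(f"{label}: {len(schedule)} master keys {schedule}")
```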

Configure key exchange

1. In "IP Security Policy Management", right-click the policy you want to modify, and then click "Properties".

2. Click the "General" tab, and then click "Advanced".

3. To force the master key to be regenerated for every session key, click "Master key perfect forward secrecy".

4. If you need a different setting, enter a value in "Authentication and new key generation interval (in minutes)". Reauthentication and new key generation then take place at that interval.

5. If you need a different setting, enter a value in "Authentication and new key generation interval (in sessions)" to set the maximum number of times the master key or its base keying material can be reused to generate session keys. When this limit is reached, authentication and new key generation are forced.

6. If you have special requirements for key exchange security, click "Methods".

Create a key exchange method

1. In "IP Security Policy Management", right-click the policy you want to modify, and then click "Properties".

2. Click "General", click the "Advanced" tab, and then click "Methods".

3. Click "Add", or, if you are reconfiguring an existing method, click that security method and then click "Edit".

4. Select an "Integrity algorithm":
o Click "MD5" to use a 128-bit value.
o Click "SHA" to use a 160-bit value (stronger).

5. Select an "Encryption algorithm":
o Click "3DES" to use the highest-security algorithm.
o Click "DES" if you are connecting to computers that do not support 3DES, or if you do not need the higher security and overhead of 3DES. For details about encryption settings, see "Special considerations".

6. Select a "Diffie-Hellman Group" to set the length of the base keying material used to generate the actual keys:
o Click "Low (1)" to use 768 bits as the base.
o Click "Medium (2)" to use 1024 bits as the base (stronger).

Dynamic rekeying

IPSec can automatically generate new keys during a communication. This prevents an attacker from obtaining the complete communication with only a single compromised key. Expert users can change the default keying interval.


Security Services

Integrity

Integrity protects information from unauthorized modification in transit, ensuring that the information received is exactly the same as the information sent. A mathematical hash function is used to uniquely mark, or "sign", each packet. The receiving computer checks the signature before opening the packet. If the signature has changed (and therefore the packet has changed as well), the packet is discarded to prevent a possible network attack.

Authentication

Authentication verifies the origin and integrity of a message by assuring the genuine identity of each computer. Without strong authentication, any information sent by a computer of unknown origin is untrustworthy. Each policy lists multiple authentication methods, to ensure that Windows 2000 domain members, computers not running Windows 2000, and remote computers can all find a common authentication method.

Confidentiality (data encryption)

Confidentiality ensures that only the intended recipients can read the data. When this feature is selected, the Encapsulating Security Payload (ESP) format of IPSec packets is used. Packets are encrypted before transmission, so that the data is not exposed even if an attacker monitors or intercepts it in transit. Only computers that hold the shared key can interpret or modify the data. The U.S. Data Encryption Standard (DES) algorithms, DES and 3DES, provide confidentiality for both the security negotiation and the exchange of application data. Cipher block chaining (CBC) is used to hide patterns of data blocks within a packet, without increasing the size of the data after encryption. Repeated encryption patterns can give an attacker clues for recovering the key, which compromises security. An initialization vector (an initial random number) can be used as the first random block to encrypt or decrypt a block of data. Different random blocks can be used together with the key to encrypt each block. This ensures that identical sets of unsecured data are transformed into different sets of encrypted data.

Non-repudiation

This ensures that the sender of a message is the only person who could have sent it; the sender cannot deny having sent the message.

Anti-replay

Also called replay prevention, this ensures the uniqueness of each IP packet. Messages captured by an attacker cannot be reused or replayed to establish a session or obtain information illegally.
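The integrity and anti-replay services described above, as an added example (not code from the original page or from Windows 2000): the sender tags each packet with a keyed 160-bit SHA-1 hash, and the receiver drops any packet whose tag fails or whose sequence number was already seen. The packet layout, the names and the window size are assumptions; real AH/ESP headers carry more fields.

```python
import hashlib
import hmac
import struct

TAG_LEN = 20     # HMAC-SHA1 output, the 160-bit "SHA" integrity option
WINDOW = 32      # how far behind the newest sequence number a packet may arrive


def protect(key, seq, payload):
    """Sender side: sequence number + payload + keyed hash over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()


class Receiver:
    def __init__(self, key):
        self.key = key
        self.highest = 0      # newest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, packet):
        """Return the payload, or None when the packet must be discarded."""
        if len(packet) < 4 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None                          # modified in transit or wrong key
        seq = struct.unpack("!I", body[:4])[0]
        if seq + WINDOW <= self.highest or seq in self.seen:
            return None                          # replayed, or too old to track
        # Update replay state only after the tag has verified.
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + WINDOW > self.highest}
        return body[4:]


if __name__ == "__main__":
    key = b"constructed-demo-session-key"        # constructed sample key
    rx = Receiver(key)
    first = protect(key, 1, b"transfer 100")
    forged = first.replace(b"100", b"900")       # payload changed, tag unchanged
    print("original accepted:", rx.accept(first))
    print("replayed copy    :", rx.accept(first))
    print("modified copy    :", rx.accept(forged))
```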
