1 00:00:01,730 --> 00:00:05,110 Now we will see a demonstration of how phase one may proceed.
2 00:00:06,230 --> 00:00:10,850 First we need to decide on a way in which the identity of the remote host is confirmed.
3 00:00:13,430 --> 00:00:18,830 IPsec allows us to confirm the identity of a remote computer by checking its account with the Active
4 00:00:18,830 --> 00:00:23,900 Directory domain using the Kerberos protocol.
5 00:00:23,910 --> 00:00:28,190 We can also verify the certificate issued for a given computer.
6 00:00:28,230 --> 00:00:35,560 This solution is used most often. The third option should be used only for testing and demonstrations.
7 00:00:37,560 --> 00:00:44,430 It's the shared secret verification. The shared secret is a string of characters recognized by every
8 00:00:44,430 --> 00:00:47,760 computer that is to take part in IPsec communication.
9 00:00:50,940 --> 00:00:55,320 Establishing a secure channel consists of the exchange of challenge-response messages.
10 00:00:58,370 --> 00:01:05,980 Challenge-response protocols are widely used for remote authentication of both computers and users.
11 00:01:05,980 --> 00:01:15,900 This is also how the LM and NTLM protocols, the two protocols which we'll discuss later on, work. The underlying
12 00:01:15,900 --> 00:01:23,690 principle is the same; the differences concern only technical details. One party must generate a pseudorandom
13 00:01:23,690 --> 00:01:30,340 challenge message and send it to the computer it wants to exchange data with. The receiver should
14 00:01:30,340 --> 00:01:37,540 be able to use the challenge to calculate a response and send it back. The response, when decrypted, should
15 00:01:37,540 --> 00:01:43,870 verify or authenticate the identity of the remote host.
16 00:01:43,990 --> 00:01:46,650 For this the shared secret is used.
17 00:01:46,870 --> 00:01:52,790 It can be the shared secret, a certificate and a public key, or a password that was set up for a computer
18 00:01:52,790 --> 00:01:54,070 in the Active Directory.
19 00:01:56,670 --> 00:02:02,510 An important feature of IPsec is that it allows mutual authentication.
20 00:02:02,540 --> 00:02:09,290 It requires both parties to authenticate or prove their identities. Both parties must be sure who they
21 00:02:09,290 --> 00:02:10,430 exchange data with.
22 00:02:13,510 --> 00:02:17,280 Phase two is relatively simple.
23 00:02:17,340 --> 00:02:22,980 It consists of confirming or changing the negotiated Security Association and generating new session
24 00:02:22,980 --> 00:02:25,030 keys.
25 00:02:25,060 --> 00:02:32,450 Let's see how in the simplest case the configuration of IPsec could look. We'll learn how to do it in Windows
26 00:02:32,450 --> 00:02:35,090 7. In Windows 7
27 00:02:35,090 --> 00:02:39,620 you should use the MMC console to perform all administrative operations.
28 00:02:42,340 --> 00:02:50,020 In this operating system IPsec was integrated with the network connection firewall.
29 00:02:50,070 --> 00:02:54,810 Therefore you need to find the local computer tools that allow you to configure the security policies
30 00:02:54,810 --> 00:02:58,870 of the network firewall.
31 00:02:58,900 --> 00:03:06,450 In practice this type of operation will affect all the computers in the group. Once defined, the settings
32 00:03:06,450 --> 00:03:12,510 will apply to all the computers that are members of the group.
33 00:03:12,560 --> 00:03:21,010 In this version of Windows the IPsec policies are set as part of the firewall configuration. In earlier
34 00:03:21,010 --> 00:03:22,450 Windows systems
35 00:03:22,450 --> 00:03:28,180 the IPsec policies could be configured independently of the firewall policies, but this resulted in many people
36 00:03:28,180 --> 00:03:31,490 accidentally blocking communications between computers.
37 00:03:34,270 --> 00:03:38,840 Users often created conflicting rules.
38 00:03:38,870 --> 00:03:45,240 The first question of the wizard concerns the type of rule you're creating. As you can see, IPsec
39 00:03:45,250 --> 00:03:51,830 can be successfully used to block certain hosts. With IPsec
40 00:03:51,920 --> 00:03:55,800 you can completely block data from subnet X or subnet Y.
41 00:03:57,500 --> 00:04:01,980 In our demonstration we will try to create a rule allowing secure exchange of data.
42 00:04:04,780 --> 00:04:11,060 Now you need to specify which computers this rule will apply to. In the simplest case
43 00:04:11,260 --> 00:04:16,220 both fields can be left blank, which means that the rule will be universal.
44 00:04:16,340 --> 00:04:21,660 The customize option allows us to choose a type of interface.
45 00:04:21,690 --> 00:04:26,200 The next question is critical when it comes to the security of our rule.
46 00:04:26,240 --> 00:04:35,330 The default option, request, means that an attempt to negotiate the IPsec security associations will be made.
47 00:04:35,380 --> 00:04:40,900 However, if the other party does not agree to the negotiated Security Association, the data will be sent
48 00:04:40,900 --> 00:04:44,790 as clear text. In other words,
49 00:04:44,800 --> 00:04:50,620 the request option makes it possible, but not required, to negotiate security associations.
50 00:04:53,040 --> 00:04:58,260 The require option, on the other hand, means that if the other party does not agree to negotiate the security
51 00:04:58,260 --> 00:05:01,780 mechanisms, the communication will not take place.
52 00:05:04,920 --> 00:05:09,680 The next step is to select the remote host authentication method.
53 00:05:09,690 --> 00:05:15,800 This can be a certificate issued for the computer or, after selecting the advanced option,
54 00:05:15,820 --> 00:05:24,110 a computer account in the domain. Each computer, and each user as well, has an account in the Active Directory
55 00:05:24,110 --> 00:05:29,910 domain. This account is password protected and the passwords are regularly changed.
56 00:05:32,620 --> 00:05:37,390 Another method is authentication with a pre-shared key.
57 00:05:37,460 --> 00:05:43,860 It's not recommended to use this option. Everything you type in this box will be visible to anyone who
58 00:05:43,860 --> 00:05:48,030 will create a similar solution in the future.
59 00:05:48,060 --> 00:05:50,930 You can define more than one authentication method.
60 00:05:52,920 --> 00:05:57,150 This is connected to the security associations negotiation we mentioned earlier.
61 00:05:58,400 --> 00:06:02,790 If an attempt to negotiate one of the mechanisms fails, the next one will be tried out.
62 00:06:06,250 --> 00:06:11,680 The next step is to determine whether the rule being created is to apply to private, public or corporate
63 00:06:11,680 --> 00:06:12,650 networks.
64 00:06:14,390 --> 00:06:16,400 At the end you type the name of the rule.
65 00:06:21,810 --> 00:06:25,730 We've created a rule which is by default enabled.
66 00:06:25,800 --> 00:06:28,920 It protects both inbound and outbound connections.
67 00:06:30,910 --> 00:06:32,720 This is a very general rule.
68 00:06:34,200 --> 00:06:36,940 In practice such rules are hardly ever created.
69 00:06:38,460 --> 00:06:42,060 It applies to all kinds of protocols.
70 00:06:42,120 --> 00:06:47,260 The rule enforces the authentication of the remote host by checking whether it recognizes the information
71 00:06:47,260 --> 00:06:50,240 we've provided in the wizard.
72 00:06:50,260 --> 00:06:57,840 It affects networks of all types. Theoretically the principles behind the IPsec stack may seem uncomplicated.
73 00:06:59,550 --> 00:07:04,770 The implementation of this protocol is very simplified in the domain environment, where we can use Kerberos.
74 00:07:06,970 --> 00:07:12,000 The wizard we have just gone through also greatly simplifies the implementation of the rules.
75 00:07:13,350 --> 00:07:19,380 However, the fact remains that the implementation of a set of rules that effectively protects the communication
76 00:07:19,590 --> 00:07:23,550 with various servers requires thorough planning of the whole mechanism.