The following command creates an IPSec policy called Custom Security Policy that creates
a new master key every 240 minutes:
> netsh ipsec static add policy name = "Custom Security Policy" mmlifetime = 240
The following command modifies an IPSec policy called Custom Security Policy to use a
custom security method that uses 3DES for encryption, MD5 for integrity, and the High (2048)
Diffie-Hellman group:
> netsh ipsec static set policy name = "Custom Security Policy" mmsecmethods = 3DES-MD5-3
How It Works
IPSec uses the Internet Key Exchange (IKE) protocol to define how computers will use IPSec to
communicate with one another. This relationship is known as an IPSec security association, or
SA. Creating an SA is a two-step process:
• In the first phase of the SA creation process, IKE creates a secure channel between the
computers called an IKE SA, as well as generating a Diffie-Hellman key agreement.
Phase 1 is also the point where the computers will authenticate with one another, using
the authentication methods supported by Windows Server 2003: Kerberos, a digital
certificate, or a preshared key.
Note The Diffie-Hellman key agreement protocol was developed in 1976 as a way to allow users or
computers to exchange a secret key over an insecure medium such as the Internet.
• In phase 2, IKE will negotiate the SA itself, as well as generate any required security keys
for IPSec and a second Diffie-Hellman key agreement.
Configuring Key Exchange Settings
In Windows Server 2003, you can specify key exchange settings for each IPSec policy, configuring
a number of settings. Master key perfect forward secrecy will force IPSec to generate a
new master key whenever it creates a new session. Beyond this, you can configure how often
IPSec will generate a new master key based on the amount of time (in minutes) that has elapsed
since the last key was created, as well as the number of sessions that the master key has generated.
Finally, you can specify the security methods that IKE will use. Similar to configuring an
IPSec security method, you need to configure the encryption algorithm (DES or 3DES) and
integrity algorithm (MD5 or SHA1) that IKE will use. In addition, you'll also need to configure
the Diffie-Hellman group to be used. A Diffie-Hellman group establishes the length of the base
numbers that are used during the key exchange process. Because the cryptographic strength
of any key partially depends on this length, you'll use Diffie-Hellman groups to fine-tune the
strength of keys you create.
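The following batch script is an added example, not code from the book, that ties together the two commands shown earlier and the key exchange settings just described: it creates the policy, turns on master key perfect forward secrecy, sets the 240-minute master key lifetime, offers two IKE security methods in preference order, and then displays the result for verification. The policy name is the one from the text; the description string, the choice of offers, and the decision to leave the policy unassigned are assumptions.

```batch
@echo off
REM Added example (not from the book): create an IPSec policy and configure
REM its IKE main mode (phase 1) key exchange settings with netsh ipsec static.
REM Policy name comes from the text; other values are assumptions for illustration.

set POLICY=Custom Security Policy

REM Create the policy. netsh returns a non-zero exit code if a policy with this
REM name already exists, so the script stops rather than silently reconfiguring it.
netsh ipsec static add policy name="%POLICY%" description="Key exchange hardening example"
if errorlevel 1 goto :fail

REM Key exchange settings:
REM   mmpfs=yes      master key perfect forward secrecy: a fresh master key for every session
REM   mmlifetime=240 minutes of elapsed time before IKE generates a new master key
REM   mmsecmethods   ordered offers in ConfAlg-HashAlg-DHGroup form; group 3 = High (2048)
REM                  SHA1 is offered before MD5 so the stronger integrity algorithm wins
REM                  when both peers support it.
REM When mmpfs=yes, the per-session counter (qmpermm) is not needed; with mmpfs=no you
REM would add qmpermm=<count> to rekey after a fixed number of sessions instead.
netsh ipsec static set policy name="%POLICY%" mmpfs=yes mmlifetime=240 mmsecmethods="3DES-SHA1-3 3DES-MD5-3"
if errorlevel 1 goto :fail

REM Show the policy so the main mode settings can be checked before it is assigned.
REM The policy is deliberately left unassigned (assign=no is the default) so that a
REM mistake here cannot disrupt traffic; assign it with:
REM   netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
exit /b 0

:fail
echo Failed to create or configure policy "%POLICY%".
exit /b 1
```

Run the script from an elevated command prompt on the server whose local IPSec policy store you are editing; the verbose output of show policy lists the main mode security methods, lifetime and PFS setting so you can confirm they match what the script requested before assigning the policy.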