Microsoft Windows 10 IPsec VPN Report

A VPN (Virtual Private Network) is a network that maintains privacy over the public Internet by means of security procedures and tunneling protocols such as L2TP (Layer Two Tunneling Protocol) or IPsec. Private data is encrypted before it is sent and decrypted only at the receiving end, and it travels through a “tunnel” that no other traffic can enter. The same capability in Windows 10 is known as the Windows 10 IPsec VPN Client. Windows implements IPsec to provide protected, authenticated, confidential, and tamper-proof networking between two peer computers.

Before we proceed, it is worth clarifying the term Virtual Private Network. A VPN is a way of using the Internet to give remote users or groups access to an organization’s network in a secured environment. Before the advent of VPNs, companies rented expensive systems of leased lines to build networks that only they could use; a VPN provides the same capabilities at a much lower cost.

Microsoft Windows 10 IPsec VPN Client

You can set up a VPN on your Windows 10 computer. The OS is well suited for business desktops and is designed to serve as a client within Windows domains.

Security Target for Microsoft Windows 10 IPsec VPN Client

A few days ago, Microsoft published the security evaluation report (Security Target) for the Microsoft Windows 10 IPsec VPN Client. Here’s its summary.

Security Audit

Audit information generated by the system records the date, time, and identity of the user who caused each event. Windows 10 can collect and audit this data, protect the audit logs from overflow, and restrict access to them where required. Authorized administrators can review the audit logs and search or sort audit records.

Security Management

Policy management is controlled via a combination of access control, membership in administrator groups, and privileges. Windows 10 supports several functions to manage security policies.

Trusted Path

Windows 10 is configured to use a suite of protocols that provides a Virtual Private Network (VPN) connection between itself and a VPN gateway, in addition to protected communications via HTTPS.

Cryptographic Support

Windows provides FIPS-validated cryptographic functions that have support for:

  1. Cryptographic signatures
  2. Cryptographic key agreement
  3. Cryptographic hashing
  4. Encryption/decryption

In addition to using cryptography for its own security functions, Windows exposes the cryptographic support functions to user-mode and kernel-mode programs. It also provides extensive auditing of cryptographic operations.

Authentication and Identification

The latest version of Windows, Windows 10, can use, store, and protect X.509 certificates, which are used for TLS and to authenticate the user to their mobile device.

TOE Access

Windows constantly monitors the mouse, keyboard, and touch display for activity and locks the computer after a set period of inactivity; a user can therefore lock their session either immediately or after a defined interval. In addition, an authorized administrator can configure the system to show a login banner before the login dialog is displayed.

Validation Report for Microsoft Windows 10 IPsec VPN Client

This is the validation report for the completed Common Criteria evaluation of the Microsoft Windows 10 IPsec VPN Client. Its highlights follow:

RAS IPsec VPN Client Configuration

This section provides information on how to configure the RAS IPsec VPN Client for IKEv1 and IKEv2 in tunnel mode.

Managing Audit Policy

A section under it describes the categories of audits in the Windows Security log (Advanced Audit Policy Configuration). It outlines in detail the steps to select audit policies by category and user, and to audit success or failure, in the Windows Logs -> Security log.
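As an added example (not taken from the Microsoft documentation), the following PowerShell enables the IPsec and Filtering Platform audit subcategories by success and failure with the built-in auditpol tool, then pulls the resulting IKE main-mode events from the Security log so a reviewer can sort them by outcome. It assumes an elevated PowerShell session on Windows 10; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not from the report. Run from an elevated PowerShell.
# These are the Advanced Audit Policy subcategories that cover IPsec
# negotiation, the IPsec driver and Windows Filtering Platform decisions.
$subcategories = @(
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'IPsec Extended Mode',
    'IPsec Driver',
    'Filtering Platform Connection',
    'Filtering Platform Policy Change'
)

foreach ($sub in $subcategories) {
    # Audit both outcomes: success shows what was negotiated, failure shows what was rejected.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Confirm the effective setting rather than trusting the set calls.
foreach ($sub in $subcategories) {
    & auditpol.exe /get /subcategory:"$sub"
}

# IKE main-mode events in the Security log:
#   4650 / 4651 = main mode SA established (without / with certificate authentication)
#   4652 / 4653 = main mode negotiation failed
$ids   = 4650, 4651, 4652, 4653
$since = (Get-Date).AddHours(-24)   # arbitrary review window
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Count per event id: a spike in 4652/4653 relative to 4650/4651 is the first
# thing a reviewer sorting Windows Logs -> Security by failure would look at.
$events |
    Group-Object Id |
    Select-Object @{ Name = 'EventId'; Expression = { [int]$_.Name } }, Count |
    Sort-Object EventId |
    Format-Table -AutoSize
```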

Configuring Pre-Shared Key for IKEv1

This section contains the guidance to meet the Common Criteria SFRs related to

  1. Internet Protocol Security (IPsec) Communications (FCS_IPSEC_EXT.1.12) – Pre-shared keys
  2. 1 – Configure IKE authentication techniques

Configuring Cryptographic Algorithms for IKEv1 and IKEv2

A link is attached to every topic listed above, which lets you configure these settings without hassle.
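To show what the IKEv2 client configuration and the cryptographic-algorithm settings described above look like in practice, here is an added PowerShell example (not Microsoft's own guidance) that creates an IKEv2 RAS VPN connection with machine-certificate authentication, pins the IKE and ESP algorithms, and reads the result back. The connection name and the gateway vpn.example.com are placeholders; the AES-256/SHA-256/DH group 14 suite is one illustrative choice, not the report's mandated set.

```powershell
# Added example, not from the Microsoft documentation. Run as an administrator.
$name   = 'CC-IKEv2-Tunnel'      # placeholder connection name
$server = 'vpn.example.com'      # placeholder VPN gateway

# Remove a stale profile of the same name so the script is repeatable.
if (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $name -Force
}

# IKEv2 tunnel authenticated with the computer certificate; encryption is mandatory.
Add-VpnConnection -Name $name -ServerAddress $server `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required

# Replace the client defaults with an explicit suite:
#   IKE SA : AES-256 encryption, SHA-256 integrity, 2048-bit MODP (group 14)
#   ESP    : AES-256 with SHA-256 (128-bit truncated) authentication
#   PFS    : fresh 2048-bit DH exchange for each child SA
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Verify: read the effective profile and custom IPsec policy back.
$vpn = Get-VpnConnection -Name $name
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
$vpn.IPsecCustomPolicy
```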

Administrative Guide for Microsoft Windows 10 IPsec VPN Client

Finally, there is the administrative guidance for the completed Common Criteria evaluation of the Microsoft Windows 10 IPsec VPN Client. As with the documents above, the operational guide provides many links to TechNet and other Microsoft resources. It mainly concerns managing the Windows Firewall (Windows Filtering Platform) and the guidance to meet the Common Criteria SFR Internet Protocol Security (IPsec) Communications (FCS_IPSEC_EXT.1.1).

The document highlights that the Windows Filtering Platform is configured to start automatically and must never be turned off in order to support any of the described IPsec scenarios. The Windows Filtering Platform is the IPsec Security Policy Database (SPD) for Windows 10, and the IPsec rules in the Windows Filtering Platform are entries in the SPD. The Windows Filtering Platform can be configured with Inbound and Outbound rules that protect, bypass, discard or allow the traffic those rules specify. A link is given to assist a user in configuring the Windows Firewall and IPsec Policy; it mainly explains the priority for applying firewall rules.
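As an added example (not from the administrative guide), the PowerShell below first checks that the Windows Filtering Platform service (Base Filtering Engine, service name BFE) is running and set to start automatically, then adds an SPD entry: a tunnel-mode IKEv2 rule that requires protection for traffic to one subnet, with its IKE and ESP crypto sets. The CA name, subnet and gateway address are placeholders, and pairing a main-mode rule with the IPsec rule's Phase1 auth set is one assumed layout; the actual evaluated configuration lives in the linked Microsoft guidance.

```powershell
# Added example, not from the Microsoft guidance. Run as an administrator.
# 1. The WFP service must be running and start automatically, as the guide requires.
$bfe = Get-Service -Name BFE                     # Base Filtering Engine = WFP service
if ($bfe.StartType -ne 'Automatic') { Set-Service -Name BFE -StartupType Automatic }
if ($bfe.Status -ne 'Running')      { Start-Service -Name BFE }

# 2. IKE authentication: the machine certificate issued by a placeholder CA.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=Example Root CA, O=Example'
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'CC-IKEv2-MachineCert' -Proposal $authProposal

# 3. IKE SA crypto (AES-256 / SHA-256 / DH group 14) bound to the placeholder gateway.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mm = New-NetIPsecMainModeCryptoSet -DisplayName 'CC-MainMode-AES256-SHA256-DH14' -Proposal $mmProposal
New-NetIPsecMainModeRule -DisplayName 'CC-MainMode' -MainModeCryptoSet $mm.Name `
    -Phase1AuthSet $p1.Name -RemoteAddress 198.51.100.1 | Out-Null

# 4. ESP crypto for the child SA.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qm = New-NetIPsecQuickModeCryptoSet -DisplayName 'CC-QuickMode-AES256-SHA256' -Proposal $qmProposal

# 5. The SPD entry itself: traffic to 192.0.2.0/24 must travel inside an IKEv2 tunnel
#    to the gateway 198.51.100.1; with Require on both directions, unprotected
#    packets matching the rule are discarded rather than passed in the clear.
New-NetIPsecRule -DisplayName 'CC-Tunnel-ProtectedSubnet' -Mode Tunnel -KeyModule IKEv2 `
    -LocalAddress Any -RemoteAddress 192.0.2.0/24 `
    -LocalTunnelEndpoint 203.0.113.10 -RemoteTunnelEndpoint 198.51.100.1 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $qm.Name | Out-Null

# 6. Read the SPD back: each rule here is one entry in the database the guide describes.
Get-NetIPsecRule -DisplayName 'CC-*' |
    Select-Object DisplayName, Mode, KeyModule, InboundSecurity, OutboundSecurity, Enabled
```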

Please note that all files are in PDF format and can be opened with a PDF reader application supported on the Windows 10 operating system.
