The following is the first of a two-part series. Click for part two.
Thanks to terrorists, hackers and lawyers, security mechanisms that were more or less optional a couple of years ago are now the norm. Network traffic encryption is one such mechanism. You've always had to encrypt sensitive traffic flowing across the Internet, but now you may have to encrypt the traffic flowing across a private network. You never know when someone is trying to sniff packets, steal passwords, read other people's e-mail or perform some other horrible exploit. Fortunately, Microsoft offers a solution built into Windows Server 2000 and Windows Server 2003: the IPSec protocol.
What is IPSec?
IPSec is an encryption protocol designed to work at the IP level. As you might know, Kerberos is the primary Windows authentication protocol. Kerberos and IPSec differ in that Kerberos provides user-to-service authentication. IPSec on the other hand is used to encrypt and authenticate communications between computers on the network. It is a low-level protocol that has absolutely nothing to do with securing access to data or services on a server.
IPSec's main goals are to encrypt communications across an IP-based network (such as the Internet and most private networks) and to guarantee that a transmission has not been tampered with en route.
Here are several more specific reasons to consider deploying IPSec policies.
1. Prevent snooping and man-in-the-middle attacks
Imagine you need to send an e-mail to your boss asking for a day off. If that message was not encrypted, anyone on the same IP segment as you or your boss could use a protocol analyzer to read the message as it is sent. If that nosey person happens to be positioned where the packet flows past him to reach your boss, he could conceivably launch a man-in-the-middle attack, which involves capturing a packet, altering it and then sending it to its intended destination. If this type of attack occurs, the innocent e-mail asking for a day off could be altered to read, "I quit!"
IPSec enables you to encrypt the packets, preventing others from reading them. The packets are also numbered and have a mechanism that prevents them from being altered or replayed. If one is altered or replayed, IPSec renders the packet invalid.
2. Harden wireless network security
Although IPSec works well on any Windows network, it is especially useful if you have a wireless network. Sure you can encrypt a wireless network by using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA), but adding IPSec encryption to the packets makes it even more difficult for a hacker to spy on data being sent over the air.
3. Deploy without additional software
One simple benefit of IPSec is that it's built into Windows. That means you don't have to buy any additional software and you don't have to worry about compatibility issues when implementing IPSec policies. You also don't have to do anything to deploy IPSec onto the server or client PCs -- you just create an appropriate group policy.
4. Set policies for any Microsoft version
Microsoft originally released IPSec with Windows 2000. This means that Windows 2000 (Server and Professional), Windows XP and Windows Server 2003 all support IPSec, but Windows 9.x does not. Fortunately, enabling IPSec does not require you to alienate Windows 9.x machines or machines running other operating systems that may not support IPSec. When you create the IPSec group policy entry, you can choose to have machines request security or require security.
If an IPSec policy is set to request security, a client that tries to communicate with the server will receive a request from that server to use IPSec communications. If the client supports IPSec, encrypted communications begin. If the client does not support IPSec, communications remain unencrypted. But if the IPSec policy requires security, all conversations must be encrypted by IPSec.
Generally speaking, setting up a security policy that requests IPSec security is perfect for most companies because it accomodates both IPSec-aware and non-IPSec-aware clients. As legacy operating systems are phased out, the newer operating systems will already be prepared to have secure communications with other machines.
5. Encrypt communications transparently
Aside from the fact that IPSec communications run a little more slowly than unencrypted communications, clients will never know that communications are being encrypted. The encryption is completely transparent to the end user, and there are no new products or procedures to be learned. From the end-user perspective, nothing has changed.
As you can see, IPSec encryption can be very beneficial to the overall security of your network. In my next column, I will discuss some best practices for IPSec deployment.
Click for part two to get best practices for implementing IPSec policies.
Brien M. Posey is a regular contributor on SearchWindowsSecurity.com.
For More Information:
Get help locking down remote administration.
Read up on encryption techniques for Windows 2000 servers.
Get help controlling untrusted-laptop access to your network.