
Understanding IPSec

The IP Security Protocol (IPSec) is a suite of cryptography-based protection services and security protocols that can be used to secure internal networks and can also be used to secure remote access connections such as a VPN. IPSec secures the data even if the routers and other devices involved in moving the data from sender to receiver do not support IPSec. IPSec can be used to secure the movement of data on LANs, WANs, and remote access connections.

IPSec uses strong cryptography and provides protection for network data because it protects the data while en route and can even be used to protect private network data that is transmitted across public network environments such as the Internet. The biggest plus related to IPSec is that it can be used to protect data inside the network and eliminate snooping and hacking by employees, contractors, or attackers who have already gained access to the network.

IP packets are encrypted on a packet-by-packet basis. IPSec can also make use of authentication keys such as certificates (discussed in Hour 22) as a way of establishing a trust relationship between the sending and receiving computers.

Windows Server 2008 combines IPSec settings with the Windows Firewall, which means that you configure IPSec settings for the firewall in the Windows Firewall with Advanced Security Properties dialog box.

To open the Windows Firewall with Advanced Security Properties dialog box for the local computer, right-click the Windows Firewall with Advanced Security node in the snap-in node tree and select Properties. The Properties dialog box opens. IPSec settings for the firewall can be accessed via the IPSec Settings tab (see Figure 21.10).

Figure 21.10. The IPSec tab of the Windows Firewall properties dialog box.

The IPSec Settings tab provides a Customize button that enables you to access the IPSec defaults for the firewall. The IPsec settings that you select apply to all the connection security rules that you create.

To access the Customize IPsec Settings dialog box, click the Customize button (see Figure 21.11). The IPSec settings fall into three categories: key exchange, data protection, and authentication method. You can customize the settings for any of these IPSec categories.

Figure 21.11. The Customize IPSec Settings dialog box.

The key exchange default settings relate to the integrity and encryption methods that are selected. To view the key exchange settings available, click the Advanced option button under Key Exchange. Then click the Customize button. The Customize Advanced Key Exchange Settings dialog box opens (see Figure 21.12). By default, the key exchange settings use the Diffie-Hellman Group 2 key exchange algorithm (which uses a public and a private key to encrypt the data).

Figure 21.12. The IPSec key exchange settings.


By the Way

Diffie and Hellman invented the public key encryption methodology in 1976 and so this encryption method is referred to by their names.

If you want, you can strengthen IPSec security by selecting a key exchange algorithm that is stronger than the default (Diffie-Hellman Group 2), such as the Elliptic Curve Diffie-Hellman P-384 algorithm. However, using this algorithm restricts your client base to Windows Vista and your server base to Windows Server 2008. You can also edit the key lifetime settings if you wish. The shorter the lifetime for the key, the more secure the connection (in theory).

You can also edit the data protection settings. In the Customize IPsec Settings dialog box, click the Advanced option button in the Data Protection (Quick Mode) area of the dialog box and then click the Customize button. This opens the Customize Data Protection Settings dialog box.

By default, two protocols are used to supply the data integrity and encryption algorithms for IPSec: ESP and AH. The Encapsulating Security Payload (ESP) protocol provides data origin authentication, connectionless integrity, and an anti-replay service for the IP payload (meaning the data). The Authentication Header (AH) protocol provides security for the IP header. You can edit the settings in the Customize Data Protection Settings dialog box, but the defaults should work well in most circumstances.

The Customize IPSec Settings dialog also enables you to select the authentication method to be used to make secure connections between computers (look back at Figure 21.11). The choices are

When you have finished working with the Customize IPSec Settings dialog box, click OK (or Cancel). You can then close the Windows Firewall with Advanced Security dialog box to return to the firewall snap-in.

The full possibilities of IPSec are certainly beyond the scope of this book. However, you can manage IPSec using IPSec policies. These policies are a set of filters and filter actions that are used to determine how IP packets are treated by a particular computer or group of computers. IPSec policies are integrated with the Windows Server 2008 Group Policy, and IPSec policies can be assigned to individual computers, Organizational Units, and domains. This makes it easy for you to design (and lowers the management overhead of) a domain- or enterprise-level plan for IPSec deployment. For more about the basics of working with Group Policy, see Hour 11.
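As an added example that is not from the book, the following script makes the same choices from the command line with the netsh advfirewall context that Windows Server 2008 ships with: the key exchange (main mode) settings of Figure 21.12, with the default beside the stronger ECDH P-384 choice discussed above, and one connection security rule, which is exactly a filter (which endpoints) plus an action (what to require). The rule name, addresses and subnet are constructed placeholders, and the parameter spellings are assumed from the Server 2008 netsh syntax, so confirm them with "netsh advfirewall consec add rule ?" before applying.

```batch
@echo off
rem Added example, not the book's text: run from an elevated command prompt.
rem Names, addresses and the subnet below are constructed placeholders.

rem ---- Key exchange (main mode): the settings behind Figure 21.12 ----
rem Record the current global settings first so the change can be reviewed and rolled back.
netsh advfirewall show global

rem Book default: Diffie-Hellman Group 2, 480-minute key lifetime (shown, not applied).
rem netsh advfirewall set global mainmode mmsecmethods=dhgroup2:3des-sha1 mmkeylifetime=480min,0sess

rem Stronger choice from the text: ECDH P-384 with AES-256/SHA-384 and a shorter lifetime.
rem Compatibility caveat from the text: only Vista / Server 2008 peers can negotiate this.
netsh advfirewall set global mainmode mmsecmethods=ecdhp384:aes256-sha384 mmkeylifetime=60min,0sess

rem ---- Connection security rule: one IPsec policy = filter + action ----
rem Filter: traffic between the local subnet (placeholder 192.0.2.0/24) and one server
rem (placeholder 203.0.113.10). Action: require authentication inbound, request it outbound.
rem Computers authenticate with Kerberos, i.e. domain membership (the Hour 22 certificate
rem option would be auth1=computercert with an auth1ca value).
rem Quick mode: ESP with SHA-256 integrity and AES-256 encryption, rekey at 60 min or 100000 KB.
netsh advfirewall consec add rule name="Require IPsec to FileServer (example)" ^
  endpoint1=192.0.2.0/24 endpoint2=203.0.113.10 ^
  action=requireinrequestout auth1=computerkerb ^
  qmsecmethods=esp:sha256-aes256+60min+100000kb profile=domain

rem ---- Verify ----
rem Show the rule as stored, then the main mode security associations actually negotiated.
netsh advfirewall consec show rule name="Require IPsec to FileServer (example)"
netsh advfirewall monitor show mmsa
```

Because the rule only requests (rather than requires) authentication outbound, hosts that cannot negotiate the stronger main mode still connect in the clear, which is visible as a missing SA in the monitor output rather than as a dropped connection.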
