DistributedNetworks

TCP/IP Solution
Lesson 3 Protect data with IPSec
Objective: Define the data protection features provided by IPSec.

Protect data with IPSec

Data traffic on public and private IP networks may be confidential and require increased security. The security required can include authentication of the peers, encryption of the data, and authentication of the data.

Two IPSec Functions

IPSec provides two functions to improve security:
  1. Data integrity: Use an Authentication Header (AH) to provide source authentication and integrity without providing data encryption. Use IPSec with AH in a network design where only data integrity is required, or where the application layer already encrypts the data. The Authentication Header allows you to confirm that the sender of the data is who they claim to be, and also assures that the data has not been altered in transit over the network. Remember, AH does not encrypt the data itself. To encrypt the actual data, use an application layer protocol such as the Secure Sockets Layer (SSL), or use ESP.
  2. Data encryption: Encapsulating Security Payload (ESP) provides authentication and integrity, along with encryption. Use IPSec with ESP where both integrity and encryption are required.

  1. Authentication Header (AH): The Authentication Header is one of the security protocols used with IPSec. AH provides authentication and integrity for the entire packet (both the IP header and the data carried in the packet). AH signs the entire packet but does not encrypt the data: the data is readable, but protected from modification. Packet integrity is assured by digital signatures applied to each packet.
  2. Encapsulating Security Payload (ESP): ESP is the other security protocol used in IPSec. ESP provides confidentiality in addition to authentication and integrity.
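The following is an added example (not part of the original lesson) that models the AH behaviour described above: the integrity check value is computed over the whole packet, IP header included, while the data itself stays in the clear. It is a simplified model, not an RFC 4302 implementation; the algorithm choice (HMAC-SHA-256 truncated to 128 bits), the key, the addresses and the payload are all constructed assumptions. Fields that legitimately change in transit (TTL and the header checksum) are treated as zero when the check value is computed, so a router hop still verifies while any change to the source address or payload does not.

```python
import hmac
import hashlib
import socket
import struct

# Added example (not from the original lesson): a simplified model of how an
# IPSec Authentication Header protects a packet. The integrity check value
# (ICV) covers the entire packet, including the IP header, with the fields
# that change in transit (TTL, header checksum) and the ICV field itself
# treated as zero. Assumed ICV algorithm: HMAC-SHA-256 truncated to 128 bits
# (the RFC 4868 construction); a real stack negotiates it via IKE.

PROTO_AH = 51
PROTO_TCP = 6
IP_HLEN = 20
AH_FIXED_LEN = 12          # next header, payload len, reserved, SPI, sequence
ICV_LEN = 16
AH_LEN = AH_FIXED_LEN + ICV_LEN

TTL_OFF = 8                # mutable IPv4 header fields
CSUM_OFF = 10
ICV_OFF = IP_HLEN + AH_FIXED_LEN


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement IPv4 header checksum over a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:CSUM_OFF] + struct.pack("!H", ip_checksum(hdr)) + hdr[CSUM_OFF + 2:]


def icv_input(packet: bytes) -> bytes:
    """The packet as the ICV sees it: mutable fields and the ICV itself zeroed."""
    buf = bytearray(packet)
    buf[TTL_OFF] = 0
    buf[CSUM_OFF:CSUM_OFF + 2] = b"\x00\x00"
    buf[ICV_OFF:ICV_OFF + ICV_LEN] = bytes(ICV_LEN)
    return bytes(buf)


def compute_icv(packet: bytes, key: bytes) -> bytes:
    return hmac.new(key, icv_input(packet), hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src, dst, spi, seq, ttl, payload, key) -> bytes:
    total_len = IP_HLEN + AH_LEN + len(payload)
    ip = ipv4_header(src, dst, PROTO_AH, ttl, total_len)
    # AH payload length field = AH length in 32-bit words minus 2 (RFC 4302)
    ah = struct.pack("!BBHII", PROTO_TCP, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    packet = ip + ah + payload
    return packet[:ICV_OFF] + compute_icv(packet, key) + packet[ICV_OFF + ICV_LEN:]


def verify_ah(packet: bytes, key: bytes) -> bool:
    received = packet[ICV_OFF:ICV_OFF + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(packet, key))


def ah_payload(packet: bytes) -> bytes:
    """AH does not encrypt: the protected data is readable by anyone on the path."""
    return packet[IP_HLEN + AH_LEN:]


def forward_hop(packet: bytes) -> bytes:
    """Model a router hop: decrement TTL and recompute the header checksum."""
    buf = bytearray(packet)
    buf[TTL_OFF] -= 1
    buf[CSUM_OFF:CSUM_OFF + 2] = b"\x00\x00"
    buf[CSUM_OFF:CSUM_OFF + 2] = struct.pack("!H", ip_checksum(bytes(buf[:IP_HLEN])))
    return bytes(buf)


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset (simulates an in-transit modification)."""
    buf = bytearray(packet)
    buf[offset] ^= 0x01
    return bytes(buf)


KEY = b"constructed-demo-key-not-negotiated"   # constructed; IKE would derive it
PAYLOAD = b"GET /status HTTP/1.0\r\n\r\n"        # constructed, deliberately plaintext

if __name__ == "__main__":
    pkt = build_ah_packet("10.0.0.5", "10.0.1.9", spi=0x1000, seq=1, ttl=64,
                          payload=PAYLOAD, key=KEY)
    print("valid:", verify_ah(pkt, KEY))
    print("after a router hop:", verify_ah(forward_hop(pkt), KEY))
    print("payload altered:", verify_ah(tamper(pkt, IP_HLEN + AH_LEN), KEY))
    print("source IP altered:", verify_ah(tamper(pkt, 12), KEY))
    print("readable payload:", ah_payload(pkt))
```

The two failing checks are the point of the lesson's AH description: the IP header is inside the signed region, so a changed source address fails just as a changed payload does, and the payload prints as plain text because AH provides no confidentiality.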

The Authentication Header and Encapsulating Security Payload headers support two different modes: tunnel mode and transport mode. In tunnel mode, the endpoints of the tunnel are specified. These endpoints are typically two VPN servers. All data is encrypted as it is passed from the source to the destination server on each end of the tunnel. Transport mode provides for end-to-end encryption. In this case, a computer on network A encrypts data before it hits the wire, and the data remains encrypted until it reaches its destination on network B.
Note the difference between tunnel and transport modes. In tunnel mode, the data is protected only between the tunnel endpoints. In transport mode, the data is protected from the source to the destination, which is referred to as "end-to-end" protection.
The following Slide Show provides an overview of the data protection features provided by IPSec.


Pre-defined IPSec policies

Computers that are members of a Windows 2000 domain include predefined IPSec policies that define integrity and encryption options. These are described below.

  1. Client (Respond Only): Use this policy for computers that do not require IPSec except when requested by another computer. When defined, this policy enables the computer to respond appropriately to requests for secured communications. Only the requested protocol and port traffic for the communication are secured. For example, a Windows 2000 Professional computer might wish to connect to a secure Windows 2000 server. The Windows 2000 Professional machine does not require secure communication via IPSec, but the server does require IPSec. The Windows 2000 Professional client will respond by creating only IPSec-secured connections to the secure server.
  2. Server (Request Security): Use this policy for computers that secure communications most of the time. In this policy, the computer accepts unsecured traffic, but always attempts to secure additional communications by requesting security from the original sender. This policy allows the entire communication to be unsecured if the other computer is not IPSec-enabled. The Request Security policy is helpful during an interim period when you wish to create a secure server, but not all machines on your network have been upgraded to Windows 2000. This allows the server to communicate with down-level client operating systems in a non-secure context during the upgrade rollout. Once all the machines on the network have been upgraded, you can change the server to use the Secure Server IPSec policy.
  3. Secure Server (Require Security): Use this policy for computers that always require secure communications. This policy rejects unsecured incoming communications. The outgoing traffic is always secured. Unsecured communication is not allowed.

Only one of the policies may be active on a given computer, so your security plan must specify the required predefined policy or define a custom policy. Where a predefined policy does not meet the given security requirements, you must customize it.

Routing IPSec traffic

IPSec traffic uses particular IP protocol numbers and ports that can be routed transparently. For a security gateway, firewall, Proxy Server, router, or any server that is an access point from the private network to a public network where traffic filtering may be applied, you must define filters to ensure that packets secured with IPSec are not rejected. For example, Microsoft Proxy Server 2.0 includes a number of built-in filters, including a filter for PPTP. If you want to use L2TP/IPSec instead of PPTP, you will have to configure your own custom filter.
Define the following inbound and outbound filters for a public network interface if your design includes IPSec traffic through that interface:
  1. IPSec Authentication Header traffic: permit IP Protocol ID 51.
  2. IPSec Encapsulating Security Payload traffic: permit IP Protocol ID 50, and UDP port 500 for ISAKMP/Oakley negotiation traffic.
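As an added example (not code from the original lesson or from any Microsoft product), the following is a small deny-by-default packet classifier that applies the three filter rules listed above to constructed packets and reports what a gateway can actually see in each. The packet builders, addresses and payloads are assumptions made for the example; the protocol numbers and the ISAKMP port come from the lesson. It also shows why the ESP rule has to key on the IP protocol number: after the SPI and sequence number, everything in an ESP packet is encrypted, so inner ports and even the mode are invisible to the gateway, whereas an AH packet stays readable and its next-header field reveals transport versus tunnel mode.

```python
import struct

# Added example, not code from the original lesson. A minimal deny-by-default
# packet filter for a public-network interface that must pass IPSec, using the
# three rules the lesson lists: IP protocol 51 (AH), IP protocol 50 (ESP) and
# UDP port 500 (ISAKMP/Oakley, the IKE negotiation). All packets are
# constructed inline; the addresses are from the documentation ranges.

PROTO_IPIP = 4      # next header 4 = an inner IPv4 packet, i.e. tunnel mode
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
ISAKMP_PORT = 500


def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Bare IPv4 header (checksum left zero; it is not needed for filtering)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                      proto, 0, src, dst)
    return hdr + payload


def ah(next_header: int, spi: int, seq: int, inner: bytes) -> bytes:
    """AH with a 16-byte ICV placeholder; payload len = AH words - 2 (RFC 4302)."""
    return struct.pack("!BBHII", next_header, 28 // 4 - 2, 0, spi, seq) + bytes(16) + inner


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: only the SPI and sequence number are in the clear."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet: bytes) -> dict:
    """Filter decision plus whatever the gateway can observe about the packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    info = {"proto": proto, "permit": False, "reason": "no matching filter"}
    if proto == PROTO_AH:
        next_hdr, _plen, _rsv, spi, seq = struct.unpack_from("!BBHII", body)
        # AH leaves the packet readable, so the next-header field reveals the mode.
        info.update(permit=True, reason="AH (IP protocol 51)", spi=spi, seq=seq,
                    mode="tunnel" if next_hdr == PROTO_IPIP else "transport")
    elif proto == PROTO_ESP:
        spi, seq = struct.unpack_from("!II", body)
        # Everything after SPI and sequence number is encrypted: inner protocol,
        # ports and mode are invisible, so the rule keys on protocol 50, not ports.
        info.update(permit=True, reason="ESP (IP protocol 50)", spi=spi, seq=seq,
                    mode="unknown (encrypted)")
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack_from("!HH", body)
        # IKE negotiation precedes both AH and ESP security associations,
        # so this rule is needed whichever protocol the design uses.
        if ISAKMP_PORT in (sport, dport):
            info.update(permit=True, reason="ISAKMP/Oakley (UDP 500)")
        else:
            info["reason"] = f"UDP {sport}->{dport}: no IPSec filter matches"
    return info


def apply_filters(packets) -> list:
    """Run the filter over a batch; returns (permit, reason) per packet."""
    return [(c["permit"], c["reason"]) for c in map(classify, packets)]


# Constructed sample traffic arriving at the public interface.
A, B = bytes([203, 0, 113, 10]), bytes([198, 51, 100, 20])
SAMPLES = {
    "ah_transport": ipv4(A, B, PROTO_AH, ah(PROTO_TCP, 0x100, 1, b"tcp segment")),
    "ah_tunnel":    ipv4(A, B, PROTO_AH, ah(PROTO_IPIP, 0x101, 1, b"inner ip packet")),
    "esp":          ipv4(A, B, PROTO_ESP, esp(0x200, 5, bytes(range(32)))),
    "isakmp":       ipv4(A, B, PROTO_UDP, udp(500, 500, b"ike main mode")),
    "dns":          ipv4(A, B, PROTO_UDP, udp(53000, 53, b"query")),
    "http":         ipv4(A, B, PROTO_TCP, b"\x00\x50" * 2 + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} {classify(pkt)}")
```

The DNS and HTTP samples are denied only because this example contains nothing but the three IPSec rules; on a real gateway they would be decided by the other filters in the rule set (for instance the PPTP filter mentioned above). Note also that the Windows 2000 design described here does not traverse NAT; later IPSec deployments additionally carry IKE and ESP over UDP port 4500, which would need its own rule.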
The next lesson describes the protection levels provided by IPSec.