In this module, you learned some important features to consider when designing your Windows 2000 TCP/IP security configuration.
You saw how you can use port filtering to control access to a particular computer, and you learned that port filtering does not apply to situations where the computer is acting as a router.
You also learned a great deal about IPSec and how it works. You saw that IPSec is a policy-driven protocol, and that you can use one of the predefined security policies or create your own.
You also learned that IPSec provides end-to-end security when used in transport mode, and can provide security between gateways (such as VPN servers) when used in tunnel mode.
You were also introduced to hash algorithms that are used to protect message integrity and encryption algorithms that are used to protect the confidentiality of messages as they move across the wire.
Finally, you learned how to position routers to improve fault-tolerance and availability.
Now that you have completed this module, you should be able to:
- Reduce unauthorized access to network resources using filters
- Define the data protection features provided by IPSec
- Define the data protection levels provided by IPSec
- Define how to negotiate security keys
- Define the strategies used to enhance the availability of TCP/IP routing structures
Here are some terms that might be new to you:
- Authentication Header (AH): The Authentication Header is one of the security protocols used with IPSec. AH provides authentication and integrity , for the entire packet
(both the IP header and the data carried in the packet). AH signs the entire packet. It does not encrypt the data. The data is readable, but protected from modification. Packet integrity is assured by digital signatures applied to each packet.
- Diffie-Hellman group: Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange. The longer the prime number used, the more difficult it is to break the encryption code.
- Encapsulating Security Payload (ESP): ESP provides confidentiality, in addition to authentication and integrity. ESP is one of the security protocols used in IPSec.
- Tunnel mode: IPSec communications in Tunnel Mode support end-to-end protection of data only between the tunnel endpoints. This endpoints are typically VPN Servers.
- Transport mode: IPSec communications in Transport mode support end-to-end protection of data.
- Internet Security Association and Key Management Protocol (ISAKMP): Internet Security Association and Key Management Protocol (ISAKMP) defines a common framework to support the establishment of security associations which are used by IPSec.
When combined with the Oakley protocol, it is referred to as the Internet Key Exchange (IKE).
- Oakley key generation protocol: A Key Generation Protocol used to create secure keys for the establishment of a Security Association.
- Interior Gateway Routing Protocol (IGRP): IGRP is a distance vector routing protocol developed by Cisco Systems, Inc.
In the next module, you will learn about optimizing your TCP/IP design.