Internet Protocol Security


Establishing an IPSec Security Plan

Implementing IPSec, whether for a large domain or a small workgroup, means finding a balance between making information easily available to the largest number of users, and protecting sensitive information from unauthorized access.

Finding the proper balance requires:

Security considerations are also influenced by the operational context of the computer to which they apply. For example, the security required may differ depending on whether the computer is a domain controller, Web server, remote access server, file server, database server, intranet or remote client.

The Windows 2000 security framework is designed to fulfill the most stringent security requirements. However, software alone is less effective without careful planning and assessment, effective security guidelines, enforcement, auditing, and sensible security policy design and assignment.

There is no exact definition of the measures that define standard security. These can vary widely, depending on an organization's policies and infrastructures. The following security levels can be considered as a general basis for planning your IPSec deployment.

Minimal Security

Computers do not exchange sensitive data. IPSec is not active by default. No administrative action to disable IPSec is required.

Standard Security

Computers, especially file servers, are used to store valuable data. Security must be balanced so it does not become a barrier to legitimate users trying to perform their tasks. Windows 2000 provides predefined IPSec policies that secure data, but do not necessarily require the highest level of security: Client (Respond Only) and Server (Request Security). These, or similar custom policies, optimize efficiency without compromising security.

High Security

Computers that contain highly sensitive data are at risk for data theft, or accidental or malicious disruption of the system, especially in remote dial-up scenarios or any public network communications. The predefined policy, Secure Server (Require Security), requires IPSec protection for all traffic sent or received. Secure Server (Require Security) includes strong confidentiality and integrity algorithms, Perfect Forward Secrecy, key lifetimes and limits, and strong Diffie-Hellman Groups. Unsecured communication, due to non-IPSec-aware computers or failed security negotiation, is blocked.
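As an added example that is not part of this Windows 2000 documentation, the following builds the High Security level (Require Security, strong algorithms, Perfect Forward Secrecy, key lifetimes and limits, a strong Diffie-Hellman group) on a current Windows host using the NetSecurity PowerShell cmdlets, which are the modern equivalent of the Windows 2000 IP Security Policy snap-in. It assumes Windows 8 / Windows Server 2012 or later, an elevated session, and domain (Kerberos) authentication; the rule and crypto-set names and the algorithm choices are this example's own.

```powershell
# Added example, not the documentation's own configuration. Assumes the
# NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session.

# Main mode (IKE phase 1): strong cipher and hash, strong Diffie-Hellman group,
# and a bounded lifetime so main-mode keys are rotated.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "HighSec-MainMode" `
    -Proposal $mmProposal -MaxMinutes 480 -MaxSessions 1

# Quick mode (IKE phase 2): ESP with confidentiality and integrity, plus key
# lifetime and data limits, and Perfect Forward Secrecy via a fresh DH exchange.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 `
    -ESPHash SHA256 -MaxKiloBytes 100000 -MaxMinutes 60
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "HighSec-QuickMode" `
    -Proposal $qmProposal -PerfectForwardSecrecyGroup DH14

# Apply the main-mode crypto set; the default phase-1 auth set is Kerberos for domain members.
New-NetIPsecMainModeRule -DisplayName "HighSec-MM-Rule" -MainModeCryptoSet $mmSet.Name

# Secure Server (Require Security) equivalent: IPsec is required in both directions for all
# traffic, so non-IPsec-aware peers and failed negotiations are blocked rather than falling
# back to cleartext.
New-NetIPsecRule -DisplayName "HighSec-RequireAll" -InboundSecurity Require -OutboundSecurity Require `
    -QuickModeCryptoSet $qmSet.Name -Profile Any -Enabled True

# Standard Security counterpart, Server (Request Security): negotiate when the peer can,
# allow cleartext when it cannot. Shown for comparison; do not apply both to the same host.
# New-NetIPsecRule -DisplayName "StdSec-RequestAll" -InboundSecurity Request -OutboundSecurity Request `
#     -QuickModeCryptoSet $qmSet.Name -Profile Any -Enabled True

# Check: after traffic to a peer, the negotiated SAs should show the expected algorithms and group.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, IntegrityAlgorithm
```

If the quick-mode SA list stays empty while traffic flows, the host is not actually protecting that traffic; with Require on both sides the traffic should instead be dropped until negotiation succeeds.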

© 1985-2000 Microsoft Corporation. All rights reserved.