Internet Protocol Security
Best Practices
The Windows 2000 IP Security Policy Management snap-in greatly simplifies deployment. To take advantage of this and to avoid problematic implementations, you should:
- Evaluate the type of information being sent over your network: is it sensitive financial data, proprietary information, or electronic mail? Some departments might require a higher level of security than the majority of the enterprise because of the nature of their function.
- Determine where your information is stored, how it is routed through the network, and from which computers it can be accessed. This provides information about the speed, capacity, and utilization of the network prior to IPSec implementation, which is helpful for performance optimization.
- Evaluate your vulnerability to the network attacks discussed at the beginning of this chapter.
- Design and document an enterprise-wide network security plan. Take into account the following:
  - The general security framework of Windows 2000, including the Active Directory model and how security is applied to Group Policy objects.
  - Your likely communication scenarios: intranet, remote access, extranets for business partners, communication between sites (router to router).
  - The level of security necessary for each scenario. For example, you might decide only Internet communications require confidentiality.
- Design, create, and test the IPSec policies for each scenario in your plan. This allows you to clarify and refine what policies and policy structures are necessary.
© 1985-2000 Microsoft Corporation. All rights reserved.