Planning Distributed Security
Windows 2000 incorporates Internet Protocol security (IPSec) for data protection of network traffic. IPSec is a suite of protocols that allow secure, encrypted communication between two computers over an insecure network. The encryption is applied at the IP network layer, which means that it is transparent to most applications that use specific protocols for network communication. IPSec provides end-to-end security, meaning that the IP packets are encrypted by the sending computer, are unreadable en route, and can be decrypted only by the recipient computer. Because a special algorithm generates the same shared encryption key at both ends of the connection, the key does not need to be passed over the network.
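The following added example (not part of the original documentation) shows how two computers can arrive at the same key without ever transmitting it. IKE, the key-management protocol used with IPSec, does this with a Diffie-Hellman exchange. The prime is Oakley Group 2 from RFC 2409; the class and function names and the SHA-256 key derivation are illustrative assumptions, not IKE's actual key derivation.

```python
import hashlib
import secrets

# 1024-bit MODP prime of Oakley Group 2 (RFC 2409); the generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16)
G = 2


class Endpoint:
    """One end of the connection; the private exponent never leaves it."""

    def __init__(self):
        self._private = secrets.randbelow(P - 3) + 2   # 2 <= x <= P - 2
        self.public = pow(G, self._private, P)         # sent in the clear

    def session_key(self, peer_public):
        # Reject degenerate values that would force a predictable secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._private, P)
        # Illustrative derivation only: hash the secret down to 128 bits.
        return hashlib.sha256(shared.to_bytes(128, "big")).digest()[:16]


def run_exchange():
    """Return both derived keys and the only values that crossed the wire."""
    a, b = Endpoint(), Endpoint()
    wire = [a.public, b.public]
    return a.session_key(b.public), b.session_key(a.public), wire


if __name__ == "__main__":
    key_a, key_b, wire = run_exchange()
    print("same key on both ends:", key_a == key_b)
    print("values on the wire:", len(wire), "public values, no key")
```

The exchange by itself does not prove who the peer is, so IKE combines it with peer authentication.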
IPSec has many intricate components and options that are worthy of detailed study, but at a high level the process operates in this manner:
Note
Firewalls, routers, and servers along the network path from Computer A to Computer B do not require IPSec. They simply pass along the packets in the usual manner.
IPSec provides security against data manipulation, data interception, and replay attacks.
IPSec is important to strategies of data confidentiality, data integrity, and nonrepudiation.
The computers in your network need to have an IPSec security policy defined that is appropriate for your network security strategy and for the type of network communication that they perform. Computers in the same domain might be organized into groups with IP security policy applied to the groups. Computers in different domains might have complementary IPSec security policies to support secure network communications.
You can view the default IP security policies in the Group Policy snap-in to MMC. The policies are listed under IP Security Policies on Active Directory, or under IP Security Policies (Local Computer):
Group Policy object
- Computer Configuration
  - Windows Settings
    - Security Settings
      - IP Security Policies on Active Directory
You can also view IPSec policies by using the IP Security Policy Management snap-in to MMC. Each IP Security policy contains security rules that determine when and how traffic is protected. Right-click a policy and select Properties. The Rules tab lists the policy rules. Rules can be further decomposed into filter lists, filter actions, and additional properties.
For more information about Internet Protocol security, see the Windows 2000 Server Help. See also "Internet Protocol Security" in the Microsoft® Windows® 2000 Server Resource Kit TCP/IP Core Networking Guide.
IPSec provides encryption of outgoing and incoming packets, but at a cost of additional CPU utilization when encryption is performed by the operating system. For many deployments, the clients and servers might have considerable CPU resources available, so that IPSec encryption will not have a noticeable impact on performance. For servers supporting many simultaneous network connections or servers that transmit large volumes of data to other servers, the additional cost of encryption is significant. For this reason, you need to test IPSec using simulated network traffic before you deploy it. Testing is also important if you are using a third-party hardware or software product to provide IP security.
Windows 2000 provides device interfaces to allow hardware acceleration of IPSec per-packet encryption by intelligent network cards. Network card vendors might provide several versions of client and server cards, and might not support all combinations of IPSec security methods. Consult the product documentation for each card to be sure that it supports the security methods and the number of connections you expect in your deployment.
You can define Internet Protocol security (IPSec) policies for each domain or organizational unit. You can also define local IPSec policy on computers that do not have domain IPSec policy assigned to them. You can configure IPSec policies to:
Consider using IPSec to provide security for the following applications:
Consider the following strategies for IPSec in your network security deployment plan: