Five reasons to deploy IPSec policies on your network


Brien M. Posey
10.19.2004




The following is the first of a two-part series. Click for part two.

Thanks to terrorists, hackers and lawyers, security mechanisms that were more or less optional a couple of years ago are now the norm. Network traffic encryption is one such mechanism. You've always had to encrypt sensitive traffic flowing across the Internet, but now you may have to encrypt the traffic flowing across a private network. You never know when someone is trying to sniff packets, steal passwords, read other people's e-mail or perform some other horrible exploit. Fortunately, Microsoft offers a solution built into Windows 2000 Server and Windows Server 2003: the IPSec protocol.

What is IPSec?
IPSec is an encryption protocol designed to work at the IP level. As you might know, Kerberos is the primary Windows authentication protocol. Kerberos and IPSec differ in that Kerberos provides user-to-service authentication. IPSec, on the other hand, is used to encrypt and authenticate communications between computers on the network. It is a low-level protocol that has absolutely nothing to do with securing access to data or services on a server.

IPSec's main goals are to encrypt communications across an IP-based network (such as the Internet and most private networks) and to guarantee that a transmission has not been tampered with en route.

Here are several more specific reasons to consider deploying IPSec policies.

1. Prevent snooping and man-in-the-middle attacks
Imagine you need to send an e-mail to your boss asking for a day off. If that message was not encrypted, anyone on the same IP segment as you or your boss could use a protocol analyzer to read the message as it is sent. If that nosy person happens to be positioned where the packet flows past him to reach your boss, he could conceivably launch a man-in-the-middle attack, which involves capturing a packet, altering it and then sending it to its intended destination. If this type of attack occurs, the innocent e-mail asking for a day off could be altered to read, "I quit!"

IPSec enables you to encrypt the packets, preventing others from reading them. The packets are also numbered and have a mechanism that prevents them from being altered or replayed. If one is altered or replayed, IPSec renders the packet invalid.

2. Harden wireless network security
Although IPSec works well on any Windows network, it is especially useful if you have a wireless network. Sure you can encrypt a wireless network by using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA), but adding IPSec encryption to the packets makes it even more difficult for a hacker to spy on data being sent over the air.

3. Deploy without additional software
One simple benefit of IPSec is that it's built into Windows. That means you don't have to buy any additional software and you don't have to worry about compatibility issues when implementing IPSec policies. You also don't have to do anything to deploy IPSec onto the server or client PCs -- you just create an appropriate group policy.

4. Set policies for any Microsoft version
Microsoft originally released IPSec with Windows 2000. This means that Windows 2000 (Server and Professional), Windows XP and Windows Server 2003 all support IPSec, but Windows 9.x does not. Fortunately, enabling IPSec does not require you to alienate Windows 9.x machines or machines running other operating systems that may not support IPSec. When you create the IPSec group policy entry, you can choose to have machines request security or require security.

If an IPSec policy is set to request security, a client that tries to communicate with the server will receive a request from that server to use IPSec communications. If the client supports IPSec, encrypted communications begin. If the client does not support IPSec, communications remain unencrypted. But if the IPSec policy requires security, all conversations must be encrypted by IPSec.

Generally speaking, setting up a security policy that requests IPSec security is perfect for most companies because it accommodates both IPSec-aware and non-IPSec-aware clients. As legacy operating systems are phased out, the newer operating systems will already be prepared to have secure communications with other machines.
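As an added worked example (not from the article), here are the two policy flavours just described, built side by side with the netsh ipsec static context on Windows Server 2003. The policy, filter-list and rule names are constructed for the example, and the Kerberos authentication method assumes both computers are members of the same Active Directory domain:

```batch
@echo off
rem Added example, not part of the original article. Names below are constructed.

rem One filter list covering all IP traffic to and from this computer.
netsh ipsec static add filterlist name="All IP Traffic"
netsh ipsec static add filter filterlist="All IP Traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes description="Everything in and out"

rem Filter action for "request security": negotiate IPSec when the peer can,
rem but accept unsecured inbound traffic (inpass=yes) and fall back to clear
rem text with peers that never answer the negotiation (soft=yes).
netsh ipsec static add filteraction name="Request Security" action=negotiate inpass=yes soft=yes

rem Filter action for "require security": no unsecured inbound traffic and no
rem fallback, so a peer without IPSec cannot talk to this host at all.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=no soft=no

rem Two policies, one rule each, Kerberos as the authentication method.
netsh ipsec static add policy name="Request Security Policy" description="Use IPSec when the peer supports it"
netsh ipsec static add rule name="All traffic, request" policy="Request Security Policy" filterlist="All IP Traffic" filteraction="Request Security" kerberos=yes

netsh ipsec static add policy name="Require Security Policy" description="Refuse peers that cannot do IPSec"
netsh ipsec static add rule name="All traffic, require" policy="Require Security Policy" filterlist="All IP Traffic" filteraction="Require Security" kerberos=yes

rem Only one policy can be assigned at a time; start with the permissive one
rem while non-IPSec-aware clients are still on the network.
netsh ipsec static set policy name="Request Security Policy" assign=yes

rem Checks: confirm what is assigned, then watch main-mode security
rem associations appear as IPSec-capable peers begin talking to this host.
netsh ipsec static show policy name="Request Security Policy" level=verbose
netsh ipsec dynamic show mmsas
```

Switching the assignment to "Require Security Policy" later is the cut-over from accommodating legacy clients to refusing unencrypted traffic, so check the SA list first to see which peers are already negotiating successfully.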

5. Encrypt communications transparently
Aside from the fact that IPSec communications run a little more slowly than unencrypted communications, clients will never know that communications are being encrypted. The encryption is completely transparent to the end user, and there are no new products or procedures to be learned. From the end-user perspective, nothing has changed.

As you can see, IPSec encryption can be very beneficial to the overall security of your network. In my next column, I will discuss some best practices for IPSec deployment.

Click for part two to get best practices for implementing IPSec policies.


Brien M. Posey is a regular contributor on SearchWindowsSecurity.com.
