Why You Should Consider Using IPsec Now
Published: February 16, 2011
Author: Rodrigo Immaginario, Microsoft MVP - Enterprise Security: Engineering
You may have heard of using Internet Protocol security (IPsec) with virtual private network (VPN) connections, but have you heard of using IPsec in transport mode?
Security projects based solely on perimeter protection are no longer sufficient. Given the diversity of scenarios, clients, and devices, we need to expand our security projects to address several factors, including:
One of the first experiences I had with IPsec was through a 2005 project at the where I work. We needed a solution to improve our security on the local area network (LAN). To that end, the project needed to address the following requirements:
We decided to implement a Server and Domain Insulation solution based on IPsec in order to achieve the following objectives:
It is true that with Windows Server 2003 it can be complex to develop a project based on IPsec policies. This is primarily due to the policies having to be configured without a user-friendly interface. However, this problem has been eliminated by the changes introduced in Windows Server 2008. Several issues that could cause problems, or generate more implementation effort, have been resolved in the newest iteration of the operating system.
In comparison with Windows Server 2003, the number of policies required to use IPsec in Windows Server 2008 has been greatly reduced. In addition, the following factors improve the functionality of IPsec in Windows Server 2008:
The example that follows illustrates the differences between IPsec scripts for Windows Server 2003 and Windows Server 2008:
IPsec script – Windows Server 2003:
pushd ipsec static
IPsec script – Windows Server 2008:
netsh advfirewall consec add rule name="Secure Network" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="C=BR, O=XXX, CN=XXXXX"
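As an added example (not part of the original article), the same Windows Server 2008 approach extended into a small Server and Domain Isolation script: an authentication exemption for infrastructure hosts is created before the general isolation rule, and the built-in netsh monitor commands are used to check the result. The addresses 10.0.0.10 and 10.0.0.11 and the CA name are placeholders.

```batch
@echo off
rem Added example of Server and Domain Isolation with netsh advfirewall (Windows Server 2008).
rem Placeholder values: 10.0.0.10 / 10.0.0.11 stand for the DNS servers and domain controllers,
rem and the CA distinguished name is the same placeholder used in the article.

rem 1. Authentication exemption for infrastructure hosts. A client that cannot yet authenticate
rem    (no certificate, no Kerberos ticket) still has to resolve names and reach a domain
rem    controller, so these endpoints are reachable without IPsec. The more specific
rem    exemption rule takes precedence over the general rule created in step 2.
netsh advfirewall consec add rule name="Exempt Infrastructure" ^
    endpoint1=any endpoint2=10.0.0.10,10.0.0.11 action=noauthentication

rem 2. Isolation rule: authentication is required for inbound connections and requested for
rem    outbound ones. Hosts without a certificate from the CA cannot initiate connections to
rem    protected servers, while outbound traffic to legacy hosts still falls back to clear text.
rem    On a pure domain-joined network, auth1=computerkerb can replace the certificate option
rem    and removes the PKI dependency.
netsh advfirewall consec add rule name="Secure Network" ^
    endpoint1=any endpoint2=any action=requireinrequestout ^
    auth1=computercert auth1ca="C=BR, O=XXX, CN=XXXXX" profile=domain

rem 3. Verify the rules and watch the main-mode and quick-mode security associations
rem    that are negotiated as protected hosts start talking to each other.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Run the script from an elevated command prompt; if the exemption in step 1 is omitted, a machine that has not yet enrolled for a certificate can lose access to DNS and the domain controllers as soon as the isolation rule applies.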
And the future of IPsec?
You’ve likely already heard of Internet Protocol version 6 (IPv6), and probably know that on February 3, 2011, the last IPv4 address blocks were allocated by APNIC to the regional number authorities, meaning that the internet is now officially out of available IPv4 addresses.
One of the new connectivity features in Windows 7 and Windows Server 2008 R2 is DirectAccess, which enables remote users to securely access corporate resources and sites without connecting through a VPN.
With DirectAccess, we can say that we are taking the first step toward the use of IPv6. In fact, DirectAccess is nothing more than a set of policies using an IPv6 infrastructure secured with IPsec. Of course, this is a generalization, and there are other technologies [Name Resolution Policy Table (NRPT), Teredo, 6to4, ISATAP, etc.] that are necessary for DirectAccess to work. Nonetheless, DirectAccess is one of the first features to demonstrate the power of IPv6 and how various parameters change with this protocol.
Using DirectAccess requires the following:
**If you use the Forefront Unified Access Gateway (UAG), you can extend the solution and enable access to non-DA/IPv6 servers, such as Windows Server 2003.
DirectAccess has benefits for end users and network administrators:
For end users:
For system administrators:
Are you ready?
About the Author
Rodrigo Immaginario has worked in the computer science field since 1994, specializing in security solutions for Microsoft environments, including those involving IPsec, Hyper-V, and DirectAccess. His certifications include Certified Information Systems Security Professional (CISSP) and Microsoft Certified Systems Engineer (MCSE): Security. He has been a Microsoft Most Valuable Professional (MVP) since 2004.
He is currently Chief Information Officer at the Universitario Vila Velha in Brazil, and he developed a post-graduate course in Microsoft .NET.