Networking Security - IPSec Principles
Published: June 10, 2003
Please note: Portions of this transcript have been edited for clarity
Hosts:
- Rob Trace, Program Manager
- Jeremy Smith, Software Test Engineer
- Pat Fetty, Test Lead
- David Beder, Software Test Engineer
- Brian Boston, Community Program Manager
Moderator: Brian (Microsoft)
Welcome to today’s Windows TechNet chat. Our topic today is Networking Security - IPSec principles. We are pleased to welcome our experts for today. I will have them introduce themselves now.
Host: Rob (Microsoft)
My name is Rob Trace and I am a Program Manager currently working on the IPSEC product team.
Host: Jeremy (Microsoft)
Jeremy Smith [MS], Software Test Engineer responsible for testing IPSEC IKE and IPSEC NATT functionality.
Host: Pat (Microsoft)
My name is Pat Fetty and I am the test lead for IPSEC.
Host: David (Microsoft)
Good morning, I'm David Beder, a Test Engineer for IPSec with primary responsibility for UI development.
Moderator: Brian (Microsoft)
Pat, can you tell us a bit about the team...
Host: Pat (Microsoft)
In general, my team is responsible for IPSEC technologies and scenarios in all Windows SKUs. These include LAN and VPN.
Moderator: Brian (Microsoft)
Let’s actually begin the chat. You may begin posting your questions in the lower room. Please start your questions with a Q: as this will assist us in quickly identifying your question in the window.
Host: Pat (Microsoft)
Q: Can MS IPSEC server connect to a Cisco router 26xx? I am trying to create a tunnel between a Cisco router at headquarters and connect to site offices.
A: If you are using certificates as your credentials, then you should be fine. XAuth is not supported, however.
Host: Jeremy (Microsoft)
Q: In W2k the port for IPSEC would respond to a probe - is that fixed in Win2003?
A: In 2003 the IPSEC Service is enabled and running by default. If a machine receives a valid IKE proposal and has a policy configured, it will respond with an IKE message.
Host: Pat (Microsoft)
Q: When I create IPSEC, do I need 3DES in Main Mode?
A: For Main Mode, encryption is required and you must use DES or 3DES. We recommend 3DES.
Host: Rob (Microsoft)
Q: What’s the approximate overhead for IPSec? I have seen/heard some people recommend using it for internal security between execs' workstations. I am thinking about CPU overhead and network overhead.
A: Yes, many companies use IPSEC for network security. This allows a network to restrict access at the network level to managed resources. It also allows you to encrypt data on the wire to protect against packet sniffing, replay attacks and data integrity problems. For network overhead, ESP takes about 50 bytes. There is some overhead in the IKE negotiation (5 round trips for a full new SA setup and 2 round trips for a re-key). Unless your network is operating at maximum efficiency or you are sending a very high percentage of full-sized packets, it is not a huge percentage of overhead. CPU usage on the clients is not a huge problem unless the client is doing a massive download. CPU on servers can be a problem, but it can be mitigated by using an IPSEC offload card from vendors like 3COM and Intel.
Host: David (Microsoft)
Q: Newbie question...is IPSEC used instead of a VPN or in addition to?
A: IPSec is used in addition. You'll typically always see the use of L2TP/IPSec. This is to show that both L2TP AND IPSec technologies are being used in the solution.
Host: Pat (Microsoft)
Q: What is the difference between IPsec and VPN in the MS world?
A: IPSEC is used to secure a VPN connection (L2TP connections).
Host: Pat (Microsoft)
Q: Do we need to buy 3DES, or is it free from Microsoft? 3DES from Cisco is only under $200.
A: 3DES support is in Windows 2000 SP2, Windows XP and Windows Server 2003. It is free!
Host: David (Microsoft)
Q: Does MS have any software to monitor IPSEC or VPN ?
A: In Win2k, there is Ipsecmon.exe. This early tool will really only show you current Security Associations on the computer. In XP and Win2003, there is the IPSec Monitor snap-in, which shows you a lot more info. Both tools will show Security Associations created over VPN connections as well. The RRAS snap-in on servers will show much more VPN-specific info.
Host: David (Microsoft)
Q: A little confused by the UI. Why are the Authentication Methods listed in the Rule section (I've always referenced Rules as the Quick Mode settings) when the Auth Method is negotiated in Main Mode. In other words, I would expect the Auth Method to be specified on the Policy Properties\General tab.
A: No, you aren't misunderstanding anything. Auth methods are indeed a main-mode concept. It was a hard decision to design the rule properties the way we did. The current UI does not break policy info on MM vs QM boundaries. It instead tries to break it up on similar vs dissimilar data. It was decided that users are much more likely to need different authentication methods for different filter lists, while keeping most of the other MM properties the same for all negotiations.
Host: Rob (Microsoft)
Q: Can you use IPSEC to secure communications over a lan if you don't have a VPN in place?
A: Yes. In fact, that is the primary design of IPsec. To deploy IPSec on the LAN you deploy a transport mode policy. This is documented in the help files online at:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsectopnode.mspx
The resource kit deployment chapter for IPSec is also online at http://download.microsoft.com/download/5/6/9/5695b3a2-bfbb-4638-8058-de94c3c5b7ff/09_CHAPTER_6_Deploying_IPSec.doc
Host: David (Microsoft)
Q: Difference between PGP & IPSEC?
A: PGP is primarily used to provide privacy for e-mail and data files, while IPSec is used to provide network security through filtering, signing, and encrypting.
Host: Rob (Microsoft)
Q: Are there any plans for AES support in Win2003 or beyond? PIX now offers this in their latest release and I was curious if this is a direction Microsoft is going to pursue? (primarily in Tunnel Mode config)
A: We are still evaluating AES for future versions of Windows. There are no plans currently for AES on Windows Server 2003 or Windows XP. If we offer it, it will be for both tunnel and transport mode.
Host: Pat (Microsoft)
Q: Any word on the WinXP NAT-T update being re-released? <I know the Win2k update is still available - works great by the way - sorry if this was already asked>
A: Yes, it will be re-released soon; however, it will be a separate download and not shipped via Windows Update. This will also be rolled into XP SP2.
Host: Pat (Microsoft)
Q: [followup] OK - no firm date as of yet then? No biggie - I never ran into the firewall/av problem with the original release anyway.
A: No, no firm date yet for the re-release. Also, VERY few people actually hit the firewall problem, so you are in good company.
Host: Rob (Microsoft)
Q: We are still evaluating AES for future versions of Windows. There are no plans currently for AES on Windows Server 2003 or Windows XP. If we offer it it will be for both tunnel and transport mode.
A: There is a significant implementation problem with AES in that the key requirement for DH is very large and few implementations can support generation of a key that size. To implement AES with sufficient keys in real-world mode will probably require a new key generation algorithm other than DH.
Host: Rob (Microsoft)
OK, here is an updated link for the IPsec deployment chapter of the reskit: http://download.microsoft.com/download/5/6/9/5695b3a2-bfbb-4638-8058-de94c3c5b7ff/09_CHAPTER_6_Deploying_IPSec.doc
Moderator: Brian (Microsoft)
I'd like to thank Rob, Jeremy, Pat, and David from the Windows IPSec product team for joining us today for this Networking Security TechNet Chat...and the rest of you for your questions and comments.
Moderator: Brian (Microsoft)
Thanks for your interest and feedback! We are going to leave now.
For further information on this topic please visit the following:
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
http://www.microsoft.com/technet/itsolutions/network/default.mspx
http://www.microsoft.com/windows2000/techinfo/administration/radius.asp
http://www.microsoft.com/resources/documentation/windows/xp/all/reskit/en-us/prcc_tcp_erqb.asp