Overview of IPSec Deployment
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Private networks face various external and internal threats. You can use specific tools to counter specific threats. For example, antivirus systems can protect desktops and servers to a limited extent against known attacks.
IPSec can be used to secure all communications between parties — for example, by using authentication and encryption — without requiring any further modifications to applications or protocols. If you need to ensure that messages are not modified in transit or that they are unreadable to network intruders, IPSec provides a solution you can use to achieve these ends. Although IPSec can be applied to a variety of situations, this chapter describes solutions that are useful for most, but not all environments.
Although businesses typically separate their internal network from the Internet by using firewalls that block traffic sent to specified ports and protocols, internal corporate networks have become so complex that it is difficult to protect all mission-critical data at all times from attackers. Yet business applications fully depend on network access, so using a firewall to block incoming traffic by port is not always practical; it is difficult to know which ports require protection and which ports carry essential communication. IPSec provides a much stronger access model based on enforcing trusted communication.
Designed by the Internet Engineering Task Force (IETF), Internet Protocol security (IPSec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services.
IPSec is not a full-featured host firewall. However, it does provide the ability to centrally manage policies that can permit, block, or negotiate security for unicast IP traffic, based on specific addresses, protocols, and ports. Microsoft Internet Connection Firewall (ICF) is designed as a locally managed basic host firewall. The primary difference between IPSec and ICF is that IPSec provides complex static filtering based on IP addresses, while ICF provides stateful filtering for all addresses on a network interface. It is recommended that you use ICF when you want to implement a firewall for a network interface that can be accessed through the Internet. It is recommended that you use IPSec when you want to secure traffic on the wire, or when you need to allow access only to a group of trusted computers.
IPSec is included in Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; Windows® Server 2003, Datacenter Edition; Windows® Server 2003, Web Edition operating systems; and the 64-bit editions of Windows Server 2003. Portions of IPSec and related services in these platforms were jointly developed by Microsoft and Cisco Systems, Inc. This chapter primarily focuses on design decisions and planning required to use IPSec for end-to-end secure networking scenarios for Windows Server 2003 and Microsoft® Windows® XP operating systems.
To best deploy IPSec in a typical network environment, you also need Active Directory® directory service domains and Group Policy in place.
Focus on the following areas when planning an IPSec deployment:
Deciding where and how you must secure computers on your network by grouping computers in Active Directory organizational units (OUs).
Deciding how tight to make the security by what policy you assign.