Using IPSec

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Effective integration with IPSec is becoming increasingly important to the secure deployment of IP in an enterprise internetwork. IPSec is a framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The implementation of IPSec that runs on Windows Server 2003, Windows XP, and Windows 2000 is based on standards developed by the IETF IPSec working group.

IPSec provides a comprehensive technology for securing networks. However, the larger your organization, the more planning and engineering are required to implement IPSec. Assess the relative importance of your information resources — domain controllers, mail servers, and financial servers may rank high among the resources you want to protect. Include confidentiality considerations in your assessment. For example, many organizations might target Human Resources information for IPSec protection. After identifying the critical information resources to secure, configure IPSec policies as appropriate on those computers.

Windows Server 2003 uses the IPSec protocol suite to protect data traffic as it crosses a network. Although file encryption and required passwords protect information stored on network resources, they do not protect information as it moves across a network.

By implementing IPSec, you can secure the following types of data:

  • Data that moves across the part of your intranet that external users do not access.

  • Data that moves across the part of your intranet that can be accessed by external users who have appropriate permissions.

  • Data that moves across the Internet.

  • Data that moves across an extranet.

IPSec security protects the content of IP packets from both active and passive attacks. In an active attack, a hacker modifies existing data or adds false data. In a passive attack, an intruder reads data.

IPSec secures communication through the following methods:

  • Peer authentication. IPSec verifies the identity of each computer. Each peer sends security credentials that are verified by the peer at the other end of the connection. Windows Server 2003 IPSec provides multiple methods of peer authentication.

  • Data origin authentication. IPSec includes with each packet of protected data a cryptographic checksum calculated with a shared secret key. The receiver can therefore verify that the packet was sent by a peer that has knowledge of the secret key.

  • Confidentiality (data encryption). IPSec offers confidentiality by encrypting data before transmission, ensuring that the data cannot be read during transmission — even if an attacker monitors or intercepts the packet. IPSec encryption is applied at the IP network layer, which makes it transparent to applications that use TCP or User Datagram Protocol (UDP) for network communication.

  • Integrity. IPSec protects data from unauthorized modification in transit, ensuring that the information received is exactly the same as the information sent.

  • Anti-replay. IPSec ensures that any attacker who might intercept data cannot reuse or replay that data to establish a session or to illegally gain information or access to resources.

Deploying IPSec requires careful planning. For more information about deploying IPSec, see "Deploying IPSec" in this book. For more technical information about IPSec, see the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).