Security

IPSec provides encryption of outgoing and incoming packets, but at the cost of additional central processing unit (CPU) utilization when the encryption is performed by the operating system. In many deployments the clients and servers have ample CPU capacity, or have network interface cards that perform the IPSec encryption, so there is no noticeable impact on performance. For servers that support many simultaneous network connections, or that transmit large volumes of data to other servers, the added cost of encryption is significant. For this reason, deploy IPSec selectively. Measure the effect on the servers in question with simulated network traffic before deploying IPSec in production. Testing is also important if you are using a third-party hardware or software product to provide Internet Protocol security.

Windows 2000 provides device interfaces to allow hardware acceleration of IPSec per-packet encryption by intelligent network cards. Network card vendors might provide several versions of client and server cards, and might not support all combinations of IPSec security methods. Consult the product documentation for each card to be sure that it supports the security methods and the number of connections you expect in your deployment.

You can define local IPSec policy on computers that have no domain IPSec policy assigned to them. If the computer is a member of a domain, domain administrators can define IPSec policy for each domain or organizational unit, and an assigned domain policy takes precedence over the local policy. You can configure IPSec policies to:

  • Specify the levels of authentication and confidentiality required between IPSec clients.

  • Specify the lowest security level at which communications are allowed to occur between IPSec-aware clients.

  • Allow or prevent communications with non-IPSec-aware clients.

  • Require all communications to be encrypted for confidentiality, or allow communications in plaintext.
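The following is an added example, not part of the original Windows 2000 documentation, showing how the four policy choices in the list above are expressed on a current Windows system. It uses the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later); Windows 2000 did not have these cmdlets. The display names, the 10.1.0.0/16 intranet subnet and the certificate authority name are assumptions made for the example.

```powershell
# Added example: IPSec policy choices with the NetSecurity module (Windows 8/2012+).
# Not Windows 2000 tooling. Names, the 10.1.0.0/16 subnet and the CA subject are
# assumed values. Run in an elevated PowerShell session.

# 1. Authentication level between IPSec peers: machine certificates issued by an
#    assumed internal CA. For domain-member peers, "-Machine -Kerberos" works instead.
$authProposal = New-NetIPsecPhase1AuthProposal -Machine -Cert `
    -Authority 'CN=Contoso Issuing CA, DC=contoso, DC=com'
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Machine certificate auth' -Proposal $authProposal

# 2. Lowest acceptable key-exchange security: AES-256, SHA-256 and DH group 14 for IKE
#    main mode. Peers that cannot meet this proposal fail the negotiation.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName 'Strong main mode' -Proposal $mmProposal
New-NetIPsecMainModeRule -DisplayName 'IKE main mode' `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name

# 3. Confidentiality versus integrity only: one ESP proposal that encrypts, and one
#    ESP-null proposal that only authenticates the packets (payload stays readable).
$espEncrypt = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$espNull    = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption None   -ESPHash SHA256
$encryptSet   = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP encrypted'      -Proposal $espEncrypt
$integritySet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP integrity only' -Proposal $espNull

# 4a. File-server traffic (SMB, TCP 445): encrypted IPSec is mandatory in both
#     directions, so non-IPSec-aware clients cannot reach the share at all.
New-NetIPsecRule -DisplayName 'SMB: require encrypted IPSec' -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $encryptSet.Name

# 4b. Other intranet traffic: request IPSec but fall back to plaintext when the peer
#     cannot negotiate it, so non-IPSec-aware clients are still allowed to communicate.
New-NetIPsecRule -DisplayName 'Intranet: request IPSec' -RemoteAddress 10.1.0.0/16 `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $integritySet.Name

# Verify: list the quick-mode security associations actually negotiated so you can
# confirm that traffic to the file server is using the encrypted proposal.
Get-NetIPsecQuickModeSA | Format-List
```

The important distinction is between `Require` and `Request`: a `Request` rule silently falls back to plaintext when the peer does not respond to IKE, which is the behaviour you want for mixed populations but the wrong choice for the confidential data the list above describes. When testing, temporarily clear the rules with `Remove-NetIPsecRule` and `Remove-NetIPsecMainModeRule` rather than leaving a half-applied policy in place.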

Consider using IPSec to provide security for the following applications:

  • Peer-to-peer communications over your organization's intranet, such as legal department or executive committee communications.

  • Client-server communications, to protect sensitive (confidential) information stored on servers. Share and file permissions control who can open the data on the server, but not who can read it on the wire; for file shares that require user access controls, consider using IPSec so that other network users cannot see the data as it is transmitted.

  • Remote access (dial-up or virtual private network) communications. (For virtual private networks using L2TP over IPSec, remember to configure Security Policy to permit auto-enrollment of IPSec computer certificates, because L2TP over IPSec authenticates the computers with certificates. For detailed information about computer certificates for L2TP over IPSec VPN connections, see Windows 2000 Help.)

  • Secure router-to-router WAN communications.