What is IPSec and what can it do for me?
by Mark Jesiel, MCT
Windows IP Security provides network administrators with a key component in protecting their networks. IPSec can help IT professionals keep their data safe from interception, modification, viewing, or copying while en route from node to node. Think of it as your virtual Judge, Jury and Executioner.
IPSec is an open industry standard, which ensures it is interoperable with other operating systems. It is also completely transparent to the user as well as applications. Because IPSec works below the transport layer, you can implement it regardless of the applications running on your workstations, and the user needs no interaction to make it work.
IPSec is commonly used with Layer 2 Tunneling Protocol (L2TP) in tunneling mode to establish and secure VPN connections. It can also be used to secure data transmission server to server, workstation to workstation, or server to workstation using transport mode.
This transport mode implementation can be the most exciting. For example, let's say I want to secure transmission between my HR department workstations and the HR database server to prevent data from being intercepted or altered. Using IPSec I can secure and encrypt this data, protecting it from compromise. To do this, I can use the built-in default policies or create a custom policy. The default policies include:
- Client (Respond Only), where the workstation will always use unsecured transmission unless the server prompts it to use secure communications, in which case the workstation will comply.
- A Standard Server (Request Security) policy, in which the server will always request secure transmissions, but will accept unsecured if the client does not support IPSec.
- Secure Server (Require Security) policy, in which the server will require security and drop all communications with clients that do not support security.
If the built-in policies don't meet your needs, you can always create a custom policy. The first step in creating a custom policy is to create filters and filter actions. We create a filter to specify what IP traffic we want to control. The parameters we use to filter traffic are the source and destination IP address or subnet and the protocol and port the traffic comes from and is destined for. For example, we can create a filter that will only apply to ICMP traffic with our server's IP address as the destination.
Then we create filter actions. This is where we determine whether we will permit the traffic to pass, block the traffic, or negotiate some level of security. We can specify whether to negotiate just authentication of the data, or authentication and encryption of it as well. The level of encryption is also specified in the filter action. Once we have created the necessary filters and filter actions, we are free to create our new IPSec policy.
Our policy is made up of one or more IP security rules. The rules must cover all the traffic we may encounter, and can include a default rule to apply to traffic we don't need to specify. We determine whether the rule applies to a tunnel or not, whether it applies to our LAN, Remote Access, or all network traffic. We also specify what authentication we require for the connection, from Kerberos, certificates, or pre-shared key. Finally, we specify what filter we want the rule to use, and what filter actions will be applied to traffic meeting the rule.
The last step in implementing an IP Security Policy is to assign it using group policy or our local security policy. Of course, you must then test the implementation to ensure that necessary traffic can get through and that traffic we don't want is stopped.
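To make the filter, filter action, rule and test steps concrete, here is a small Python model of a custom policy for the HR database server and a test plan for it. It is an added example, not Windows code or anything from the course: the addresses, the TCP port 1433, the list-order rule matching and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PERMIT, BLOCK, NEGOTIATE = "permit", "block", "negotiate"  # filter actions

@dataclass
class Filter:
    src: str                 # source address or subnet in CIDR form
    dst: str                 # destination address or subnet
    proto: str = "any"       # "tcp", "udp", "icmp" or "any"
    dport: int = 0           # destination port, 0 = any

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (0, pkt.get("dport", 0)))

@dataclass
class Rule:
    flt: Filter
    action: str
    fallback: bool = False   # True = request security, False = require it

def evaluate(rules, pkt, peer_ipsec):
    """Return 'clear', 'secured' or 'dropped' for one packet sent to the server."""
    for rule in rules:       # model simplification: rules are checked in list order
        if rule.flt.matches(pkt):
            if rule.action != NEGOTIATE:
                return "clear" if rule.action == PERMIT else "dropped"
            if peer_ipsec:
                return "secured"
            return "clear" if rule.fallback else "dropped"
    return "clear"           # assumption: traffic no filter covers is left alone

ANY, HR_DB = "0.0.0.0/0", "10.0.5.10/32"   # constructed sample addresses
HR_POLICY = [
    Rule(Filter(ANY, HR_DB, "icmp"), PERMIT),                    # ICMP to the server
    Rule(Filter("10.0.5.0/24", HR_DB, "tcp", 1433), NEGOTIATE),  # HR clients: require security
    Rule(Filter(ANY, HR_DB), BLOCK),                             # all other traffic to the server
]

def failed_cases(rules, cases):   # case = (packet, peer_ipsec, expected outcome)
    return [c for c in cases if evaluate(rules, c[0], c[1]) != c[2]]

TEST_PLAN = [                     # constructed packets for the test step
    ({"src": "10.0.5.21", "dst": "10.0.5.10", "proto": "tcp", "dport": 1433}, True, "secured"),
    ({"src": "10.0.5.22", "dst": "10.0.5.10", "proto": "tcp", "dport": 1433}, False, "dropped"),
    ({"src": "10.0.9.7", "dst": "10.0.5.10", "proto": "icmp"}, False, "clear"),
    ({"src": "10.0.9.7", "dst": "10.0.5.10", "proto": "tcp", "dport": 1433}, True, "dropped"),
]
```

Setting `fallback=True` on the negotiate rule turns it from the Require Security behaviour into the Request Security behaviour, so the second test case would pass in the clear instead of being dropped.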
Windows 2000 and IPSec can keep your network safe from prying eyes and packet sniffers. IPSec is just one of the many tools available for your network security, and Course 2150, Designing a Secure Windows 2000 Network, will help you implement IPSec as well as many other technologies to secure your network, and your future.