Internet Protocol Security
Windows 2000 incorporates Internet Protocol security (IPSec) for data protection of network traffic. IPSec is a suite of protocols that allows secure, encrypted communication between two computers over an insecure network. The encryption is applied at the IP network layer, which means that it is transparent to most applications that use specific protocols for network communication. IPSec provides end-to-end security, meaning that the IP packets are encrypted by the sending computer, are unreadable en route, and can be decrypted only by the recipient computer. Because a special algorithm generates the same shared encryption key at both ends of the connection, the key does not need to be passed over the network. IPSec policies can be applied at the local level or at the domain level, as is the case with other parts of security policy. Experience configuring network security will help in determining what is entailed in an effective IPSec policy.

For more information about Internet Protocol security, see "TCP/IP in Windows 2000 Professional" later in this book.
How IPSec Works
IPSec has many intricate components and options that are worthy of detailed study, but at a high level the process operates in this manner:
An application on Computer A generates outbound packets to send to Computer B across the network. Inside TCP/IP, the IPSec driver compares the outbound packets against IPSec filters, checking to see whether the packets need to be secured. The filters are associated with a filter action in IPSec security rules. Many IPSec security rules can be inside one IPSec policy that is assigned to a computer.

If a matched filter has a filter action that requires security to be negotiated, Computer A begins security negotiations with Computer B, using a protocol called the Internet Key Exchange (IKE). The two computers exchange identity credentials according to the authentication method specified in the security rule. Authentication methods can be Kerberos authentication, public key certificates, or a preshared key value (much like a password).

The IKE negotiation establishes two types of agreements, called security associations (SAs), between the two computers. One type (called the phase I IKE SA) specifies how the two computers trust each other and protects their negotiation. The other type is an agreement on how to protect a particular type of application communication. This consists of two SAs (called phase II IPSec SAs) that specify security methods and keys for each direction of communication. IKE automatically creates and refreshes a shared, secret key for each SA. The secret key is created independently at both ends without being transmitted across the network.

The IPSec driver on Computer A signs the outgoing packets for integrity, and optionally encrypts them for confidentiality, using the methods agreed upon during the negotiation. It transmits the secured packets to Computer B.
NOTE
Firewalls, routers, and servers along the network path from Computer A to Computer B do not require IPSec. They simply pass along the packets in the usual manner.
The IPSec driver on Computer B checks the packets for integrity and decrypts their content if necessary. It then transfers the packets to the receiving application.
IPSec provides security against data manipulation, data interception, and replay attacks. IPSec is important to strategies of data confidentiality, data integrity, and nonrepudiation.
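The following example walks through the exchange just described. It is added here for illustration and is not code from Windows 2000 or from this book: both computers derive the same secret from public values alone (as IKE does), derive a key for the phase II SA in each direction, and the receiving side rejects a manipulated packet and a replayed one. The Diffie-Hellman group, the key derivation function, the SPI values and the packet layout are all constructed for this example and are not the real IKE or ESP/AH formats.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman group, constructed for this example only: 2**127 - 1 is prime
# but far too small for real use. IKE negotiates one of the standard MODP groups.
DH_PRIME = 2**127 - 1
DH_GENERATOR = 5
MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def dh_keypair():
    """Return (private exponent, public value). The private value never leaves the host."""
    private = secrets.randbelow(DH_PRIME - 3) + 2  # in [2, DH_PRIME - 2]
    return private, pow(DH_GENERATOR, private, DH_PRIME)


def dh_shared_secret(private, peer_public):
    """Each side computes peer_public**private mod p; both sides get the same value."""
    return pow(peer_public, private, DH_PRIME)


def sa_key(shared_secret, spi):
    """Per-SA key bound to the SPI that names the SA (hypothetical KDF, not IKE's)."""
    skeyid = hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()
    return hmac.new(skeyid, b"IPSEC-SA" + spi.to_bytes(4, "big"), hashlib.sha256).digest()


@dataclass
class InboundSA:
    key: bytes
    seen: set = field(default_factory=set)  # sequence numbers already accepted


def protect(key, seq, payload):
    """Outbound: prepend a sequence number and sign header+payload for integrity."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(sa, packet):
    """Inbound: reject manipulated or replayed packets; return the payload otherwise."""
    if len(packet) < 4 + MAC_LEN:
        return None
    header, payload, tag = packet[:4], packet[4:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(sa.key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # integrity check failed: data was manipulated in transit
    seq = int.from_bytes(header, "big")
    if seq in sa.seen:
        return None  # sequence number already accepted: replay
    sa.seen.add(seq)
    return payload


def run_exchange():
    """Negotiation plus one protected packet from Computer A to Computer B."""
    # Phase I/II: only public values cross the network.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    secret_at_a = dh_shared_secret(a_priv, b_pub)
    secret_at_b = dh_shared_secret(b_priv, a_pub)

    # Two phase II SAs, one per direction, each named by an SPI (constructed values).
    spi_a_to_b, spi_b_to_a = 0x10000001, 0x20000002
    a_outbound_key = sa_key(secret_at_a, spi_a_to_b)
    b_inbound = InboundSA(sa_key(secret_at_b, spi_a_to_b))

    packet = protect(a_outbound_key, seq=1, payload=b"hello from A")
    delivered = verify(b_inbound, packet)

    # Same length, different bytes: the tag no longer matches.
    tampered = packet[:4] + b"HELLO from A" + packet[-MAC_LEN:]
    replayed = verify(b_inbound, packet)  # the original packet presented again

    return {
        "keys_match": secret_at_a == secret_at_b,
        "delivered": delivered,
        "tampered_rejected": verify(b_inbound, tampered) is None,
        "replay_rejected": replayed is None,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The replay check here is a plain set of accepted sequence numbers; a real IPSec driver uses a sliding window so that memory stays bounded and late packets within the window are still accepted.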
Prerequisites for Implementing IPSec
The computers in your network need to have an IPSec security policy defined that is appropriate for your network security strategy and for the type of network communication that they perform. Computers in the same domain might be organized into groups with IPSec Policies applied to the groups. Computers in different domains might have complementary IPSec security policies to support secure network communications. For more information about using the Internet Protocol Security Policy Management snap-in and selecting an IP Policy for a workstation, see Windows 2000 Professional Help.
How to Implement IPSec
You can view the default Internet Protocol security policies in the Group Policy snap-in to MMC. The policies are listed under IP Security Policies on Active Directory, or under IP Security Policies (Local Computer).
You can also view IPSec policies by using the Internet Protocol Security Policy Management snap-in to MMC. Each Internet Protocol security policy contains security rules that determine when and how traffic is protected. Right-click a policy and select Properties. The Rules tab lists the policy rules. Rules can be further decomposed into filter lists, filter actions, and additional properties.

When planning for IPSec, make the following determinations:
Identify the clients and servers that will use IPSec communications.
Identify whether client authentication is based on Kerberos trust, digital certificates, or a preshared key.
Describe how each computer will initially receive the proper IPSec policy and will continue to receive policy updates.
Describe the security rules inside each IPSec policy. Consider whether Certificate Services are needed to support client authentication by digital certificates.
Describe the enrollment process and strategies to enroll computers for IPSec certificates.
For more information about Internet Protocol security, see the Windows 2000 Server Help. See also "Internet Protocol Security" in the Microsoft® Windows® 2000 Server Resource Kit TCP/IP Core Networking Guide.
Considerations for IPSec
IPSec provides encryption of outgoing and incoming packets, but at a cost of additional central processing unit (CPU) utilization when encryption is performed by the operating system. For many deployments, the clients and servers might have considerable CPU resources available or might have network interface cards that handle IPSec encryption, so there is no noticeable impact on performance. For servers supporting many simultaneous network connections or servers that transmit large volumes of data to other servers, the additional cost of encryption is significant. For this reason, you need to deploy IPSec wisely. Consider evaluating the effects of simulated network traffic before deploying IPSec. Testing is also important if you are using third-party hardware or software products to provide Internet Protocol security.

Windows 2000 provides device interfaces to allow hardware acceleration of IPSec per-packet encryption by intelligent network cards. Network card vendors might provide several versions of client and server cards, and might not support all combinations of IPSec security methods. Consult the product documentation for each card to be sure that it supports the security methods and the number of connections you expect in your deployment.

You can define local IPSec policy on computers that do not have domain IPSec policy assigned to them, or, if your computer is a member of a domain, domain administrators can define Internet Protocol security (IPSec) policies for each domain or organizational unit. You can configure IPSec policies to:
Specify the levels of authentication and confidentiality required between IPSec clients.
Specify the lowest security level at which communications are allowed to occur between IPSec-aware clients.
Allow or prevent communications with non-IPSec-aware clients.
Require all communications to be encrypted for confidentiality, or allow communications in plaintext.
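The model below shows how those four policy choices combine when the IPSec driver evaluates a packet: filters select a rule, the rule's filter action is permit, block or negotiate, a negotiate rule carries an ordered list of security methods (the first one the peer accepts wins, so the last entry is the lowest level you will accept), and a flag decides whether a peer that never answers the negotiation is allowed through in the clear. This is an added illustration, not Windows 2000 code; the rule and filter classes, the "most specific matching filter wins" ordering, the method names and the 10.1.50.0/24 file server subnet are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PERMIT, BLOCK, NEGOTIATE = "permit", "block", "negotiate"


@dataclass(frozen=True)
class Filter:
    """One IP filter: 'any' or a CIDR for addresses, 'any' or a protocol name, a port or None."""
    src: str = "any"
    dst: str = "any"
    protocol: str = "any"
    dst_port: Optional[int] = None

    def matches(self, pkt):
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dst_port")

    def specificity(self):
        """Assumed ordering for this model: a more specific filter beats a general one."""
        score = 0
        for addr in (self.src, self.dst):
            if addr != "any":
                score += ip_network(addr, strict=False).prefixlen
        if self.protocol != "any":
            score += 1
        if self.dst_port is not None:
            score += 1
        return score


@dataclass(frozen=True)
class Rule:
    name: str
    filters: tuple
    action: str                    # PERMIT, BLOCK or NEGOTIATE
    methods: tuple = ()            # acceptable security methods, strongest first
    allow_unsecured: bool = False  # talk to non-IPSec-aware peers in the clear?


def best_rule(policy, pkt):
    """Return the rule whose most specific filter matches, or None if nothing matches."""
    best = None
    for rule in policy:
        for f in rule.filters:
            if f.matches(pkt) and (best is None or f.specificity() > best[0]):
                best = (f.specificity(), rule)
    return None if best is None else best[1]


def decide(policy, pkt, peer_methods):
    """peer_methods: methods the peer offers; None means the peer is not IPSec-aware."""
    rule = best_rule(policy, pkt)
    if rule is None or rule.action == PERMIT:
        return ("clear", None)      # unmatched or permitted traffic passes unprotected
    if rule.action == BLOCK:
        return ("blocked", None)
    if peer_methods is None:        # negotiation gets no answer
        return ("clear", None) if rule.allow_unsecured else ("blocked", None)
    for method in rule.methods:     # first method in our preference the peer accepts
        if method in peer_methods:
            return ("secured", method)
    return ("blocked", None)        # peer only offers something below our lowest level


# Constructed sample policy; addresses and method names are hypothetical.
SAMPLE_POLICY = (
    Rule("Permit ICMP", (Filter(protocol="icmp"),), PERMIT),
    Rule("Block Telnet to file servers",
         (Filter(dst="10.1.50.0/24", protocol="tcp", dst_port=23),), BLOCK),
    Rule("Secure file servers", (Filter(dst="10.1.50.0/24", protocol="tcp"),), NEGOTIATE,
         methods=("ESP-3DES-SHA1", "ESP-DES-MD5"), allow_unsecured=False),
    Rule("Request security elsewhere", (Filter(),), NEGOTIATE,
         methods=("ESP-3DES-SHA1", "AH-SHA1"), allow_unsecured=True),
)


def smb_to_file_server(peer_methods):
    pkt = {"src": "10.2.0.7", "dst": "10.1.50.5", "protocol": "tcp", "dst_port": 445}
    return decide(SAMPLE_POLICY, pkt, peer_methods)


if __name__ == "__main__":
    print(smb_to_file_server(("ESP-DES-MD5",)))   # secured with the weaker method
    print(smb_to_file_server(None))               # blocked: no clear fallback here
```

Reading the sample policy against the list above: the "Secure file servers" rule sets both the required level and the lowest acceptable level through its method list, `allow_unsecured=False` prevents communication with non-IPSec-aware clients for that subnet only, and the catch-all rule lets everything else fall back to plaintext when the peer cannot negotiate.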
Consider using IPSec to provide security for the following applications:
Peer-to-peer communications over your organization's intranet, such as legal department or executive committee communications.
Client-server communications to protect sensitive (confidential) information stored on servers. For file share points that require user access controls, consider using IPSec to ensure that other network users cannot see the data as it is being communicated.
Remote access (dial-up or virtual private network) communications. (For virtual private networks using IPSec with L2TP, remember to set up Security Policy to permit auto-enrollment for IPSec computer certificates. For detailed information about computer certificates for L2TP over IPSec VPN connections, see Windows 2000 Help.)
Secure router-to-router WAN communications.