Network Protocol Security
On completion of this topic you should be able to specify required ports and protocols for services and plan an IPSec policy for secure network communications. You should also be able to configure protocol security in a heterogeneous client computer environment and configure protocol security by using IPSec policies.
Before you can configure network protocol security, you must find out which protocols are in use on your network. It is highly unlikely that all the clients on your network will have the same security requirements. You will need to consider a number of factors, including the application and business use of each client machine.
If you need to configure protocol security in a Windows 2000 or later environment, you will want to use Group Policy, as this will give you the granular control that you need when multiple computers in different departments have different protocol security needs.
If you are working in a heterogeneous network environment, it is critical to know which protocols client computers will use. You may have Novell, UNIX/Linux or Apple machines in your network.
If you have older Novell clients or servers on your network, then you may need to use IPX/SPX or NWLink. NWLink has no built-in security features and should only be used if absolutely necessary. More recent Novell NetWare servers use TCP/IP and provide support for IPSec.
If you have UNIX/Linux machines on your network you should be aware that several services are not secure:
- FTP (File Transfer Protocol) sends its data across the network in clear text, and FTP authentication traffic is also sent in clear text. You can secure FTP traffic by using IPSec, since FTP uses TCP/IP.
- SNMP (Simple Network Management Protocol) is used for troubleshooting on many types of networks. If you use SNMP, you should always change the default community string (which acts as the password) from public to something more secure.
- Telnet is another service that communicates in clear text. It can be used to configure UNIX/Linux machines and other networking devices, but it runs on IP, so IPSec can also be used to secure it.
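
As a starting point for finding which of these services a UNIX/Linux host actually offers, the following added example (not part of the original study guide) parses the output of `ss -tuln` and flags listeners on the well-known ports for FTP (TCP 21), Telnet (TCP 23) and SNMP (UDP 161). The sample output is constructed, and the function names are illustrative assumptions.

```python
# Added example: flag the clear-text services listed above in `ss -tuln` output.
# SAMPLE_SS is constructed for illustration, not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      128    [::]:23            [::]:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:21       0.0.0.0:*
"""

# (transport, well-known port) -> (service, remediation named in the text)
CLEARTEXT = {
    ("tcp", 21): ("FTP", "secure with IPSec"),
    ("tcp", 23): ("Telnet", "secure with IPSec"),
    ("udp", 161): ("SNMP", "change the default 'public' community string"),
}
LOOPBACK = ("127.", "[::1]")  # listeners bound here are not reachable off-host


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line of `ss -tuln`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        # rpartition keeps IPv6 literals such as [::] intact
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)


def audit(ss_output):
    """Return one finding per listener that matches a clear-text service."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        hit = CLEARTEXT.get((proto, port))
        if hit is None:
            continue
        service, fix = hit
        findings.append({"service": service, "proto": proto, "addr": addr,
                         "port": port, "fix": fix,
                         "network_exposed": not addr.startswith(LOOPBACK)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        scope = "network" if f["network_exposed"] else "loopback only"
        print(f"{f['service']:7}{f['proto']}/{f['port']:<4} "
              f"{f['addr']:10} [{scope}] -> {f['fix']}")
```

A port match only shows that something is listening on the default port for that service; a service moved to a non-standard port will not be flagged, so confirm the result against the host's service configuration.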