Configuring Protocol Security Using IPSec Policies
IPSec protects your private network from Internet attacks through end-to-end security. For Windows 2000 Professional and Windows XP clients and Windows Server 2003 servers, IPSec provides the ability to protect communication between workgroups, local area network computers, domain clients and servers, branch offices, extranets and roving clients.
IPSec is implemented primarily to enforce security policies for IP network traffic. A security policy is a set of rules that define network traffic at the IP layer. A packet filter action defines the security requirements for the network traffic. A filter action can be configured to permit, block or negotiate security (negotiate IPSec).
IPSec filters are inserted into the IP layer of the computer's TCP/IP networking protocol stack so that they can examine and filter all inbound or outbound IP packets. IPSec is transparent to end-user applications and operating system services except for a brief delay required to negotiate a security relationship between the two computers.
IPSec policies must be carefully designed, configured, coordinated and managed to ensure that IPSec communication is successful and that IPSec meets the security requirements of your organisation.
IPSec policies are accessed and configured by using the Group Policy Object Editor and navigating to Computer Settings\Windows Settings\Security Settings\IPSEc Policies on Active Directory. Figure 5.1.1 displays the three types of IPSec policies in the right pane:
- Server - Request Security: clients will request security using Kerberos trust. Allows unsecured communication for clients that are not configured or do not support Kerberos
- Client - Respond Only: clients will normally communicate unsecured, but they will use secured IPSec with servers that request security.
- Secure - Requires Security: the most secure method that always requires security using a Kerberos trust. Does not allow unsecured communication, so cannot be used on networks containing down-level clients like Windows NT workstation or Windows 9.x