Im trying to understand and learn IPSEC. I have some knowledge but would
prefer a step by step guide so i can see what it really is and what
advantages it can bring to us. The systems im targeting are Windows Vista and
Windows Server 2008.
Can anyone recommend any books or articles on the web to help me get started?
RE: Learn IPSEC
Hi Tarantino, the most useful/popular IPsec scenario may be in providing
network access control to servers; the server uses IPsec to enforce that only
trusted domain members have access - or only those clients which have an
IPsec policy and the right kind of certificate have access.
IPsec allows you to take this one step further such that you can authorize
specific domain member machines (e.g. machine accounts in a domain security
group) for inbound access.
Windows Vista and Server 2008 make this scenario easier with the Windows
Firewall with Advanced Security (WFAS) snapin. You configure IPsec policy as
"connection security rules" and then authorize based on the IPsec identity
using settings for users and computers in the inbound rules. There is a new
WFAS deployment guide published here:
Using IPsec to protect servers is a concept that Microsoft calls "Server
Isolation". There is a short architecture guide about this, and well as a
full deployment solution guide on:
While this is oriented to internal servers, using certificates you can apply
the same scenario to servers hosted on the Internet.
For example, you might lock down access using IPsec to servers that are
1. at most risk of being attacked
2. contain the most sensitive information - you have the option of just
authenticating traffic or also encrypting all client traffic.
3. are business critical - where you can reduce downtime by ensuring only
authorized clients have access to this server.
Once you have servers locked down, then you can consider protecting all
domain member clients by requiring IPsec authentication for inbound access to
a client. This Microsoft calls "domain isolation".
You may also use IPsec to authenticate, authorize, encrypt and audit
administrator traffic to any domain member, or only for access using
protocols that would expose passwords, like telnet and FTP and HTTP basic
You might also use IPsec to authenticate, encrypt and aggregate (into a
single protocol for easy firewall traversal) all traffic between domain
controllers, or between replicating bridgehead DCs at each site.
You may also use IPsec to provide security over wireless access points if
you did not want to use 802.1x, or if you wanted defense in depth to you
wireless security solution.
You can achieve many things with a policy-based approach to commmunications
security. I'd start with identifying where your risk of network-based attacks
are, or with specific assets, either information or computers, that you want
to better secure against network attack. In some cases IPsec enables
scenarios that you were not able to do before, such as provide normal file
sharing with your business partners from servers that are "on" the native
Of course there are other ways of achieving certain scenarios. For file
sharing you might consider using HTTPS webdav, depending on what type of user
experience you want and what support is available in the client platform.
Windows Vista now supports SSL-based VPN in SP1 that is compatible with
Server 2008 (called SSTP). ISA publishing of internal servers, the new FTPS
support in IIS7, Remote Desktop and Terminal Server gateway are options as
Best of luck,
> Im trying to understand and learn IPSEC. I have some knowledge but would
> prefer a step by step guide so i can see what it really is and what
> advantages it can bring to us. The systems im targeting are Windows Vista and
> Windows Server 2008.
> Can anyone recommend any books or articles on the web to help me get started?