Learn IPSEC - Network



Thread: Learn IPSEC

  1. Learn IPSEC

    I'm trying to understand and learn IPSEC. I have some knowledge but would
    prefer a step by step guide so I can see what it really is and what
    advantages it can bring to us. The systems I'm targeting are Windows Vista and
    Windows Server 2008.

    Can anyone recommend any books or articles on the web to help me get started?

    Thanks

  2. RE: Learn IPSEC

    Hi Tarantino, the most useful/popular IPsec scenario may be in providing
    network access control to servers; the server uses IPsec to enforce that only
    trusted domain members have access - or only those clients which have an
    IPsec policy and the right kind of certificate have access.

    IPsec allows you to take this one step further such that you can authorize
    specific domain member machines (e.g. machine accounts in a domain security
    group) for inbound access.

    Windows Vista and Server 2008 make this scenario easier with the Windows
    Firewall with Advanced Security (WFAS) snap-in. You configure IPsec policy as
    "connection security rules" and then authorize based on the IPsec identity
    using settings for users and computers in the inbound rules. There is a new
    WFAS deployment guide published here:
    http://go.microsoft.com/fwlink/?linkid=98307

    Using IPsec to protect servers is a concept that Microsoft calls "Server
    Isolation". There is a short architecture guide about this, as well as a
    full deployment solution guide on:
    http://www.microsoft.com/sdisolation

    While this is oriented to internal servers, using certificates you can apply
    the same scenario to servers hosted on the Internet.

    For example, you might lock down access using IPsec to servers that:
    1. are at most risk of being attacked
    2. contain the most sensitive information - you have the option of just
       authenticating traffic or also encrypting all client traffic.
    3. are business critical - where you can reduce downtime by ensuring only
       authorized clients have access to this server.

    Once you have servers locked down, then you can consider protecting all
    domain member clients by requiring IPsec authentication for inbound access to
    a client. This Microsoft calls "domain isolation".

    You may also use IPsec to authenticate, authorize, encrypt and audit
    administrator traffic to any domain member, or only for access using
    protocols that would expose passwords, like telnet and FTP and HTTP basic
    auth.

    You might also use IPsec to authenticate, encrypt and aggregate (into a
    single protocol for easy firewall traversal) all traffic between domain
    controllers, or between replicating bridgehead DCs at each site.

    You may also use IPsec to provide security over wireless access points if
    you did not want to use 802.1x, or if you wanted defense in depth to your
    wireless security solution.

    You can achieve many things with a policy-based approach to communications
    security. I'd start with identifying where your risk of network-based attacks
    is, or with specific assets, either information or computers, that you want
    to better secure against network attack. In some cases IPsec enables
    scenarios that you were not able to do before, such as providing normal file
    sharing with your business partners from servers that are "on" the native
    Internet.

    Of course there are other ways of achieving certain scenarios. For file
    sharing you might consider using HTTPS webdav, depending on what type of user
    experience you want and what support is available in the client platform.
    Windows Vista now supports SSL-based VPN in SP1 that is compatible with
    Server 2008 (called SSTP). ISA publishing of internal servers, the new FTPS
    support in IIS7, Remote Desktop and Terminal Server gateway are options as
    well.

    Best of luck,
    Bill


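    The server isolation setup Bill describes (a connection security rule that
    requires IPsec authentication, then inbound firewall rules that authorize
    by the authenticated computer identity and, for password-exposing admin
    protocols, require encryption) can be scripted with netsh advfirewall on
    Vista and Server 2008. The block below is an added example, not code from
    the thread or from Microsoft's guides; it runs from an elevated cmd or
    PowerShell prompt. The rule names, the domain group SID and the port
    choices are assumptions for illustration.

```powershell
# Added example (not from the thread). Run elevated on the isolated server.
# Replace the SID placeholder with the SID of the domain security group that
# holds the machine accounts allowed inbound (Get-ADGroup or "dsquery group"
# will show it); it must be written as an SDDL string for rmtcomputergrp.

# --- 1. Connection security rule (IPsec policy) -----------------------------
# Require authentication for inbound connections, only request it outbound,
# authenticating with the machine's Kerberos (domain) credentials. A host
# that is not a domain member cannot complete the inbound exchange.
netsh advfirewall consec add rule name="Server Isolation - Require Inbound" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb mode=transport profile=domain enable=yes

# --- 2. Inbound rules that authorize on the IPsec identity -----------------
# File sharing (SMB, TCP 445): allow only when the connection was IPsec
# authenticated AND the peer computer is a member of the authorized group.
# security=authenticate requires integrity (AH/ESP-null), not encryption.
netsh advfirewall firewall add rule name="SMB in - authorized computers only" dir=in action=allow protocol=TCP localport=445 security=authenticate rmtcomputergrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-GROUP-RID)"

# Administrative access (Remote Desktop, TCP 3389): same computer-group
# authorization, but security=authenc additionally requires ESP encryption
# so credentials and the session are not visible on the wire.
netsh advfirewall firewall add rule name="RDP in - authorized computers, encrypted" dir=in action=allow protocol=TCP localport=3389 security=authenc rmtcomputergrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-GROUP-RID)"

# --- 3. Audit: log IPsec main-mode and quick-mode negotiations -------------
# These subcategories record which peer authenticated and which failed, which
# is how you find clients that still need policy before tightening further.
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

# --- 4. Verify -------------------------------------------------------------
# Show the policy as applied, then the live security associations once an
# authorized client connects (an empty SA list means no peer negotiated).
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

    When rolling this out, stage it: first deploy the connection security
    rule with action=requestinrequestout on both servers and clients, confirm
    from the quick-mode SA list and the audit log that the intended clients
    negotiate successfully, and only then switch the server side to
    requireinrequestout. Going straight to "require" cuts off every host that
    has not yet received the policy, including non-domain management tools
    and monitoring systems.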

