Saturday, May 20, 2006


What exactly is IPSec?

IPSec is a set of protocols that facilitate the secure transfer of data at the IP layer.

How does IPSec work?

IPSec secures data by encrypting the contents using the public key mechanism at the IP layer. IPSec works in two modes, transport and tunnel. In transport mode, only the content of the packet is encrypted, not the header. In tunnel mode, both content and header are encrypted. The receiving device must be IPSec compliant and must share the same public key as the sender in order to decrypt the data. The same public key is required only if the sending and receiving devices are in different non-trusting domains where Kerberos cannot be used. If they are in the same domain or in trusting domains, a public key is not required, as the encryption algorithm is provided by Kerberos.

IPSec scenarios

IPSec is generally used in transport mode within the company's internal network, for traffic between server and client, server and server, and client and client. This mitigates the risk posed by an external visitor who connects a laptop to the company network and uses a sniffer tool to capture the packets flowing through it. If you are using IPSec, the visitor will still capture the packets, but will not be able to read them. Hence the data remains secure.
IPSec in tunnel mode is generally used in conjunction with the Layer 2 Tunneling Protocol (L2TP) to provide data encryption between two locations connected by a WAN. This scenario is valid for both a dedicated WAN and a shared VPN. Many would argue against the need for encryption on a dedicated WAN. The reason for this protection is that, although the WAN is dedicated, the data still flows through the ISP's infrastructure, where it might be compromised.
You can choose to secure only communications that involve a server and let client-to-client communication happen over the unsecured network. This is accomplished by enabling IPSec only on the servers and configuring the clients for 'respond only' mode. The server will accept the clear text message from the client and then create and negotiate an IPSec session with the client. The session stays alive for 1 hour; if the client wants to initiate a session after 1 hour, the entire process is repeated.

How to configure IPSec?

In Windows 2003, IPSec can be configured using Group Policy. The computers need to be part of the same or a trusted Windows 2000 or higher domain. In this scenario, let's say we have two client computers running Windows 2000 Professional in the same domain, named Client1 and Client2, and a domain controller in the same domain named DC1. Following are the steps to configure IPSec:

1) On Client1 and Client2, enable local auditing by selecting 'Success' and 'Failure' for 'Audit Logon Events' and 'Audit Object Access'.

2) On Client1, right-click 'Secure Server' and click 'Assign'.

3) On Client2, right-click 'Client (Respond Only)' and click 'Assign'.

4) From Client2, ping Client1. You will notice that the request is negotiating IP security.

5) Ping again after a couple of minutes and you will notice that the ping goes through.

6) From Client2, check the Security log for an event proving that the communication happened over IPSec. Look for 'Encapsulation Transport Mode' in the body of the event.
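The assign-and-verify steps above, scripted with netsh and PowerShell as an added example that is not part of the original post. It assumes the netsh "ipsec" context of Windows XP/2003, PowerShell on the host, and that the built-in policies still carry their default names 'Secure Server (Require Security)' and 'Client (Respond Only)'.

```powershell
# Added example (not from the original post): scripts steps 2, 3, 5 and 6 above.
# Assumes the netsh "ipsec" context of Windows XP/2003 and PowerShell on the host.
param([string]$Role = 'ClientRespondOnly')   # run with -Role SecureServer on Client1

# Default names of the built-in IPSec policies in Local Security Settings.
$policies = @{
    'SecureServer'      = 'Secure Server (Require Security)'
    'ClientRespondOnly' = 'Client (Respond Only)'
}
if (-not $policies.ContainsKey($Role)) { throw "Unknown role: $Role" }
$policyName = $policies[$Role]

# Steps 2 and 3: assign the built-in policy. Only one policy can be assigned at a
# time, so assigning this one replaces whatever was assigned before.
netsh ipsec static set policy "name=$policyName" assign=y
netsh ipsec static show policy all          # confirm the policy is listed as assigned

# Step 5: after the pings have gone through, list the quick-mode SAs that IKE set up.
netsh ipsec dynamic show qmsa

# Step 6: pull the audit events that prove the traffic went over IPSec in transport
# mode (needs the audit settings from step 1 and an administrator session).
Get-EventLog -LogName Security -Newest 500 |
    Where-Object { $_.Message -match 'Encapsulation Transport Mode' } |
    Select-Object TimeGenerated, EventID, Message
```

Run it with -Role SecureServer on Client1 and with the default role on Client2, then ping as in step 4 before the verification commands report anything.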

This is all it takes to configure a simple implementation of IPSec between a client and a server in transport mode. In this case the encryption was handled by Kerberos, since all systems were in the same domain. For systems in multiple non-trusting domains, you need a common public key and a certificate server to provide the algorithm for encryption.

On what platforms can IPSec work?

IPSec is platform independent and can run on any platform. However, in this article the emphasis is on using IPSec on Windows.
