RE: ipsec for lan

From: Chris Weber (Chris.weber@foundstone.com)
Date: 07/26/01


Message-ID: <5B8559F3126DD4119C5100B0D022A06DD5332D@mailwest>
From: Chris Weber <Chris.weber@foundstone.com>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Subject: RE: ipsec for lan
Date: Wed, 25 Jul 2001 16:57:16 -0700

The short answer is Yes, IPsec is the right solution if you need
packet-level security. The long answer is that the default IPsec policies
Microsoft provides you may not be what you really need.
Because IPsec is such a robust protocol, its use needs nearly as much, if
not more, planning as your normal TCP/IP network scheme. You have to know
exactly the types of traffic you want to protect, and how you want to
protect it. You need to ask yourself where encryption of packets is
important, or where you just need authentication and integrity of the
communications.
You are on the right track saying that you will use Kerberos for IPsec
authentication. However, I would hesitate to use the "server option" that
Microsoft has provided as a default policy. It may or may not fill your
needs; make sure you understand it first.
Before implementing IPsec for the wonderful security benefits it can
provide, I would suggest reading up on the protocol RFCs (2401 - 2411), and
reading Microsoft's documentation.

Step by Step walkthrough:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/walkthru/ispstep.asp

IPsec on Windows 2000 Server

http://www.microsoft.com/windows2000/docs/IPSecurity.doc

Thanks,
Chris Weber

-----Original Message-----
From: Frédéric Médery [mailto:fmedery@sympatico.ca]
Sent: Tuesday, July 24, 2001 7:40 PM
To: focus-ms@securityfocus.com
Subject: ipsec for lan

Hello everybody,
This is my first mail to the ML. If my question is in the FAQ, please
forgive me :-) My domain is 100% Win 2k (SRV and station). I like to use
ipsec all over my LAN. Since my LAN is 100% win2k I'll use Kerberos. In the
properties of ipsec, I've got 3 options: client, secure server and server.
Because my domain is connected to the internet (through DMZ) I read that I have
to use the "server option" so all my computers will be able to communicate
inside my LAN. Is it the right solution for implementing ipsec for my lan?

Thank you for your (future) advice.

Frederic


