Between Forest IPSec Implementation?

From: John Munyan (johnm@attrition.ws)
Date: 03/20/02


Date: Tue, 19 Mar 2002 19:34:15 -0800
From: "John Munyan" <johnm@attrition.ws>
To: <focus-ms@securityfocus.com>

Currently I am working on a project calling for the enforcement of IPsec
communication for all internal web site traffic to increase security and
would appreciate some feedback from those who may have had to address
this. The problem I am coming up against is how to create/enforce IPsec
communications between Windows 2000 machines in different forests.
Within one forest I can see how this would be approached, but where
forest lines are crossed my understanding breaks down.

In reviewing the possibilities there appear to be three ways to do
auth: 1) Kerberos, 2) Preshared Key, and 3) Cert. I haven't tested the
first method yet but have reservations that even with an existing domain
to domain trust in place Kerberos authentication will work across
forests. If not, it is my thought that the best solution would be to use
a localized certificate authority to handle the auth. In reviewing the
CA offering it appears the policy element for machine IPsec policy is
solely the province of the Enterprise CA and Subordinate Enterprise
CA. Is it possible to use an Enterprise CA in one forest to provide
auth for another forest if the clients' trusted CA lists are updated to
reflect the Enterprise CA as being trusted? It was my initial thought
to use a stand-alone root CA, but upon inspection this appears to not be
possible.

Can anyone offer some advice about how to configure cross-forest IPsec
communications?

Thanks,

John
