Re: Between Forest IPSec Implementation?

From: Kurt Seifried (bugtraq@seifried.org)
Date: 03/20/02


From: "Kurt Seifried" <bugtraq@seifried.org>
To: "John Munyan" <johnm@attrition.ws>, <focus-ms@securityfocus.com>
Date: Wed, 20 Mar 2002 11:40:33 -0700

Quick way to enforce IPSec usage: firewall the webservers and block
everything but:

Protocol TCP, port 500, UDP (IPSec key daemon)
Protocol 50, 51 (AH and ESP)

It's what I use at my vpn gateway to make it a) difficult to attack and b)
make sure I don't forget to use IPsec =).

As far as authentication goes, if you are 100% Windows the Kerberos stuff is
fine; cert is great for interoperability between various clients since
almost all support it (unlike the Kerberos thing, PGP keys, etc.)

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html

----- Original Message -----
From: "John Munyan" <johnm@attrition.ws>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, March 19, 2002 8:34 PM
Subject: Between Forest IPSec Implementation?

Currently I am working on a project calling for the enforcement of ipsec
communication for all internal web site traffic to increase security and
would appreciate some feedback from those who may have had to address
this. The problem I am coming up against is how to create/enforce ipsec
communications between Windows 2000 machines in different forests.
Within one forest I can see how this would be approached, but where
forest lines are crossed my understanding breaks down.

In reviewing the possibilities there appear to be three ways to do
auth: 1) Kerberos, 2) Preshared Key, and 3) Cert. I haven't tested the
first method yet but have reservations that even with an existing domain
to domain trust in place Kerberos authentication will work across
forests. If not, it is my thought that the best solution would be to use
a localized certificate authority to handle the auth. In reviewing the
CA offering it appears the policy element for machine ipsec policy is
solely the province of the Enterprise CA and Subordinate Enterprise
CA. Is it possible to use an Enterprise CA in one forest to provide
auth for another forest if clients' trusted CA lists are updated to
reflect the Enterprise CA as being trusted? It was my initial thought
to use a stand-alone root CA, but upon inspection this appears to not be
possible.

Can anyone offer some advice about how to configure cross forest ipsec
communications?

Thanks,

John
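The firewall rule Kurt describes at the top of the thread (drop everything reaching the web servers except IKE, ESP and AH) as an added, runnable example; this is my code, not Kurt's or John's. It models the policy twice: as a small classifier that mirrors how a Linux host firewall sees traffic when the host itself terminates IPsec (the encrypted packet is checked once, and the decapsulated TCP segment is checked again, so the web port is admitted only when it arrived through an IPsec SA), and as the equivalent iptables commands. Assumptions of mine that the page does not state: IKE on UDP port 500 per the IANA assignment, interface "eth0", served ports 80/443, and a conntrack rule for replies to connections the host opens itself.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): an "IPsec-only" web server firewall.

Policy from the post: drop everything reaching the web servers except
IKE (UDP 500), ESP (IP protocol 50) and AH (IP protocol 51).

Assumptions (mine, not from the page): IKE on UDP 500 per the IANA
assignment; interface "eth0" and the served ports 80/443 are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IKE_PORT = 500
WEB_PORTS = (80, 443)          # placeholder: whatever the web servers serve


@dataclass(frozen=True)
class Packet:
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # TCP/UDP destination port, else None
    via_ipsec: bool = False      # True once the kernel decapsulated it from an SA


def allowed_inbound(pkt: Packet) -> bool:
    """Return True if the host firewall should accept this inbound packet."""
    # Pass 1: what arrives on the wire.  Only the IPsec control channel
    # (IKE) and data channels (ESP/AH) are admitted; a plaintext SYN to
    # port 80 from anywhere is dropped here.
    if pkt.proto in (IPPROTO_ESP, IPPROTO_AH):
        return True
    if pkt.proto == IPPROTO_UDP and pkt.dport == IKE_PORT:
        return True
    # Pass 2: the inner packet after ESP/AH processing.  It is plaintext
    # TCP now, so it is accepted only because it came out of an SA.
    if pkt.via_ipsec and pkt.proto == IPPROTO_TCP and pkt.dport in WEB_PORTS:
        return True
    return False


def iptables_rules(iface: str = "eth0") -> List[str]:
    """Render the same policy as iptables commands for a Linux host firewall."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        # Replies to connections the host itself opened (DNS, NTP, ...);
        # an addition of mine, not part of the post's list.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # The three things the post allows through: ESP (50), AH (51), IKE (UDP 500)
        f"iptables -A INPUT -i {iface} -p esp -j ACCEPT",
        f"iptables -A INPUT -i {iface} -p ah -j ACCEPT",
        f"iptables -A INPUT -i {iface} -p udp --dport {IKE_PORT} -j ACCEPT",
    ]
    # Decapsulated packets re-enter INPUT as plaintext; the xt_policy match
    # admits them only if an inbound IPsec policy was applied to them, so
    # plaintext HTTP that never went through an SA still hits the DROP policy.
    for port in WEB_PORTS:
        rules.append(
            f"iptables -A INPUT -i {iface} -m policy --dir in --pol ipsec "
            f"-p tcp --dport {port} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    for line in iptables_rules():
        print(line)
```

The second pass is the part that is easy to get wrong on a host that terminates IPsec itself: without the `-m policy --dir in --pol ipsec` rules the decrypted HTTP segment is dropped by the default policy, and with a plain `--dport 80 -j ACCEPT` instead, the "IPsec only" guarantee is gone. On Windows 2000 the IPsec filter policy handles this natively; on a separate firewall box in front of the servers, only the first pass applies.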
