RE: Between Forest IPSec Implementation?
From: Chris Weber (Chris.weber@foundstone.com) Date: 03/21/02
From: Chris Weber <Chris.weber@foundstone.com> To: 'John Munyan' <johnm@attrition.ws>, focus-ms@securityfocus.com Date: Thu, 21 Mar 2002 12:09:30 -0800
Using Windows 2000, your design should work fine with certificates and CAs,
but not with Kerberos. And stay away from preshared keys, because they are
stored in clear text.
As far as using a CA, you can set up your IPSec policies in each forest to
use the same CA, be it Verisign or your own standalone CA. Just use the
Certificates snap-in to manage your trusted root CAs, and add/remove the
ones you want.
Kerberos cross-forest auth will not work in 2000. This may or may not be an
option for you, but if you upgrade to XP/.NET you can use cross-forest trust
and enable Kerberos authentication for your IPSec solution.
Hope this helps,
Chris Weber
-----Original Message-----
From: John Munyan [mailto:johnm@attrition.ws]
Sent: Tuesday, March 19, 2002 7:34 PM
To: focus-ms@securityfocus.com
Subject: Between Forest IPSec Implementation?
Currently I am working on a project calling for the enforcement of IPSec
communication for all internal web site traffic to increase security, and
would appreciate some feedback from those who may have had to address this.
The problem I am coming up against is how to create/enforce IPSec
communications between Windows 2000 machines in different forests. Within
one forest I can see how this would be approached, but where forest lines
are crossed my understanding breaks down.
In reviewing the possibilities there appear to be three ways to do auth: 1)
Kerberos, 2) Preshared Key, and 3) Cert. I haven't tested the first method
yet, but have reservations that even with an existing domain-to-domain trust
in place Kerberos authentication will work across forests. If not, it
is my thought that the best solution would be to use a localized certificate
authority to handle the auth. In reviewing the CA offering, it appears the
policy element for machine IPSec policy is solely the province of the
Enterprise CA and Subordinate Enterprise CA. Is it possible to use an
Enterprise CA in one forest to provide auth for another forest if the clients'
trusted CA lists are updated to reflect the Enterprise CA as being trusted?
It was my initial thought to use a standalone root CA, but upon inspection
this appears to not be possible.
Can anyone offer some advice about how to configure cross-forest IPSec
communications?
Thanks,
John
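Editor's added example, not code from either message above: the certificate-based design Chris recommends (one root CA trusted by machines in both forests, machine-certificate authentication for IPSec, no preshared key), written with the modern NetSecurity and PKI PowerShell cmdlets (Windows 8 / Server 2012 and later) rather than the Windows 2000 IPSec and Certificates snap-ins the thread refers to. The root certificate file name and subject are assumptions; machine certificates chained to that root are assumed to be enrolled already, since Enterprise CA autoenrollment does not cross a forest boundary and the other forest would need a standalone CA or manual enrollment, which this script does not perform.

```powershell
# Added example (not from the original thread). Run elevated on every web server and
# client in BOTH forests. Assumed (hypothetical) values:
$RootCerPath = '.\CrossForestRoot.cer'        # exported public cert of the shared root CA
$RootSubject = 'CN=Cross-Forest Root CA'      # its subject DN

# 1. Trust the common root in the machine store (what the Certificates snap-in did).
Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Check that the root really landed in the trusted root store before building policy on it.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootSubject }
if (-not $root) { throw "Root '$RootSubject' not found in Cert:\LocalMachine\Root" }

# 2. Main mode (phase 1) authentication: machine certificate chained to that root.
#    Certificates work across forests; the thread's point is that Kerberos did not on 2000.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootSubject -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'CrossForest-Cert-Auth' -Proposal $certProposal

# The weak alternative the reply warns against, shown only for contrast and left
# commented out: a preshared key is one static secret kept in the local policy store
# and shared by every peer that uses the rule.
# $pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey 'changeme'

# 3. Require (not merely request) IPsec transport mode for HTTP/HTTPS, so unprotected
#    web traffic is refused. Servers match on the local port, clients on the remote port;
#    a machine that is both gets both rules.
New-NetIPsecRule -DisplayName 'Require IPsec for inbound internal web' `
    -Mode Transport -Protocol TCP -LocalPort 80,443 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name | Out-Null

New-NetIPsecRule -DisplayName 'Require IPsec to internal web servers' `
    -Mode Transport -Protocol TCP -RemotePort 80,443 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name | Out-Null

# 4. Check: after a peer in the other forest connects, a main mode SA should be listed
#    here. No SA and a refused connection usually means the peer's machine certificate
#    does not chain to the root configured above.
Get-NetIPsecMainModeSA
```

The same script runs unchanged in each forest; only the certificate enrollment differs per forest, which is exactly the part the thread is trying to solve with a shared standalone or commercial CA.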