IPSec Policies Essay

IPSec protocols facilitate encrypting data that is being transmitted over the network thus enhancing security and confidentiality of the data. First, it is important to note that IPSec is regularly employed at a Group Security level and it is not generally compatible with all the available operating systems. IPSec is compatible only with Windows operating system series: 2000, XP and 2003. Windows operating system basically consists of three built-in IPSec policies according to Posey (2004). First, is the Server Policy which in other words is called Request-Security Policy. This means that wherever it is applied, the system requests IPSec encryption so as to allow communication between another computer and the main machine. Besides, if that other computer does not support IPSec encryption, the session is allowed to remain encrypted. Second is the Client Policy which in other words is called response-only policy as it does not at all ask for IPSec encryption. Nevertheless, when another device in the network asks for IPSec encryption, a system that applies Client Policy responds by permitting encryption of sessions. Third, is the Secure Server Policy which calls for IPSec encryption for all incoming link requests made to the server. Thus, it does not sustain non-encrypted sessions. However, this policy exempts ICMP traffic to allow connect without any encryption requirements (Posey, 2004). In Win2k3, IPSec facilities in provision of security-in-depth against cyber attacks propagated by hackers and/or un-trusted devices in the network. Internet Protocol security shields devices against attacks in environments such as virtual private network (VPN), host-to-host, secure server and site-to-site or router-to-router. IPSec applies cryptography and packet filtering to secure networks. These features ensure user authentication, data privacy and integrity as well as reliable communication. In this regard, a few requirements which must be met while setting-up IPSec policies in Win2k3. First, in case a system entails ‘Active Directory –based IPSec policy’, then group policy and active directory have to be configured properly, necessary trusts defined, and application of necessary permissions. Second, every device in the network must be assigned IPSec policy compatible that of others in the network. Third, authentication procedures have to be built up properly and identified in IPSec policy to allow for mutual authentication amid IPSec peers. Fourth, routers and additional filtering devices need to be configured properly to allow IP Security protocol interchange on various parts of the shared network. Fifth, all the computers must have IPSec-supportive operating system and incase they have different operating system, compatibility issues of the IPSec policies have to be addressed. Sixth, IPSec-based connections have to be sufficiently sized besides maintaining the amount of IP Security policies at a minimum. Finally, it is necessary that all system administrators are provided with proper training so as to be able to configure the IPSec policies (Microsoft Corporation, 2010). To successfully implement IPSec in Win2k3, the above steps have to be carried out or seen to be done effectively. It is therefore important to ensure they are observed to the latter although certain distinct procedures have to be observed while implementing IPSec policies. To start with, Bird (2007a) writes that the functionality of IPSec is provided on a Win2k3 via IPSec Services. Therefore, while initially configuring IPSec, it is important to ensure that it is operating in the server. This can be done by checking for IPSec functionality withinn the Services MMC. Besides, the Services MMC is accessible via the Administrative Tools menu in the domain controller. The service is put together so that it starts routinely by default. The second important process during implementation of IPSec policy is to choose and assigns a proper IPSec policy. Once IPSec policies are assigned, it is in order to define the specific actions to be executed on arriving network interchange which meets or does not meet a specific criteria. Both IPSec components and policies are configured via IPSec ‘Policy Management MMC snap-in’. Accordingly, Bird (2007a) in his work states that there is no other way to access MMC in Administrative Tools menu and one has ‘to open a blank MMC’ before adding a snap-in. Consequently, the author argues that to access properties of a prevailing rule, so as to modify or change it, one can do this ‘by double-clicking the rule from within the IPSec Security Policies snap-in’. Such page of properties for default policies appears as in the below diagram. Fig. 1 Server Properties NB: Bird, 2007a. Implement IPSec on Windows Server 2003. The IPSec policy consists of regulations that stipulate the type of traffic entailed in the policy and methods used for authentication procedures. Additionally, an IPSec policy encompasses traffic occurrences in cases where it meets specified criteria or not (Bird, 2007a). Thirdly, another important procedure during implementation is referred to as filtering action. It entails specifying whether or not the defined IPSec rule applies to the entire network connections. For instance whether connections emanating from the Local Area Network and/or from remote links. As Indicated in the figure above, the policy consists of three distinct rules. The first rule stipulates that security needs to be called for all the existing IP traffic and that it should Kerberos requires to be applied to enhance encryption (security and privacy) and authentication procedures. Second rule stipulates that the entire ICMP traffic for instance tracert and ping should be granted access without any requirement for security measures. Third rule which is also the default rule stipulates what happens to the network traffic that does not match to any of the rules (Ibid, 2007a). As earlier stated that there exists three distinct IPSec policies, Client policy (Respond policy) is more common although one can be required to create an IPSec policy from scratch. Therefore, for the purpose of this document it is only an overview of Client and Server Policies implementation that are considered. Bird (2007b) in his work takes a closer look at implementation of Client policy on Win2k3 and argues that it distinctly moderate compared to the others. In this environment, when a client applies for an IPSec connection, it is awarded based on security request. It is important to note that authentication procedures in Win2k3 and Active Directory encompass Kerberos as the default method. However, IPSec on Win2k3 supports pre-shared keys as well as digital certificates as alternative methods for authentication. As earlier mentioned, successful IPSec implementation process consists of three processes basically: assigning, configuring and monitoring. In assigning IPSec policy, you first select it in the IPSec Policy Management MMC snap-in, right-click and then activate it. It is only one policy which can be assigned at any given time without necessarily refreshing the policy manually. However, while assigning IPSec via Group Policy, a manual refresh is necessary. At such point, Win2k3 is sufficiently prepared to respond to any requests for inward bound IPSec connections (Bird, 2007b). Configuring or enabling the functionality of IPSec can either be done manually or via Group Policy in case of deployment on sizeable number of clients. In manual configuration, IPSec policy is configured simply by via Local Security Policy MMC in the Control Panel Administrative Tools menu. IPSec policy snap-in is included into the Administrative Tools menu by default. Alternatively, the Control Panel Administrative Tools menu can be accessed by clicking Start, Run and then typing Secpol. msc in the field. It is in the IPSec policy snap-in where one makes use present policy and/or builds a new one. For instance, where Server policy is implemented on workstation, ‘requests to non-IPSec enabled hosts’ are allowed without IPSec and on the other hand, ‘connections to hosts that do support IPSec’ uses encryption. Subsequently, Bird (2007b) writes that up on configuration of IPSec it is in order to monitor and validate the performance of IPSec traffic. This is usually done by using IPSec Monitor MMC snap-in via navigating through the Statistics folder in the system. These statistics consists of the data quantity received or sent in encrypted format as well as number of existing security associations. Furthermore the author states that IPSec acts as a supplement to the network troubleshooting. Hence, at any point in time where connectivity matters arise, one must examine the source of the problem in either the basic network structure or the IPSec. It is important to note that where security of the data is a key consideration, one can comfortably assign, configure, and monitor the IPSec via using Microsoft tools and software.