IP Security

Windows 2000 incorporates Internet Protocol security (IPSec) for data protection of network traffic. IPSec is a suite of protocols that allow secure, encrypted communication between two computers over an insecure network. The encryption is applied at the IP network layer which means that it is transparent to most applications that use specific protocols for network communication. IPSec provides end-to-end security, meaning that the IP packets are encrypted by the sending computer, are unreadable en route, and can be decrypted only by the recipient computer. Due to a special algorithm for generating the same shared encryption key at both ends of the connection, the key does not need to be passed over the network.

How IPSec Works

IPSec has many intricate components and options that are worthy of detailed study; but at a high level the process operates in this manner:

  1. An application on Computer A generates outbound packets to send to Computer B across the network.

  2. Inside TCP/IP, the IPSec driver compares the outbound packets against IPSec filters, checking to see if the packets need to be secured. The filters are associated with a filter action in IPSec security rules Many IPSec security rules can be inside one IPSec policy that is assigned to a computer.

  3. If a matched filter has to a negotiate security action, Computer A begins security negotiations with Computer B, using a protocol called the "Internet Key Exchange"IKE). The two computers exchange identity credentials according to the authentication method specified in the security rule. Authentication methods could be Kerberos authentication, public key certificates, or a preshared key value (much like a password). The IKE negotiation establishes two types of agreements, called "security associations," between the two computers. One type (called the "phase I IKE SA") specifies how the two computers trust each other and protects their negotiation. The other type is an agreement on how to protect a particular type of application communication. This consists of two SAs (called "phase II IPSec SAs") that specify security methods and keys for each direction of communication. IKE automatically creates and refreshes a shared, secret key for each SA. The secret key is created independently at both ends without being transmitted across the network.

  4. The IPSec driver on Computer A signs the outgoing packets for integrity, and optionally encrypts them for confidentially using the methods agreed upon during the negotiation. It transmits the secured packets to Computer B.


    Firewalls, routers, and servers along the network path from Computer A to Computer B do not require IPSec. They simply pass along the packets in the usual manner.

  5. The IPSec driver on Computer B checks the packets for integrity and decrypts their content if necessary. It then transfers the packets to the receiving application.

IPSec provides security against data manipulation, data interception, and replay attacks.

IPSec is important to strategies of data confidentiality, data integrity, and nonrepudiation.

Prerequisites for Implementing IPSec

The computers in your network need to have an IPSec security policy defined that is appropriate for your network security strategy and for the type of network communication that they perform. Computers in the same domain might be organized into groups with IP security policy applied to the groups. Computers in different domains might have complementary IPSec security policies to support secure network communications.

How to Implement IPSec

You can view the default IP security policies in the Group Policy snap-in to MMC. The policies are listed under IP Security Policies on Active Directory , or under IP Security Policies (Local Computer) :

Group Policy object
 — Computer Configuration
 — Windows Settings
  — Security Settings
  — IP Security Policies on Active Directory

You can also view IPSec policies by using the IP Security Policy Management snap-in to MMC. Each IP Security policy contains security rules that determine when and how traffic is protected. Right-click a policy and select Properties . The Rules tab lists the policy rules. Rules can be further decomposed into filter lists, filter actions, and additional properties.

For more information about Internet Protocol security, see the Windows 2000 Server Help. See also "Internet Protocol Security" in the Microsoft ® Windows ®  2000 Server Resource Kit TCP/IP Core Networking Guide .

Considerations for IPSec

IPSec provides encryption of outgoing and incoming packets, but at a cost of additional CPU utilization when encryption is performed by the operating system. For many deployments, the clients and servers might have considerable CPU resources available, so that IPSec encryption will not have a noticeable impact on performance. For servers supporting many simultaneous network connections or servers that transmit large volumes of data to other servers, the additional cost of encryption is significant. For this reason, you need to test IPSec using simulated network traffic before you deploy it. Testing is also important if you are using a third-party hardware or software product to provide IP security.

Windows 2000 provides device interfaces to allow hardware acceleration of IPSec per-packet encryption by intelligent network cards. Network card vendors might provide several versions of client and server cards, and might not support all combinations of IPSec security methods. Consult the product documentation for each card to be sure that it supports the security methods and the number of connections you expect in your deployment.

You can define Internet Protocol security (IPSec) policies for each domain or organizational unit. You can also define local IPSec policy on computers that do not have domain IPSec policy assigned to them. You can configure IPSec policies to:

  • Specify the levels of authentication and confidentiality required between IPSec clients.

  • Specify the lowest security level at which communications are allowed to occur between IPSec-aware clients.

  • Allow or prevent communications with non-IPSec-aware clients.

  • Require all communications to be encrypted for confidentiality or you can allow communications in plaintext.

Consider using IPSec to provide security for the following applications:

  • Peer-to-peer communications over your organization's intranet, such as legal department or executive committee communications.

  • Client-server communications to protect sensitive (confidential) information stored on servers. For file share points that require user access controls, consider using IPSec to ensure that other network users cannot see the data as it is being communicated.

  • Remote access (dial-up or virtual private network) communications. (For virtual private networks using IPSec with L2TP, remember to set up Group Policy to permit autoenrollment for IPSec computer certificates. For detailed information about computer certificates for L2TP over IPSec VPN connections, see Windows 2000 Help.)

  • Secure router-to-router WAN communications.

Consider the following strategies for IPSec in your network security deployment plan:

  • Identify clients and servers to use IPSec communications.

  • Identify whether client authentication is based on Kerberos trust or digital certificates.

  • Describe how each computer will initially receive the proper IPSec policy and will continue to receive policy updates.

  • Describe the security rules inside each IPSec policy. Consider how certificate services are needed to support client authentication by digital certificates.

  • Describe enrollment process and strategies to enroll computers for IPSec certificates.