Network Data Protection


Network data within your site (local network and subnets) is secured by the authentication protocol. For an additional level of security, you can also choose to encrypt network data within a site. Using Internet Protocol security (IPSec), you can encrypt all network communication for specific clients or for all clients in a domain. Network data passing in and out of your site (across intranets, extranets, or an Internet gateway) can be secured by using the following utilities:

  • Internet Protocol Security (IPSec)

    Comprises a suite of cryptography-based protection services and security protocols

  • Routing and Remote Access

    Configures remote access protocols and routing

  • Internet Authentication Service (IAS)

    Provides security and authentication for dial-in users

Internet Protocol Security

The long-term direction for secure networking, IPSec is a suite of cryptography-based protection services and security protocols. Because it requires no changes to applications or protocols, you can easily deploy IPSec on existing networks.

IPSec provides computer-level authentication, as well as data encryption, for virtual private network (VPN) connections that use the Layer 2 Tunneling Protocol (L2TP). IPSec is negotiated between your computer and an L2TP-based VPN server before an L2TP connection is established. This negotiation secures both passwords and data. Over IPSec, L2TP uses standard PPP-based authentication protocols, such as Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2, CHAP, Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol (PAP).

Encryption is determined by the IPSec Security Association (SA). A security association is a combination of a destination address, a security protocol, and a unique identification value called a Security Parameters Index (SPI). The available encryption algorithms include the following:

  • Data Encryption Standard (DES), which uses a 56-bit key

  • Triple DES (3DES), which uses three 56-bit keys and is designed for high-security environments
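The SA identification described above, as an added example that is not from the book: it extracts the destination address, security protocol, and SPI from a minimal IPv4 packet carrying ESP or AH, looks up the matching SA, and flags associations that still use 56-bit DES. The packets and the SA database entries are constructed here for illustration.

```python
import struct
from dataclasses import dataclass

ESP, AH = 50, 51                     # IP protocol numbers of the IPsec security protocols
KEY_BITS = {"DES": 56, "3DES": 168}  # DES: one 56-bit key; 3DES: three 56-bit keys


@dataclass(frozen=True)
class SecurityAssociation:
    cipher: str   # "DES" or "3DES"
    peer: str     # descriptive label only (constructed)


def parse_sa_selector(packet: bytes):
    """Return the (destination address, security protocol, SPI) triple that
    identifies the SA for an IPv4 packet carrying ESP or AH, else None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto = packet[9]
    dst = ".".join(str(b) for b in packet[16:20])
    if proto == ESP:
        spi_off = ihl                          # ESP header begins with the SPI
    elif proto == AH:
        spi_off = ihl + 4                      # AH: next hdr, len, reserved, then SPI
    else:
        return None
    if len(packet) < spi_off + 4:
        return None
    (spi,) = struct.unpack("!I", packet[spi_off:spi_off + 4])
    return dst, proto, spi


def classify(packet: bytes, sad: dict) -> str:
    """Look the packet's selector up in the SA database and rate the cipher."""
    sel = parse_sa_selector(packet)
    if sel is None:
        return "not-ipsec"
    sa = sad.get(sel)
    if sa is None:
        return "unknown-sa"
    # 56-bit DES falls well below the 112-bit effective strength usually required
    return "weak-des" if KEY_BITS[sa.cipher] < 112 else "ok"


def build_packet(dst: str, proto: int, spi: int) -> bytes:
    """Constructed sample: minimal IPv4 header plus an ESP or AH header."""
    if proto == ESP:
        body = struct.pack("!II", spi, 1)                 # SPI, sequence number
    else:
        body = struct.pack("!BBHII", 50, 4, 0, spi, 1)    # AH fixed fields, SPI, seq
    dst_bytes = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto, 0, b"\x0a\x00\x00\x01", dst_bytes)
    return hdr + body
```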

Routing and Remote Access

The Routing and Remote Access service for the Windows Server 2003 family is a full-featured software router and is an open platform for routing and internetworking. It offers routing services to businesses in LAN and WAN environments or over the Internet by using secure VPN connections.

An advantage of the Routing and Remote Access service is integration with the Windows Server 2003 family. The Routing and Remote Access service delivers many cost-saving features, and it works with a wide variety of hardware platforms and hundreds of network adapters. The Routing and Remote Access service is extensible with application programming interfaces (APIs) that developers can use to create custom networking solutions and that new vendors can use to participate in the growing business of open internetworking.

Internet Authentication Service

Internet Authentication Service (IAS) in the Standard Edition, Enterprise Edition, and Datacenter Edition of Windows Server 2003 is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy:

  • As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, remote access dial-up, and VPN connections.

  • As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. RADIUS is an Internet Engineering Task Force (IETF) standard.


Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153