Chapter 6: Configuring and Troubleshooting Windows IP Security

Introduction

Chapter 5 discussed how encryption (in the form of the Encrypting File System [EFS]) can be used to protect data stored on disk. Equally important to today's network administrator is the protection of sensitive data as it travels across a network. In the early days of networking, local area networks (LANs) were lone entities. These isolated networks typically ran NetBIOS Extended User Interface (NetBEUI) in small workgroups of fewer than 200 computers and were not connected to any other networks. The major security concerns in this isolated environment typically revolved around employees located at the site. Security efforts focused on local access controls, such as locking down disk drives on employee workstations and checking briefcases and handbags for printed materials. Extremely sensitive data was encrypted on disk.

Today's networks are very different from the isolated NetBEUI networks of yesteryear. Most likely, your network is connected to other networks, including the global Internet, by way of dedicated leased lines or your organizational remote access server (RAS). Some workstations on your LAN might even have their own link to the outside via a modem and phone line.

Each of these points of access represents an ever-increasing security risk. In the "old" days, electronic documents had to be copied to a disk or printed in order to leave the company's premises; now, transporting data is as easy as sending an e-mail attachment over the Internet. Your organization's prized database can easily be posted to an electronic newsgroup. Hackers can penetrate the network and gain usernames and passwords that allow them to bypass normal access controls. Innocent experimentation by fledgling systems engineers and power users can corrupt or destroy data just as effectively as the actions of the most malignant hackers.

Effective network security standards are the sum total of a well-planned and carefully implemented security infrastructure. These measures include hardware security, file and folder access controls, strong passwords, smart cards, social security, physical sequestration of servers, file encryption, and protection of data as it moves across the wire within the organizational intranet and as it moves outside the organization.

This chapter focuses on protecting the integrity and confidentiality of information while it is in transit across a network. First, we look at some of the common security risks incurred as data moves across the wires. Next, we discuss the basics of cryptography and how these basic tasks function within the framework of Microsoft's implementation of the industry-standard Internet Protocol Security (IPSec). Finally, we cover the specifics of implementing IPSec in your network.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162