Chapter Summary

Previous page
Table of content
Next page

  < Day Day Up > 


  • Use IPSec in transport mode to protect communications between two IPSec- enabled computers. Use IPSec in tunnel mode when protecting communications to an entire network.

  • Main Mode IKE negotiations occur at the beginning of a session. Quick Mode negotiations occur immediately after Main Mode negotiations complete, and then recur on a regular basis while the session is active.

  • You can choose to use either the AH or ESP protocol with IPSec. You will usually use ESP, because ESP provides encryption and is compatible with NAT-T. Use AH only when you specifically do not want to encrypt traffic.

  • IPSec can be used to provide packet filtering for Windows systems. It compliments ICF by providing filtering based on source or destination IP addresses.

  • You should use GPOs to deploy IPSec whenever practical. However, you should limit access to modify the IPSec policies to the smallest number of administrators possible to reduce the opportunity for both human error and abuse.

  • Use Kerberos authentication when all IPSec peers are members of a trusted Active Directory forest. Use public key certificates for IPSec authentication when Active Directory does not exist, or when some computers are external to your organization. Use preshared key authentication only when neither Kerberos nor public key certificates can be used to authenticate IPSec connections.

  • Windows Server 2003 IP filters can be dynamic, being defined by IPSec based on the host’s network configuration information. Dynamic IP filter lists can be created by using the IP addresses of DNS servers, DHCP servers, WINS servers, and the default gateway.

  • IP security policies can be defined on the local computer by using the IP Security Policy Management snap-in. To configure policy for an entire domain, use Group Policy Object Editor. For scripting purposes, IP security policies can also be configured from the command line by using Netsh.

  • If you use public key certificates to authenticate IPSec sessions, you should configure Windows 2000 to check CRLs. Windows XP and Windows Server 2003 automatically check CRLs.


  < Day Day Up > 


Previous page
Table of content
Next page
MCSA(s)MCSE Self-Paced Training Kit Exam 70-299 (c) Implementing and Administering Security in a M[. .. ]twork
MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a MicrosoftВ® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
Authors: Anthony Northrup, Orin Thomas
BUY ON AMAZON
Database Modeling with MicrosoftВ® Visio for Enterprise Architects (The Morgan Kaufmann Series in Data Management Systems)
Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project
SQL Hacks
Introduction to 80x86 Assembly Language and Computer Architecture
Twisted Network Programming Essentials
Junos Cookbook (Cookbooks (OReilly))
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy