Planning Security


IP does not have a default security mechanism. Without security, both public and private IP networks are susceptible to unauthorized monitoring and access. To prevent these types of security breaches, develop a security strategy for your IP deployment in tandem with your overall network security plan.

Ways that you can enhance security when deploying IP include:

  • Securing IP packets. Provide end-to-end security by securing IP packets, which requires that you not use address translation (unless both peers support IPSec NAT-T and use ESP to protect traffic). IPSec is the most efficient way to provide a secure data stream.

  • Deploying a perimeter network. Use a perimeter network to help secure your internal network from intrusion. Several options are available for doing this.

Figure 1.10 shows the tasks involved in incorporating IPSec and a perimeter network in your IP security plan.

Figure 1.10: Planning IP Security

Using IPSec

Effective integration with IPSec is becoming increasingly important to the secure deployment of IP in an enterprise internetwork. IPSec is a framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The implementation of IPSec that runs on Windows Server 2003, Windows XP, and Windows 2000 is based on standards developed by the IETF IPSec working group.

IPSec provides a comprehensive technology for securing networks. However, the larger your organization, the more planning and engineering are required to implement IPSec. Assess the relative importance of your information resources — domain controllers, mail servers, and financial servers may rank high among the resources you want to protect. Include confidentiality considerations in your assessment. For example, many organizations might target Human Resources information for IPSec protection. After identifying the critical information resources to secure, configure IPSec policies as appropriate on those computers.

Windows Server 2003 uses the IPSec protocol suite to protect data traffic as it crosses a network. Although file encryption and required passwords protect information stored on network resources, they do not protect information as it moves across a network.

By implementing IPSec, you can secure the following types of data:

  • Data that moves across the part of your intranet that external users do not access.

  • Data that moves across the part of your intranet that can be accessed by external users who have appropriate permissions.

  • Data that moves across the Internet.

  • Data that moves across an extranet.

IPSec security protects the content of IP packets from both active and passive attacks. In an active attack, a hacker modifies existing data or adds false data. In a passive attack, an intruder reads data.

IPSec secures communication through the following methods:

  • Peer authentication. IPSec verifies the identity of each computer. Each peer sends security credentials that are verified by the peer at the other end of the connection. Windows Server 2003 IPSec provides multiple methods of peer authentication.

  • Data origin authentication. IPSec includes with each packet of protected data a cryptographic checksum calculated with a shared secret key, so the receiver can verify that the packet was sent by a peer that knows the secret key.

  • Confidentiality (data encryption). IPSec offers confidentiality by encrypting data before transmission, ensuring that the data cannot be read during transmission — even if an attacker monitors or intercepts the packet. IPSec encryption is applied at the IP network layer, which makes it transparent to applications that use TCP or User Datagram Protocol (UDP) for network communication.

  • Integrity. IPSec protects data from unauthorized modification in transit, ensuring that the information received is exactly the same as the information sent.

  • Anti-replay. IPSec ensures that any attacker who might intercept data cannot reuse or replay that data to establish a session or to illegally gain information or access to resources.

Deploying IPSec requires careful planning. For more information about deploying IPSec, see "Deploying IPSec" in this book. For more technical information about IPSec, see the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at http://www.microsoft.com/reskit).

Using a Perimeter Network

A perimeter network protects your intranet or enterprise LAN from intrusion by controlling access from the Internet or other large network. The perimeter network (also known as a demilitarized zone or DMZ) is bounded by firewalls. A firewall is not a single component, but rather a system or combination of systems that enforces a boundary between two or more networks.

Figure 1.11 shows a perimeter network bounded by firewalls placed between a private network and the Internet in order to secure the private network.

Figure 1.11: Perimeter Network Securing an Internal Network

Organizations vary in their use of firewalls for providing security. IP packet filtering offers weak security, is cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and easier to manage because they pertain only to a few specific applications, such as a particular e-mail system. Circuit gateways are most effective when the user of a network application is of greater concern than the data being passed by that application. The proxy server — the recommended solution — is a comprehensive security tool that includes an application gateway, safe access for anonymous users, and other services.

IP packet filtering. You can configure packet filtering, the earliest implementation of firewall technology, to accept or deny specific types of packets. Packet headers are examined for source and destination addresses, TCP and UDP port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. You cannot use IP packet filtering when IP packet payloads are encrypted because the port numbers are encrypted and therefore cannot be examined.

In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection.
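
The following added example (not from the original text) shows a header-only packet filter of the kind described above and what it can and cannot see once a payload is protected by ESP (IP protocol 50). The rule set, the addresses from documentation ranges, and the helper names ipv4_packet, tcp_segment, esp_payload and filter_packet are constructed for illustration.

```python
import ipaddress
import struct

# Constructed rule set (assumption): first match wins, default deny.
# (action, source network, IP protocol number, destination port or None)
RULES = [
    ("allow", "0.0.0.0/0", 6, 80),        # TCP to the perimeter web server
    ("allow", "192.0.2.0/24", 17, 53),    # UDP DNS from a partner network
    ("allow", "192.0.2.0/24", 50, None),  # ESP from the partner gateway
]

def ipv4_packet(src, proto, l4, dst="203.0.113.10"):
    """Build a constructed 20-byte IPv4 header (checksum left 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + l4

def tcp_segment(dport):
    """Constructed TCP header start: source port, destination port, padding."""
    return struct.pack("!HH", 40000, dport) + bytes(16)

def esp_payload():
    """Constructed ESP payload: SPI, sequence number, then opaque ciphertext."""
    return struct.pack("!II", 0x1000, 1) + bytes(range(32))

def filter_packet(pkt):
    """Decide from header fields only; returns (action, visible destination port)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    # For ESP (protocol 50) the inner ports are encrypted, so dport stays None.
    for action, net, rule_proto, rule_port in RULES:
        if src in ipaddress.ip_network(net) and proto == rule_proto:
            if rule_port is None or rule_port == dport:
                return action, dport
    return "deny", dport

if __name__ == "__main__":
    print(filter_packet(ipv4_packet("198.51.100.7", 6, tcp_segment(80))))
    print(filter_packet(ipv4_packet("198.51.100.7", 6, tcp_segment(23))))
    print(filter_packet(ipv4_packet("192.0.2.9", 50, esp_payload())))
```

For the ESP packet the filter can match only on address and protocol number, so the rule for the partner gateway is all-or-nothing: per-port policy has to be enforced where the traffic is decrypted.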

Application gateways. Used when the actual content of an application is of greatest concern, application gateways do not adapt easily to changes in technology. However, unlike IP packet filtering, application gateways can be used in conjunction with encryption.

Circuit gateways. As tunnels connecting specific processes or systems on each side of a firewall, circuit gateways are best employed in situations where the person using an application is potentially a greater risk than the information that the application carries. The circuit gateway differs from a packet filter in its capability for connecting to an out-of-band application scheme that can add additional information.

Proxy servers. Proxy servers are comprehensive security tools that include firewall and application gateway functionality to manage Internet traffic to and from a private intranet. Proxy servers also provide document caching and access control. A proxy server can improve performance by caching and directly supplying frequently requested data such as a popular Web page. A proxy server also can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

Take advantage of those firewall security features that can help you. Position a perimeter network in your network topology at a point where all traffic from outside the corporate network must pass through the perimeter that the external firewall maintains. You can fine-tune access control for the firewall to meet your needs and can configure firewalls to report all attempts at unauthorized access.




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
