Summary


In this chapter, we took a close look at Windows Server 2003’s implementation of IPSec. We first provided an overview of the goals and purposes of IPSec, and then we discussed the features built into Microsoft’s implementation, including the IPSec management console, IPSec integration with Active Directory, supported authentication methods, and backward compatibility with Windows 2000.

You learned some of the terminology and concepts used in discussing IPSec. Specifically, you learned about the two primary protocols used by IPSec: AH and ESP. You learned that AH provides data authentication and integrity, and that ESP provides those same services and adds data confidentiality. AH and ESP can be used separately or together.

You learned that an SA is an agreement between two IPSec-enabled computers as to the security settings that will be used for a communication session. The SA is negotiated according to the settings on each computer.

Then you learned about the key-management and key-exchange protocols associated with IPSec, including ISAKMP and IKE, the Oakley key-determination protocol, and the Diffie-Hellman key-generation protocol. You learned about the DES and 3DES encryption algorithms and the MD5 and SHA hashing algorithms.

We covered the basics of how SAs function, and you learned that IKE uses a bidirectional SA called a main mode SA. However, the SAs used by IPSec itself are unidirectional, and there are two per communication: one for outbound and one for inbound traffic.

We discussed the purposes of security—authentication, integrity, and confidentiality—along with the related concept of nonrepudiation. You learned that authentication deals with verification of identity, integrity ensures that data has not been changed, and confidentiality “scrambles” the data so it cannot be read by unauthorized persons. Nonrepudiation is a way to ensure that the sender of a message will not be able to later deny sending it.

You learned about the two modes in which IPSec can operate: tunnel mode and transport mode. We examined how tunnel mode is used primarily between gateways or between a server and a gateway. You learned that transport mode, on the other hand, provides end-to-end security (from the originating computer to the destination).

We examined the role of the IPSec driver, and you learned that it matches packets against the filter list and applies the specified filter actions.

You learned how to plan an IPSec deployment, and how to use the IPSec extensions for the new Windows Server 2003 tool, Resultant Set of Policy (RSoP), to learn what the effects of IPSec policies will be. We took a look at the default policies and how you can use the IPSec management console to enable or modify them. You learned that there are three default policies: Client (Respond Only), Server (Request Security), and Server (Require Security). You also learned about creating custom policies.

We also discussed how to use the command-line tool netsh with the ipsec context, which is new to Windows Server 2003. You learned that this context operates in one of two modes: static mode, which performs the same basic functions as the IP Security Policy Management MMC, and dynamic mode, which displays the current state of IPSec and immediately changes the running IPSec configuration.
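As an added example (not from the book), the following cmd.exe script shows the two netsh ipsec modes side by side: static mode builds and assigns a custom policy equivalent to what the IP Security Policy Management MMC produces, and dynamic mode then reads back the live main mode and quick mode SAs. The policy, filter list, filter action and rule names are assumptions chosen for this example; the option names follow the Windows Server 2003 netsh ipsec syntax.

```batch
@echo off
rem Added example, not the book's own code. Object names below are assumptions.

rem --- static mode: the same objects the IP Security Policy Management MMC builds ---

rem 1. The policy object. mmsecmethods lists the main mode (IKE) proposal:
rem    3DES encryption, SHA1 integrity, Diffie-Hellman group 2.
netsh ipsec static add policy name="Example-Request-Security" ^
    description="Request ESP for SMB traffic, fall back to clear text" ^
    mmsecmethods="3DES-SHA1-2"

rem 2. A filter list with one mirrored filter: TCP 445 (SMB) between this
rem    computer ("me") and any peer, in both directions.
netsh ipsec static add filterlist name="Example-SMB-Filters"
netsh ipsec static add filter filterlist="Example-SMB-Filters" ^
    srcaddr=me dstaddr=any protocol=TCP dstport=445 mirrored=yes

rem 3. A filter action that negotiates security but still allows unsecured
rem    communication with peers that are not IPSec-aware (soft=yes), which is
rem    how the built-in Server (Request Security) policy behaves.
rem    qmsecmethods is the quick mode (ESP) proposal: 3DES with SHA1.
netsh ipsec static add filteraction name="Example-Negotiate" ^
    action=negotiate soft=yes inpass=yes qmsecmethods="ESP[3DES,SHA1]"

rem 4. A rule tying the filter list and filter action to the policy, with
rem    Kerberos (Active Directory) authentication.
netsh ipsec static add rule name="Example-SMB-Rule" ^
    policy="Example-Request-Security" ^
    filterlist="Example-SMB-Filters" filteraction="Example-Negotiate" ^
    kerberos=yes

rem 5. Assign the policy (only one policy can be assigned at a time) and
rem    review the result.
netsh ipsec static set policy name="Example-Request-Security" assign=y
netsh ipsec static show policy name="Example-Request-Security" level=verbose

rem --- dynamic mode: live state. Generate some SMB traffic to a domain peer
rem     first; a main mode SA (IKE) and a pair of quick mode SAs (one inbound,
rem     one outbound) should then appear for that peer. ---
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
netsh ipsec dynamic show stats
```

If the peer is not IPSec-aware, the soft=yes setting means traffic still flows in clear text and no quick mode SAs appear for it, which is exactly the fallback the Server (Request Security) default policy permits.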

Finally, you learned about troubleshooting problems with IPSec, using handy tools such as the IP Security Monitor console and the Network Monitor.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173
