Chapter 8


Review Questions

1. What IPSec policies does Windows Server 2003 provide by default?

2. Why is IPSec so important in a routed environment?

3. What is Kerberos used for in Windows Server 2003?

4. You are planning a new IPSec policy for use on your internal network between your Financial subnet and your Accounting subnet. What authentication methods will you have to select from when creating this new policy?

5. What functions does AH provide in IPSec?

Answers to Review Questions

1. Windows Server 2003 comes with the following three preconfigured IPSec policies that may or may not meet your needs:

  • Client (Respond Only): This policy requires IPSec-provided security only when another computer requests it. This policy allows the computer to attempt unsecured communications first and switch to IPSec-secured communications if requested. This policy contains the default response rule, which creates dynamic IPSec filters for inbound and outbound traffic based on the requested protocol and port traffic for the communication that is being secured. This policy, which can be used on workstations and servers alike, provides the minimum amount of IPSec security.

  • Server (Request Security): This policy requests security from the other computer and allows unsecured communication with non-IPSec-aware computers. The computer accepts inbound unsecured traffic but always attempts to secure further communications by requesting IPSec security from the sending computer. If the other computer is not IPSec-enabled, the entire communication is allowed to be unsecured. This policy, which can be used on workstations and servers alike, provides a medium level of IPSec security.

  • Secure Server (Require Security): This policy is implemented on computers that require highly secure communications, such as servers transmitting sensitive data. The filters in this policy require all outbound communication to be secured, allowing only the initial inbound communication request to be unsecured. This policy has a rule to require security for all IP traffic, a rule to permit ICMP traffic, and the default response rule to respond to requests for security from other computers. This policy, typically used only on servers, provides the highest level of IPSec security on a network. This policy can also be used on workstation computers if you want. Non-IPSec-enabled computers cannot establish any communications with computers using this policy.

You can opt to either use one of the preconfigured policies that comes with Windows Server 2003 or create your own policy. You can also modify the preconfigured policies to suit your needs if you want. For more information, see the section "Configuring and Implementing IPSec."

2. IPSec provides data integrity between two host IDs. The data and identity are safe and kept from being changed or read by other users through intermediary software. For more information, see the section "Monitoring and Troubleshooting Network Protocol Security."

3. The Kerberos version 5 protocol is used for user authentication in Windows 2000 and newer networks. For more information, see the section "Monitoring and Troubleshooting Kerberos."

4. IPSec on Windows Server 2003 can use Kerberos v5, a digital certificate, or a shared secret (string) for user authentication. For more information, see the section "What's New with Windows Server 2003 IPSec."

5. The IPSec AH provides three services as part of the IPSec protocol. First (as its name might suggest), AH authenticates the entire packet. Second, it ensures data integrity. Third, it prevents any replaying of the packet by a third party who might be trying to penetrate the IPSec tunnel. One service AH doesn't provide is payload encryption. AH protects your data from modification, but an attacker who is snooping the network would still be able to read the data. For more information, see the section "Authentication Header (AH)."




MCSA/MCSE 70-291: Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (Exam Prep)
ISBN: 0789736497
EAN: 2147483647
Year: 2006
Pages: 196
Authors: Will Schmied
