Protecting Communications with IP Security


IP Security (IPSec) is a mechanism, applied as a policy, for establishing end-to-end encryption of all data packets sent between computers. IPSec operates at Layer 3 (the network layer) of the OSI model, so it protects the IP packets themselves and therefore covers all traffic between computers participating in the IPSec policy, regardless of which application generated it.

IPSec is often considered to be one of the best ways to secure the traffic generated in an environment, and is useful for securing servers and workstations, both in high-risk Internet access scenarios and also in private network configurations as an enhanced layer of security.

Fundamentals of IPSec

As mentioned earlier, all traffic between participating computers (whether initiated by an application, the operating system, a service, and so on) is encrypted. IPSec places its own header on each encrypted packet and sends the packet to the destination computer, which decrypts it. The primary advantage is that this prevents eavesdropping on the wire and discourages unauthorized access.

As you can imagine, IPSec requires additional processing overhead in order to efficiently encrypt and decrypt data as it moves among the participating computers. There are network interface cards (NICs) that have built-in support for IPSec and which offload much of the processing overhead. These NICs are highly recommended in a production environment.

Key IPSec Functionality

IPSec in Windows Server 2003 provides the following key functionality:

  • Data Privacy: All information sent from one IPSec machine to another is encrypted by algorithms such as 3DES, which effectively prevents unauthorized viewing of sensitive data.

  • Data Integrity: The integrity of IPSec packets is enforced through ESP headers, which verify that the information contained within an IPSec packet has not been tampered with.

  • Anti-Replay Capability: IPSec prevents captured streams of packets from being resent, which is known as a "replay" attack.

  • Per-Packet Authenticity: IPSec uses certificates or Kerberos authentication to ensure that the sender of an IPSec packet is actually an authorized user.

  • NAT Traversal: Windows Server 2003's implementation of IPSec now enables IPSec traffic to be routed through current NAT implementations, a concept that is defined more thoroughly in the following sections.

  • Diffie-Hellman 2048-Bit Key Support: Virtually unbreakable Diffie-Hellman 2048-bit key lengths are supported in Windows Server 2003's IPSec implementation, assuring that the IPSec key cannot easily be broken.

IPSec NAT Traversal (NAT-T)

IPSec in Windows Server 2003 supports the concept of Network Address Translation Traversal (NAT-T). Understanding how NAT-T works requires first understanding why NAT itself is needed.

Network Address Translation (NAT) was developed because not enough IP addresses were available for all the clients on the Internet. Because of this, private IP ranges were established (10.x.x.x, 192.168.x.x, and so on) to enable every client in an organization to have a unique IP address within its own private space. These addresses are designed not to be routed through the public IP address space, so a mechanism was needed to translate them into a valid, unique public IP address.

NAT was developed to fill this role. It normally resides on firewall servers or routers, which provide the translation between private and public networks. RRAS for Windows Server 2003 also provides NAT capabilities.

Because NAT must rewrite addresses in the packet as it passes, and the IPSec packet is constructed so that such rewriting is not permitted, IPSec traffic has in the past been dropped at NAT devices: there was no way to route the information to its proper destination. This posed a major barrier to the widespread implementation of IPSec, because many of the clients on the Internet today are addressed via NAT.

NAT Traversal, which is a new feature in Windows Server 2003's IPSec implementation, was jointly developed as an Internet standard by Microsoft and Cisco Systems. NAT-T works by detecting that a NAT network needs to be traversed and then encapsulating the entire IPSec packet inside a UDP packet with a normal UDP header. NAT handles UDP packets without difficulty, so the packets are routed to the proper address on the other side of the NAT.

NAT Traversal works well but requires that both ends of the IPSec transaction understand the protocol, so that the receiver can properly pull the IPSec packet back out of its UDP encapsulation. With the latest IPSec client and server, NAT-T becomes a reality and positions IPSec for much wider adoption than it enjoys today.
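As an added example, not from the book: the following Python sketches what a NAT-T receiver does when it pulls the IPSec packet back out of the UDP encapsulation described above, and then applies the per-packet anti-replay check listed under key functionality. The UDP port (4500), the four-byte non-ESP marker and the sliding-window algorithm come from RFC 3948 and RFC 4303 rather than from this page, and the datagrams are constructed sample bytes.

```python
import struct

# Assumptions (not from the book): NAT-T carries IKE and ESP on UDP port 4500 and
# prefixes IKE with a 4-byte all-zero "non-ESP marker" (RFC 3948); a real ESP SPI
# is never 0, so the marker cannot be confused with an ESP header.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

def classify_nat_t_payload(udp_payload: bytes):
    """Return ("ike", bytes), ("esp", spi, seq, bytes) or ("malformed", None)."""
    if len(udp_payload) < 4:
        return ("malformed", None)
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", udp_payload[4:])
    if len(udp_payload) < 8:          # ESP header = SPI (4 bytes) + sequence (4 bytes)
        return ("malformed", None)
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return ("esp", spi, seq, udp_payload)

class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 4303 style)."""
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                 # sequence 0 is never valid on an SA
        if seq > self.top:               # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                 # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                 # already received: replay
        self.bitmap |= 1 << offset
        return True

def demo():
    # Constructed sample: one IKE datagram, then ESP with sequence numbers 1,3,2,3,20,5.
    window = ReplayWindow(size=8)
    datagrams = [NON_ESP_MARKER + b"\x22" * 8] + [
        struct.pack("!II", 0x1234ABCD, s) + b"ciphertext" for s in (1, 3, 2, 3, 20, 5)]
    decisions = []
    for d in datagrams:
        kind = classify_nat_t_payload(d)
        decisions.append(window.accept(kind[2]) if kind[0] == "esp" else kind[0])
    return decisions  # ['ike', True, True, True, False, True, False]
```

The repeated sequence number 3 and the stale sequence number 5 (outside the 8-packet window once 20 has arrived) are the packets a replay attack would resend, and both are rejected.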



Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto
