July 30, 2001 12:00 AM

Security Considerations for Migrating from NT to Win2K, Part 4

Windows IT Pro
InstantDoc ID #21676
Learn how to implement and configure PKI in Win2K

In "Security Considerations for Migrating from NT to Win2K, Part 3," July 2001, I discussed what public key infrastructure (PKI) and Encrypting File System (EFS) can do for Windows 2000 system security. In Part 4, I look at the additional security that IP Security (IPSec) can provide for Active Directory (AD) domains and even for individual Win2K workstations that need to connect securely to one another.

IPSec: Seamless Security
Among the security improvements you'll realize after a Win2K migration is the inclusion of IPSec services. IPSec can provide machine authentication, data authentication, data-integrity protection, data confidentiality, and antireplay protection for end-to-end network connections (e.g., client/server). IPSec can also help secure remote access connections when users dial in from their client machines to remote servers over any private or public IP-based network by using Layer 2 Tunneling Protocol (L2TP). However, IPSec isn't recommended for VPN applications because of the security problems inherent in transferring data, and typically weak shared keys, across public connections such as the Internet. IPSec is best suited for securing connections such as Web or Win2K Server Terminal Services connections.

L2TP is a combination of Microsoft's PPTP and Cisco Systems' Layer 2 Forwarding (L2F). The Internet Engineering Task Force (IETF) didn't want to have two incompatible and competing technologies, so it mandated that Microsoft and Cisco work together to combine these two technologies into L2TP. L2TP encapsulates Point-to-Point Protocol (PPP) packets into IP packets, then uses IPSec to encrypt the packets to provide another layer of security.

Microsoft and Cisco also worked together to develop the IPSec services in Win2K. With AD, you can use Group Policies to define IPSec policies that you want to implement across the domain. When you implement the Internet Key Exchange (IKE) in Win2K, you can use three authentication methods:

  • Kerberos—provides authentication between computers in one Win2K domain or across multiple trusted Win2K domains. Kerberos is the strongest, most secure authentication method.
  • Certificates—uses Win2K Certificate Services or another third-party trusted certificate source (e.g., Entrust, VeriSign) for authentication.
  • Preshared keys—uses passwords that come in the form of preshared authentication keys to establish secure connections between systems. Preshared keys can't provide data-packet protection. Preshared-key authentication is the most basic, least secure authentication method.

When two IPSec-enabled computers establish a connection with each other, they first generate encryption keys (i.e., session keys) to encrypt the application data they send and receive. Only those two computers know the session keys, which helps protect the application data from malicious network sniffers or packet-capture software. The computers then decide the type of authentication to use for the connection based on the policies in place and the authentication methods available to each system (i.e., Kerberos, certificates, or preshared keys). During this process, the systems refresh the session keys at intervals set in the IPSec policy.
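A defender's check for the three IKE authentication methods described above, ranked the way the article ranks them (Kerberos strongest, certificates next, preshared keys weakest). This is an added example, not code from the article: it assumes the NetSecurity PowerShell module (Windows 8 / Server 2012 and later, not Win2K), that Get-NetIPsecPhase1AuthSet exposes each auth set's proposals in a Proposal property whose AuthenticationMethod values are named MachineKerberos, MachineCert, PreSharedKey and so on, and that 'ActiveStore' is a valid -PolicyStore value for the policy currently enforced (including Group Policy-delivered IPSec policy).

```powershell
# Added audit example (not from the article). Assumes the NetSecurity module
# (Windows 8 / Server 2012 and later, not Win2K); cmdlet and property names
# below are as understood for that module, not verified against Win2K tools.
Import-Module NetSecurity

# Rank methods as the article ranks them: Kerberos strongest, certificates next,
# preshared keys weakest. Any other value is treated as unranked (score 0).
$script:AuthRank = @{
    'MachineKerberos' = 3; 'UserKerberos' = 3
    'MachineCert'     = 2; 'UserCert'     = 2
    'PreSharedKey'    = 1
}

function Get-IPsecAuthAudit {
    [CmdletBinding()]
    param(
        # 'ActiveStore' = policy currently in force (local + GPO); assumed valid value.
        [string]$PolicyStore = 'ActiveStore'
    )

    Get-NetIPsecPhase1AuthSet -PolicyStore $PolicyStore | ForEach-Object {
        # Collect the method names offered by this Phase 1 (IKE main mode) auth set.
        $methods = @($_.Proposal | ForEach-Object { [string]$_.AuthenticationMethod })
        $scores  = @($methods | ForEach-Object {
            if ($script:AuthRank.ContainsKey($_)) { $script:AuthRank[$_] } else { 0 }
        })
        $best = 0
        if ($scores.Count -gt 0) { $best = ($scores | Measure-Object -Maximum).Maximum }

        # A set that offers only preshared keys is the article's weakest case.
        $finding = switch ($best) {
            3       { 'OK: Kerberos available' }
            2       { 'OK: certificate-based' }
            1       { 'REVIEW: preshared key only' }
            default { 'REVIEW: no recognised method' }
        }

        [pscustomobject]@{
            AuthSet   = $_.DisplayName
            Methods   = ($methods -join ', ')
            UsesPSK   = ($methods -contains 'PreSharedKey')
            Finding   = $finding
        }
    }
}

# Usage: list every Phase 1 auth set and flag the ones to review.
Get-IPsecAuthAudit | Format-Table -AutoSize
```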

IPSec is particularly effective in several scenarios, including

  • establishing user-to-user connections (e.g., two engineers requiring secure IP communications to transfer sensitive data)
  • establishing secure connections to internal network servers (e.g., a user connecting to a secure server that stores sensitive data)
  • locking down inbound connections to servers that have a direct connection to the Internet, which helps secure the initial authentication to the server when an outside user connects remotely through a VPN tunnel

Let's look at how you can use IPSec to establish user-to-user connections.
