• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 403
  • Last Modified:

IPSEC Practice

Would it be good practice in a Network, where there are 7 servers (Win 2000 and Win 2003), connected by a GB Switch, to use IPSEC on the traffic between the Servers?
If not, what are any suggestions on when to use IPSEC.
Any related Websites would be helpful.

Thanks in advance... Michael
0
Linux_Hawk
Asked:
Linux_Hawk
1 Solution
 
yasuoCommented:
I would recommend researching this topic in depth as there is quite a bit to the design and proper setup of an IPSEC network.

That said, I find this article good for in-general topics on "is it needed" security:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Also, here is an additional white-paper on the design and use of IPSEC in the corporation on Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a774012a-ac25-4a1d-8851-b7a09e3f1dc9&displaylang=en



To comment however...it is always good practice to excercise as much security as convenient and comfortable. I.E: it would not be good to enable IPSEC on your servers etc. without evaluating the overall impact to your business practices and ease of operation. If it requires a serious adaptation and engagement to your administrative/management or userbase then it could be a disadvantage. Additionally, it also depends on the endpoints you are using for security, if you mean client-server IPSEC security this can be a daunting task, especially for a new user/employee or otherwise trying to connect a computer to the network or server for the first time. It can also mean an administrative nightmare in troubleshooting.

Again you also must take into account that all traffic encrypted is not capable of being reviewed by an Intrusion Detection System between the client-server later on as well. Server-Server traffic can be a good thing, and in practice I personally try to secure and encrypt as much as I can comfortably accomodate. There are however specific areas where flexibility is not an option (such as VPN tunnels, specific traffic networks and/or private servers) in which case full security is afforded.

Bottom line is, what level of exposure to traffic does your servers have, do they require utmost security given the data  store on them? Seeing as you are on a switch, sniffing is difficult without performing a man-in-the-middle operation. Aside from that, if you are a company that needs to ensure a high-degree of security amongst their servers then it might necessarily be a positive and necessary effort. I would in any event ensure that I fully understood my final implementation and had tested it within a private lab/sandbox if possible before attempting such a task.
0
 
Tim HolmanCommented:
IPSEC is a standards-based encryption method designed for securing traffic over a public medium.  As your network isn't public, it doesn't need IPSEC.
Why do you think you need to do this ?
On a LAN level, IPSEC is too resource and bandwidth intensive to use, bearing in mind there is a lot of overhead in error checking, strong encryption and multi-vendor support necessary for traversing across the Internet.
I would recommend a hardware / L2 encryption device as an alternative - eg X-Cryptor, http://www.bemac.com/ISec/section2.asp?S2ID=14.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now