Solved

IPSEC Practice

Posted on 2004-08-15
Last Modified: 2012-05-05
Would it be good practice in a Network, where there are 7 servers (Win 2000 and Win 2003), connected by a GB Switch, to use IPSEC on the traffic between the Servers?
If not, what suggestions are there on when to use IPSEC?
Any related websites would be helpful.

Thanks in advance... Michael
Question by:Linux_Hawk
2 Comments
 

Expert Comment

by:yasuo
ID: 11806817
I would recommend researching this topic in depth as there is quite a bit to the design and proper setup of an IPSEC network.

That said, I find this article good for in-general topics on "is it needed" security:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Also, here is an additional white-paper on the design and use of IPSEC in the corporation on Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a774012a-ac25-4a1d-8851-b7a09e3f1dc9&displaylang=en



To comment however...it is always good practice to exercise as much security as is convenient and comfortable. I.e.: it would not be good to enable IPSEC on your servers etc. without evaluating the overall impact on your business practices and ease of operation. If it requires a serious adaptation and engagement from your administrative/management or user base then it could be a disadvantage. Additionally, it also depends on the endpoints you are using for security; if you mean client-server IPSEC security this can be a daunting task, especially for a new user/employee or otherwise trying to connect a computer to the network or server for the first time. It can also mean an administrative nightmare in troubleshooting.

Again, you also must take into account that all encrypted traffic is not capable of being reviewed by an Intrusion Detection System between the client and server later on as well. Server-server traffic can be a good thing, and in practice I personally try to secure and encrypt as much as I can comfortably accommodate. There are however specific areas where flexibility is not an option (such as VPN tunnels, specific traffic networks and/or private servers), in which case full security is afforded.

Bottom line is, what level of exposure to traffic do your servers have, and do they require the utmost security given the data stored on them? Seeing as you are on a switch, sniffing is difficult without performing a man-in-the-middle operation. Aside from that, if you are a company that needs to ensure a high degree of security amongst their servers then it might be a positive and necessary effort. I would in any event ensure that I fully understood my final implementation and had tested it within a private lab/sandbox if possible before attempting such a task.

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 11809084
IPSEC is a standards-based encryption method designed for securing traffic over a public medium. As your network isn't public, it doesn't need IPSEC.
Why do you think you need to do this?
On a LAN level, IPSEC is too resource and bandwidth intensive to use, bearing in mind there is a lot of overhead in error checking, strong encryption and multi-vendor support necessary for traversing across the Internet.
I would recommend a hardware / L2 encryption device as an alternative - e.g. X-Cryptor, http://www.bemac.com/ISec/section2.asp?S2ID=14.
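If you do decide to trial server-to-server IPsec in a lab first, as yasuo advises, the following added example (not from either answer on this page) builds a Windows Server 2003 policy scoped to the server subnet only, so client-server traffic and the helpdesk issues described above are untouched, and nothing takes effect until the final assign step. The subnet 10.0.1.0/24 and the policy, filter list and action names are assumed; it also assumes all servers are domain members so Kerberos can authenticate the peers.

```batch
@echo off
rem Added example: scope IPsec to the server subnet only.
rem Assumptions: Windows Server 2003 (netsh ipsec is not present on
rem Windows 2000), all servers are domain members (Kerberos auth),
rem and the servers live in the constructed subnet 10.0.1.0/24.

set POL=Server-to-Server IPsec
set FL=Server subnet
set FA=Require ESP

rem 1. Policy container. It is not assigned yet, so nothing changes
rem    on the wire until step 6.
netsh ipsec static add policy name="%POL%" description="ESP between member servers only"

rem 2. Filter list: traffic between this host and the server subnet,
rem    any protocol. mirrored=yes creates the inbound filter as well.
netsh ipsec static add filterlist name="%FL%"
netsh ipsec static add filter filterlist="%FL%" srcaddr=Me dstaddr=10.0.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

rem 3. Filter action. ESP[3DES,SHA1] encrypts and authenticates; if only
rem    tamper-protection is wanted (lower CPU cost than full encryption,
rem    and the traffic stays readable to an IDS), use ESP[None,SHA1].
rem    soft=no  : never fall back to cleartext if negotiation fails.
rem    inpass=no: do not accept unsecured inbound packets from peers.
netsh ipsec static add filteraction name="%FA%" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule tying the filter list and action together, Kerberos auth.
netsh ipsec static add rule name="Servers" policy="%POL%" filterlist="%FL%" filteraction="%FA%" kerberos=yes

rem 5. Review the whole policy before it takes effect.
netsh ipsec static show policy name="%POL%" level=verbose

rem 6. Assign on the lab machines only; confirm security associations
rem    form with "netsh ipsec dynamic show mmsas" before touching production.
netsh ipsec static set policy name="%POL%" assign=yes
```

Run the same script on every server in the subnet; a server without the policy will be unable to talk to the assigned ones because soft=no disables the cleartext fallback.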
