Solved

IPSEC Practice

Posted on 2004-08-15
2
378 Views
Last Modified: 2012-05-05
Would it be good practice in a Network, where there are 7 servers (Win 2000 and Win 2003), connected by a GB Switch, to use IPSEC on the traffic between the Servers?
If not, what are any suggestions on when to use IPSEC.
Any related Websites would be helpful.

Thanks in advance... Michael
0
Comment
Question by:Linux_Hawk
2 Comments
 

Expert Comment

by:yasuo
ID: 11806817
I would recommend researching this topic in depth as there is quite a bit to the design and proper setup of an IPSEC network.

That said, I find this article good for in-general topics on "is it needed" security:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Also, here is an additional white-paper on the design and use of IPSEC in the corporation on Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a774012a-ac25-4a1d-8851-b7a09e3f1dc9&displaylang=en



To comment however...it is always good practice to excercise as much security as convenient and comfortable. I.E: it would not be good to enable IPSEC on your servers etc. without evaluating the overall impact to your business practices and ease of operation. If it requires a serious adaptation and engagement to your administrative/management or userbase then it could be a disadvantage. Additionally, it also depends on the endpoints you are using for security, if you mean client-server IPSEC security this can be a daunting task, especially for a new user/employee or otherwise trying to connect a computer to the network or server for the first time. It can also mean an administrative nightmare in troubleshooting.

Again you also must take into account that all traffic encrypted is not capable of being reviewed by an Intrusion Detection System between the client-server later on as well. Server-Server traffic can be a good thing, and in practice I personally try to secure and encrypt as much as I can comfortably accomodate. There are however specific areas where flexibility is not an option (such as VPN tunnels, specific traffic networks and/or private servers) in which case full security is afforded.

Bottom line is, what level of exposure to traffic does your servers have, do they require utmost security given the data  store on them? Seeing as you are on a switch, sniffing is difficult without performing a man-in-the-middle operation. Aside from that, if you are a company that needs to ensure a high-degree of security amongst their servers then it might necessarily be a positive and necessary effort. I would in any event ensure that I fully understood my final implementation and had tested it within a private lab/sandbox if possible before attempting such a task.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 11809084
IPSEC is a standards-based encryption method designed for securing traffic over a public medium.  As your network isn't public, it doesn't need IPSEC.
Why do you think you need to do this ?
On a LAN level, IPSEC is too resource and bandwidth intensive to use, bearing in mind there is a lot of overhead in error checking, strong encryption and multi-vendor support necessary for traversing across the Internet.
I would recommend a hardware / L2 encryption device as an alternative - eg X-Cryptor, http://www.bemac.com/ISec/section2.asp?S2ID=14.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question