IPsec implementation questions
Posted on 2009-04-15
Hey guys, hoping someone can help me verify what I am understanding about how IPsec is going to look on my network.
Currently, we are planning a small implementation. Expectation is to implement in transport mode between a web/application front end residing in a publicly accessible DMZ and a SQL/data store residing on the internal network. These two zones are separated by a hardware firewall device.
Here is my understanding and intention. Using transport mode, the data payload of the packets will be encrypted and validated end to end. When the data is passed down the stack, the port mapping will be re-encapsulated with the IPsec port/protocol maps (e.g. tcp 1433, 1434, 1444 will be re-encapsulated to tcp 50, 51 and udp 500) and traffic will then travel along these ports.
First, am I understanding things correctly above?
Running IPsec on IPv4 -
2. Once IPsec is implemented, I will be able to close SQL ports on my firewall, correct?
3. I can configure IPsec on 2k3 to be selective of 1.) What hosts will use IPsec between themselves, leaving communications with other hosts in plaintext - 2.) What protocols/ports are actually encrypted between these IPsec hosts, leaving other protocols plaintext. 3.) On the IPsec host, I can define protocol rules for inbound traffic which will reject connections from undefined/unsecured hosts (e.g. reject SQL traffic from all other hosts or from any unsecured host). Is this understanding correct?