IPsec implementation questions

Hey guys, hoping someone can help me verify what I am understanding about how IPsec is going to look on my network.

Currently, we are planning a small implementation.  Expectation is to implement in transport mode between a web/application front end residing in a public accessible DMZ and a SQL/data store residing on the internal network.  These two zones are seperated by a hardware firewall device.

Here is my understanding and intention.  Using transport mode, the data payload of the packets will be encrypted and validated end to end.  When the data is passed down the stack, the port mapping will be re-encapsulated with the IPsec port/protocol maps (e.g. tcp 1433, 1434, 1444 will be re-encapsule to tcp 50, 51 and udp 500) and traffic will then travel along these ports.

Questions:
First, am I understanding things correctly above?
Running IPsec on IPv4 -
2.  Once IPsec is implemented, I will be able to close SQL ports on my firewall, correct?
3.  I can configure IPsec on 2k3 to be selective of 1.) What hosts will use IPsec between themselves, leaving communications with other hosts in plaintext - 2.)What protocols/ports are actually encrypted between these IPsec hosts, leaving other protocols plaintext.  3.)  On the IPsec host, I can define protocol rules for inbound traffic which will reject connections from undefined/unsecured hosts (e.g. reject SQL traffic from all other hosts or from any unsecured host)  Is this understanding correct?
LVL 13
atlas_shudderedSr. Network EngineerAsked:
Who is Participating?
 
EmpKentCommented:
Atlas,

You are pretty much correct in all of your assumptions. IPSec will add some overhead to your data traffic because it is taking your existing data, encrypting it and re-encapsulate the packet for transport. Once it hits the other end of the tunnel, it will decrypt the packet back to your SQL data and send it along with no indication that is was ever anything else.

You can therefore reject SQL traffic on your firewall as it will not have any indication that any SQL packets are passing.

Thanks,

Kent
0
 
atlas_shudderedSr. Network EngineerAuthor Commented:
Kent

Two more clarifications real quick.

On the IPsec peers -

IPsec can be configured so that it is only used/mandatory on a specific group of protocol (SQL) and then other, general protocols (DNS, ICMP) can be configured to run clear text?

Additionally, hosts running IPsec for a peer communication can be configured to talk with other, non-IPsec hosts in cleartext?

I promise, this is it.

Cheers

Atlas
0
 
EmpKentCommented:
Atlas,

I suppose you could differentiate certain protocols to be encrypted and others not but I don't know why you would. The processing burden on the encryption is negligible with today's CPUs although this might have been a concern 7 or 8 years ago. That being said, SQL is not a protocol in TCP/IP, it is simply data within a packet to a SQL host so you would then have to separate your SQL data to another IP address perhaps and only run that data through the tunnel but, still, why?

Your IPSec boxes should default so that one interface goes only to the opposite end of the tunnel and the other receives data from the local, unencrypted LAN. This way, any data going through that interface will be encrypted and the firewall will only see it as IPSec traffic and you setup rules to allow or dissallow certain IP addresses.

Hope that clears it up for you,

Thanks,

Kent
0
 
atlas_shudderedSr. Network EngineerAuthor Commented:
Cheers -  Thanks for the input.  I have been reading on this like mad for the last few days and just wanted to be sure that I was getting everything correct.  Thanks again for the help.  Atlas
0
 
EmpKentCommented:
Good luck Atlas. IPSec can be intimidating but it is a very valuable tool and one you will not regret learning about..

Kent
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.