IPsec implementation questions

Posted on 2009-04-15
Last Modified: 2012-05-06
Hey guys, hoping someone can help me verify what I am understanding about how IPsec is going to look on my network.

Currently, we are planning a small implementation.  Expectation is to implement in transport mode between a web/application front end residing in a public accessible DMZ and a SQL/data store residing on the internal network.  These two zones are seperated by a hardware firewall device.

Here is my understanding and intention.  Using transport mode, the data payload of the packets will be encrypted and validated end to end.  When the data is passed down the stack, the port mapping will be re-encapsulated with the IPsec port/protocol maps (e.g. tcp 1433, 1434, 1444 will be re-encapsule to tcp 50, 51 and udp 500) and traffic will then travel along these ports.

First, am I understanding things correctly above?
Running IPsec on IPv4 -
2.  Once IPsec is implemented, I will be able to close SQL ports on my firewall, correct?
3.  I can configure IPsec on 2k3 to be selective of 1.) What hosts will use IPsec between themselves, leaving communications with other hosts in plaintext - 2.)What protocols/ports are actually encrypted between these IPsec hosts, leaving other protocols plaintext.  3.)  On the IPsec host, I can define protocol rules for inbound traffic which will reject connections from undefined/unsecured hosts (e.g. reject SQL traffic from all other hosts or from any unsecured host)  Is this understanding correct?
Question by:atlas_shuddered
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Accepted Solution

EmpKent earned 500 total points
ID: 24150198

You are pretty much correct in all of your assumptions. IPSec will add some overhead to your data traffic because it is taking your existing data, encrypting it and re-encapsulate the packet for transport. Once it hits the other end of the tunnel, it will decrypt the packet back to your SQL data and send it along with no indication that is was ever anything else.

You can therefore reject SQL traffic on your firewall as it will not have any indication that any SQL packets are passing.


LVL 10

Author Comment

ID: 24152130

Two more clarifications real quick.

On the IPsec peers -

IPsec can be configured so that it is only used/mandatory on a specific group of protocol (SQL) and then other, general protocols (DNS, ICMP) can be configured to run clear text?

Additionally, hosts running IPsec for a peer communication can be configured to talk with other, non-IPsec hosts in cleartext?

I promise, this is it.



Expert Comment

ID: 24152507

I suppose you could differentiate certain protocols to be encrypted and others not but I don't know why you would. The processing burden on the encryption is negligible with today's CPUs although this might have been a concern 7 or 8 years ago. That being said, SQL is not a protocol in TCP/IP, it is simply data within a packet to a SQL host so you would then have to separate your SQL data to another IP address perhaps and only run that data through the tunnel but, still, why?

Your IPSec boxes should default so that one interface goes only to the opposite end of the tunnel and the other receives data from the local, unencrypted LAN. This way, any data going through that interface will be encrypted and the firewall will only see it as IPSec traffic and you setup rules to allow or dissallow certain IP addresses.

Hope that clears it up for you,


LVL 10

Author Closing Comment

ID: 31570561
Cheers -  Thanks for the input.  I have been reading on this like mad for the last few days and just wanted to be sure that I was getting everything correct.  Thanks again for the help.  Atlas

Expert Comment

ID: 24153489
Good luck Atlas. IPSec can be intimidating but it is a very valuable tool and one you will not regret learning about..


Featured Post

IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor ( Top Charts is a view in which you can set seve…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question