IPsec implementation questions

Posted on 2009-04-15
Last Modified: 2012-05-06
Hey guys, hoping someone can help me verify what I am understanding about how IPsec is going to look on my network.

Currently, we are planning a small implementation.  Expectation is to implement in transport mode between a web/application front end residing in a public accessible DMZ and a SQL/data store residing on the internal network.  These two zones are seperated by a hardware firewall device.

Here is my understanding and intention.  Using transport mode, the data payload of the packets will be encrypted and validated end to end.  When the data is passed down the stack, the port mapping will be re-encapsulated with the IPsec port/protocol maps (e.g. tcp 1433, 1434, 1444 will be re-encapsule to tcp 50, 51 and udp 500) and traffic will then travel along these ports.

First, am I understanding things correctly above?
Running IPsec on IPv4 -
2.  Once IPsec is implemented, I will be able to close SQL ports on my firewall, correct?
3.  I can configure IPsec on 2k3 to be selective of 1.) What hosts will use IPsec between themselves, leaving communications with other hosts in plaintext - 2.)What protocols/ports are actually encrypted between these IPsec hosts, leaving other protocols plaintext.  3.)  On the IPsec host, I can define protocol rules for inbound traffic which will reject connections from undefined/unsecured hosts (e.g. reject SQL traffic from all other hosts or from any unsecured host)  Is this understanding correct?
Question by:atlas_shuddered
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Accepted Solution

EmpKent earned 500 total points
ID: 24150198

You are pretty much correct in all of your assumptions. IPSec will add some overhead to your data traffic because it is taking your existing data, encrypting it and re-encapsulate the packet for transport. Once it hits the other end of the tunnel, it will decrypt the packet back to your SQL data and send it along with no indication that is was ever anything else.

You can therefore reject SQL traffic on your firewall as it will not have any indication that any SQL packets are passing.


LVL 10

Author Comment

ID: 24152130

Two more clarifications real quick.

On the IPsec peers -

IPsec can be configured so that it is only used/mandatory on a specific group of protocol (SQL) and then other, general protocols (DNS, ICMP) can be configured to run clear text?

Additionally, hosts running IPsec for a peer communication can be configured to talk with other, non-IPsec hosts in cleartext?

I promise, this is it.



Expert Comment

ID: 24152507

I suppose you could differentiate certain protocols to be encrypted and others not but I don't know why you would. The processing burden on the encryption is negligible with today's CPUs although this might have been a concern 7 or 8 years ago. That being said, SQL is not a protocol in TCP/IP, it is simply data within a packet to a SQL host so you would then have to separate your SQL data to another IP address perhaps and only run that data through the tunnel but, still, why?

Your IPSec boxes should default so that one interface goes only to the opposite end of the tunnel and the other receives data from the local, unencrypted LAN. This way, any data going through that interface will be encrypted and the firewall will only see it as IPSec traffic and you setup rules to allow or dissallow certain IP addresses.

Hope that clears it up for you,


LVL 10

Author Closing Comment

ID: 31570561
Cheers -  Thanks for the input.  I have been reading on this like mad for the last few days and just wanted to be sure that I was getting everything correct.  Thanks again for the help.  Atlas

Expert Comment

ID: 24153489
Good luck Atlas. IPSec can be intimidating but it is a very valuable tool and one you will not regret learning about..


Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
RDP Console with access to multiple Servers 9 40
Measure time after installing Antivirus 8 105
BgInfo help 5 110
Multicast IGMP Join Group 8 56
On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below.…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question