Solved

IPsec implementation questions

Posted on 2009-04-15
5
522 Views
Last Modified: 2012-05-06
Hey guys, hoping someone can help me verify what I am understanding about how IPsec is going to look on my network.

Currently, we are planning a small implementation.  Expectation is to implement in transport mode between a web/application front end residing in a public accessible DMZ and a SQL/data store residing on the internal network.  These two zones are seperated by a hardware firewall device.

Here is my understanding and intention.  Using transport mode, the data payload of the packets will be encrypted and validated end to end.  When the data is passed down the stack, the port mapping will be re-encapsulated with the IPsec port/protocol maps (e.g. tcp 1433, 1434, 1444 will be re-encapsule to tcp 50, 51 and udp 500) and traffic will then travel along these ports.

Questions:
First, am I understanding things correctly above?
Running IPsec on IPv4 -
2.  Once IPsec is implemented, I will be able to close SQL ports on my firewall, correct?
3.  I can configure IPsec on 2k3 to be selective of 1.) What hosts will use IPsec between themselves, leaving communications with other hosts in plaintext - 2.)What protocols/ports are actually encrypted between these IPsec hosts, leaving other protocols plaintext.  3.)  On the IPsec host, I can define protocol rules for inbound traffic which will reject connections from undefined/unsecured hosts (e.g. reject SQL traffic from all other hosts or from any unsecured host)  Is this understanding correct?
0
Comment
Question by:atlas_shuddered
  • 3
  • 2
5 Comments
 
LVL 7

Accepted Solution

by:
EmpKent earned 500 total points
ID: 24150198
Atlas,

You are pretty much correct in all of your assumptions. IPSec will add some overhead to your data traffic because it is taking your existing data, encrypting it and re-encapsulate the packet for transport. Once it hits the other end of the tunnel, it will decrypt the packet back to your SQL data and send it along with no indication that is was ever anything else.

You can therefore reject SQL traffic on your firewall as it will not have any indication that any SQL packets are passing.

Thanks,

Kent
0
 
LVL 10

Author Comment

by:atlas_shuddered
ID: 24152130
Kent

Two more clarifications real quick.

On the IPsec peers -

IPsec can be configured so that it is only used/mandatory on a specific group of protocol (SQL) and then other, general protocols (DNS, ICMP) can be configured to run clear text?

Additionally, hosts running IPsec for a peer communication can be configured to talk with other, non-IPsec hosts in cleartext?

I promise, this is it.

Cheers

Atlas
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 24152507
Atlas,

I suppose you could differentiate certain protocols to be encrypted and others not but I don't know why you would. The processing burden on the encryption is negligible with today's CPUs although this might have been a concern 7 or 8 years ago. That being said, SQL is not a protocol in TCP/IP, it is simply data within a packet to a SQL host so you would then have to separate your SQL data to another IP address perhaps and only run that data through the tunnel but, still, why?

Your IPSec boxes should default so that one interface goes only to the opposite end of the tunnel and the other receives data from the local, unencrypted LAN. This way, any data going through that interface will be encrypted and the firewall will only see it as IPSec traffic and you setup rules to allow or dissallow certain IP addresses.

Hope that clears it up for you,

Thanks,

Kent
0
 
LVL 10

Author Closing Comment

by:atlas_shuddered
ID: 31570561
Cheers -  Thanks for the input.  I have been reading on this like mad for the last few days and just wanted to be sure that I was getting everything correct.  Thanks again for the help.  Atlas
0
 
LVL 7

Expert Comment

by:EmpKent
ID: 24153489
Good luck Atlas. IPSec can be intimidating but it is a very valuable tool and one you will not regret learning about..

Kent
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

1. Boot PC and press F10, select storage options and change the compatibility from “AHCI” to “IDE”, save and exit 2. Boot PC and press F12 3. Upon PXE display of searching for DHCP server, press Pause break to obtain MAC address 3. Open Configu…
The environment that this is running in is SCCM 2007 R2 running on a Windows 2008 R2 server. The PXE Distribution point is running on its own Windows 2008 R2 box. This is what Event viewer showed after trying to start the WDS service:  An erro…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now