Solved

IPsec implementation questions

Posted on 2009-04-15
535 Views
Last Modified: 2012-05-06
Hey guys, hoping someone can help me verify what I am understanding about how IPsec is going to look on my network.

Currently, we are planning a small implementation.  Expectation is to implement in transport mode between a web/application front end residing in a public accessible DMZ and a SQL/data store residing on the internal network.  These two zones are separated by a hardware firewall device.

Here is my understanding and intention.  Using transport mode, the data payload of the packets will be encrypted and validated end to end.  When the data is passed down the stack, the port mapping will be re-encapsulated with the IPsec port/protocol maps (e.g. tcp 1433, 1434, 1444 will be re-encapsulated to tcp 50, 51 and udp 500) and traffic will then travel along these ports.

Questions:
1.  Am I understanding things correctly above?
Running IPsec on IPv4 -
2.  Once IPsec is implemented, I will be able to close SQL ports on my firewall, correct?
3.  I can configure IPsec on 2k3 to be selective of 1.) what hosts will use IPsec between themselves, leaving communications with other hosts in plaintext; 2.) what protocols/ports are actually encrypted between these IPsec hosts, leaving other protocols plaintext; 3.) on the IPsec host, I can define protocol rules for inbound traffic which will reject connections from undefined/unsecured hosts (e.g. reject SQL traffic from all other hosts or from any unsecured host).  Is this understanding correct?
Question by:atlas_shuddered
5 Comments

Accepted Solution

by: EmpKent (earned 2000 total points)
ID: 24150198
Atlas,

You are pretty much correct in all of your assumptions. IPSec will add some overhead to your data traffic because it is taking your existing data, encrypting it and re-encapsulating the packet for transport. Once it hits the other end of the tunnel, it will decrypt the packet back to your SQL data and send it along with no indication that it was ever anything else.

You can therefore reject SQL traffic on your firewall as it will not have any indication that any SQL packets are passing.

Thanks,

Kent
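The question and the accepted answer both turn on what the firewall between the DMZ and the internal network sees once transport-mode IPsec is mandatory for SQL traffic. One point worth having precise: ESP and AH are IP protocol numbers 50 and 51 (not TCP ports), and IKE negotiation runs over UDP/500 (UDP/4500 when NAT traversal is involved), so those are what the firewall must pass between the two peers while the TCP/1433 opening is removed. The following added example, which is not code from the thread or from any product, models a Windows-style IPsec policy (filter lists with permit/block/negotiate actions), derives the packets that appear on the wire, checks them against the tightened firewall rule set, and flags any cleartext SQL that would indicate a host bypassing the policy. The addresses, hostnames and the policy itself are constructed for illustration.

```python
"""Model of a selective transport-mode IPsec policy and the firewall view it produces.

Added example for this thread; all addresses and rules below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50   # ESP is IP protocol number 50, carried directly in IP (no TCP/UDP port)
IP_PROTO_AH = 51    # AH is IP protocol number 51
IKE_PORT = 500      # IKE key negotiation uses UDP/500 (UDP/4500 with NAT traversal)
SQL_PORT = 1433

WEB_HOST = "10.1.1.10"   # constructed address: DMZ web/application server
SQL_HOST = "10.2.2.20"   # constructed address: internal SQL server
ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # ESP/AH carry no transport port, so None there


@dataclass(frozen=True)
class Filter:
    """One filter-list entry: endpoints plus optional protocol and destination port."""
    src: str
    dst: str
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))


PERMIT, BLOCK, NEGOTIATE = "permit", "block", "negotiate"   # the three filter actions

# Host policy assigned on both peers: SQL between web and SQL host must negotiate IPsec,
# SQL from any other host is blocked, everything else (DNS, ICMP, ...) stays cleartext.
SQL_POLICY: List[Tuple[Filter, str]] = [
    (Filter(WEB_HOST, SQL_HOST, IP_PROTO_TCP, SQL_PORT), NEGOTIATE),
    (Filter(ANY, SQL_HOST, IP_PROTO_TCP, SQL_PORT), BLOCK),
    (Filter(ANY, ANY), PERMIT),
]


def host_action(policy: List[Tuple[Filter, str]], p: Packet) -> str:
    """First matching filter wins, so rules are ordered from most to least specific."""
    for flt, action in policy:
        if flt.matches(p):
            return action
    return PERMIT


def wire_view(policy: List[Tuple[Filter, str]], p: Packet) -> List[Packet]:
    """Packets the boundary firewall actually sees for one application packet."""
    action = host_action(policy, p)
    if action == BLOCK:
        return []
    if action == PERMIT:
        return [p]
    # NEGOTIATE: IKE runs first over UDP/500, then the TCP segment travels inside ESP.
    # Transport mode keeps the original IP header, so the firewall still sees src/dst.
    return [Packet(p.src, p.dst, IP_PROTO_UDP, IKE_PORT),
            Packet(p.src, p.dst, IP_PROTO_ESP)]


# Firewall rules once IPsec is mandatory: only IKE and ESP between the two peers cross
# the DMZ boundary; the old TCP/1433 opening is removed. Reply traffic is assumed to be
# handled by stateful inspection, so only the initiating direction is listed.
FIREWALL_RULES: List[Tuple[Filter, bool]] = [
    (Filter(WEB_HOST, SQL_HOST, IP_PROTO_UDP, IKE_PORT), True),
    (Filter(WEB_HOST, SQL_HOST, IP_PROTO_ESP), True),
    (Filter(ANY, ANY), False),
]


def firewall_allows(p: Packet) -> bool:
    for flt, allow in FIREWALL_RULES:
        if flt.matches(p):
            return allow
    return False


def audit_cleartext_sql(seen: List[Packet]) -> List[Packet]:
    """Detection check: TCP/1433 visible at the boundary means a host is bypassing the policy."""
    return [p for p in seen if p.proto == IP_PROTO_TCP and p.dport == SQL_PORT]


if __name__ == "__main__":
    sql = Packet(WEB_HOST, SQL_HOST, IP_PROTO_TCP, SQL_PORT)
    for wire_pkt in wire_view(SQL_POLICY, sql):
        print(wire_pkt, "firewall allows:", firewall_allows(wire_pkt))
    rogue = Packet("10.1.1.99", SQL_HOST, IP_PROTO_TCP, SQL_PORT)   # constructed rogue host
    print("cleartext SQL seen:", audit_cleartext_sql([sql, rogue]))
```

The ordering of `SQL_POLICY` is what makes the selective behaviour work: the peer-specific negotiate rule must sit above the block-everyone-else rule, and the catch-all permit last keeps DNS, ICMP and the rest in cleartext. The `audit_cleartext_sql` check is the defender's counterpart to closing the port: if the firewall ever logs TCP/1433 between the zones after cut-over, a host is not applying the policy.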

Author Comment

by:atlas_shuddered
ID: 24152130
Kent

Two more clarifications real quick.

On the IPsec peers -

IPsec can be configured so that it is only used/mandatory on a specific group of protocols (SQL) and then other, general protocols (DNS, ICMP) can be configured to run clear text?

Additionally, hosts running IPsec for a peer communication can be configured to talk with other, non-IPsec hosts in cleartext?

I promise, this is it.

Cheers

Atlas

Expert Comment

by:EmpKent
ID: 24152507
Atlas,

I suppose you could differentiate certain protocols to be encrypted and others not but I don't know why you would. The processing burden on the encryption is negligible with today's CPUs although this might have been a concern 7 or 8 years ago. That being said, SQL is not a protocol in TCP/IP, it is simply data within a packet to a SQL host so you would then have to separate your SQL data to another IP address perhaps and only run that data through the tunnel but, still, why?

Your IPSec boxes should default so that one interface goes only to the opposite end of the tunnel and the other receives data from the local, unencrypted LAN. This way, any data going through that interface will be encrypted and the firewall will only see it as IPSec traffic, and you set up rules to allow or disallow certain IP addresses.

Hope that clears it up for you,

Thanks,

Kent

Author Closing Comment

by:atlas_shuddered
ID: 31570561
Cheers -  Thanks for the input.  I have been reading on this like mad for the last few days and just wanted to be sure that I was getting everything correct.  Thanks again for the help.  Atlas

Expert Comment

by:EmpKent
ID: 24153489
Good luck Atlas. IPSec can be intimidating but it is a very valuable tool and one you will not regret learning about.

Kent