Common IPSec Example
This describes a deployment example for a common IPSec configuration. While your network configuration might be different than what is discussed here, the basic concepts apply.
Providing security for groups that normally exchange highly sensitive information often required segmenting the intranet. Groups of computers on different, physical segments prevents security violations. IPSec provides protection while still allowing groups of secure computers to reside within the same physical intranet.
Figure 8.14 represents a domain comprised of computers in a financial department. Most intranet clients do not need to communicate securely. However, a group of servers in the network store highly sensitive information that some intranet clients need to access. All computers have computer accounts in the Active Directory.
Figure 8.14 An Intranet Domain with End-to-End Communications
The computers accounts are grouped into Active Directory Organizational Units (OU) for security reasons. This enables the appropriate assignment of IPSec policies, based on the function of the computers:
Servers that store and exchange highly sensitive information belong to the Highest Security Servers OU.
Servers that might use unsecured communication to enable data exchange with non-Windows 2000 computers in the domain belong to the Secure Servers OU.
Clients that require the ability to appropriately respond when secure communications are required. These are in the default Computers group.
Grouping computers into OUs enables the assignment of IPSec policies to only those that require IPSec. It also allows the appropriate level of security to be assigned, avoiding excessive security overhead. In this scenario, the Active Directory stores the IPSec policies for all computers.
High security between the clients and the domain controller is unnecessary: Kerberos-related exchanges between the clients and the domain controller are already encrypted, and the IPSec policy transmission from the Active Directory to the member computers is protected by Windows 2000 LDAP security.
In this example, IPSec should be combined with access control security. User permissions are still a necessary part of using security to protect access to the file shares available on any of the Highest Security or Secure Servers. IPSec secures the network level traffic, so that attackers can not interpret or modify the data. For information about setting user permissions, see the Windows 2000 Help.
Policies Required
The following are the types of required IPSec policies to consider.
Computers: Client (Respond Only)
Domain member computers receive the IPSec policy assigned to the domain security policy. The predefined policy, Client (Respond Only), is assigned to the domain group security policy to ensure these computers can respond as needed to requests for secure communications.
Secure Servers: Server (Request Security)
Computer accounts in this OU generally communicate securely, but also might need to communicate with computers that cannot respond to secure requests. Assigning the predefined policy, Server (Request Security), enables initiation of secure communications when necessary, but also initiates communication with non-Windows 2000 legacy systems that might be part of the domain.
Highest Security Servers: Secure Server (Require Security)
Computer accounts in this OU do not communicate with any computers that do not or cannot initiate and successfully negotiate security. These servers store and transmit highly sensitive data. The predefined policy, Secure Server (Require Security), is assigned to ensure that outgoing communication never falls back to unsecured if negotiations fail or the other computer is not IPSec-capable. Even communication with the domain controller is negotiated and secured. Due to the strictness of this policy, you might have to add exemptions for special traffic types such as SNMP traffic. For information about altering IPSec policy, see "Special IPSec Considerations" earlier in this chapter.