Once keys are compromised they can no longer be used to secure identities and information. Discovering that a key has been compromised is often difficult; frequently the only evidence is that some vital piece of information is found to be no longer secret, as in cases of corporate espionage.
IPSec Architecture
IPSec defines a network security architecture that allows secure networking for the enterprise while introducing a minimum of overhead. IPSec allows you to secure packets at the network layer. By performing its services at the network layer, IPSec secures information in a manner that is transparent to the user and to the transport layer and every protocol above it. IPSec provides layer-3 protection through two protocols: AH (Authentication Header), which provides integrity and authentication, and ESP (Encapsulating Security Payload), which provides confidentiality and, optionally, integrity and authentication.
The IPSec security architecture exercises an end-to-end security model. Only the endpoints of a communication need to be IPSec aware; computers and devices that serve as intermediaries of message transfer do not need to be IPSec enabled. This allows the administrator of a Windows 2000 network to implement IPSec for end-to-end security over diverse network infrastructures, including the Internet. Transit network devices such as bridges, switches, and routers can be oblivious to IPSec without compromising its efficacy, as long as they forward the packet unchanged. A device that rewrites the IP header, such as a NAT router, is the exception: AH authenticates the IP header and rejects the modified packet, and ESP survives only with NAT traversal (UDP encapsulation of ESP), which was not part of the original Windows 2000 release.
This end-to-end capability can be extended to different communication scenarios, including:
• Client to client
• Gateway to gateway
When IPSec is used to protect communications between two clients—for example, on the same LAN—the machines can utilize IPSec in what is known as transport mode. In transport mode the original IP header is kept and only the packet's payload (the TCP or UDP segment and its data) is protected, so both clients must use TCP/IP as their network protocol. In this example, the endpoints of the secure communication are the source machine and the destination host.
By contrast, in a gateway-to-gateway solution, information is protected by IPSec only while it traverses the transit network (such as the Internet). Packets are protected as they leave the exit gateway and are decrypted or authenticated at the destination network’s gateway. In this scenario the source and destination computers do not employ IPSec themselves. An IPSec tunnel by itself carries only IP traffic; to carry the other LAN protocols (IPX/SPX, AppleTalk, NetBEUI) as well as TCP/IP through the tunnel, the gateways combine IPSec with L2TP, as described below.
When gateways represent the endpoints of secure communication, IPSec works in tunnel mode. A tunnel is created between the gateways, and each client-to-client packet, including its original IP header, is encapsulated behind a new IP header addressed from one gateway to the other. Tunnels can be created using IPSec itself as the tunneling protocol (IPSec tunnel mode), or you can combine IPSec with L2TP, the Layer 2 Tunneling Protocol. In that case L2TP rather than IPSec creates the tunnel, and IPSec encrypts and authenticates the L2TP traffic.
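The two encapsulations described above, as an added example that is not part of the book and not Windows 2000 code: a Python model of ESP in transport mode and in tunnel mode. It uses ESP with NULL encryption (RFC 2410) and an HMAC-SHA1-96 integrity check value (RFC 2404) so that only the standard library is needed, which also previews the integrity check covered later under Message Integrity; the DES/3DES encryption and the IKE key negotiation of a real deployment are omitted. All addresses, SPIs, the key and the TCP segment are constructed samples.

```python
# ESP transport mode versus tunnel mode, with the receiver's integrity check.
# Added example, not from the book and not Windows 2000 code.  ESP with NULL
# encryption (RFC 2410) plus HMAC-SHA1-96 (RFC 2404): standard library only.
# Addresses, SPIs, the key and the TCP segment below are constructed samples.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4   # next header of a tunnel-mode payload: a whole IPv4 packet
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 12       # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits


def ip_checksum(header):
    """One's-complement checksum over an even-length IPv4 header (0 if it validates)."""
    total = sum((header[i] << 8) + header[i + 1] for i in range(0, len(header), 2))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi, seq, payload, next_header, auth_key):
    """ESP (RFC 2406): SPI | seq | payload | padding | pad len | next header | ICV.
    With NULL encryption the payload is sent as-is; the ICV covers all bytes before it."""
    pad_len = (-(len(payload) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp, auth_key):
    """Recompute the ICV and compare in constant time; unwrap only if it matches."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, body[8:len(body) - 2 - pad_len], next_header


def transport_mode(src, dst, segment, spi, seq, key):
    """Host to host: the original IP header stays; ESP is inserted before the segment."""
    esp = esp_encapsulate(spi, seq, segment, IPPROTO_TCP, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, ip_packet, spi, seq, key):
    """Gateway to gateway: the whole original packet, header included, becomes the ESP
    payload and a new outer header addressed gateway-to-gateway is prepended."""
    esp = esp_encapsulate(spi, seq, ip_packet, IPPROTO_IPIP, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def outer_addresses(packet):
    """What a transit router sees: the cleartext addresses of the outer header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(IPv4Address(src)), str(IPv4Address(dst))


def receive(packet, key):
    """Receiving endpoint: strip the outer header, verify and unwrap the ESP payload."""
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _, _, payload, next_header = esp_decapsulate(packet[20:], key)
    return next_header, payload


def tamper_detected(packet, key, offset):
    """Flip one bit at offset and report whether the receiver rejects the packet."""
    modified = bytearray(packet)
    modified[offset] ^= 0x01
    try:
        receive(bytes(modified), key)
    except ValueError:
        return True
    return False


KEY = b"example-hmac-key-not-for-real-use"                # constructed sample key
SEGMENT = b"\x04\xd2\x00\x50" + b"GET / HTTP/1.0\r\n"   # fake TCP header bytes plus data

if __name__ == "__main__":
    t = transport_mode("10.1.1.5", "10.1.1.9", SEGMENT, 0x100, 1, KEY)
    inner = ipv4_header("10.1.1.5", "192.168.2.7", IPPROTO_TCP, len(SEGMENT)) + SEGMENT
    u = tunnel_mode("203.0.113.1", "198.51.100.1", inner, 0x200, 1, KEY)
    print("transport outer:", outer_addresses(t), "tunnel outer:", outer_addresses(u))
    print("payload bit flip rejected:", tamper_detected(t, KEY, 30),
          "outer TTL change rejected:", tamper_detected(t, KEY, 8))
```

Two things to notice when running it: a transit router sees only the outer header, which in tunnel mode names the two gateways rather than the communicating hosts, and the ESP integrity check value does not cover the outer IP header at all, so a changed TTL passes while any change to the SPI, sequence number or payload is rejected. Authenticating the IP header itself is the job of AH, not ESP.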
Overview of IPSec Cryptographic Services
IPSec is able to ensure security of communication by employing a variety of cryptographic techniques.
Cryptography is the making and deciphering of hidden or scrambled messages in such a manner that if the message or communication is intercepted, the interceptor cannot ascertain its contents.
There are several component features of a good security system. The IPSec security architecture is designed to provide these features:
• Integrity
• Confidentiality
• Authentication
Source: http://corpitk.earthweb.com/reference/pro/1928994024/ch07/07-02.html
Configuring Windows 2000 Server Security:IP Security for Microsoft Windows 2000 Server
Configuring Windows 2000 Server Security
by Thomas W. Shinder, M.D., MCSE, MCP+I, MCT, Debra Littlejohn Shinder, MCSE, MCP+I, MCT, D. Lynn White, MCSE, MCPS, MCP+I, MCT
Syngress Publishing, Inc.
ISBN: 1928994024 Pub Date: 06/01/99
Message Integrity
The term integrity refers to the assurance that the message received was indeed the message sent. Integrity is violated if the communication is somehow altered between the sending and receiving computer. Message integrity can be assured via the creation of digital signatures; in IPSec this takes the form of a keyed hash (HMAC-MD5 or HMAC-SHA-1 in Windows 2000) computed over each packet with a key known only to the two endpoints. A digital signature is a fingerprint. This