This article was previously published under Q231585
This article has been archived. It is offered "as is" and will no longer be updated.
Windows Internet Protocol security (IPSec) protects data as it travels between two computers, so that anyone who captures it on the network can neither read it nor modify it without detection. IPSec is a key line of defense against attacks from inside the private network as well as from outside it. Most network security strategies have focused on preventing attacks from outside an organization's network, but a great deal of sensitive information can be lost to internal attackers who read data off the network. Most data is not protected while it crosses the network, so employees, support staff, or visitors may be able to plug into your network and copy traffic for later analysis. They can also mount network-level attacks against other computers. Firewalls offer no protection against such internal threats, so using IPSec offers significantly greater security for corporate data.
IP Security is a security service that gives administrators the ability to monitor traffic, examine addresses, and apply security methods to IP packets regardless of which program generated the data.
Using IP filtering, IPSec examines the addresses, ports, and transport protocol of every IP packet. Rules contained in local or Group Policy tell IP Security whether to pass a packet unprotected or to secure it, depending on its addressing and protocol information.
There are six main components of IP Security that together provide this level of secure communication:
The IP Security (IPSec) driver, which monitors, filters, and secures traffic.
The Internet Security Association and Key Management Protocol (ISAKMP) combined with the Oakley key determination protocol (ISAKMP/Oakley), the key exchange and management service that negotiates security between hosts and provides the keys used by the security algorithms.
The Policy Agent, which retrieves policies from the local computer or from Active Directory and delivers them to the IPSec driver and to ISAKMP.
The IP Security policy and the Security Associations (SAs) derived from it, which define the security environment in which two hosts communicate.
The Security Association API, which provides the interface between the IPSec driver, ISAKMP, and the Policy Agent.
The management tools, which create policies, monitor IP Security statistics, and log IP Security events.
Using these six components, the IP Security process is as follows:
An outbound IP packet matches an IP filter that is part of an IP Security policy whose action is to secure the traffic.
An IP Security policy can offer several optional security methods, and the IPSec driver must know which one to use for this packet. The IPSec driver therefore asks ISAKMP to negotiate a security method and a key with the peer.
ISAKMP negotiates the security method with the peer and hands it, together with the key, to the IPSec driver.
The method and key together form the IPSec Security Association (SA). The IPSec driver stores this SA in its SA database.
Both hosts must be able to apply protection to outbound traffic and remove it from inbound traffic, so both negotiate and store the same SA.
The IPSec driver applies the negotiated security method to each matching IP packet. There are two security methods, which can be used separately or together:
Data and address integrity through keyed hashing (HMAC), provided by the Authentication Header (AH). Because the hash covers the IP header as well as the payload, a modified source or destination address is detected.
Data integrity plus confidentiality through encryption, provided by the Encapsulating Security Payload (ESP).
Encrypting data packets as they travel on the wire requires a Security Association between the two computers involved. An administrator first defines how the two computers authenticate (trust) each other, and then specifies how the computers secure their traffic. Both settings are contained in an IPSec policy that the administrator creates and assigns on the local computer or through Group Policy in Active Directory.
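The configuration described above, as an added example that is not part of the original article: it builds the three pieces the article names (a trust method, a security method, and a filter that selects the traffic) and then inspects the resulting SAs. It uses the NetSecurity PowerShell cmdlets that ship with Windows 8 / Windows Server 2012 and later rather than the Windows 2000 IP Security Policy snap-in the article was written for, so the cmdlet names are not from the article. The display names, the 192.168.10.0/24 subnet, and the choice of TCP port 445 are made up for illustration.

```powershell
# Added example, not from the original article. Requires an elevated
# PowerShell prompt and the NetSecurity module (Windows 8 / Server 2012+).
# Display names, the 192.168.10.0/24 subnet and the port are illustrative.

# 1. Trust: how the two computers authenticate each other (main mode).
#    Kerberos machine authentication is the natural choice inside an
#    Active Directory domain. A pre-shared key (-PreSharedKey) would also
#    work for a lab, but it is stored in clear text in the policy and is
#    readable by anyone who can read the policy, so it is not used here.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet `
    -DisplayName "Example: machine Kerberos authentication" `
    -Proposal $authProposal

# 2. Security method: the protection applied to each packet (quick mode).
#    ESP with SHA-256 integrity and AES-256 encryption covers both methods
#    the article lists: integrity through a keyed hash and confidentiality
#    through encryption.
$qmProposal = New-NetIPsecQuickModeCryptoProposal `
    -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet `
    -DisplayName "Example: ESP AES-256 / SHA-256" `
    -Proposal $qmProposal

# 3. Filter plus action: the rule that tells the IPSec driver which packets
#    to secure. SMB (TCP/445) to the server subnet must be protected inbound
#    and is requested outbound; packets that do not match are not affected
#    by this rule.
New-NetIPsecRule `
    -DisplayName "Example: require IPsec for SMB to server subnet" `
    -Mode Transport `
    -Protocol TCP -RemotePort 445 `
    -LocalAddress Any -RemoteAddress 192.168.10.0/24 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -QuickModeCryptoSet $qmSet.Name

# 4. Verify: once traffic matches the filter and the negotiation completes,
#    the main-mode SA (trust) and quick-mode SA (method plus keys) appear in
#    the SA database on both hosts. Before any matching traffic has flowed,
#    both lists are empty.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

The same rule must exist on the peer (here the servers in 192.168.10.0/24), typically delivered through Group Policy, because both ends negotiate and store the SA; a rule that exists on only one side will fail negotiation and, with `-InboundSecurity Require`, drop the traffic.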