Download the authoritative guide: Enterprise Data Storage 2018: Optimizing Your Storage Infrastructure
IPsec Authentication Protocols
Before two systems can exchange secure data, they have to mutually agree on a security pact. This security agreement is called a security association (SA). For communication to happen, both systems must agree on the same SA.
The Internet Key Exchange (IKE) manages the SA negotiation process for IPSec connections. IKE is an Internet Engineering Task Force (IETF)-established standard method of security association and key exchange resolution. IKE performs a two-phase operation: the first phase ensures a secure communications channel, while the second operation negotiates the use of SAs.
To establish IPSec communications, two hosts must authenticate with each other before SA negotiations can take place. Systems can be authenticated in three different ways:
- Kerberos – Kerberos v5 is commonly implemented and is the default authentication technology used with Windows Server 2003. Kerberos provides the primary security protocol for authentication within a domain; when used, it verifies both the identity of the user and network services. Advantages of Kerberos include the fact that it can provide mutual authentication between the user and the server, as well as its interoperability — Kerberos can provide authentication between Server 2003 domains and systems in a Unix environment that is using Kerberos for authentication.
- Public Key Certificates (PKIs) – PKIs are used to authenticate clients that are not members of a trusted domain, non-Windows clients, or computers that are not running the Kerberos v5 authentication protocol. The authentication certificates are issued from a system acting as a certification authority (CA).
- Preshared keys – In preshared key authentication, computer systems must agree on a shared, secret key to be used for authentication in an IPSec policy. Preshared keys are to be used only where certificates and Kerberos cannot be deployed.
IPSec Encryption Protocols
IPSec offers three primary methods of encryption. The one you should choose depends on the security needs of your organization.
- Data Encryption Standard (40-bit) – This encryption method provides the best performance but at a significant cost: the encryption security is lower. The 40-bit Data Encryption Standard (DES) is commonly known as Secure Sockets Layer (SSL). It can be used in environments where data security needs are a little lower.
- Data Encryption Standard (56-bit) – Through your IPSec policies you can implement 56-bit DES as the encryption method. The DES algorithm was published in 1977 by the U.S. National Bureau of Standards, and it allows for the ability to frequently regenerate keys during a communication. This ability prevents the entire data set from being compromised if one DES key is broken. However, its use is considered outdated for businesses; it should be used only for legacy application support. Specialized hardware has been able to crack the standard 56-bit key.
- Triple DES (3DES) – IPSec policies also allow the choice of a strong encryption algorithm, 3DES, which provides stronger encryption than DES for higher security. 3DES uses a 56-bit encryption key as well, but, as the name implies, it uses three of them. As a result, 3DES is considered 168-bit encryption, and it is used in high-security environments like the U.S. government. All computers to which the policy is assigned will receive this policy.
IPSec Transport Modes
IPSec can operate in one of two separate modes: transport mode and tunnel mode. These modes refer to how data is sent and secured throughout the network. In transport mode, IPSec protection is provided all the way from the source to the destination. In this way, transport mode is said to provide end-to-end transmission security.
Tunnel mode secures data only between tunnel points or gateways. Tunnel mode provides gateway-to-gateway transmission security. When data is in transmission between the client and the server, it remains unprotected until it reaches the gateway. Once at the gateway, it is secured with IPSec until it reaches the destination gateway. At this point, data packets are decrypted and verified. The data is then sent to the receiving host unprotected. Tunnel mode is often employed when data must leave the secure confines of a local LAN or WAN and travel between hosts over a public network such as the Internet.
While iSCSI has emerged as an alternative to Fibre Channel, securing IP communications is an important consideration. IPSec provides a method to secure IP transmissions in a heterogeneous environment. In the next Storage Basics article, we will look at working with IPSec in a Windows 2003 environment and configuring IPSec with the NETSH command.