Storage Basics: Securing iSCSI Using IPSec, Part 2
Developing an Overall IPSec Security Strategy
With a basic idea of the security options available using IPSec, the next step is to develop an overall IPSec security strategy. As with other security measures, this involves finding the balance between making information accessible to the largest number of users and protecting sensitive information from unauthorized access.
In the security world, there is no exact definition of the measures that make up a standard security policy. Security strategies can vary widely, depending on an organization's policies and infrastructure. The following security levels can be considered a general basis for planning your IPSec deployment:
Minimal security: Sensitive data is not passed between computers and, therefore, IPSec is not active by default. In Server 2003, no administrative action to disable IPSec is required.
Moderate security: When network systems such as database or file servers hold or transmit sensitive data, IPSec security measures must be put in place. However, these security measures must be balanced so they do not interfere with daily operations. Server 2003 provides default IPSec policies that secure data but do not force overly prohibitive security measures: Client (Respond Only) and Server (Request Security). Using these default security designs can optimize efficiency without compromising security.
High security: For data that cannot be tampered with or compromised in any way, a high IPSec security configuration is used. In some cases, a default IPSec security setting, Secure Server (Require Security), will provide the level of security needed. Unsecured communication with a non-IPSec-aware computer is not allowed.