Storage Basics: Securing iSCSI Using IPSec, Part 2 Page 3
Configuring IPSec Security
Once the level of IPSec security has been identified, the next step is to configure IPSec security. The IPSec policy configuration is the translation of your security requirements into one or more IPSec policies, only one of which can be assigned at the domain, site, organizational unit, or local level. Each IPSec policy consists of one or more IPSec rules, with each IPSec rule consisting of a filter list, filter action, authentication method and connection type.
The filter list determines which IP traffic is to be affected by the security rule. Once the filter list is triggered, then the filter action is applied. The filter actions identify how security will be handled for the IP addresses identified in the filter list. There are three actions that can be taken when configuring IPSec filter actions:
Permit: The Permit IPSec security option is the absence of security.
Packets are allowed to travel around the network without IPSec
Block: On the other side of the security spectrum is the Block
option. When the block filter option is used, a protocol that matches the
associated IP filter will not be accepted on the network.
Negotiate Security: If an IPSec filter is matched, the Negotiate
Security option enables the administrator to set the encryption and
algorithms that must be used to secure data transmissions.
Kerberos: Kerberos V5 is the default authentication technology used
with Server 2003. Kerberos provides the primary security protocol for
authentication within a domain. When used, it verifies both the identity of
the user and network services. Advantages of Kerberos include
interoperability and the fact that it can provide mutual authentication
between the user and the server. Kerberos can provide authentication between
Server 2003 domains and systems in a UNIX environment that is using Kerberos
Public Key Certificates (PKI): PKIs are used to authenticate clients
that are not members of a trusted domain, non-Windows clients, or computers
that are not running the Kerberos V5 authentication protocol. The
authentication certificates are issued from a system acting as a
Certification Authority (CA).
- Preshared Keys: In preshared key authentication, computer systems must agree on a shared, secret key to be used for authentication in an IPSec policy. Preshared keys are only to be used where certificates and Kerberos cannot be deployed.