Storage Basics: Securing iSCSI Using IPSec, Part 2
Predefined IPSec Policies
As mentioned, the rules that we make for IP traffic are used to create IPSec policies. Server 2003 includes three predefined IPSec policies that may meet the security needs of an organization. These security policies may work in their default state or they can be modified to accommodate the unique needs of an organization.
By examining the default options available and reviewing their settings, we get a better idea of what needs to be done when creating a policy from scratch. The default IPSec policies include: Client (Respond Only), Server (Request Security), and Secure Server (Require Security).
Client (Respond Only)
In the Client (Respond Only) configuration, the system never initiates IPSec on its own. It engages IPSec only when a peer requests it; until then, all of its traffic is sent in the clear. This policy suits clients that talk mostly to non-IPSec hosts but must be able to answer an IPSec-enabled server.
The policy consists of a single rule, the default response rule. Its filter list is <Dynamic>: instead of matching a static list of addresses and protocols, Windows creates the filters on the fly when a peer starts an IKE negotiation, so the rule covers whatever traffic the peer asked to secure. The default settings are:
IP Filter List: <Dynamic>
Filter Action: Default Response
Authentication: Kerberos
Tunnel Setting: None
Connection Type: All
If any of these default settings do not meet our needs, they can be modified or a new policy can be created. For example, we can change the authentication method from Kerberos to certificates (PKI) for hosts outside the domain, or change the Connection Type from All to LAN or Remote Access only.
Server (Request Security)
The Server (Request Security) option offers more security than the Client option. In this configuration, the system initially requests IPSec for all of its traffic, but falls back to unsecured communication if the other system does not answer the IKE request. The fallback is silent: the peer does not have to be IPSec-aware, it only has to fail to negotiate, and after the IKE timeout the session runs entirely in the clear with no error reported to the application. For iSCSI this means an initiator or target that is not IPSec-enabled, or a peer that simply ignores IKE, leaves the whole storage session unprotected. To see how this policy is made, we need to take a closer look at the rules used to create it. There are three.
Rule 1:
IP Filter List: All IP Traffic
Filter Action: Request Security (Optional)
Authentication: Kerberos
Tunnel Setting: None
Connection Type: All
Rule 2:
IP Filter List: All ICMP Traffic
Filter Action: Permit
Authentication: N/A
Tunnel Setting: None
Connection Type: All
Rule 3 (the same default response rule as the Client option):
IP Filter List: <Dynamic>
Filter Action: Default Response
Authentication: Kerberos
Tunnel Setting: None
Connection Type: All
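The same policy rebuilt from the command line, as an added example (this is not code from the original article or from Microsoft's documentation). It uses the netsh ipsec static context that Server 2003 provides, so each line of the rule listings above maps to one parameter. Rule 3 is supplied by the policy's activatedefaultrule switch, which on its own is all that the Client (Respond Only) policy consists of. The policy, filter-list and filter-action names, the description strings and the ESP[3DES,SHA1] transform are this example's own choices; the built-in policy ships under its own names.

```batch
@echo off
rem Added example: recreate "Server (Request Security)" with netsh ipsec static.
rem Names marked (example) are assumptions for this script, not built-in objects.

set POLICY=iSCSI Request Security (example)

rem Policy object. activatedefaultrule=yes attaches Rule 3, the <Dynamic>
rem default response rule (Kerberos, no tunnel, all connections).
rem assign=no so the policy can be reviewed before it takes effect.
netsh ipsec static add policy name="%POLICY%" ^
    description="Request IPsec, fall back to clear (example)" ^
    activatedefaultrule=yes assign=no

rem Rule 1: All IP Traffic -> Request Security (Optional), Kerberos, no tunnel.
rem srcaddr=me dstaddr=any protocol=ANY is the "All IP Traffic" filter;
rem mirrored=yes adds the matching return-direction filter.
netsh ipsec static add filterlist name="All IP Traffic (example)"
netsh ipsec static add filter filterlist="All IP Traffic (example)" ^
    srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem soft=yes is the "(Optional)" part: if IKE gets no answer, traffic goes in
rem the clear. inpass=yes accepts an unsecured inbound packet and negotiates
rem for the reply. ESP[3DES,SHA1] is the strongest transform Server 2003 offers.
rem Setting soft=no here is what makes Secure Server (Require Security) strict.
netsh ipsec static add filteraction name="Request Security (example)" ^
    action=negotiate soft=yes inpass=yes qmsecmethods="ESP[3DES,SHA1]"

netsh ipsec static add rule name="Rule 1 (example)" policy="%POLICY%" ^
    filterlist="All IP Traffic (example)" ^
    filteraction="Request Security (example)" ^
    kerberos=yes conntype=all

rem Rule 2: All ICMP Traffic -> Permit. A permit action never negotiates,
rem so no authentication method is given (the N/A in the listing).
netsh ipsec static add filterlist name="All ICMP Traffic (example)"
netsh ipsec static add filter filterlist="All ICMP Traffic (example)" ^
    srcaddr=me dstaddr=any protocol=ICMP mirrored=yes
netsh ipsec static add filteraction name="Permit (example)" action=permit
netsh ipsec static add rule name="Rule 2 (example)" policy="%POLICY%" ^
    filterlist="All ICMP Traffic (example)" ^
    filteraction="Permit (example)" conntype=all

rem Review the assembled rules, then assign. Only one policy is active at a time.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Check: after generating traffic to an iSCSI peer, quick-mode SAs for that
rem peer should be listed. An empty list while the session works means the
rem soft fallback fired and the storage traffic is in the clear.
netsh ipsec dynamic show qmsas
```

Run the script in an elevated command prompt on the Server 2003 host; the final show qmsas check is the practical difference between "the policy is assigned" and "the iSCSI traffic is actually encrypted".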
Secure Server (Require Security)
