Freigeben über


Technology to Support Consumerisation: IPSec

A technology that’s been around for quite some time is IPSec, it helps to ensure security of communications between two network devices.  With IPSec in place two devices need to establish a peer-to-peer trust before communication can take place, it’s kind of like having a secret handshake.

If your enabling an environment where people will be able to bring their own device you probably have some requirement to prevent them accessing some services, such as the HR system, so that they don’t walk off with the CEOs pay slip.  IPSec is perfect in this situation to preform something called Server and Domain Isolation.  Essentially this means that only specific devices can access the super-secret servers but every device can have broad network access. 

Accesses to services and resources is somewhere that an 80/20 rule applies.  Most people need access to most of the network for most of their work, some people will need access to the other 20%.  Using SDI and IPSec you can require people to access secure information from devices you consider to be more trustworthy.  Perhaps they can’t access the HR System from their Windows Phone but they can from their Windows Laptop, that’s BitLocker encrypted etc.

IPSec is implemented in Server 2008R2 and Windows 7 using Group Policy controls for Windows Firewall with Advanced Security.  Essentially you place your super-secure resources into a group or OU that REQUIRES access and place clients that you are happy to have access to those resources into a group or OU that set things up so that clients will reply correctly if asked to do the secret handshake.  If the client doesn’t know the secret handshake that’s the end of the conversation.  Whilst you’re at it you can raise the general security level on your network by telling all clients to REQUEST access.  That way the first thing the client will say is “do you know the secret handshake” if the answer is no they can still talk to each other.

For Windows everything is controlled through Group Policy, so not only is it easy to administer it’s easy to get very granular, for example you could say that  only clients that match a specific WMI query get the IPSec policy's applied.

If you’re wondering why you wouldn’t just do this with some app level access control or some file level access control then consider this: you don’t know what’s running in the background maliciously on any device that someone casually brings in.

RESOURCES for IPSec and SDI have been gathered together in one place already on this IPSec Page of TechNet but I thoroughly recommend the following: