New column -- Using IPsec for network protection
I'm now writing semi-regular articles for TechNet. These are part of the security management series, and they're also linked from the security newsletter.
The first column is a two-parter about IPsec. Part 1 describes the technology: how it operates, its various modes and methods, a bit on IKE, and how it works over NAT.
https://www.microsoft.com/technet/community/columns/secmgmt/sm121504.mspx
Part 2 illustrates three excellent scenarios that you can apply IPsec to today: stopping worms, protecting servers, and isolating domains -- a very cool approach for requiring domain membership of all your computers. Get rid of the rogues!
https://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
Security newsletter
If you haven't already, I urge you to sign up for the security newsletter. Hundreds of thousands of subscribers -- many of whom might be your competitors (LOL) -- already benefit from the tips, tricks, updates, guidance, and news we publish every month. So sign up today! My columns are always linked from here, too.
https://www.microsoft.com/technet/security/secnews/default.mspx
Comments
- Anonymous
February 10, 2005
Thanks Steve! Been looking for something like this for a long time.
Great writing and easy to understand!
As an MCT teaching this subject next week I will sincerely recommend this for further reading in my "must have" URL list ;-) - Anonymous
February 20, 2005
Steve, I think it is incorrect to use the term 'SHA1 or MD5 digital signature' when you describe authentication. Definitely one of the core properties of a DigSig is that the other party could not compute its own version and compare that with the stored 'signature'. - Anonymous
February 27, 2005
No, my terminology is correct. It's the digital signature that provides the per-packet authentication of the traffic. IOW, the signature authenticates that the packet actually comes from the sending IP address that's claiming to have sent the packet. When the receiving side computes its own version of the packet's signature, that second computation must match the same signature that's included in the packet. - Anonymous
March 02, 2005
Ah, I see your point. I am using the term "digital signature" more loosely here. You are technically correct, SHA-1 and MD5 are one-way hashes, not true digital signatures in the classic sense of that term. But the definition of the concept of "signing" has expanded to include hashing, too.
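The point the two commenters are working through, as an added example that is not part of the column or the comments: IPsec AH and ESP authenticate each packet with a keyed hash (HMAC-SHA1-96 or HMAC-MD5-96), so only a holder of the IKE-negotiated key can produce a tag that the receiver's own recomputation will match, whereas an unkeyed SHA-1 or MD5 over the packet can be recomputed by anyone. The shared key and packet bytes below are constructed, not real IPsec encodings.

```python
import hashlib
import hmac

# Constructed sample data: a shared key as IKE would negotiate, and a
# simplified "packet". Both are illustrative, not real IPsec encodings.
SHARED_KEY = b"constructed-ike-negotiated-key"
PACKET = b"src=192.0.2.1 dst=192.0.2.2 seq=1 payload=hello"

def plain_hash_tag(packet: bytes) -> bytes:
    """Unkeyed SHA-1: catches accidental corruption, but anyone can
    recompute it, so it does not prove who sent the packet."""
    return hashlib.sha1(packet).digest()

def verify_plain(packet: bytes, tag: bytes) -> bool:
    """Check an unkeyed hash; passes for any packet whose hash was recomputed."""
    return hmac.compare_digest(plain_hash_tag(packet), tag)

def ipsec_icv(key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA1-96 integrity check value as AH/ESP use it (RFC 2404):
    the 160-bit HMAC output truncated to its first 96 bits (12 bytes)."""
    return hmac.new(key, packet, hashlib.sha1).digest()[:12]

def receiver_verifies(key: bytes, packet: bytes, icv: bytes) -> bool:
    """The receiving side recomputes the tag and compares it with the one
    carried in the packet; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(ipsec_icv(key, packet), icv)

def demo() -> dict:
    """Show that the keyed tag, not the plain hash, is what authenticates."""
    genuine_icv = ipsec_icv(SHARED_KEY, PACKET)
    altered = PACKET.replace(b"payload=hello", b"payload=HELLO")
    return {
        # Genuine packet with its own tag passes the receiver's check.
        "genuine_accepted": receiver_verifies(SHARED_KEY, PACKET, genuine_icv),
        # Altered packet carrying the original tag is rejected.
        "altered_rejected": not receiver_verifies(SHARED_KEY, altered, genuine_icv),
        # A plain hash gives no such protection: recomputed over the altered
        # packet, it verifies, because no secret is needed to produce it.
        "plain_hash_recomputable": verify_plain(altered, plain_hash_tag(altered)),
        # Without the shared key the right tag cannot be produced; a tag
        # computed under a different key fails the receiver's check.
        "wrong_key_rejected": not receiver_verifies(
            SHARED_KEY, PACKET, ipsec_icv(b"some-other-key", PACKET)),
        "icv_bits": len(genuine_icv) * 8,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```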