Windows 2000 provides support for the protocols available through the IPSec ( IP Security) standards. IPSec supplies a standards framework for securing IP traffic. You may want to deploy IPSec on a bastion host — for example, in a network used for external “extranet” communication with business partners.
IPSec can also be used within a perimeter — for example, between a management station and a bastion host running Windows 2000 Terminal Services to achieve stronger authentication on the host level (and also, optionally, to achieve an extra layer of encryption). The IPSec policy agent in Windows 2000 can also be used to control non-IPSec traffic.
This section provides a brief overview of the IPSec implementation in Windows 2000, although it doesn’t by any means discuss all the configuration issues with IPSec.
IPSec provides an authenticated, secure channel using the following protocols:
Authentication using the Internet Key Exchange Protocol (IKE, specified in RFC 2409)
Integrity protection using the Authentication Header (AH, specified in RFC 2402)
Encryption using the Encapsulating Security Payload (ESP, specified in RFC 2406) between two hosts
The Authentication Header (AH) contains a cryptographic checksum on the entire datagram. The AH is inserted after the original IP header in the IPSec datagram, as shown in Figure 3.5. AH offers both data integrity and replay protection (the receiver tracks datagrams ...