IPSec is the long-term direction for secure networking. It provides a key line of defense against private network and Internet attacks, balancing security with ease of use.
IPSec has two goals:
Both goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management. This foundation provides both the strength and flexibility to protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be used to block receipt or transmission of specific traffic types.
IPSec is based on an end-to-end security model, establishing trust and security from a source IP to a destination IP address. The IP address itself does not necessarily have to be considered an identity, rather the system behind the IP address has an identity that is validated through an authentication process. The only computers that must know about the traffic being secured are the sending and receiving computers. Each computer handles security at its respective end, with the assumption that the medium over which the communication takes place is not secure. Any computers that only route data from source to destination are not required to support IPSec, unless firewall-type packet filtering or network address translation is being done between the two computers. This model allows IPSec to be successfully deployed for the following enterprise scenarios:
Typically both sides require IPSec configuration (called an IPSec policy), to set options and security settings that will allow two systems to agree on how to secure traffic between them. The Windows XP implementation of IPSec is based on industry standards developed by the Internet Engineering Task Force (IETF) IPSec working group. Portions of IPSec-related services were jointly developed by Microsoft and Cisco Systems, Inc.