To achieve secure communications with a low cost of ownership, Windows XP simplifies the deployment of IPSec with the following features:
Integration with the Windows 2000 security framework
IPSec uses the Windows 2000 secure domain as a trust model. By default, IPSec policies use the Active Directory default authentication method (Kerberos V5 authentication) to identify and trust communicating computers. Computers that are members of a Windows 2000 domain and are in trusted domains can easily establish IPSec secured communications.
Centralized IPSec policy administration through Active Directory
IPSec policies can be assigned through Group Policy configuration of Active Directory domains and organizational units. This allows the IPSec policy to be assigned at the domain, site, or organizational unit level, eliminating the administrative overhead of configuring each computer separately.
Transparency of IPSec to users and applications
Integration at the IP layer (layer 3) provides security for any protocol in the TCP/IP suite. Separate security for each protocol is not needed, because applications using TCP/IP hand their data to the IP layer, where it is secured.
Flexible security configuration
The security services within each policy can be customized to meet the majority of security requirements for the network and data traffic.
Automatic key management
Internet Key Exchange (IKE) services dynamically exchange and manage cryptographic keys between communicating computers.
Automatic security negotiation
IKE services dynamically negotiate a common set of security settings between communicating computers, eliminating the need for both computers to have identically configured policies.
Public key infrastructure support
Authentication with public key certificates is supported. This allows trust and secure communication with computers that do not belong to a Windows 2000 trusted domain, computers running non-Windows operating systems, computers that are members of untrusted domains, and cases in which access must be restricted to a smaller group of computers than domain authentication allows.
Preshared key support
If authentication using the Kerberos V5 protocol or public key certificates is not possible, a preshared authentication key can be configured.
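The following Python model is an added example and is not part of the Windows XP documentation or of the Windows IPSec implementation. It illustrates the two negotiation points above (a common set of security settings from non-identical policies, and the choice among Kerberos, certificate and preshared-key authentication) as a small simulation. Its modelling assumptions are: each policy lists security methods and authentication methods in preference order; the initiator offers its lists and the responder accepts the first offered entry that its own policy also contains; Kerberos is usable only when both computers are domain members and each trusts the other's domain. Certificate trust (CA validation) is not modelled, and every policy, domain name and method list below is constructed sample data.

```python
"""Added example: a model of how IKE settles on common IPSec settings between
two computers whose policies are not configured identically.

Assumptions (this example's, not the documentation's): preference-ordered
lists, initiator-order-wins selection, and a Kerberos trust check based on
domain membership. Certificate chain validation is not modelled.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SecurityMethod:
    protocol: str               # "ESP" or "AH"
    integrity: str              # "SHA1" or "MD5"
    encryption: Optional[str]   # "3DES", "DES", or None for AH (integrity only)


@dataclass(frozen=True)
class Policy:
    name: str
    domain: Optional[str]                       # None for a computer outside any domain
    trusted_domains: FrozenSet[str]             # domains trusted by this computer's domain
    auth_methods: Tuple[str, ...]               # "kerberos", "certificate", "preshared"
    security_methods: Tuple[SecurityMethod, ...]


def auth_usable(method: str, a: Policy, b: Policy) -> bool:
    """Kerberos needs both computers in domains that trust each other."""
    if method != "kerberos":
        return True
    if a.domain is None or b.domain is None:
        return False
    a_trusts_b = b.domain == a.domain or b.domain in a.trusted_domains
    b_trusts_a = a.domain == b.domain or a.domain in b.trusted_domains
    return a_trusts_b and b_trusts_a


def negotiate(initiator: Policy, responder: Policy) -> Optional[Tuple[str, SecurityMethod]]:
    """Return the (auth_method, security_method) both sides accept, or None."""
    # The initiator offers its authentication methods in preference order; the
    # responder takes the first one it also allows and that is usable here.
    auth = next((m for m in initiator.auth_methods
                 if m in responder.auth_methods
                 and auth_usable(m, initiator, responder)), None)
    # Same first-common-entry rule for the security method (protocol + algorithms).
    sec = next((s for s in initiator.security_methods
                if s in responder.security_methods), None)
    if auth is None or sec is None:
        return None
    return auth, sec


ESP_3DES_SHA1 = SecurityMethod("ESP", "SHA1", "3DES")
ESP_DES_MD5 = SecurityMethod("ESP", "MD5", "DES")
AH_MD5 = SecurityMethod("AH", "MD5", None)

# Constructed sample policies; no two are configured identically.
HQ = Policy("hq-server", "hq.example", frozenset({"branch.example"}),
            ("kerberos", "certificate"), (ESP_3DES_SHA1, ESP_DES_MD5))
BRANCH = Policy("branch-client", "branch.example", frozenset({"hq.example"}),
                ("kerberos", "preshared"), (ESP_DES_MD5, ESP_3DES_SHA1))
OTHER = Policy("other-domain-pc", "other.example", frozenset(),
               ("kerberos", "certificate"), (ESP_3DES_SHA1,))
VENDOR = Policy("vendor-laptop", None, frozenset(),
                ("certificate", "preshared"), (ESP_DES_MD5,))
LEGACY = Policy("legacy-host", None, frozenset(),
                ("preshared",), (AH_MD5, ESP_DES_MD5))


if __name__ == "__main__":
    pairs = [(HQ, BRANCH), (BRANCH, HQ), (HQ, OTHER), (HQ, VENDOR),
             (HQ, LEGACY), (VENDOR, LEGACY)]
    for a, b in pairs:
        print(f"{a.name} -> {b.name}: {negotiate(a, b)}")
```

Running the module shows the three situations the text describes: two trusted-domain members agree on Kerberos even though their security-method lists are ordered differently (and the initiator's order decides which common method is used); a member of an untrusted domain, or a computer outside any domain, falls back to certificates; and a computer that only supports preshared keys negotiates with a peer that lists preshared as a fallback but fails against one that does not.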