Daniel, not knowing any details of the environment, I'll offer that in
general, as a security implementer, I think you owe it to them (and yourself)
to really quantify what they're looking to achieve - what exactly they
want/need secured.  By simply following their direction you may not achieve
their "true" desired result.  I would rethink this and look at TLS or SSL
and central data storage.

If you must use IPsec in a LAN environment, then try to offload the
encapsulation overhead to the NICs as others have pointed out.

Byron

-----Original Message-----
From: Ed Esgro [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 8:35 AM
To: NT 2000 Discussions
Subject: RE: IPSec question


If the data is only on a firewall-secured LAN, with invalid IPs NAT'ed to
valids, then there really aren't many security concerns to worry about. They
only need to worry if this data is flowing over unsecured connections, like
the Internet or Remote Access. Since you didn't mention anything about a
WAN, there really isn't too much concern. As another has said, keep in mind
encryption slows things down a bit. May want to factor in the bad with the
unnecessary.

-----Original Message-----
From: Schatz, Daniel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 11:23 AM
To: NT 2000 Discussions
Subject: RE: IPSec question


Good question. But as it's not my LAN - I can't really say why they want.
The data that they want to protect is very valuable, but I would advise them
to invest the time into securing and tightening the data on the fileserver.
Possibly more a "want to have cuz sounds good" feature.
Thank you for your comments. Very appreciated.

> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 13, 2001 5:14 PM
> To: NT 2000 Discussions
> Subject: RE: IPSec question
> 
> 
> I'm curious. You say this is a small LAN. What makes you think your data
> is at risk to sniffing?
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Schatz, Daniel
> Sent: Thursday, September 13, 2001 8:04 AM
> To: NT 2000 Discussions
> Subject: RE: IPSec question
> 
> 
> Two additional ones:
> 
> If I choose the non-IPsec aware clients to communicate without
> encryption they would be as unsecure as before? So my data would be
> endangered at that end?
> 
> I hoped to hear something like "Yes, there is an additional
> software/third party to install on top of Win98 to make this possible".
> 
> Thanks again.
> 
> > -----Original Message-----
> > From: Ed Esgro [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 13, 2001 4:59 PM
> > To: NT 2000 Discussions
> > Subject: RE: IPSec question
> > 
> > 
> > Set the local security policy template to compatws.inf. This will allow
> > your non-IPsec aware systems to connect without security enabled, but
> > will encrypt those connections that are IPsec aware. Basically any OS
> > before Windows 2000 is not IPSec aware.
> > 
> > -----Original Message-----
> > From: Schatz, Daniel [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 13, 2001 10:46 AM
> > To: NT 2000 Discussions
> > Subject: IPSec question
> > 
> > 
> > Hi,
> > 
> > my question is: there is a small LAN with mainly W2K installed. Plan is
> > to make the network communication more secure so IPSec connection should
> > be used. Would the remaining Win98/NT clients still be able to
> > communicate with the secured W2K workstations? Any good reading anywhere
> > regarding this?
> > 
> > Thanks a lot
> > 
> > 
> > "This communication is intended solely for the addressee and is
> > confidential and not for third party unauthorised distribution."
> > 
> > ------
> > You are subscribed as [EMAIL PROTECTED]
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe send a blank email to [EMAIL PROTECTED]