Choosing the Right Security

Now that the basic differences among the three main security mechanisms in Windows 2000 have been discussed, this section addresses the types of security you should plan to use when designing your implementation of Active Directory. At the beginning of this chapter, we identified two essentially different types of security relevant to Active Directory and Windows 2000:

  1. Security for access to the network environment and Active Directory resources

  2. Security for the data that crosses the network between hosts on the network

Kerberos and PKI are security mechanisms for regulating access to the environment, whereas IPSec is a security method for regulating the data on the network.

Kerberos Compared with PKI

As the default protocol for Windows 2000, Kerberos is also the most widespread security protocol used in initial implementations of Active Directory. It requires relatively little planning and preparation before implementing Active Directory, as long as there is no need to integrate the Windows 2000 KDC with a KDC that already exists as part of a Kerberos realm outside Windows 2000.

With the current release of Windows 2000, it is possible to intermix Windows-based and non-Windows-based Kerberos implementations. For example, it is possible for a Windows 2000 client to authenticate to a KDC that is Kerberos version 5 compliant running on UNIX. In addition, it is possible for a non-Windows client to authenticate to a Windows 2000 KDC, as long as the client supports Kerberos version 5.

More planning is needed if there is a requirement for two Kerberos domains to trust each other and one domain is based on Windows 2000 but the other is not. It is possible to establish explicit Kerberos trusts between the two domains. However, security principals in the non-Windows domain do not carry the authorization data that a Windows 2000-based service requires. Consequently, it is necessary to use the Active Directory Users and Computers management tool to map each external security principal to a specific internal Active Directory security principal (user).

Because mapping hundreds or even thousands of external user accounts to internal accounts might be a limiting factor in using Kerberos security for external users, this is an excellent example of when to use public key authentication rather than Kerberos. If an organization has an external vendor with which it needs to exchange data on a regular basis, it is possible to implement public key authentication for the external vendor rather than establishing a Kerberos trust. A CA would be established that trusts certificates issued by the external vendor's CA. These certificates can then be used to grant access to resources on servers in the Windows 2000 domain.

In addition, as pointed out earlier in this chapter, a PKI should be implemented if there are plans or requirements for users of the network email system to digitally sign or encrypt mail. Kerberos does not provide for a digital signature capability.

When to Use IPSec

Evaluating when to use IPSec is a different process from evaluating when to use Kerberos or PKI. IPSec is primarily used for network traffic that is internal to an organization. In addition, because it is transparent to users and applications, it is the protocol administrators turn to when they feel the data traveling across the network needs additional protection, rather than when the goal is to authenticate who is actually accessing information or resources in the organization.

It is prudent to be cautious, however, when implementing IPSec in an organization. There are a few guidelines to follow to limit any impact on network and host performance.

  • Implement host-to-host encryption only if absolutely necessary. It is better to implement a scenario whereby not all the hosts in a specific subnet need to encrypt traffic to each other. Rather, they only need to encrypt traffic if it is destined for a host outside of the subnet.

  • Critically evaluate whether IPSec is required at all. No matter how streamlined the protocol, IPSec introduces additional latency on the network and on each host that uses it. If what you are trying to accomplish with IPSec can be accomplished with a firewall, the firewall is preferable.
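The first guideline above, as an added example that is not part of the chapter: a small Python model of an IPSec filter list in which the most specific matching filter wins, so hosts within a subnet exchange traffic in the clear while traffic leaving the subnet must negotiate security. The filter class, the most-specific-match rule as coded here, and the 10.1.1.0/24 addresses are simplifications and constructed values, not the Windows policy engine.

```python
"""
Simplified model of a Windows 2000 IPSec filter list: each filter maps a
(source, destination) address pair to an action, and the most specific
matching filter wins (a /32 host beats a /24 subnet, which beats "any").
Constructed example; it is not the Windows IPSec policy engine.
"""
import ipaddress


class IPSecFilter:
    def __init__(self, src, dst, action, mirrored=True):
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.action = action          # "Permit" or "RequireSecurity"
        self.mirrored = mirrored      # also match the reverse direction

    def matches(self, src_ip, dst_ip):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if s in self.src and d in self.dst:
            return True
        return self.mirrored and s in self.dst and d in self.src

    def specificity(self):
        # Longer prefixes are more specific; "any" (/0) contributes 0.
        return self.src.prefixlen + self.dst.prefixlen


def decide(filters, src_ip, dst_ip, default="Permit"):
    """Return the action of the most specific filter matching this flow."""
    candidates = [f for f in filters if f.matches(src_ip, dst_ip)]
    if not candidates:
        return default
    return max(candidates, key=IPSecFilter.specificity).action


# Policy following the guideline: hosts on 10.1.1.0/24 (constructed value)
# talk to each other in the clear, but anything leaving the subnet must
# negotiate IPSec before traffic flows.
SUBNET_POLICY = [
    IPSecFilter("10.1.1.0/24", "10.1.1.0/24", "Permit"),
    IPSecFilter("10.1.1.0/24", "0.0.0.0/0", "RequireSecurity"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "10.1.1.9"), ("10.1.1.5", "10.2.0.7")]:
        print(src, "->", dst, decide(SUBNET_POLICY, src, dst))
```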
