IPSec between DC's

Is setting up any IPSec policies between Domain Controllers ideal, recommended? Would this be redundant? Hold my hand as I walk down this unfamiliar concept. Thanks!
MCSE tests left: 294, 297 |

Comments

  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    It would depend on the situation. If the domain controllers are connected over private leased lines, it may not be needed, if you're using VPNs over the Internet that are already encrypted, again it may not be needed. As long as the additional overhead isn't too much for the servers then go for it. In most cases it is overkill but I understand the desire to secure the domain controller to domain controller replication as well as the GC - GC replication traffic.
    The only easy day was yesterday!
  • CorySCoryS Member Posts: 208
    awesome thanks for the reply, my understanding was that there was already some form of encapsulation going on between DCs (may or may not be true) and as you mentioned this idea came about as an additional step for security of this kind of traffic. The DCs will reside in the same physical site behind cisco and microsoft firewalls. I just wanted to error (network ****) on the side of security.

    Again thanks for the reply.
    MCSE tests left: 294, 297 |
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,799 ■■■■■■■■□□
    As long as you are also using Active Directory Integrated for your DNS then I wouldn't worry too much. AD is already RC4 encrypted by default, not the strongest cipher in the world but certainly strong enough to be considered secure on a normal network. If you are not using AD Zones for DNS then I would at least setup an IPSEC policy for Zone Transfers (if you can't migrate to AD Zones natively for some reason).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • CorySCoryS Member Posts: 208
    Good deal, thanks for the quick confirmations and advice.

    When I need solid security advice this is my first forum stop now, I used to be all over many registered forums but consistantly this place provides top notch advice from dedicated professionals. :)

    Cheers,
    Cory
    MCSE tests left: 294, 297 |
Sign In or Register to comment.