7.5.1 IPsec (DirectAccess) Overview

Because IP network traffic can flow across a wide variety of networks, including networks populated or even controlled by hostile parties, end hosts communicating using IP face a variety of threats. These include packet tampering (modifying packets in transit to alter their effect on the receiver); packet inspection (reading confidential information from packets in transit); and identity spoofing (making packets appear to originate from a different sender, to alter their effect on the receiver).

To protect against these threats, IP communications can be secured in Windows using Internet Protocol security (IPsec) [RFC4301]. IPsec defines a set of authentication protocols and cryptographic packet transforms that, when used, ensure that packets cannot be tampered with undetected (integrity), that their origin is identifiable and verifiable (origin authentication), and that their contents cannot be determined by in-transit inspection (confidentiality). IPsec also supports creating policies that control what traffic is allowed and how that traffic is to be protected: which peers may communicate (access control), whether the traffic is encrypted (privacy), and how the peers prove their identity (authentication). A typical organizational policy is that every host communicating with other hosts in the organization must authenticate as a member of a particular Windows domain, and that all related traffic between hosts be private (encrypted) and protected against spoofing and tampering (integrity-protected). Note that a Windows IPsec policy can either request or require protection; only a policy that requires it prevents a peer from falling back to unprotected traffic.
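The policy just described, as an added example that is not part of the original overview or of any Microsoft specification: a Windows connection security rule, built with the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 or later), that requires domain (Kerberos) computer authentication and ESP encryption for SMB traffic to an intranet range. The rule name, the 10.0.0.0/8 address range and the choice of port 445 are assumptions for illustration.

```powershell
# Added example, not from the protocol overview. Requires an elevated session
# on a domain-joined host; the display names, 10.0.0.0/8 and port 445 are
# assumptions chosen for illustration.
#Requires -RunAsAdministrator
Import-Module NetSecurity

# 1. Authentication: main mode (Phase 1) uses computer Kerberos, so both peers
#    must be members of (or trusted by) the Windows domain.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Computer Kerberos' `
                    -Proposal $kerbProposal

# 2. Protection: quick mode (Phase 2) offers only ESP with AES-256 and an
#    SHA-256 integrity check, so packets are both private and origin-verifiable.
#    Deliberately no AH-only or NULL-encryption proposal: a peer could otherwise
#    negotiate integrity without confidentiality.
$espProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                    -Encryption AES256 -ESPHash SHA256
$quickCrypto = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' `
                    -Proposal $espProposal

# 3. Access control: require (not merely request) IPsec in both directions for
#    TCP 445 to the assumed intranet range. With 'Require' on both sides an
#    unauthenticated peer gets no SMB connection at all; 'Request' would let
#    traffic fall back to cleartext when the peer does not negotiate IPsec.
New-NetIPsecRule -DisplayName 'SMB requires domain auth and encryption' `
    -Mode Transport -Profile Domain `
    -Protocol TCP -LocalPort 445 -RemoteAddress 10.0.0.0/8 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1Auth.InstanceID `
    -QuickModeCryptoSet $quickCrypto.InstanceID

# 4. Check: confirm what the rule actually offers, and, once a peer has
#    connected, that the negotiated security associations carry ESP encryption
#    rather than a weaker fallback. Inspect the cipher and integrity fields in
#    the SA listings.
Get-NetIPsecRule -DisplayName 'SMB requires domain auth and encryption' |
    Get-NetIPsecQuickModeCryptoSet |
    Get-NetIPsecQuickModeCryptoProposal |
    Format-Table Encapsulation, Encryption, ESPHash

Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

The rule is written to the local policy store; in a real deployment the same cmdlets are run against a Group Policy object (the -PolicyStore or -GPOSession parameters) so that every domain member receives it, which is the mechanism the [MS-GPFAS] and [MS-GPIPSEC] extensions listed below carry.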

DirectAccess, introduced in Windows 7 and Windows Server 2008 R2, establishes IPsec-protected connections that enable network users to access corporate resources without connecting to a virtual private network (VPN). The connections are set up automatically by domain-joined client computers whenever they have Internet connectivity, so DirectAccess provides network users with the same experience working remotely as they would have when working in the office. For more information, see the DirectAccess Technical Overview [MSFT-DATO].

Figure 4: Windows IPsec architecture (figure not reproduced here)

The Windows extensions to the IPsec protocols are as follows.

Protocol                                                      Specification short name
Authenticated Internet Protocol Specification                 [MS-AIPS]
Firewall and Advanced Security Protocol                       [MS-FASP]
Group Policy: Firewall and Advanced Security Data Structure   [MS-GPFAS]
Group Policy: IP Security (IPsec) Protocol Extension          [MS-GPIPSEC]
Internet Key Exchange Protocol Extensions                     [MS-IKEE]
Layer 2 Tunneling Protocol (L2TP) IPsec Extensions            [MS-L2TPIE]