Encryption
The next step I recommend is to encrypt your network traffic. Begin by implementing IPSec wherever possible. Here are a few things that you need to know about implementing IPSec security. When you configure a machine to use IPSec, you can configure IPSec to either require encryption or to request encryption. If you configure IPSec to require encryption, any machine that the machine attempts to connect to will be informed that encryption is required. If the other machine is capable of IPSec encryption, a secure channel will be established and the communications session will begin. If the other machine is incapable of IPSec encryption, the communications session will be denied because the required encryption can't occur. The request encryption option works a little differently. When a machine requests a connection, it also requests encryption. If both machines support IPSec encryption, a secure channel is established and communications begin. If one of the machines doesn't support IPSec encryption, the communications session is established anyway, but the data isn't encrypted. There are a couple of things I suggest doing. First, I recommend placing all of the servers within a site on a secure network. This network should be completely isolated from the normal network. Each server that users require access to should have two network cards, one for connecting to the main network and the other for connecting to the private server network. The server network should consist only of servers and should have a dedicated hub or switch. By implementing such a configuration, you create a dedicated backbone between the servers. All server-based traffic, such as RPC traffic and traffic used for replication, can flow across this dedicated backbone. This will help secure the server-based traffic and increase the amount of available bandwidth on the main network. Second, for the server-only network, I recommend that you configure IPSec to require encryption. After all, this network consists of nothing but servers, so unless you have UNIX, Linux, Macintosh, or some other non-Microsoft server, there's no reason why all of your servers shouldn't support IPSec. Therefore, you're perfectly safe requiring encryption. For all of the workstations and the server connections on the primary network, you should configure the machines to request encryption. By doing so, you've achieved the optimal balance between security and functionality. Unfortunately, IPSec can't distinguish between network adapters on multihomed computers. Therefore, unless a server is attached exclusively to the server network, you'll want to use the request encryption option; otherwise, clients may not be able to access the server. Of course, IPSec isn't the only type of encryption available for your network traffic. You must also consider how you'll secure traffic that flows through your perimeter and traffic that flows across your wireless networks. Wireless encryption tends to be a touchy subject because wireless networking devices are still evolving. Many administrators view wireless networks as inherently insecure since network packets are flying through the air and anyone with a laptop and a wireless NIC card can intercept them. Although there are certainly risks associated with wireless networks, in some ways, wireless networks are more secure than wired networks. The reason is that the primary mechanism for encrypting wireless traffic is WEP encryption. WEP encryption ranges in strength from 40-bit on up to 152-bit or even higher. The actual strength depends on the lowest common denominator. For example, if your access point supports 128-bit WEP encryption, but one of your wireless clients supports only 64-bit WEP encryption, you'll be limited to using 64-bit encryption. These days, however, just about all wireless devices support at least 128-bit WEP encryption. What many administrators fail to realise is that just because wireless networks use WEP encryption, it isn't the only encryption type they can use. WEP encryption simply encrypts whatever traffic is flowing across the network, regardless of the type of traffic. Therefore, if you are already encrypting data with IPSec, as you should be, then WEP will simply provide a second level of encryption to the already encrypted data.