IPSec on entire network?

[stvleaze]

Is there any cons to just implementing the default (Server request) ipsec policy on all computers inside of a domain?

Will this slow down network traffic? Or cause any problems?

This will force computers to try to establish ipsec tunnels with each other, but still make it where they can talk to non secure computers.

 

[WhoKilledKenny]

I have not implemented IPSEC on my network, but I would imagine that there would be some overhead associated with it. I would also suspect that network slowness would have to do with the number of resources on your network and the design of your network. I noticed that you were not getting any replies, which is pobably a good indication of how many of us have it implemented. Sorry could not have been more help, but you are doing the right thing by researching the subject.

 

[porkchopexpress]

Take a look at this FAQ on the MS site. Your best option is probably to test it and monitor performance. One of the biggest pros if you enable your servers to respond to encrypted requests only is that it makes it harder for worms to connect to your boxs even if you haden't patched a flaw.

http://www.microsoft.com/technet/community/chats/trans/network/net0610.mspx

 

[NetIntruder]

Server "Request" means that not all traffic needs to be encrypted. Server "Require" will force the IPSec connection and stop any client not using it. As far as overhead, from my experience, if you have fairly new hardware, you should not notice a change in performance. You may see a few spikes in CPU during some large file transfers, but that's about it.


~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong"