430 T2 DQ1

    This topic introduces IPsec and DNSSEC from an application perspective. Research how to implement these protocols using networking devices. Why would an organization choose to implement these protocols using external networking devices rather than from within a domain controller? Briefly provide some benefits and disadvantages.

    Reply to responses

    A Shauna

    DNSSEC adds security to DNS responses by providing the ability for DNS servers to validate DNS responses. With DNSSEC, resource records are accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to a DNS zone using a process called zone signing. IPSec is usually used in the context of a virtual private network between two machines over a public network that is almost as secure as a connection on a private network. VPN's most well-known use case is to allow remote employees to access secured files behind a corporate firewall as if they were working in the office. The reason of why an organization may use external networking devices is because a domain controller holds a lot of sensitive information and is best to keep anything malicious off of the domain controller. Implementing these protocols can make sure sites are legitimate and they are trusted.

    Fruhlinger, J. (2021, December 30). How IPsec works, it's components and purpose. CSO Online. Retrieved March 22, 2022, from https://www.csoonline.com/article/2117067/data-protection-ipsec.html 

    Step-by-step: Demonstrate DNSSEC in a test lab. Microsoft Docs. (2016, August 31). Retrieved March 22, 2022, from https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831411(v=ws.11) 

    B Cory

    Hello Professor Ligon and Class,

    IPSec and DNSSEC are both implemented in order to protect an organization’s network and internet traffic. DNSSEC adds two security features to the original DNS protocol. These features consist of data origin authentication and data integrity protection security controls. IPSec also was created to further secure an organization’s network and internet traffic that uses a group of protocols that are used together to set up secure, encrypted connections between two devices. These types of protections are much needed for any organization that needs to protect it’s network but where to implement these protocols is a question for some. There is the capability to implement both IPSec and DNSSEC on a Windows Server Domain Controller but it is much better to implement these protocols on external network devices instead. Domain Controllers contain very sensitive information and has the configuration ability to let anyone or anything malicious into the network if it fell into the wrong hands. This is the main reason why you would want to set up DNSSEC and IPSec on external devices. You do not want to add any extra network traffic or overhead to something like a domain controller. This may make the domain controller more vulnerable and ultimately the entire network. This is compared to just letting a separate device do it altogether.

    C Jessica.

        IP Security Architecture (IPsec) is a protocol that is intended to boost security for communications within and outside of a network. It functions on the IP Level of the TCP/IP Protocols, and essentially allows the packets of data that are transmitted to be encrypted to deter potential threats that are listening or for those packets that are captured. It also helps authenticate packets that the network and devices receive to ensure they are not malicious. A famous example of IPsec in action would be a Virtual Private Network (VPN) (Roles of IPsec, n.d.) Domain Name System Security Extensions (DNSSEC) is another protocol that was designed with the intention of boosting security for networks and their devices. It was originally based on the Domain Name System (DNS), and was developed as DNS became less reliable. DNSSEC strengthens the DNS protocols by enforcing Data Origin Authentication, which is essentially when the sender of the data is verified as true, and Data Integrity Protection, which checks that the data received has not been changed or altered in any way since it left the sender. This helps the network to verify if the data it receives is both accurate and trustworthy, which greatly assists in protecting the network overall (Liu, 2013). 

    For implementation purposes, these protocols are generally implemented on the network devices themselves, rather than on the domain controller. The reason for this is for fault tolerance purposes. If these protocols are only enabled on the Domain Controller and if the Domain Controller Device ever went offline, the rest of the network would then be left vulnerable without these protocols enabled. On the opposite side, while it would be advantageous to only host these protocols on the Domain Controller to have better control and overall view of how the network is processing data, the advantages do not outweigh the risks (Implementing IPSec Network Security, 2011).

                                                                                                                                      Order Now