While many books and articles drown on about the various reasons for using encryption on a network, I’ll spare you the details. Everyone who has worked with networks knows that if a data stream hasn’t been secured, then it is theoretically possible for some intermediary person to possibly read or change the data. The various applications and attacks that make that possible are well documented elsewhere, and certainly some are more common than others. All things being equal, it is up to you to decide what is considered sensitive information on your network, and how you wish to proceed with policies that meet your needs. IPSec actually provides both encryption and authentication services, and understanding the difference is key to your planning process.
IPSec is most commonly looked at as a protocol for securing network traffic via encryption. The way in which this is handled is via something called ESP, the Encapsulating Security Payload. The purpose of ESP in to provide data encryption – while packets are still visible on the network if you used a network sniffer or similar tool, the actual contents (often referred to as the payload, or less technically, the ‘important stuff’) of the packet beyond the original IP header are encrypted. How the encryption process happens I’ll cover in a moment. The other function that IPSec is capable of is authentication and integrity settings via AH, the Authentication Header. That is, instead of actually encrypting a packet, it is rather signed, such that the receiver can be sure that the data came from the original sender and vice versa. The concern in this case is that the data hasn’t been modified in transit, and that somebody (or some machine) isn’t trying to impersonate someone else. While AH provides data integrity, it does nothing to actually secure the data stream, unless used in conjunction with ESP. Both AH and ESP can be used alone, or in conjunction with one another.
A small note here – be aware that ESP traffic uses IP protocol 50 to identify itself, while AH uses IP protocol 51. This is important in cases where you want these types of traffic to pass through a firewall or filtering device. Note also that IPSec will require that traffic can be passed over UDP port 500, over which ISAKMP/Oakley transfers (to be discussed shortly) take place.