Monitoring Secured Communications through IPSECMON

By Brien M. Posey | Dec 4, 2000
http://www.enterprisenetworkingplanet.com/netsecur/article.php/625271/Monitoring-Secured-Communications-through-IPSECMON.htm

If you've worked much with Windows 2000 security, you're no doubt aware that the IPSec protocol is used to authenticate and, where ESP is configured, encrypt IP packets as they flow across your network. Open any book on Windows 2000 and you'll find pages and pages discussing the importance of using IPSec. However, in the dozens of Windows 2000 books I've read, I've yet to find one that discusses the importance of checking IPSec's operational status.

Checking the operational status of IPSec is essential. After all, if your data is important enough to warrant enabling IPSec in the first place, wouldn't you at least like to know if IPSec is doing its job? Fortunately, checking up on IPSec is easier than you might imagine. You can easily check IPSec's operational status through a Windows 2000 utility called IPSECMON.

Putting IPSECMON to Work

To access IPSECMON, simply enter "IPSECMON" at the Run prompt. When you do, Windows 2000 will load the IPSECMON utility, also known as the IP Security Monitor. As you can see in Figure 1, the IP Security Monitor is very simple to use. This utility has only two buttons: a Minimize button to minimize the utility, and an Options button that controls the refresh rate (set to 15 seconds by default).

Figure 1: The IP Security Monitor can tell you whether the IPSec protocol is doing its job.

As the figure shows, the IP Security Monitor tracks several counters. If you use the ESP protocol on your network, check the Confidential Bytes Sent and Confidential Bytes Received fields. These count the bytes sent or received with confidentiality, that is, encrypted by ESP. A rising count in these fields means ESP encryption is actually in effect; an ESP policy whose Confidential Bytes never move is not encrypting anything.

You should also look at the Authenticated Bytes Sent and Authenticated Bytes Received fields. Any bytes that appear in these columns were sent or received with IPSec integrity protection (AH, or ESP with authentication), so these are the counters that prove IPSec is being applied at all, even on a policy that uses no encryption.


Finally, check the Bad SPI Packets, Packets Not Decrypted, and Packets Not Authenticated fields for non-zero values. These count inbound packets that IPSec received but could not process, so any non-zero value indicates a problem. A non-zero Bad SPI Packets count means packets arrived carrying a Security Parameters Index that matches no current security association on this machine; this usually happens when a security association has expired or been torn down on one side while the other side keeps sending on it. A non-zero Packets Not Decrypted count means the sender encrypted and sent ESP packets, but the receiver could not decrypt them, which again is often caused by a stale or mismatched security association. A non-zero Packets Not Authenticated count means packets arrived whose integrity check (the AH or ESP authentication hash) failed, so they were discarded rather than passed up the stack. Keep in mind that all of these counters are cumulative rather than per interval: a value that stays constant across refreshes records an old problem, while one that climbs every 15 seconds is happening right now.
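As an added example that is not from the original article, the following Python script applies the checks described above to two IPSECMON readings taken one refresh interval apart. It uses the counter names the IP Security Monitor displays; the snapshot values are constructed for illustration, and the `snapshot` and `assess` helpers, along with the "expect ESP" and "expect traffic" assumptions, are mine rather than anything Windows 2000 provides.

```python
# Added example, not part of the original article: decide from two IPSECMON
# readings whether IPSec is doing its job. Counter names are the ones the IP
# Security Monitor displays; every numeric value below is constructed for this
# example, not captured from a real host.

# Counters that should stay at zero. Each counts inbound packets IPSec could
# not process (unknown SPI, decryption failure, integrity-check failure).
ERROR_COUNTERS = (
    "Bad SPI Packets",
    "Packets Not Decrypted",
    "Packets Not Authenticated",
)


def snapshot(conf_sent, conf_recv, auth_sent, auth_recv,
             bad_spi=0, not_decrypted=0, not_authenticated=0):
    """Build one IPSECMON reading as a dict keyed by the monitor's field names."""
    return {
        "Confidential Bytes Sent": conf_sent,
        "Confidential Bytes Received": conf_recv,
        "Authenticated Bytes Sent": auth_sent,
        "Authenticated Bytes Received": auth_recv,
        "Bad SPI Packets": bad_spi,
        "Packets Not Decrypted": not_decrypted,
        "Packets Not Authenticated": not_authenticated,
    }


def assess(before, after, expect_esp=True, expect_traffic=True):
    """Compare two snapshots taken one refresh interval (15 s by default) apart.

    The counters are cumulative, so a non-zero error count on its own may
    describe an old problem; a count that rises between the two readings is a
    live one. Returns a list of findings; an empty list means IPSec looks healthy.
    """
    findings = []

    for name in ERROR_COUNTERS:
        delta = after[name] - before[name]
        if delta > 0:
            findings.append(f"{name} rose by {delta} in this interval: IPSec is failing now")
        elif after[name] > 0:
            findings.append(f"{name} is {after[name]} but not rising: a past failure, not a current one")

    auth_delta = (after["Authenticated Bytes Sent"] - before["Authenticated Bytes Sent"]
                  + after["Authenticated Bytes Received"] - before["Authenticated Bytes Received"])
    conf_delta = (after["Confidential Bytes Sent"] - before["Confidential Bytes Sent"]
                  + after["Confidential Bytes Received"] - before["Confidential Bytes Received"])

    if expect_traffic and auth_delta == 0 and conf_delta == 0:
        findings.append("no IPSec-protected bytes in this interval: "
                        "no security association was used (check filters and policy assignment)")
    elif expect_esp and auth_delta > 0 and conf_delta == 0:
        findings.append("bytes are authenticated but none are confidential: "
                        "traffic is protected by AH or ESP without encryption, not ESP encryption")
    return findings


# Constructed readings (not real captures). Healthy ESP: both byte counters
# grow, all error counters stay at zero.
HEALTHY_BEFORE = snapshot(102400, 98304, 102400, 98304)
HEALTHY_AFTER = snapshot(110592, 106496, 110592, 106496)

# AH only: authenticated bytes grow, confidential bytes never move, and an old
# Bad SPI count of 3 is no longer rising.
AH_ONLY_BEFORE = snapshot(0, 0, 40960, 38912, bad_spi=3)
AH_ONLY_AFTER = snapshot(0, 0, 45056, 43008, bad_spi=3)

# Stale security association: nothing protected gets through, and the peer's
# packets arrive with an SPI this host no longer recognises.
STALE_SA_BEFORE = snapshot(51200, 49152, 51200, 49152, bad_spi=0)
STALE_SA_AFTER = snapshot(51200, 49152, 51200, 49152, bad_spi=12)


if __name__ == "__main__":
    for label, pair in (("healthy ESP", (HEALTHY_BEFORE, HEALTHY_AFTER)),
                        ("AH only", (AH_ONLY_BEFORE, AH_ONLY_AFTER)),
                        ("stale SA", (STALE_SA_BEFORE, STALE_SA_AFTER))):
        print(label, "->", assess(*pair) or ["ok"])
```

The point of comparing two readings rather than one is the cumulative nature of the counters: the AH-only case above reports its Bad SPI count as historical, while the stale-SA case reports it as a live failure, and only the delta tells them apart.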

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.