Hardening Communications - Use IPSec Policies
IPSec is a security protocol built into the TCP/IP stack of Windows XP, Windows Server 2003, and Windows 2000. An IPSec policy can be configured and assigned to protect communications by providing mutual computer authentication, encryption, integrity, protection from replay attacks, and message origination authentication. IPSec is also widely used as a security protocol in VPNs. Its use in Windows-based VPNs is discussed in the later section “Use L2TP/IPSec VPNs.”
Here are three major uses for IPSec in Windows LANs:
- To provide encryption of communications between two computers
- To manage connections on the basis of IP address and protocol used
- To prevent connections to network resources from rogue computers
IPSec policies are created using Group Policy. A policy can be developed and assigned to a single computer at a time using the local group policy, or configured in a GPO linked to an OU or entire domain and thus implemented on any number of computers.
IPSec is a complex protocol, and thoroughly understanding and troubleshooting it is beyond the scope of this book. A few simple facts, however, will allow you to write and use the simple policies outlined here. These facts are easier to understand when you follow the policy steps, but here are the basics:
- A policy is composed of rules, filters, and filter actions.
- Rules are composed of settings and a list of filters.
- Filters specify source and destination IP addresses and protocols.
- Filter actions determine what happens if a rule’s filter is matched.
- Possible filter actions are: Block, Permit, and Negotiate. Rules are often referred to by their filter action.
- Each rule can have only one filter action; however, a policy may be composed of one or more rules.
- In order for Allow and Negotiate policies to work, each computer involved must have an IPSec policy assigned.
- IPSec policies are not in effect until the policy is assigned.
- Policies may be scripted, or the IPSec Policy Wizard can be used.
- Three methods of authentication are available: Kerberos (only in Windows domains); certificates (all computers must have certificates and must be able to validate them); and preshared key (the weakest, but good for testing).
HEADS UP! It is possible to create an IPSec policy that shuts down communications so thoroughly that recovering the computer system becomes a difficult chore. To prevent complications, always test an IPSec policy in a test environment, and always start by implementing the policy on one test computer at a time before moving to a test domain.
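The policy structure listed above can be seen in a scripted policy. The following is an added example, not taken from the book: it assumes Windows Server 2003, where the `netsh ipsec static` context is available, a domain-joined test computer (for Kerberos), and constructed names and a constructed choice of traffic (TCP port 23 to this computer).

```batch
@echo off
rem Added example: one policy holding one Negotiate rule.
rem All quoted names and the TCP 23 filter are constructed for illustration.
rem Run from the local console of a single TEST computer.

set "POLICY=Test Telnet Encryption"

rem 1. Create the policy. assign=no means nothing is enforced yet.
netsh ipsec static add policy name="%POLICY%" description="Constructed test policy" assign=no

rem 2. Filter list: source/destination addresses and protocol.
rem    mirrored=yes also matches the reply traffic.
netsh ipsec static add filterlist name="Telnet to me"
netsh ipsec static add filter filterlist="Telnet to me" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes description="TCP 23 to this computer"

rem 3. Filter action: what happens when a filter matches.
rem    action= takes permit, block, or negotiate.
rem    soft=no and inpass=no refuse any fallback to unsecured traffic.
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule: ties one filter list to exactly one filter action and
rem    sets the authentication method (Kerberos here, so domain only).
netsh ipsec static add rule name="Encrypt telnet" policy="%POLICY%" filterlist="Telnet to me" filteraction="Require ESP" kerberos=yes

rem 5. Review the complete policy before it takes effect.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 6. Assign. Only now is the policy enforced.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Roll back from the local console if communications break:
rem   netsh ipsec static set policy name="%POLICY%" assign=no
```

Because this is a Negotiate rule, the computer at the other end of the connection also needs an assigned policy with a matching rule before the traffic will flow.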
This is from Hardening Windows Systems, by Roberta Bragg (McGraw-Hill/Osborne, ISBN: 0072253541).