Hardening Communications - Use IPSec to Manage Connections
(Page 4 of 11)
In the preceding example, a policy was created that requires all communications between computer A and computer B to be encrypted. It also is a policy that manages connections. Although communications with other computers are unaffected, the policy does restrict communications between computer A and computer B.
IPSec policies can do more than control whether or not two computers must encrypt information sent between them. Policies can manage connections in other ways:
- Block all communications from a specific IP address, or range of IP addresses.
- Block all communications over a specific protocol/port.
- Permit communications from a specific IP address or a range of IP addresses.
- Permit communications over a specific protocol/port.
- Negotiate communication in terms of these items as well as in terms of the ability of a computer to use specified encryption, authentication, and integrity choices.
To use IPSec policies for these features, create a policy using the preceding steps but use the following adjustments.
When adding filters (see step 7), instead of using the IP address information described earlier, use the source and destination IP address information your rule requires. In Windows Server 2003, in addition to naming a specific IP address or a specific IP subnet, you may select DNS, DHCP, WINS, or default gateway servers. (The computer's TCP/IP configuration supplies the IP addresses of those servers.) Choices in Windows 2000 are more limited.
When adding filters, after setting the IP address information, select the Protocol tab on the IP Filter Properties page. Use the Select a Protocol Type drop-down box to select a protocol, and use the Set the IP Protocol Port buttons and text boxes to restrict the filter to specific ports. Figure 11-1 shows the configuration to filter on the Telnet protocol.
- Make as many filters as you want, but remember that only one filter action can be selected per rule. If you need to write a policy that blocks all telnet communications to a server but allows an encrypted telnet session from a specific computer, you will need two rules.
- Use the Filter Action page to select the filter action for the rule, or to add a filter action. The Permit filter action is present, for example, but the Block filter action is not.
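The two-rule Telnet policy described above, expressed with the Windows Server 2003 "netsh ipsec static" context instead of the MMC wizard. This is an added example, not the book's own text or script; the policy, filter list and filter action names and the admin host address 192.0.2.10 are placeholders chosen for this example.

```batch
@echo off
rem Added example (not from the book): builds the Telnet policy with netsh.
rem TelnetPolicy, TelnetAny, TelnetFromAdmin, BlockAll, RequireESP and the
rem admin host 192.0.2.10 are placeholders; substitute your own values.

rem 1. The policy, with the default response rule disabled as in the wizard.
netsh ipsec static add policy name=TelnetPolicy activatedefaultrule=no assign=no

rem 2. Filter list A: Telnet (TCP/23) to this computer from any source.
netsh ipsec static add filterlist name=TelnetAny
netsh ipsec static add filter filterlist=TelnetAny srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes

rem 3. Filter list B: Telnet to this computer from one specific admin host.
netsh ipsec static add filterlist name=TelnetFromAdmin
netsh ipsec static add filter filterlist=TelnetFromAdmin srcaddr=192.0.2.10 dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes

rem 4. Filter actions. Block is not a default action, so it is created here.
rem    The negotiate action requires ESP (3DES/SHA1); inpass=no and soft=no
rem    refuse unsecured inbound packets and any fallback to clear text.
netsh ipsec static add filteraction name=BlockAll action=block
netsh ipsec static add filteraction name=RequireESP action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" inpass=no soft=no

rem 5. Two rules, because a rule carries exactly one filter action. The
rem    specific-address filter is more specific than the Any filter, so the
rem    admin host gets an encrypted session while other Telnet is dropped.
rem    The admin host needs a matching policy or IKE will not complete.
netsh ipsec static add rule name=BlockTelnet policy=TelnetPolicy filterlist=TelnetAny filteraction=BlockAll kerberos=yes
netsh ipsec static add rule name=AdminTelnet policy=TelnetPolicy filterlist=TelnetFromAdmin filteraction=RequireESP kerberos=yes

rem 6. Review the result, then assign (only one policy is active per computer).
netsh ipsec static show policy name=TelnetPolicy
netsh ipsec static set policy name=TelnetPolicy assign=y
```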
Use IPSec to Prevent Connections from Rogue Computers
If an IPSec policy requires certificate authentication, and certificate distribution is controlled, then rogue computers can be prevented from connecting to network resources. This type of policy does not specify encryption or integrity. Instead, it simply requires that each computer authenticate using a certificate. If you implement a Windows Enterprise Certification Authority and configure automatic certificate enrollment for computers, all computers joined in the domain will have the certificate. Rogue computers, those computers brought from home by employees or brought along by contractors, vendors, and visitors, will not be able to authenticate to protected resource computers on your network.

Figure 11-1. Use the IP Filter property pages to identify specific
To protect computers, create a domain IPSec policy that requires certificates for authentication but does not require anything else.
- Right-click the IP Security Policies on Local Computer container and select Create an IP Security Policy.
- Click Next on the Welcome page.
- Enter a name for the policy and click Next.
- Uncheck Activate the Default Response Rule.
- Click Next; then click Finish.
- Click Add to add a filter, and then select the Protocol page. Select All IP Traffic. Examine this filter list by clicking the Edit button. Note that it matches all traffic with the exception of broadcast, multicast, Kerberos, RSVP, and ISAKMP. You can write a more specific rule to block all traffic if you wish. Click Close to close the page.
- On the New Rule Properties, select Authentication Methods.
- Click Add.
- On the Authentication Method page, select Use a Certificate from This Certification Authority (CA).
- Use the Browse button to select a copy of the CA certificate. (The Browse button defaults to the Enterprise Trust certificate store of the local computer; you must make sure that a copy of the appropriate CA certificate is in the store of each computer.) Click OK.
- Select the Filter Action page.
- Click Add to add a new filter action.
- Select Negotiate Security.
- Click Add to create a Security Method.
- Select Custom, and then select Settings.
- Click to deselect Data Integrity and Encryption (ESP) and select Data and Address Integrity Without Encryption (AH) as shown in the following illustration. Then click OK.
- Select the General page and enter a name, Authentication, for the new filter action. Then click OK.
- Select Authentication and click Close; then click OK to close the policy.
- Assign the policy to all domain computers after testing.
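The certificate-only AH policy from the steps above, built with "netsh ipsec static" on Windows Server 2003. This is an added example and not the book's own script; CertAuthAH, AllTraffic, AHonly, RequireCert and the CA distinguished name are placeholders, and the AH lifetime values are sample choices.

```batch
@echo off
rem Added example (not from the book): certificate-authenticated, AH-only policy.
rem Policy, filter list, filter action and rule names plus the CA DN are placeholders.

rem Policy with the default response rule turned off, left unassigned for testing.
netsh ipsec static add policy name=CertAuthAH activatedefaultrule=no assign=no

rem Filter list equivalent to the wizard's All IP Traffic selection:
rem every IP packet to or from this computer (mirrored covers both directions).
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=any dstaddr=me protocol=ANY mirrored=yes

rem Custom security method: AH only (data and address integrity, no ESP
rem encryption), matching the "Data and Address Integrity Without Encryption"
rem setting. inpass=no and soft=no: no unsecured inbound traffic, no fallback.
netsh ipsec static add filteraction name=AHonly action=negotiate qmsecmethods="AH[SHA1]:100000k/3600s" inpass=no soft=no

rem The rule's only authentication method is a certificate chained to this CA
rem (the netsh form of "Use a Certificate from This Certification Authority").
rem A computer that never enrolled for a machine certificate cannot finish IKE,
rem so it cannot talk to any computer that has this policy assigned.
netsh ipsec static add rule name=RequireCert policy=CertAuthAH filterlist=AllTraffic filteraction=AHonly rootca="CN=Corp Root CA, DC=example, DC=com"

rem Verify on a test computer before assigning: a peer that lacks a matching
rem policy or certificate will be cut off once this is active.
netsh ipsec static show policy name=CertAuthAH
netsh ipsec static set policy name=CertAuthAH assign=y
```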
This is from Hardening Windows Systems, by Roberta Bragg (McGraw-Hill/Osborne, ISBN: 0072253541).