How to Create an IPsec Policy to Restrict Ports
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
Internet Protocol security (IPsec) is designed to encrypt data as it travels between two computers, protecting it from modification and interpretation. To use IPsec, you must define how computers that attempt to connect will trust each other and how the computers will secure their traffic. To implement these specifications, create and apply an IPsec policy. IPsec policies support policy-based stateful packet filtering rules that can be used with IPsec authentication and encryption to provide robust end-to-end security.
Example: Creating an IPsec Policy
This section provides step-by-step instructions for creating an example IPsec policy that allows inbound requests to connect only to ports 80 and 443. Port 80 is the default port for HTTP requests, and port 443 is the default port for HTTPS requests. The policy blocks requests for all other ports on the server.
In contrast with typical firewall or packet filtering rules, there is no way to order the list of rules in an IPsec policy. The rule engine matches traffic with rules according to specificity. If a packet matches more than one rule, the engine will apply the most specific rule to the packet. In the following example, packets that match the filter list that allows connections to port 80 also match the filter list that blocks all incoming traffic. Because the former list is more specific, the rule engine uses that list to make its decision. Therefore, traffic that connects to port 80 or port 443 is passed to the server, while everything else is blocked. You need to create multiple filter lists to make the policy effective.
There are several steps to creating an IPsec policy:
- Create IPsec filter lists. Filter lists include ports, protocols, and directions and trigger a decision when traffic matches an item in the list. This example requires you to create three filter lists. The first two filter lists apply to inbound traffic that attempts to connect to port 80 or 443, and the third filter list applies to all ports.
- Set filter actions. Filter actions are the required response when traffic matches a filter list. This example uses only permit and block actions for its IIS IPsec policy.
- Create the IPsec policy. The IPsec policy is a collection of rules, each of which pairs a filter list with a filter action. You can have only one active, or assigned, policy at any particular time.
To create IPsec filter lists, begin by changing the security settings on the local computer.
To create the IPsec filter lists
1. From the Start menu, point to All Programs, point to Administrative Tools, and then select Local Security Policy.
2. In the Local Security Settings dialog box, click IP Security Policies on Local Computer. The right pane displays the default Windows Server 2003 policies.
3. Right-click the right pane, and then click Manage IP filter lists and filter actions.
4. In the Manage IP filter lists and filter actions dialog box, on the Manage IP Filter Lists tab, click Add.
5. In the IP Filter List dialog box, in the Name box, type a name for your filter list, such as Inbound HTTP, and type a description if you want one. This is the filter list that applies to all inbound HTTP connections.
6. Click Add. The IP Filter Wizard appears. Create a filter with the following specifications:
   - Description: Optional.
   - Source address: Any IP Address.
   - Destination address: My IP Address. Or click A specific IP address, and then type the IP address of the interface that is connected to the Internet.
   - Protocol type: TCP.
   - Protocol Port: From any port.
   - To this port: 80.
7. In the Completing the IP Filter Wizard screen, clear the Edit properties check box, and then click Finish.
8. In the IP Filter List dialog box, click OK.
9. Repeat steps 1 through 8, this time to create a filter list that applies to destination port 443 for HTTPS connections. Name the filter list Inbound HTTPS, or something similar.
10. Repeat steps 1 through 8, this time to create a filter list that applies to all destination ports. This filter list will apply to the policy that blocks all inbound traffic. Name the filter list All Inbound, or something similar.
To set the filter actions
1. After you create the filter lists, in the Local Security Settings dialog box, right-click the right pane, and then click Manage IP filter lists and filter actions.
2. In the Manage IP filter lists and filter actions dialog box, click the Manage Filter Actions tab, and then click Add. The Filter Action Wizard appears.
3. Create a filter action with the following specifications:
   - Name: Block
   - Description: Optional
   - Filter Action General Options: Block
4. In the Completing the IP Security Filter Action Wizard screen, clear the Edit properties check box, and then click Finish.
5. In the Manage IP filter lists and filter actions dialog box, click Close.
To create the IPsec policies
1. After you set the filter actions, in the Local Security Settings dialog box, right-click the right pane, and then select Create IP Security Policy. The IP Security Policy Wizard appears.
2. Create a policy with the following specifications:
   - Name: Packet Filter
   - Description: Optional
3. In the Requests for Secure Communication screen, clear the Activate the default response rule check box, and then click Next.
4. In the Completing the IP Security Policy Wizard screen, make sure that the Edit properties check box is selected, and then click Finish. The New IP Security Policy Properties dialog box appears. Do not close this dialog box.
To add rules to the policy
1. After you create the IPsec policies, in the New IP Security Policy Properties dialog box, click Add. The Security Rule Wizard appears.
2. Create a rule with the following specifications:
   - Tunnel endpoint: This rule does not specify a tunnel.
   - Network type: All network connections.
   - IP filter lists: All Inbound (or the name of your filter list that applies to inbound traffic on any port).
   - Filter Action: Block.
3. In the Completing the Security Rule Wizard screen, clear the Edit properties check box, and then click Finish.
4. In the New IP Security Policy Properties dialog box, click Close.
5. Repeat steps 1 through 4 to create rules that apply to the Inbound HTTP and Inbound HTTPS filter lists. For these rules, choose the Permit filter action.
To assign the IPsec policy
1. In the Local Security Settings dialog box, right-click the policy you created, and click Assign.
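The same policy built from the command line, as an added example that is not part of the original article: it uses the netsh ipsec static context of Windows Server 2003, assumes an elevated session on the server itself, and reuses the filter list, filter action and policy names from the walkthrough so the rule-specificity point above can be read straight off the rule definitions.

```powershell
# Added example, not the article's own text: builds the same "Packet Filter"
# policy with the netsh ipsec static context of Windows Server 2003 instead
# of the Local Security Policy console. Assumes an elevated session on the
# server; names match the walkthrough so the two can be compared side by side.
$Policy = "Packet Filter"

# Filter lists. dstaddr=me is "My IP Address", srcport=0 is "From any port".
# mirrored=yes on the permit lists also matches the server's replies, as the
# IP Filter Wizard does by default.
netsh ipsec static add filterlist name="Inbound HTTP"  description="All inbound HTTP connections"
netsh ipsec static add filter filterlist="Inbound HTTP"  srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80  mirrored=yes
netsh ipsec static add filterlist name="Inbound HTTPS" description="All inbound HTTPS connections"
netsh ipsec static add filter filterlist="Inbound HTTPS" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes

# mirrored=no keeps the catch-all list one-directional: only packets arriving
# at this host match it, so connections the server opens itself stay unfiltered.
# With Mirrored ticked in the wizard, the same Block rule also covers outbound.
netsh ipsec static add filterlist name="All Inbound"   description="Every port and protocol, inbound"
netsh ipsec static add filter filterlist="All Inbound"   srcaddr=any dstaddr=me protocol=any mirrored=no

# Filter action. "Permit" already exists as a built-in action, so only Block is added.
netsh ipsec static add filteraction name="Block" action=block

# Policy, with the default response rule left off (the wizard's cleared check box).
netsh ipsec static add policy name="$Policy" description="Allow only TCP 80 and 443 inbound" activatedefaultrule=no assign=no

# Rules: each pairs one filter list with one filter action. Order is irrelevant;
# the port-specific Permit rules win over the catch-all Block rule because the
# IPsec driver applies the most specific matching filter.
netsh ipsec static add rule name="Block All Inbound" policy="$Policy" filterlist="All Inbound"   filteraction="Block"  conntype=all
netsh ipsec static add rule name="Permit HTTP"       policy="$Policy" filterlist="Inbound HTTP"  filteraction="Permit" conntype=all
netsh ipsec static add rule name="Permit HTTPS"      policy="$Policy" filterlist="Inbound HTTPS" filteraction="Permit" conntype=all

# Review the result, then assign it. Only one policy can be assigned at a time.
netsh ipsec static show policy name="$Policy" level=verbose
netsh ipsec static set policy name="$Policy" assign=yes
```

Because the All Inbound rule blocks every other port the moment the policy is assigned, run this at the console or add a filter list and Permit rule for your remote-management port first.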
Thanks,
NetworkSupportSoltion