Establishing IPSec policies

By Brien M. Posey | Sep 13, 2000 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/624071/Establishing-IPSec-policies.htm

In the article " Understanding the IPSec protocol ," I explain how the IPSec policy is used within Windows 2000 to secure confidential communications across networks. Like most security systems, it has several settings you can use to control the way security is enforced. The primary way is through security policies. In this article, I'll introduce you to IPSec security policies.

Security policy basics

Existing security policies

When you load the MMC snap-in, you'll notice that there are three existing security policies:

  • Client (Respond Only)--Intended for computers that don't normally initiate secure transactions. This policy simply sets up the machine to respond to a request from another machine for a secure session.
  • Server (Require Security)--Renders the server incapable of sending or receiving data unless that data is secured.
  • Server (Request Security)--A more flexible policy. It secures all outbound packets. It will accept insecure inbound packets but will require the sender to secure them before it allows further communications.

By default, these policies are inactive. They offer a great place to start implementing the basic elements of your security policy. You can implement any or all of these three policies, modify them to meet your needs, or start completely from scratch.

Before we get started creating an IPSec policy, let's take a look at how they work. When you configure an IPSec policy, the policy is taken from the policy agent and applied directly to the IPSec driver, where it controls all aspects of IPSec security. There are several parts to an IPSec policy, as follows:

  • IP filter--A list that tells IPSec which inbound and outbound traffic should be secured, based on IP address, port number, and protocol.
  • IP filter list--Nothing more than the collection of all applicable IP filters.
  • Filter action--Tells the policy agent how items on the IP filter list should be secured.
  • Security method--The security algorithms used for key exchange and authentication.
  • Tunnel setting--Contains the IP address or the DNS name of the destination PC if you're using IPSec tunneling.
  • Connection type--Tells IPSec whether it's being used across a LAN or a wide area link. As you can imagine, the way that IPSec functions depends greatly on the physical environment.
  • Rule--A cumulative collection of the basic components already described. For example, a rule may consist of an IP filter, a filter action, the security method, the tunnel setting, and the connection type. You can use multiple rules to achieve your desired level of security.

Creating a security policy

Now that you understand a little bit about the components at work behind a security policy, it's time to create one. As with most things in Windows 2000, IPSec policies are installed and configured through the Microsoft Management Console (MMC). To access the IPSec policies, open a new MMC session by entering "MMC" at the Run prompt. When the management console loads, select the Console|Add/Remove Snap In command. Next, click the Add button and select IP Security Policy Management from the list of snap-ins. When the snap-in loads, a dialog box asks you to indicate which computer the snap-in will manage. You can choose between the local computer, the computer's domain, another computer, or another domain.

To create your own policy, right click on the IP Security Policies On key in the management console and select the Create IP Security Policy command from the resulting context menu. Click Next to begin the IP Security Policy Wizard.]]When you do, you'll see the IP Security Policy Wizard. Click Next to begin the wizard.

In the the first screen you'll need to enter a name and description for the policy you're creating. Be sure to enter a detailed description in case you have trouble remembering what a particular policy does later on. After you've entered this information and clicked Next, you'll see a screen asking how you want the machine to respond to requests for secure communications. The default function is to go into secure mode, should a computer ask for it. However you can disable this functionality, if necessary, by deselecting the Activate The Default Response Rule check box.

If you've chosen the default response rule, the next screen that will ask for the Default Response Rule Authentication Method. By default, the Kerberos V5 protocol is chosen. Although this protocol works well, keep in mind that it has two big limitations. First, it's only effective among Windows 2000 machines. Second, the machines involved must belong to the same domain. If these two conditions rule out your using Kerberos V5, your next best choice is to use a certificate from a certificate authority. Of course, you can also choose to enter your own preshared key.

The next screen informs you that you've completed the wizard. However, if you'd like to fine-tune your policy a bit, select the Edit Properties check box before clicking the Finish button. If you select this option, you'll see the newly created rule's properties sheet when you click Finished.

As I mentioned above, a policy is simply a collection of rules. The properties sheet you're looking at contains the Default Response rule that you either enabled or disabled earlier. However, you'll probably want your security policy to do more than just regulate the default response. If so, you can add more rules to the policy. You can do this through the Add Rules Wizard or through the various properties sheets. My personal preference is not to use the wizard, because I like to see what's really going on. If you don't want to use the wizard, deselect the Use Add Wizard before clicking the Add button. Otherwise, simply click Add to use the wizard.

When you click Add, you'll see the New Rule Properties sheet shown in Figure 1, which consists of five tabs. The default tab is the IP Filter list. This list allows you to choose between filtering all ICMP traffic or all IP traffic. You can also establish custom filters via the Add, Edit, and Remove buttons.

Figure 1: The New Rule Properties sheet

Once you've decided which traffic to filter, select the Filter Action tab. This tab allows you to determine how the filter will test for and require secure traffic. You can do things like allow insecure traffic, request secure traffic, or require secure traffic. You can also use the buttons at the bottom of the tab to establish custom filter actions.

Next, select the Authentication Methods tab, shown in Figure 2. This tab allows you to determine which authentication method will be used when preparing to exchange secure data. The default method is to use Kerberos. Kerberos does have its limits, as I noted above. Alternatively, you can use an authentication method preference order. The machine will try to use Kerberos first; but if the computer that it's trying to communicate with doesn't support Kerberos, it will automatically test to see if the other computer supports the next authentication method on the list.

Figure 2: The Authentication Methods tab.

Now, select the Tunnel Setting tab. If you're using an IPSec tunnel to secure data, you'll have to use the Tunnel Setting tab to specify the tunnel's end point. The tunnel's end point may be specified in the form of either an IP address or a DNS name, and should always refer to the end point that's located the closest to the data's final destination.

The last tab is the Connection Type tab, which allows you to set the types of network traffic that you want the rule to apply to. For example, as you might guess, secured traffic tends to require more bandwidth than insecure traffic. Therefore, you might want to limit this level of security to your local network to avoid congesting your slower wide area links. On the other hand, you might feel pretty good about your local security, but think that the IPSec rules need to apply only to wide area links. And of course, you can always apply security to all network connections. Whatever your security philosophy, you can determine which links it should be applied to through the Connection type tab. Simply select the radio button that corresponds to the type of traffic that you want to secure. //

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the Director of Information Systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.