
Configuring an IPSec Rule

You can create customized IPSec policies, each with its own set of rules. Each policy can host more than one rule, and it is important to understand how these rules work because these rules govern how and when a policy is invoked. Any number of rules can be active simultaneously.

You can create or modify existing rules to meet your requirements. Filters are applied in the order of most-specific filters first.

EXERCISE 4.3

Setting IPSec to Run in Tunnel Mode

1. Open the Group Policy in the Properties dialog box of the object that you want to modify.

2. Navigate to the IP Security Policies In Active Directory node.

3. Select the setting in the right pane in which you want to set tunnel mode.

4. Open the setting’s Properties dialog box.

5. Select the rule that you want to modify and click Edit to open the Edit Rule Properties dialog box.

6. Click the Tunnel Setting tab.

7. Select The Tunnel Endpoint Is Specified By This IP Address.

8. Enter the IP address of the device that will act as the endpoint for the tunnel.

9. Click Apply.

10. Close the Properties dialog box and exit the Group Policy object.

4332.book Page 141 Wednesday, May 19, 2004 4:01 PM

A rule consists of the following components:

Tunnel endpoint A tunnel endpoint defines the IP address to which the tunnel will guarantee secured communications. There must be two rules to define an IPSec tunnel—one rule for each direction.

Network type Use this setting to select the scope of the rule. You can select All Network Connections, Local Area Network (LAN), or Remote Access (see Figure 4.4).

Authentication method You select the authentication method in the Authentication Methods tab. The default is Kerberos, as shown in Figure 4.5. If you click Add, you can select the other authentication methods supported in Windows, which are shown in Figure 4.6 and described below.

FIGURE 4.4 Configure the scope of the rule in the Connection Type tab.

FIGURE 4.5 The Authentication Methods tab

Understanding IPSec 143

FIGURE 4.6 Supported authentication methods that can be selected for any given rule

Windows Default (Kerberos) This is the default for Windows 2000 and Windows Server 2003.

This selection uses the Kerberos V5 authentication protocol. Any Kerberos-compliant clients can use Kerberos V5, even if they are not Windows-based clients. However, every client must be a member of a local or trusted domain.

Use A Certificate From This Certificate Authority (CA) This selection requires that a trusted CA be available and that both the sender and the receiver use a certificate issued by the trusted CA.

Use This String To Protect The Key Exchange (Preshared Key) This setting specifies a secret, shared key that both computers will use to encrypt and decrypt the packets. Obviously, this selection requires manual preconfiguration on both computers prior to its use.

Once a particular method is selected using the wizard, you can go back into the authentication methods tab for the policy and add another method for authentication.

IP filter list This selection defines which traffic will be secured by this rule. You can use the defaults of All ICMP Traffic (Internet Control Message Protocol) or All IP Traffic, or you can select the type of traffic that you want to include in the rule.

The filter is rather granular, allowing you to make selections in two areas: addressing and protocols. In addressing, you can select to filter traffic against any of the following defined addresses in Windows Server 2003 (see Figure 4.7):

My IP address

Any IP address

A specific IP address

A specific IP subnet

DNS Servers <dynamic>

WINS Servers <dynamic>


DHCP Servers <dynamic>

Default Gateway <dynamic>

To access the tab in Figure 4.7, first highlight the filter list that you wish to edit in the IP Filter List tab (either All ICMP Traffic or All IP Traffic) and then click the Edit button. This invokes the IP Filter List dialog box. Click the Edit button on this box, and the Filter Properties dialog box illustrated in Figure 4.7 opens.

In the Protocol tab, you can select to filter traffic against the following defined protocols and either any port number or a predefined port number (see Figure 4.8):

Any

EGP (Exterior Gateway Protocol)

HMP (Host Monitoring Protocol)

ICMP (Internet Control Message Protocol)

Other

RAW (protocol 255)

RVD (MIT Remote Virtual Disk Protocol)

TCP (Transmission Control Protocol)

UDP (User Datagram Protocol)

XNS-IDP (Xerox NS IDP)

Filter action The filter action lists the security actions that will occur when traffic matches the IP filter. These actions appear on the Filter Action tab in the Edit Rule Properties dialog box.

There are three basic default settings (see Figure 4.9):

Permit, which permits unsecured IP packets to pass.

Request Security (Optional), which means that the server will request secure methods of communicating but will transfer data in an unsecured manner too.

Require Security, which means that the server will accept unsecured connections but then will require clients to communicate using only secured methods. This selection instructs the server to not communicate with untrusted clients.

FIGURE 4.7 The Addresses tab in the Filter Properties dialog box

FIGURE 4.8 The Protocol tab in the Filter Properties dialog box

What is interesting here is how granular the filter action can be. Figure 4.10 shows the default settings for the Request Security (Optional) security methods, which can be navigated to by clicking the Protocol tab in the Filter Properties dialog box. Notice that this method allows unsecured communications, but that each connection is responded to with IPSec. What this means is that the server attempts IKE with each computer that connects to it in an attempt to communicate using IPSec.

FIGURE 4.9 The Filter Action tab in the Edit Rule Properties dialog box

FIGURE 4.10 The default settings for the Request Security (Optional) security method

The Session Key Perfect Forward Secrecy setting is cleared by default. Perfect forward secrecy (PFS), when selected, means that every time rekeying occurs, a new master key is also generated. Although this is the most secure setting possible, it also generates additional overhead for your server and should be selected only in highly secure environments. Because a new master key is generated, both server and client will need to renegotiate new key material, and this can create interoperability problems with some non-Microsoft products.

So when you put all of these parts together, you have the ability to create a rule that defines the following:

The scope (tunnel endpoint and network type)

The authentication method

Which traffic to secure (the IP filter list)

The actions to take when the rule is met (the filter action)
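The same four parts (scope, authentication method, IP filter list, filter action) can be assembled from the command line with the netsh ipsec static context that ships with Windows Server 2003, which is useful for scripting the tunnel-mode rule from Exercise 4.3 and for comparing the three default filter actions side by side. This is an added example, not from the book; the policy, filter list and action names, the two subnets (10.1.0.0/16 and 10.2.0.0/16), the gateway addresses (203.0.113.1 local, 203.0.113.2 remote) and the CA distinguished name are all constructed placeholders.

```batch
@echo off
rem Added example (not from the book). Requires the "netsh ipsec static" context
rem (Windows Server 2003 / XP SP2). Every name and address here is a placeholder.

rem 1. A policy to hold the rules. It stays unassigned until the last step.
netsh ipsec static add policy name="Branch Tunnel" description="Site-to-site tunnel example"

rem 2. IP filter lists. Tunnel rules must not be mirrored, so there is one list
rem    (and later one rule) per direction, as the Tunnel endpoint section says.
netsh ipsec static add filterlist name="To Branch"
netsh ipsec static add filter filterlist="To Branch" srcaddr=10.1.0.0 srcmask=255.255.0.0 dstaddr=10.2.0.0 dstmask=255.255.0.0 protocol=ANY mirrored=no
netsh ipsec static add filterlist name="From Branch"
netsh ipsec static add filter filterlist="From Branch" srcaddr=10.2.0.0 srcmask=255.255.0.0 dstaddr=10.1.0.0 dstmask=255.255.0.0 protocol=ANY mirrored=no

rem 3. Filter actions equivalent to the three defaults on the Filter Action tab.
rem    Permit: unsecured packets pass untouched.
netsh ipsec static add filteraction name="Permit" action=permit
rem    Request Security (Optional): negotiate IPSec, but fall back to clear
rem    text with peers that never answer IKE (soft=yes).
netsh ipsec static add filteraction name="Request Security" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]"
rem    Require Security: accept the first unsecured inbound packet and answer
rem    with IKE (inpass=yes), but never fall back to clear text (soft=no).
rem    qmpfs=yes enables Session Key PFS, which the book notes is off by
rem    default and costs a fresh master key on every rekey.
netsh ipsec static add filteraction name="Require Security" action=negotiate inpass=yes soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]"

rem 4. The rules: one per direction, each with its own tunnel endpoint (the
rem    Tunnel Setting tab) and certificate authentication from a trusted CA.
rem    Outbound traffic tunnels to the remote gateway; inbound terminates here.
netsh ipsec static add rule name="Outbound" policy="Branch Tunnel" filterlist="To Branch" filteraction="Require Security" tunnel=203.0.113.2 conntype=all rootca="C=US,O=Example,CN=Example Root CA"
netsh ipsec static add rule name="Inbound" policy="Branch Tunnel" filterlist="From Branch" filteraction="Require Security" tunnel=203.0.113.1 conntype=all rootca="C=US,O=Example,CN=Example Root CA"

rem 5. Review the result, then assign it (only one policy is active per computer).
netsh ipsec static show policy name="Branch Tunnel" level=verbose
netsh ipsec static set policy name="Branch Tunnel" assign=y
```

Swapping `filteraction="Require Security"` for `"Request Security"` in step 4 gives the optional behaviour shown in Figure 4.10, and `netsh ipsec static set policy name="Branch Tunnel" assign=n` unassigns the policy without deleting it if the results are not what you wanted.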

When taking the exam, it will be easy to get lost in the details of the question. Keep yourself focused on the larger picture and remember how to further secure traffic using an IPSec filter rule. For instance, if you need to secure traffic over the Internet, make sure that you have selected a tunnel endpoint. If you need to authenticate using certificates, you’ll need a CA trusted by all parties involved in the process. If you want to secure only certain types of traffic, understand that you are working with the IP filter list to select a protocol and port combination.

And if you want to tweak the actions to be taken when traffic meets the defined rules, you are working in the Filter Action area.

If, after applying a rule, you don’t like the results, you can restore default policies. Right-click the IP Security Policies Local Machine, choose Restore Default Policies from the shortcut menu, and then click Yes from the pop-up IP Security Policy Management message box.
