What are IPSEC Policies and how do I work with them?
If you’ve studied Windows 2000 security much, then you know that one of the biggest security features that’s included in Windows 2000 is the IPSec protocol. IPSec is a protocol that’s designed to protect individual TCP/IP packets traveling across your network by using public key encryption. In a nut shell, the source PC encapsulates the normal IP packet inside of an encrypted IPSec packet. This packet then remains encrypted until it arrives at the destination PC. While this concept sounds simple enough, there’s actually quite a bit that you need to know about IPSec before you can effectively use it on your network.
One of the first things that you should know about IPSec is that it’s slower than a normal IP packet because of the larger packet size and the overhead required for encryption and decryption. The larger packet size also means that IPSec can consume more network bandwidth than traditional IP packets. Needless to say, you probably only want to use IPSec for communications that really need to be secure. Fortunately, using IPSec isn’t an all or nothing situation. There are ways for telling Windows which communications need to be performed through IPSec and which communications can be sent through traditional packets. Such rules can be established through the use of IPSec policies. In this article, I’ll introduce you to the concept of IPSec policies. As I do, I’ll explain how to implement various types of IPSec policies in your organization.
What’s an IPSec Policy?
An IPSec policy is nothing more than a set of rules that govern when and how Windows 2000 uses the IPSec protocol. The IPSec policy interacts directly with the IPSec driver. The policy tells Windows such things as which data to secure and which security method to use.
Elements of an IPSec Policy
Before I jump right in to showing you how to work with IPSec policies, I wanted to take a few moments and explain the basic elements of an IPSec policy. You’ll need to know what each of these elements are and what they do before you’ll be able to effectively use them.
IPSec policies work by determining which IP traffic should be secured and which IP packets should be left alone. This is accomplished through the use of an IP filter list, individual IP filters, and filter actions. The IP filter is a tells Windows that a certain types of IP packets need to have some type of action applied to them. In this case that action (the filter action) may be to secure the packets. The IP filter list is a collection of individual filters that the filter action is applied to.
Once you’ve established the basic IP filtering, you’ll have to provide the IPSec policies with some information about your network. This information may include things like the security method to use, the connection type, and the tunnel settings. The security method simply dictates which security algorithms should be used during the authentication process and which algorithms should be used for key exchanges. The connection type refers to whether the policy should be applied to remote access connections, LAN connections, or all network connections regardless of the type. The tunnel settings are only used if you’re using IPSec over a virtual private network. The tunnel settings define the DNS name or the IP address of the tunnel’s end point.
Each of the elements that I’ve described in this section combined together form a rule. An IPSec policy is a collection of one or more rules.
Editing The Built In IPSec Policies
Now that you know what goes into an IPSec policy, let’s look at a real life policy. To do so do the following:
Open an MMC window (Start > Run > MMC).
Add the IP Security and Policy Management Snap-In.
In the Select which computer this policy will manage window select the local computer (or any other policy depending upon your needs). Click Close then click Ok.
Now, click the Close button followed by the OK button and you’ll see the IP Security Policy Management snap-in added to the console.
If you select the IP Security Policies On Active Directory object from the Console tree, you’ll see that there are three built in IPSec policies. You can either implement these policies into your network as is, or you can use them as a building block for more complex policies. There are 3 default policies already installed:
The first policy on the list is the Client (Respond Only) policy. This policy is designed to be run on client machines that don’t normally need to worry about security. The policy is designed in such a way that the client will never initiate secure communications on its own. However, if a server requests that the client go into secure communications mode, the client will respond appropriately.
The next policy on the list is the Secure Server (Require Security) policy. This policy is only appropriate for servers that require all communications to be secure. Once this policy has been applied, the server will neither send or accept insecure communications. Any client wanting to communicate with the server must use at least the minimum level of security described by the policy.
The final policy on the list is the Server (Request Security) policy. Contrary to the name, this policy can be used on both client and server PCs. This policy will use IPSec security for all outbound security. However, this policy will accept insecure inbound communications. If a client requests a secure session, the policy will allow the client to establish one.
Now that you’re familiar with the individual policies, let’s revue the procedure that you’d use for editing one of them. Because the Secure Server (Require Security) policy is the most complex of the three, let’s look at it more closely. To do so, right click on the policy and select the Properties command from the resulting context menu. When you do, you’ll see the policy’s properties sheet.
By default, the Rules tab will be selected. The Rules tab displays a list of all of the rules contained in the policy. Each rule has a check box next to it. If the check box contains a check mark then the rule is active within the policy. You can edit any of the rules by selecting the rule and clicking the Edit button.
When you edit a rule, you’ll see the Edit Rule Properties sheet. This properties sheet contains five different tabs.
The default tab is the IP Filter List tab. This tab allows you to add, edit, and remove IP filters.
The adjacent tab is the Filter Action tab. The Filter Action tab contains three different radio buttons. These radio buttons allow you to select the type of filter action that you want to use. You can allow insecure IP traffic, or you can set up the filter action to request security or to require security. You can manipulate any of the built in settings by selecting the filter action and clicking either the Add, Edit or Remove button.
On the next row of tabs, the first tab that you’ll come to is the Authentication Methods tab. By default, this tab is set to use Kerberos. However, by using the Add, Edit and Remove buttons you can set the Authentication Method to use a certificate server or to use a pre shared key.
The next tab that you’ll encounter is the Tunnel Settings tab. By default, the rules within this IPSec policy don’t apply to a tunnel. However, you could easily change all that by selecting the The Tunnel Endpoint Is Specified By This IP Address radio button, and entering the corresponding IP address.
The final tab on the Edit Rule Properties sheet is the Connection Type tab. This tab allows you to specify whether the rule should apply to remote access traffic, Local Area Network (LAN) traffic, or all network traffic, by selecting the corresponding radio button.
When you’ve finished editing a rule, click the OK button twice to return to the main console screen.
Creating an IPSec Policy
Now that you know how to edit an existing policy, let’s take a look at the procedure for building a new policy from the ground up. To create a new policy, return to the main console screen and right click on the IP Security Policies on Active Directory container and select the Create IP Security Policy command from the resulting context menu.
When you do, Windows will launch the IP Security Policy Wizard. Click Next to skip the introduction screen.
The next screen that you’ll encounter asks you to specify the name and a description for the policy that you’re creating. Enter this information and click Next to continue.
At this point, you’ll see a screen that explains that in order for there to be any amount of security, the policy must contain a rule that allows it to respond to requests for secure communications. Assuming that you want to leave this rule enabled, make sure that the Activate The Default Response Rule check box is selected and then click Next to move on.
The next screen you’ll see is a screen that asks which security method that you want to use for the default rule. By default, Windows is set to use Kerberos version 5. You can select any of the available options, but the Wizard will only let you select one authentication method. You can enable multiple authentication methods, but to do so, you’ll have to go back later on and edit the rule in the same manner as I used earlier. Click Next to continue.
At this point, you’ll see a screen that informs you that you’ve completed the wizard and established a basic IPSec policy. The wizard also gives you the option of editing the policy that you just created. All you have to do is to make sure that the Edit Properties check box is selected and then click the Finish button.
Windows will now open the properties sheet for the policy that you just created. If you need to modify the default rule, you can do so by selecting the rule and clicking the Edit button. The process for editing this rule is identical to the process that I described earlier.
Often times, a single rule simply isn’t enough for a policy. You can add other rules to the policy by making sure that the Use Add Wizard check box is selected and then clicking the Add button. This will launch the Security Rule Wizard. This wizard is a little bit different from the wizard that you used earlier.
Begin by clicking the Next button to bypass the introduction screen. The next screen that you’ll encounter asks if the rule will apply to a tunnel. If the rule applies to a tunnel, select the appropriate radio button and enter the IP address of the tunnel’s end point. Otherwise, select the This Rule Does Not Specify A Tunnel radio button and click Next.
You’ll now see a screen that asks what type of network traffic that the rule should apply to. Select either All Network Connections, Local Area Network (LAN), or Remote Access and click Next.
Next, you’ll see a screen that asks for the authentication method to be used. This screen is identical to the one that you saw earlier. Choose your authentication method and click Next.
The next screen that you’ll see asks if the rule should apply to IP traffic or to ICMP traffic. Make your selection and click the Edit button. You’ll now have the opportunity to configure the filtering options for the protocol that you’ve selected. When you’ve made your selection, click OK followed by next.
You’ll now see a screen similar to the one that you saw earlier. It asks whether you want to use Permit, Request Security, or Require Security as your filter action. Make your selection and click Next. You can also click Add to add a new filter action (if, for example, you want to block all specific traffic, and not to negotiate security…).
You’ll now see the last screen of the wizard. This screen gives you the chance to edit the properties of the rule that you just created by selecting the Edit Properties check box. Whether or not you want to edit the rule’s properties, click the Finish button to close the wizard.
Back in the MMC window right-click the new IPSec policy you’ve just created and select Assign (screenshot made of a policy called Block Ping, but I believe you’ll get the point).
As you can see, IPSec policies can go a long way to controlling the way that Windows handles IPSec traffic. If your network needs to secure some, but not all of the traffic flowing across it, you can free up a lot of bandwidth by creating the appropriate IPSec policies.
This article is based upon the excellent article – Working With IPSec Policies by Brien M. Posey.
You may find these related articles of interest to you:
Article based upon the excellent article – Working With IPSec Policies by Brien M. Posey