Filter network traffic with IPsec filtering rules

Windows XP comes with its own software firewall that can be used to control what information travels between your customers' PCs and the Internet. You can also control what enters and exits their PCs by using IPsec filtering

    Requires Free Membership to View

rules to filter particular protocol and port combinations for both inbound and outbound network traffic. Traditionally it's been used to secure remote access connections, but you can use it to secure internal network traffic against eavesdropping and modification.

IPsec filtering rules are implemented by creating and assigning an IPsec Policy through Group Policy, which allows IPsec settings to be configured at the domain, site or organizational unit level. The first step is to create and define the filtering rules and actions, which control the protocols, ports and IP addresses that are allowed or blocked. These rules will be based on the policies for secure operations as agreed upon with your customer. To manage IPsec policies for domain members using the IP Security Policies snap-in, you will need to select to manage "The Active Directory Domain of which this computer is a member". You can now add, edit and remove filters by right-clicking IP Security Policies in the left pane of the MMC console, and selecting Manage IP Filter Lists and Filter Actions. The next step is to create an IPsec Policy by adding the various IP Filters and Filter Actions to the new Policy. To assign the IPsec Policy to Group Policy, select the Group Policy object to which you want to assign the IPsec Policy. Next, expand the Computer Configuration view and click the IP Security Policies folder, then right-click the Policy you want to assign, and click Assign.

An IPsec Policy can contain several different filter rules and actions, making it very flexible. As well as controlling access to domains and computers, it can be used to block access to certain sites or applications, such as chat rooms. The IPsec protocol can also be used to provide data privacy, integrity and authenticity, but it can't secure all types of network traffic -- see the Microsoft Knowledge Base article 253169 for further details.

A word of caution: when using IPsec filter rules you need to have a clear understanding of the impact of blocking specific ports. For example, blocking port 135 to guard against the DCOM RPC vulnerability can impact the functionality of Active Directory and Microsoft Exchange, which also use port 135. It's important, therefore, to test the filters to ensure that you have accomplished your intended goals. Microsoft Service Pack 2 for XP includes a command line tool IPSeccmd.exe, which can be used to manage IPsec policy and filtering rules, but it's not that intuitive to use. Thankfully, Vista is integrating firewall filtering functions and IPsec protection settings. These will now be managed using a single snap-in called Windows Firewall with Advanced Security. This means it's far less likely that you will set up firewall filters that conflict with IPsec policies and prevent your customer's network traffic from working the way you intend.

About the author
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book
IIS Security and has written numerous technical articles for leading IT publications including SearchSecurity.com.

This was first published in December 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.