Using Internet Protocol Security Policies

IPSec provides end-to-end security for network communications—in the form of confidentiality, integrity, and authentication—using public-key technology to protect individual IP packets. Chapter 18 provides a description of this protocol. This section covers the MMC snap-in for IPSec configuration, IP Security Policy Management.

To add the IP Security Policy Management snap-in to the MMC, select Add/Remove Snap-In from the Console menu. Click Add and select IP Security Policy Management from the list of available snap-ins. The dialog box that appears allows you to select the range of management: the local computer, the local computer's domain, another domain, or another computer.

Defining IPSec Policies

An IPSec policy is passed from the policy agent to the IPSec driver and defines proper procedures for all facets of the protocol, from when and how to secure data to what security methods to use. Policies can get a bit involved. Before jumping into the actual configuration, let's go over some terminology by defining the components of an IPSec policy:

  • IP filter A subset of network traffic based on IP address, port, and transport protocol. It tells the IPSec driver what outbound and inbound traffic should be secured.
  • IP filter list The concatenation of one or more IP filters, defining a range of network traffic.
  • Filter action How the IPSec driver should secure network traffic.
  • Security method Security algorithms and types used for authentication and key exchange.
  • Tunnel setting The IP address or DNS name of the tunnel endpoint (if using IPSec tunneling to protect the packet destination).
  • Connection type The type of connection affected by the IPSec policy: remote access, LAN, or all network connections.
  • Rule A composite of the components: an IP filter, a filter action, the security methods, a tunnel setting, and a connection type. An IPSec policy can have multiple rules to protect each subset of network traffic differently.

Using Predefined IPSec Policies

Three basic predefined policies are available for immediate use or as a starting point for more involved IPSec policies. Figure 19-13 shows the predefined policies.

Figure 19-13. The three predefined IPSec policies.

The Client (Respond Only) policy should be used on computers that normally do not send secured data. This policy does not initiate secure communications. If security is requested by a server, the client responds, securing only the requested protocol and port traffic with that server.

The Server (Request Security) policy can be used on any computer—client or server—that needs to initiate secure communications. Unlike the Client policy, the Server policy attempts to protect all outbound transmissions. Unsecured inbound transmissions are accepted but not resolved until IPSec requests security from the sender for all subsequent transmissions. The strictest of the predefined policies, the Secure Server (Require Security) policy neither sends nor accepts unsecured transmissions. Clients attempting to communicate with a secure server must use at least the Server predefined policy or an equivalent.

The section that follows demonstrates how to generate an IPSec policy from scratch. Let's first peruse one of the predefined policies to get our feet wet. Right-click the Secure Server policy and choose Properties to bring up the Secure Server (Require Security) Properties dialog box, with the Rules tab in the foreground, as shown in Figure 19-14.

Figure 19-14. The Secure Server (Require Security) Properties dialog box.

This policy has three rules, all activated, as indicated by the check marks. The first rule has an IP filter of All IP Traffic, a filter action of Require Security, an authentication method of Kerberos, a tunnel setting of None, and a connection type of All. A rule can be added or removed from this list with the appropriate buttons. Clicking Edit brings up an Edit Rule Properties dialog box with five tabs, one for configuring each field of the rule (Figure 19-15).

Figure 19-15. The Edit Rule Properties dialog box.

We'll explore these configurations in the next section. Back in the Secure Server (Require Security) Properties dialog box (Figure 19-14), you can view the general properties of the policy—including a policy description and minute intervals at which to check for policy change—by clicking the General tab.

Clicking Advanced in the General tab displays a Key Exchange Settings dialog box, shown in Figure 19-16. This dialog box allows you to specify the life of a key in minutes or sessions. Using a short key lifetime makes transmission more secure by increasing the number of keys that an attacker would have to break, but it adds overhead to transmission time. Selecting the Master Key Perfect Forward Secrecy check box ensures that existing keys cannot be reused to generate additional keys. This option should be used with caution, as it adds significant overhead. Clicking Methods allows you to select security methods and preference order. A security method includes an encryption and integrity algorithm, along with a Diffie-Hellman group, which affects key generation.

Figure 19-16. The Key Exchange Settings dialog box.

Creating an IPSec Policy

In addition to using a predefined IPSec policy as a template, an administrator can generate policies from the ground up with the IP Security Policies item in the MMC. A custom policy can be restrictive or permissive, simple or powerful, depending on the function of the machine, the environment in which it operates, and the types of systems it communicates with.

To add an IPSec policy, right-click the IP Security Policies item in the MMC and select Create IP Security Policy. You're presented with the IP Security Policy Wizard. The following steps guide you through this wizard:

  1. Click Next at the welcome screen.
  2. In the next screen, enter a meaningful policy name and description and click Next.
  3. Select or clear the Activate The Default Response Rule check box, based on whether the policy should allow negotiation with computers that request IPSec. Clearing this check box adds an inactivated response rule to the policy. Click Next.
  4. If you selected the Activate The Default Response Rule check box in the previous step, you see the dialog box shown in Figure 19-17, in which you choose the authentication method. Kerberos version 5 is the Windows 2000 default protocol but is allowed only on machines that are members of a domain. The second choice, Use A Certificate From This Certificate Authority (CA), promotes public-key authentication. You'll need to choose a certificate authority that is appropriate for the certificate to be used. The third and final option allows you to type a preshared key to be used for key exchange. This string must also be known by the requesting computer for successful exchange. Click Next when you've made your choice.
  5. Select the Edit Properties check box if you want to display the policy's Properties dialog box. You can also display this window by right-clicking the policy once it's listed and choosing Properties.

Figure 19-17. Choosing an authentication method for the Default Response rule.

Editing an IPSec Policy

The previous section showed how to create an IPSec policy, but to really add functionality to your policy, you'll need to edit it. (To do so, right-click the policy and choose Properties.) Figure 19-14 in the previous section shows the Properties dialog box for an IPSec policy. A newly created policy contains only one default response rule, which will be activated—or not activated—depending on the choices you made in the wizard during policy creation.

You add functionality to an IPSec policy by creating rules that govern when and how security should be supplied. Each combination of a filter list, filter action, authentication method, tunnel setting, and connection type is a separate rule.

Rules can be added manually or with the Add Wizard; both accomplish the same thing, but the wizard is a bit friendlier. We'll turn off the Add Wizard by clearing the Use Add Wizard check box in the lower right corner of the Properties dialog box for the policy. Doing so allows us to explore each aspect of a rule in its native dialog box. Editing rules after they're created will be done through this interface as well.

With the Add Wizard turned off, click Add. You're presented with the New Rule Properties dialog box, which, except for the title, is the same as the Edit Rule Properties dialog box shown in Figure 19-15. The dialog box has five tabs, one for each element of a rule. We'll look at each of the tabs in turn.

IP Filter List The IP filter list is made up of one or more filters that specify which network traffic to act on. As shown in Figure 19-18, the All IP Traffic and the All ICMP Traffic filter lists are added by default but are not activated. In the figure, a third filter list has been added and activated by clicking its option button.

Figure 19-18. The IP Filter List tab of the New Rule Properties dialog box.

Clicking Add brings up the IP Filter List dialog box, which allows you to specify filters to include in a customized filter list. Figure 19-19 shows a filter list under construction. Here, if you click Add with the Use Add Wizard check box selected, the IP Filter Wizard starts and lets you construct a new filter based on the following categories:

  • Addressing Filters the source and destination addresses specified by IP address (My IP Address, Any IP Address, Specific IP Address, or Specific IP Subnet) or a specific DNS name.
  • Protocol Filters by protocol type, such as TCP, and source and destination ports.

Figure 19-19. The IP Filter List dialog box.

Filter Action The filter action determines how the IPSec driver responds to those computers represented by entries in the filter list and what security methods to use. You can choose one of the supplied actions shown in Figure 19-20 by selecting it, or you can add your own action.

The Request Security action causes the driver to attempt to establish secure communications with the client, but if this is unsuccessful it communicates without security. The Require Security action requires clients to establish trust and security methods. The Permit action allows unsecured IP packets to pass through.

Figure 19-20. The Filter Action tab of the New Rule Properties dialog box.

Adding an action involves choosing a filter name, a description, and general behavior that either permits communications, blocks communications, or negotiates security. If you choose to negotiate security, you'll need to configure two other areas. Under Handling Non-IPSec Clients, you choose either not to communicate with computers that don't support IPSec or to allow unsecured communication.

You also select a Security Method: high (encrypted, authenticated, and unmodified), medium (authenticated and unmodified), or custom. For the custom security method, you'll choose encryption and integrity algorithms and specify session key settings, such as how often to generate new keys.
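The following added example (not code from the book or from Windows; a model written for this section) shows how the rule components defined earlier fit together: IP filters using the Addressing and Protocol categories, a filter list per rule, and a filter action of Permit, Block, Request Security or Require Security, including the Handling Non-IPSec Clients behaviour. The "My IP Address" value, the rules and the packets are constructed, and it assumes rules are consulted in list order.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_IP = ip_address("10.0.0.5")  # constructed value standing in for "My IP Address"

@dataclass(frozen=True)
class IPFilter:
    src: str              # "any", "me", a host address, or a subnet in CIDR form
    dst: str
    protocol: str = "any" # "tcp", "udp", "icmp" or "any"
    dst_port: int = 0     # 0 means any destination port

    @staticmethod
    def _addr_ok(spec, addr):
        if spec == "any":
            return True
        if spec == "me":
            return addr == MY_IP
        return addr in ip_network(spec, strict=False)

    def matches(self, src, dst, protocol, dst_port=0):
        return (self._addr_ok(self.src, ip_address(src))
                and self._addr_ok(self.dst, ip_address(dst))
                and self.protocol in ("any", protocol)
                and self.dst_port in (0, dst_port))

@dataclass(frozen=True)
class Rule:
    filters: tuple   # the rule's IP filter list
    action: str      # "permit", "block", "request" or "require" (negotiate)

def evaluate(rules, src, dst, protocol, dst_port=0, peer_supports_ipsec=True):
    """Outcome for one outbound packet; assumes rules are checked in list order."""
    for rule in rules:
        if any(f.matches(src, dst, protocol, dst_port) for f in rule.filters):
            if rule.action in ("permit", "block"):
                return rule.action
            if peer_supports_ipsec:
                return "secured"  # negotiation succeeded
            # Non-IPSec peer: Request Security falls back to clear text, Require refuses
            return "unsecured" if rule.action == "request" else "blocked"
    return "permit"  # no filter matched: IPSec leaves the packet alone

# Constructed policy: permit ICMP, require security for HTTP from one subnet, request otherwise
RULES = (
    Rule((IPFilter("any", "any", "icmp"),), "permit"),
    Rule((IPFilter("192.168.1.0/24", "me", "tcp", 80),), "require"),
    Rule((IPFilter("any", "any"),), "request"),
)
```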

Authentication Methods The authentication method specifies how trust will be established with the remote computer. You can specify one or more methods to use when requesting secure communications or when being asked for secure communications. Figure 19-21 shows three allowable authentication methods, listed in order of preference. Change the priority of a method with the Move Up and Move Down buttons. The Add button provides you with three choices for a new method:

  • Windows 2000 Default (Kerberos V5 Protocol) This option provides the easiest configuration as long as all clients are running the Kerberos V5 protocol and are members of a trusted domain.
  • Use A Certificate This option uses public-key certificates for authentication. You'll need to specify the certificate authority of users or entities to authenticate. To allow authentication for users under separate CAs, add a separate authentication method for each.
  • Use This String To Protect The Key Exchange This option uses a preshared key that you specify in the box provided. You can use multiple preshared keys by adding other authentication methods.

Figure 19-21. The Authentication Methods tab of the New Rule Properties dialog box.

Tunnel Setting The Tunnel Setting tab allows you to specify a tunneling endpoint if you choose to invoke IPSec tunneling. The endpoint can be specified as a DNS name if you're running the DNS service on your network, or it can be in the form of an IP address.

Connection Type Finally, the Connection Type tab allows you to further refine a rule based on connection type. The All Network Connections option is set as the default; you can instead select either Local Area Network or Remote Access to create a stricter rule.

Assigning IPSec Policies

Once an IPSec policy has been established in the IP Security Policies item in MMC, it can be applied to a single machine or to a set of computers governed by a Group Policy object. To assign an IPSec policy to a local machine, right-click the policy name and choose Assign from the shortcut menu. The active policy's icon includes a green dot. If another policy has already been assigned, this action resets that policy for this computer. Assign IPSec policies to groups by selecting the target Group Policy object in the MMC. Under this object, expand Computer Configuration, Windows Settings, and then Security Settings. Select IP Security Policies, right-click the desired policy, and choose Assign.

IPSec policies can be transferred using the Import Policies and Export Policies commands on the Action menu under All Tasks.


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320