Chapter 10, Securing Network Protocols
Chapter 10, Lesson 1
Using Packet Filters
1. Understanding Packet Filtering
|1| A. Packet filtering enables you to control which data packets are
permitted to enter a computer, based on TCP/IP criteria such as port and
protocol numbers.
1. The system examines each packet arriving
over the network interface and either admits it or discards it based on the
values of specific fields in the protocol headers.
2. Packet filters can be inclusive or
exclusive, meaning that the filter configuration you create can specify either
that traffic be blocked or be permitted.
|2| B. Packet
filtering is a security technique most commonly used by routers or by dedicated
firewalls that are used to isolate a private network from the Internet.
1. Windows 2000 has rudimentary packet
filtering capabilities built into its TCP/IP client that you can use to protect
an individual computer.
2. Windows 2000 RRAS includes a more
comprehensive packet filtering mechanism that you can use to set filters for
specific network interfaces and for incoming or outgoing traffic.
C. Effective packet filtering requires an understanding of how the
TCP/IP protocols work and of how potential intruders think.
|3| D. The packet-filtering mechanism included with Windows 2000 is
relatively limited, but a full-featured firewall can filter packets based on
any of the following characteristics:
1. Hardware addresses
a. Packet filtering based on hardware
addresses enables only certain computers to transmit data through the filter.
b. This type of filtering is not usually used
to protect networks from unauthorized Internet access, but you can use this
technique in an internal firewall to permit only specific computers to access a
particular network.
c. The advantage of this type of filtering
is that it is more difficult for intruders to masquerade as another user.
(1) It is a simple matter to change the IP
address of a computer to masquerade as another system, but because hardware
addresses are coded into network interface adapters, they cannot be changed as
easily.
2. IP addresses
a. You can use IP address filtering to permit
only the traffic destined to, or originating from, specific addresses to pass
through the filter.
3. Protocol identifiers
a. The IP header’s Protocol field contains a
code specifying the protocol that generated the payload carried in the
datagram.
(1) Windows 2000 can filter packets based on
this code, enabling only Transmission Control Protocol (TCP), User Datagram
Protocol (UDP), Internet Control Message Protocol (ICMP) packets, or all three,
to enter the system.
4. Port numbers
a. The port number fields in the TCP and UDP
headers identify the application that generated the data carried in a packet.
b. By filtering packets based on the source
or destination port number, you can be more specific about the types of traffic
you allow into a computer or onto a network.
(1) This is called service-dependent filtering.
E. The strength of the firewall protection provided by packet
filtering is its ability to combine the various types of filters.
F. Packet-filtering capabilities usually are included in router
products, whether the router is a stand-alone hardware device or a software
product such as Windows 2000.
1. The RRAS packet filters built into
Microsoft Windows 2000 Server prevent unwanted traffic from passing through a
computer running Windows 2000 that is configured to function as a router.
G. The main drawback of packet filtering is that it requires a
detailed understanding of TCP/IP communications and how potential intruders
think.
H. When you use packet filtering on a router, you introduce an
extra level of processing overhead because the router must run each packet
through the entire list of filters.
2. Configuring Packet Filters in the TCP/IP Client
A. To configure TCP/IP client packet filtering:
1. Click Start, point to Settings, and then
select Network And Dial-Up Connections to display the Network And Dial-Up
Connections window.
2. Select the Local Area Connection icon,
and then select Properties from the File menu to display the Local Area
Connection properties dialog box.
3. Select Internet Protocol (TCP/IP), and
then click Properties to open the Internet Protocol (TCP/IP) Properties dialog
box.
4. Click Advanced to open the Advanced
TCP/IP Settings dialog box, and then select the Options tab.
5. Select TCP/IP Filtering, and then click
Properties to open the TCP/IP Filtering dialog box.
6. Select the Enable TCP/IP Filtering (All
Adapters) check box if you want to apply your filters to all the network
interfaces on the computer.
7. To create a packet filter based on TCP
port numbers, click Permit Only to activate the TCP Ports list.
8. Click Add to open the Add Filter dialog
box, and then type a port number in the TCP Port
box.
9. Click OK to add the port to the TCP Ports
list.
10. Repeat steps 8–9 to add TCP port numbers to
the filter.
11. To create a packet filter based on UDP port
numbers, click Permit Only to activate the UDP Ports list, and then repeat
steps 8–9.
12. To create a packet filter based on the
Protocol field of the IP header, click Permit Only to activate the IP Protocols
list.
13. Click Add to open the Add Filter dialog
box, and then type a protocol number in the IP Protocol box.
a. Specifying the value 1 has no effect
because the TCP/IP client’s filtering mechanism cannot block ICMP traffic.
14. Click OK to add the protocol to the IP
Protocols list.
15. Click OK to set the filters you have
created and close the TCP/IP Filtering dialog box.
16. Close all the dialog boxes you opened, and
then restart the computer when you are prompted to do so.
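The following is an added example, not part of the lesson and not Microsoft's code: a constructed model of what the Permit Only lists configured in steps 6 through 15 do to arriving packets, including the caveat from step 13a that this mechanism cannot block ICMP. The order in which the IP Protocols list and the per-protocol port lists are consulted is an assumption of the model.

```python
# Constructed model of the Windows 2000 TCP/IP client filter (not Microsoft's
# code). Each of the three lists is either PERMIT_ALL (the dialog's default)
# or a "Permit Only" set. ICMP is passed regardless, as step 13a notes.
from dataclasses import dataclass
from typing import FrozenSet, Optional

ICMP, TCP, UDP = 1, 6, 17
PERMIT_ALL = None  # a list left at None means "Permit All" in the dialog


@dataclass(frozen=True)
class Packet:
    protocol: int                   # value of the IP header's Protocol field
    dst_port: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass
class ClientFilter:
    tcp_ports: Optional[FrozenSet[int]] = PERMIT_ALL
    udp_ports: Optional[FrozenSet[int]] = PERMIT_ALL
    ip_protocols: Optional[FrozenSet[int]] = PERMIT_ALL

    def admits(self, pkt: Packet) -> bool:
        """True if the host's TCP/IP client would accept the packet."""
        if pkt.protocol == ICMP:
            return True  # cannot be blocked by this mechanism (step 13a)
        # Assumption: the IP Protocols list is checked first, then the
        # port list that belongs to the packet's protocol.
        if self.ip_protocols is not PERMIT_ALL and pkt.protocol not in self.ip_protocols:
            return False
        if pkt.protocol == TCP and self.tcp_ports is not PERMIT_ALL:
            return pkt.dst_port in self.tcp_ports
        if pkt.protocol == UDP and self.udp_ports is not PERMIT_ALL:
            return pkt.dst_port in self.udp_ports
        return True


def web_server_filter() -> ClientFilter:
    """Filter a Web/DNS host would get from steps 6-15 (constructed values)."""
    return ClientFilter(tcp_ports=frozenset({80, 443}),
                        udp_ports=frozenset({53}),
                        ip_protocols=frozenset({TCP, UDP}))


def verdicts(flt: ClientFilter) -> dict:
    """Run constructed sample packets through the filter; returns name -> admitted."""
    samples = {
        "http": Packet(TCP, 80),
        "rdp":  Packet(TCP, 3389),
        "dns":  Packet(UDP, 53),
        "snmp": Packet(UDP, 161),
        "gre":  Packet(47),      # protocol number not in the Permit Only list
        "ping": Packet(ICMP),    # admitted even though 1 is not listed
    }
    return {name: flt.admits(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, ok in verdicts(web_server_filter()).items():
        print(f"{name:5s} {'admit' if ok else 'drop'}")
```

The "ping" result is the point to take away: a host that must not answer ICMP needs the RRAS filters or a separate firewall, because the client filter leaves protocol 1 alone no matter what is typed into the IP Protocols list.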
3. Configuring Packet Filters in RRAS
A. To create packet filters in RRAS, you must first configure the
service to function as an IP router, and then create interfaces for the
connections that provide access to the networks being routed.
B. You can then create packet filters for each interface, using
the following procedure:
1. Click Start, and then select Routing And
Remote Access from the Administrative Tools program group to open the RRAS
console.
2. Expand the server icon and then the IP
Routing icon.
a. Select the General icon to display the
list of interfaces in the detail pane.
3. Select one of the interfaces in the list,
and then select Properties from the Action menu to display the Properties
dialog box for the interface.
4. Click either Input Filters or Output
Filters, depending on whether you want to create filters for incoming or
outgoing traffic.
a. The Input Filters or Output Filters dialog
box appears.
5. Click Add to open the Add IP Filter
dialog box.
6. Select the Source Network check box to
create a filter that evaluates packets based on the network from which they are
arriving.
7. Select the Destination Network check box
to create a filter that evaluates packets based on the network to which they
are going.
8. Select an entry in the Protocol drop-down
list:
a. TCP. Filters
TCP traffic originating from or destined for specific ports
b. TCP (established). Filters traffic for TCP
connections established by or with the RRAS router
c. UDP. Filters UDP traffic
originating from, or destined for, specific ports
d. ICMP. Filters ICMP traffic
e. Any (default). Filters all IP traffic
f. Other. Use to specify a
protocol other than TCP, UDP, or ICMP, using the protocol codes defined in the
“Assigned Numbers” Request for Comments (RFC)
9. Click OK to add the new filter to the
list in the Input Filters or Output Filters dialog box.
a. Repeat steps 5–8 to create additional
filters.
10. Click the appropriate option button to
indicate whether you want the filters you have created to be inclusive or
exclusive.
11. Click OK to close the Input Filters or
Output Filters dialog box.
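As an added example (not part of the lesson and not Microsoft's code), the model below implements the filter behaviour described in both the "Understanding Packet Filtering" section and the RRAS procedure just given: one input and one output filter set per interface, each either inclusive (drop all packets except those matching a rule) or exclusive (receive all packets except those matching a rule), with rules combining source and destination network, protocol, ports and, as a full firewall might, a hardware address. The mapping of "inclusive" to a permit list, and the reading of "TCP (established)" as a segment with the ACK flag set, are assumptions of this model; the interface names and addresses are constructed.

```python
# Constructed model of a router packet filter in the style of the RRAS input and
# output filters (not Microsoft's code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "any"
INCLUSIVE, EXCLUSIVE = "drop-all-except", "receive-all-except"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                 # "tcp", "udp", "icmp" or an IP protocol number as text
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    established: bool = False     # TCP segment with ACK set (assumed meaning of "TCP (established)")
    src_mac: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    src_net: Optional[str] = None   # e.g. "192.168.1.0/24"; None = criterion not used
    dst_net: Optional[str] = None
    protocol: str = ANY             # as Packet.protocol, plus "tcp-established"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None   # hardware-address criterion of a full firewall

    def matches(self, p: Packet) -> bool:
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.src_mac and p.src_mac != self.src_mac:
            return False
        if self.protocol == "tcp-established":
            if not (p.protocol == "tcp" and p.established):
                return False
        elif self.protocol != ANY and self.protocol != p.protocol:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


@dataclass
class FilterSet:
    mode: str
    rules: List[Rule]

    def admits(self, p: Packet) -> bool:
        hit = any(r.matches(p) for r in self.rules)
        # an inclusive set with no rules drops everything; an exclusive one admits everything
        return hit if self.mode == INCLUSIVE else not hit


@dataclass
class Router:
    interfaces: Dict[str, Dict[str, FilterSet]]   # name -> {"input": set, "output": set}

    def forward(self, in_if: str, out_if: str, p: Packet) -> bool:
        """Input set of the arriving interface first, then output set of the exit interface."""
        return (self.interfaces[in_if]["input"].admits(p)
                and self.interfaces[out_if]["output"].admits(p))


def demo_router() -> Router:
    """Constructed two-interface router: the Internet side admits only new HTTP to the Web
    server and replies to connections LAN hosts opened; no ICMP is sent out to the Internet."""
    internet_in = FilterSet(INCLUSIVE, [
        Rule(dst_net="192.168.1.10/32", protocol="tcp", dst_port=80),
        Rule(dst_net="192.168.1.0/24", protocol="tcp-established"),
    ])
    internet_out = FilterSet(EXCLUSIVE, [Rule(protocol="icmp")])
    passthrough = FilterSet(EXCLUSIVE, [])
    return Router({"internet": {"input": internet_in, "output": internet_out},
                   "lan": {"input": passthrough, "output": passthrough}})


def demo_verdicts() -> dict:
    r = demo_router()
    return {
        "http_to_web":  r.forward("internet", "lan", Packet("203.0.113.9", "192.168.1.10", "tcp", 40001, 80)),
        "reply_to_lan": r.forward("internet", "lan", Packet("203.0.113.9", "192.168.1.20", "tcp", 443, 51000, established=True)),
        "rdp_to_lan":   r.forward("internet", "lan", Packet("203.0.113.9", "192.168.1.20", "tcp", 40002, 3389)),
        "dns_to_web":   r.forward("internet", "lan", Packet("203.0.113.9", "192.168.1.10", "udp", 40003, 53)),
        "ping_to_lan":  r.forward("internet", "lan", Packet("203.0.113.9", "192.168.1.20", "icmp")),
        "lan_http_out": r.forward("lan", "internet", Packet("192.168.1.20", "203.0.113.9", "tcp", 51001, 80)),
        "lan_ping_out": r.forward("lan", "internet", Packet("192.168.1.20", "203.0.113.9", "icmp")),
    }
```

The "reply_to_lan" case shows why the TCP (established) option matters on an inclusive input filter: without it, the answers to connections that LAN hosts open would be dropped along with unsolicited traffic. Every packet is run through the whole rule list, which is the processing overhead the lesson warns about.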
Chapter 10, Lesson 2
Using IPsec
1. Securing IP Communications
A. Windows 2000 can protect the files stored on its drives by
encrypting them and placing them behind a wall of permissions.
1. However, when a network user attempts to
access a file, the server accesses and decrypts it before sending it over the
network.
2. The data, as transmitted over the
network, is left completely unprotected and vulnerable to a variety of attacks.
B. The Internet is not the only source of potential intruders.
Internal users might attempt to access sensitive data in many ways, including
the following:
|4| 1. Packet capturing
a. The ability to capture packets as they are
transmitted over the network makes the data carried inside the packets
vulnerable to interception by unauthorized users.
2. Data modification
a. When unauthorized users gain access to
unprotected packets by capturing them with a protocol analyzer, they can also
modify the data and send it on to the original recipient.
3. Spoofing
a. Spoofing is the process by which an
unauthorized user masquerades as another user, typically by using the other
user’s IP address.
|5| 4. Password compromise
a. Some applications transmit passwords in clear
text, meaning that anyone capturing a packet containing a password can simply
read it in the protocol analyzer and use it.
b. Many applications use encrypted passwords,
but in some cases it is possible to use the password in its encrypted form to gain
access to protected resources.
5. Denial of service attacks
a. A denial of service attack occurs when a
user floods a network or computer with traffic, preventing it from performing
its normal tasks.
6. Key compromise
a. In the same way that unauthorized users
can discover passwords in captured packets, they can also discover keys used to
encrypt data.
7. Application layer attack
a. Vulnerabilities in applications can enable
intruders to modify program or data files or to introduce damaging software,
such as viruses, worms, and Trojan horses.
C. Characteristics and advantages of IPsec
1. Instead of physically securing the
network itself, you can secure the data transmitted over a Windows 2000 network
by using IPsec.
2. IPsec is a series of standards that
provide a means for encrypting IP datagrams before they are transmitted over
the network.
|6| 3. Because IP carries all application data
on a TCP/IP network, IPsec can protect all types of data and eliminate
vulnerability to all types of attacks.
4. The network layer of the Open Systems Interconnection (OSI) reference model (where IP
operates) is the perfect place to situate an IPsec encryption mechanism.
a. IP is the primary end-to-end protocol in
the TCP/IP suite, meaning that it carries data generated by the source system
all the way to its final destination.
(1) If you use IPsec to encrypt an IP datagram
at its source, the datagram does not have to be decrypted until it reaches its
final destination.
5. The routers functioning as the
intermediate systems in the internetwork communications process do not have to
support IPsec, so you can freely deploy it on local area, wide area, remote
access, and virtual private network connections.
a. As long as both the source and destination
computers support IPsec, secured communications can occur.
6. Applications need not be modified to use
IPsec because all application layer processes are completed before the data
reaches the network layer, where IPsec encrypts it.
D. IPsec security functions
1. The encryption that IPsec uses to protect
transmitted data is based on either the Data Encryption Algorithm (DES) or the
Triple Data Encryption (3DES) algorithm.
|7| 2. IPsec also provides the following
additional security functions:
a. Nonrepudiation. IPsec effectively
prevents users from denying that they sent a particular message and from
masquerading as other users and sending messages on their behalf.
b. Authentication. IPsec supports
authentication mechanisms, including Kerberos, digital signatures based on
public key certificates, and preshared key authentication, which enable a
computer to verify the identity of another user before initiating
communications.
c. Antireplay. IPsec uses a technique
called Cipher Block Chaining (CBC) with the DES or 3DES encryption algorithm
and a unique value for each packet called an initialization vector.
(1) This ensures that no two IPsec-encrypted
packets are identical, even when they contain the same message.
d. Packet filtering. IPsec includes its own
packet-filtering mechanism that enables administrators to block traffic based
on IP addresses, protocols, ports, or all three.
e. Integrity. IPsec prevents intruders
from modifying the contents of a packet by including a special signature called
an integrity check value (ICV).
|8| 3. An unauthorized user with a protocol
analyzer can still capture packets as they are transmitted over the network,
but that user cannot do any of the following:
a. Read a packet’s contents, because it is
encrypted
b. Modify a packet’s contents, because of the
inclusion of a Hash Message Authentication Code (HMAC)
c. Spoof a recipient by assuming another
user’s identity, because of the authentication mechanisms
d. Discover passwords and keys, or reuse
packets that have not yet been decrypted, because of the CBC mechanism
e. Inhibit network functionality using denial
of service attacks, because of the packet-filtering capability
2. IPsec Standards
A. IPsec is based on a series of RFCs that are in the process of being ratified as standards by the Internet Engineering Task Force (IETF).
B. RFC 2411, “IP Security Document Roadmap,” explains how the technologies defined in the various other documents work together.
3. IPsec Protocols
A. IP Authentication Header
1. The IP Authentication Header (AH)
protocol provides authentication, antireplay, and integrity services for IP
datagrams, but it does not encrypt the data.
2. You can use AH alone in situations
requiring a modest amount of security or with Encapsulating Security Payload (ESP) for
full protection.
a. When you use AH alone, you can be certain
that the messages exchanged by two connected systems have not been modified and
that each packet definitely originated at the source specified in the IP
header.
(1) However, there is no guarantee that a third
party has not intercepted the messages and read their contents.
3. AH provides a service to another
protocol, in this case IP, without encapsulating it.
|9| a. AH has its own header, but the AH header
is inserted after the IP header and before the IP Data field.
4. The IP header includes a Protocol field
that contains a code usually identifying the protocol that generated the
message carried in the datagram, such as TCP or UDP.
a. The actual function of the Protocol field
is to identify the protocol that generated the header immediately following the
IP header.
b. In a typical IP datagram, a TCP, UDP, or
ICMP header follows the IP header.
(1) The addition of the AH header immediately
following the IP header forces the value of the Protocol field to change to 51.
(2) The task of identifying the protocol that
generated the datagram message is left to the Next Header field in the AH
header.
|10| 5. Functions of the fields in the AH header
a. Next Header (1 byte). Identifies the protocol
whose header immediately follows the AH header, using the standard values
defined in the “Assigned Numbers” RFC
b. Payload Length (1 byte). Specifies the total
length of the AH header in 4-byte words minus 2
c. Reserved (2 bytes). Unused
d. Security Parameters Index (4 bytes). Contains an arbitrary
value that identifies the security association for the datagram
(1) A security association is a negotiated
agreement between two computers on the security measures they will use to
protect the data they intend to transmit.
e. Sequence Number (4 bytes). Contains a value that
starts at 1 and is incremented for every packet using a particular security
association, providing the protocol’s antireplay service
f. Authentication Data and Padding
(variable). Contains the ICV that is calculated by the transmitting
system, which the receiving system uses to verify the packet’s integrity
(1) The length of the value must be a multiple
of 32 bits.
(2) The field might contain padding to bring
its length up to the next 32-bit boundary.
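As an added example (not from the lesson and not Windows code), the block below packs the AH header exactly as the field list above lays it out, computes the ICV and checks it at the receiver, and applies the Sequence Number as the antireplay service. The ICV is HMAC-SHA1 truncated to 96 bits, the HMAC-SHA1-96 transform that RFC 2404 defines for AH; it is computed here over the AH header (ICV bytes zeroed) and the payload only, whereas a real implementation also covers the immutable IP header fields. The key, SPI and messages are constructed.

```python
# Constructed model of the AH header and its integrity and antireplay services.
import hashlib
import hmac
import struct
from typing import Optional, Tuple

AH_FIXED = struct.Struct("!BBHII")   # Next Header, Payload Length, Reserved, SPI, Sequence Number
ICV_LEN = 12                        # 96 bits: a multiple of 32, so no padding is needed
AH_LEN = AH_FIXED.size + ICV_LEN    # 24 bytes in total


def ah_payload_length() -> int:
    """AH length in 32-bit words minus 2, as the Payload Length field requires."""
    return AH_LEN // 4 - 2          # (24 / 4) - 2 = 4


def _icv(key: bytes, head: bytes, payload: bytes) -> bytes:
    # HMAC-SHA1-96 over the header with the ICV field zeroed, then the payload
    return hmac.new(key, head + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]


def ah_build(key: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """AH header plus payload, as the sender places them after the IP header."""
    head = AH_FIXED.pack(next_header, ah_payload_length(), 0, spi, seq)
    return head + _icv(key, head, payload) + payload


class AhReceiver:
    """Receiving side of one security association: replay check first, then the ICV."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.last_seq = 0           # sequence numbers start at 1 for each SA

    def receive(self, packet: bytes) -> Tuple[Optional[Tuple[int, bytes]], str]:
        next_header, payload_length, _reserved, spi, seq = AH_FIXED.unpack_from(packet)
        hdr_len = (payload_length + 2) * 4
        head, icv, payload = packet[:AH_FIXED.size], packet[AH_FIXED.size:hdr_len], packet[hdr_len:]
        if spi != self.spi:
            return None, "unknown security association"
        if seq <= self.last_seq:
            return None, "replay"            # already seen (or older than the last one seen)
        if not hmac.compare_digest(icv, _icv(self.key, head, payload)):
            return None, "integrity check failed"
        self.last_seq = seq                  # advance only after the ICV verified
        return (next_header, payload), "ok"


def demo() -> list:
    """Constructed exchange: a good packet, its replay, a tampered packet, the next good one."""
    key, spi = b"constructed-sa-key", 0x1001
    rx = AhReceiver(key, spi)
    p1 = ah_build(key, 6, spi, 1, b"GET / HTTP/1.0\r\n")
    p2 = ah_build(key, 6, spi, 2, b"Host: example\r\n")
    tampered = p2[:-2] + b"XX"               # last payload bytes changed in transit
    return [rx.receive(p1)[1], rx.receive(p1)[1], rx.receive(tampered)[1], rx.receive(p2)[1]]
```

Note the order in the receiver: the sequence number is checked before the expensive ICV computation, but the receiver's record of the last sequence number is only advanced once the ICV has verified, so a forged packet with a high sequence number cannot lock out the genuine packets that follow it.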
B. IP Encapsulating Security Payload
1. The IP Encapsulating Security Payload
(ESP) protocol provides the actual encryption of the data carried in IP
packets, as well as authentication, integrity, and antireplay services.
|11| a. ESP differs from AH (which simply adds a
header to the IP datagram) by encapsulating the IP Data field within a header
and a trailer.
2. All the data following the ESP header and
up to and including the ESP trailer is encrypted to protect it from
unauthorized access.
3. When ESP is used without AH, the Protocol
field in the IP header contains a value of 50, because ESP supplies the header
immediately following the IP header.
a. ESP has a Next Header field that contains
a code identifying the protocol that generated the information in the IP
datagram’s original Data field.
b. When both AH and ESP are used, the value
in the IP header’s Protocol field is 51, pointing to the AH header.
(1) The AH header’s Next Header field then has
a value of 50, pointing to the ESP header.
(2) The ESP header’s Next Header field contains
the value for the protocol that generated the datagram’s original message.
|12| 4. Functions of the fields in the ESP
message
a. Security Parameters Index (4 bytes). Contains an arbitrary
value that identifies the security association for the datagram
b. Sequence Number (4 bytes). Provides the protocol’s
antireplay service in the same manner as the AH Sequence Number field
c. Payload Data and Padding (variable). Contains the IP
datagram’s original Data field
(1) This field also contains sufficient padding
to ensure that the following Pad Length and Next Header fields are
right-aligned on a 32-bit word.
d. Pad Length (1 byte). Specifies the number of
bytes of padding appended to the Payload Data field
e. Next Header (1 byte). Identifies the protocol
whose header immediately follows the ESP header
f. Authentication Data (variable). This field is optional.
It contains an ICV based on all the fields from the beginning of the ESP
header to the end of the ESP trailer, excluding the Authentication Data field
itself.
(1) The receiving system uses the ICV to verify
the packet’s integrity.
4. Transport Mode and Tunnel Mode
A. IPsec can function in two modes: transport mode and tunnel
mode.
1. All the discussion of IPsec in this
lesson so far has been specific to transport mode.
B. Transport mode provides security for computers on a local area network (LAN) or connected by
private wide area network (WAN) links.
1. To function in transport mode, both of the end systems (the source and the destination of the packets) must support IPsec.
2. The intermediate systems (routers) do not
have to support IPsec because they simply forward the packets in the normal
manner, without decrypting them.
C. Tunnel mode is intended primarily for use on gateway-to-gateway
connections, such as virtual private networking links, which require the
greatest possible security.
|13| 1. The primary difference between tunnel
mode and transport mode is the packet format.
a. In tunnel mode, IPsec completely
encapsulates the original datagram.
2. The “inner” IP header is the header from
the original datagram, which remains unchanged.
3. The ESP header and trailer surround the original
datagram and are themselves preceded by a new, “outer” IP header.
a. This outer header gets the packet only
from one end of the gateway connection to the other.
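The block below is an added example (not from the lesson, not Windows code) that serves the ESP field list and the protocol chaining described there (Protocol 51 pointing to AH, AH's Next Header 50 pointing to ESP, ESP's Next Header to the original message) as well as the tunnel-mode layout just described, where the ESP payload is a whole inner IP datagram and the Next Header value is 4 (IP-in-IP). It builds the padding so that Pad Length and Next Header are right-aligned on a 32-bit boundary, and walks the chain back the way a receiver does. Encryption of the payload and trailer is left out so the framing can be inspected, and the AH ICV is left as zeros; the SPIs and payloads are constructed.

```python
# Constructed model of ESP framing and of the Protocol / Next Header chain.
import struct
from typing import List, Tuple

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
ESP_HEAD = struct.Struct("!II")     # SPI, Sequence Number
AH_FIXED = struct.Struct("!BBHII")  # Next Header, Payload Length, Reserved, SPI, Sequence Number
AH_ICV_LEN = 12


def esp_padding(payload_len: int, align: int = 4) -> int:
    """Padding bytes needed so that Pad Length + Next Header end on a 32-bit boundary."""
    return (-(payload_len + 2)) % align


def esp_frame(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    n = esp_padding(len(payload))
    pad = bytes(range(1, n + 1))    # default padding pattern 1, 2, 3, ... (RFC 2406)
    # In a real packet everything after the Sequence Number up to and including
    # the trailer is encrypted (DES-CBC or 3DES in Windows 2000); omitted here.
    return ESP_HEAD.pack(spi, seq) + payload + pad + struct.pack("!BB", n, next_header)


def esp_parse(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Returns (SPI, sequence number, Next Header, original payload)."""
    spi, seq = ESP_HEAD.unpack_from(frame)
    body = frame[ESP_HEAD.size:]
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def ah_frame(next_header: int, spi: int, seq: int) -> bytes:
    """AH header with a zeroed ICV; Payload Length is the header length in words minus 2."""
    payload_length = (AH_FIXED.size + AH_ICV_LEN) // 4 - 2
    return AH_FIXED.pack(next_header, payload_length, 0, spi, seq) + bytes(AH_ICV_LEN)


def build_after_ip(payload: bytes, use_ah: bool, tunnel: bool) -> Tuple[int, bytes]:
    """Returns (value for the IP header's Protocol field, bytes that follow the IP header).
    In tunnel mode the payload is an entire inner IP datagram, so ESP's Next Header is 4."""
    inner_proto = IPPROTO_IPIP if tunnel else IPPROTO_TCP
    data = esp_frame(0x2002, 1, payload, inner_proto)
    if use_ah:
        return IPPROTO_AH, ah_frame(IPPROTO_ESP, 0x1001, 1) + data
    return IPPROTO_ESP, data


def walk_headers(ip_protocol: int, data: bytes) -> Tuple[List[int], bytes]:
    """Follow the chain from the IP Protocol field; returns (protocol chain, original message)."""
    chain, proto = [ip_protocol], ip_protocol
    while True:
        if proto == IPPROTO_AH:
            proto, payload_length, _, _, _ = AH_FIXED.unpack_from(data)
            data = data[(payload_length + 2) * 4:]       # skip the whole AH header
        elif proto == IPPROTO_ESP:
            _, _, proto, data = esp_parse(data)
        else:
            return chain, data                           # reached the original message
        chain.append(proto)
```

Running `walk_headers(*build_after_ip(b"tcp-seg", True, False))` yields the chain 51, 50, 6 from the text; the same call with `tunnel=True` and no AH yields 50, 4, which is how a gateway knows that what it has just decrypted is a complete datagram to be routed by its inner header.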
5. L2TP Tunneling
A. Tunneling is the process of creating a secure communications
conduit through an inherently insecure network.
B. IPsec can form tunnels and encrypt the data passing through
them.
C. Another protocol, such as the Layer 2 Tunneling Protocol
(L2TP), can form the tunnel, while IPsec continues to provide the data encryption
service.
Chapter 10, Lesson 3
Deploying IPsec
1. IPsec Components
|14| A. Administrative elements of the Windows 2000 IPsec implementation are
1. The IPsec policies that specify when and
how network communications should be protected by using IPsec
2. The IP Security Policies console, a
Microsoft Management Console (MMC) extension snap-in that you use to create and
configure the policies
B. IPsec uses policies to store the configuration information for
its various security services.
|15| C. Windows 2000 includes the following runtime components:
1. IPsec Policy Agent Service. Accesses the IPsec
policy information stored in Active Directory or the local system registry and
forwards the information to the IPsec driver
2. Internet Key Exchange (IKE). A protocol that IPsec
uses to create a security association (SA) and agree on the keys that two
systems will use to encrypt their data for transmission
a. The first phase of the IKE negotiation
process establishes a secure, authenticated communications channel, called the
Phase 1 SA, between the systems.
(1) This phase negotiates the encryption
algorithm, hashing algorithm, and authentication method that the systems will
use, followed by the authentication process itself.
b. The second phase establishes two Phase 2
SAs for the IPsec service, one inbound and one outbound.
(1) Negotiates the IPsec protocols to be used,
the hash algorithm (MD5 or SHA1), and the encryption algorithm (DES or 3DES)
(2) Exchanges or refreshes authentication and
encryption key material
3. IPsec Driver. Performs the actual
encapsulation, encryption, and verification processes required for secure
communications
a. The driver receives a list of IP filters
from the IPsec policy that it uses to determine exactly what types of
communications should be secured and how it should secure them.
b. The driver then monitors the network’s
communications and compares them to the filter list.
c. When the driver detects outbound packets
that match an entry in the filter list, it triggers the IKE key exchange
process with the destination system.
d. The driver then adds the appropriate AH
and/or ESP protocol headers to the packets and performs whatever encryption is
needed.
|16| D. When all the IPsec components are in place, a typical communications exchange proceeds as follows:
1. The user on Computer A is working in an
application that generates a message to be sent to Computer B.
2. The IPsec driver on Computer A compares
the outgoing message’s destination IP address or protocol, or both, against the
IP filter list in the currently active IPsec policy.
3. If policy specifies that communications
between Computer A and Computer B should be secured, the IPsec driver instructs
the IKE to commence negotiations with Computer B.
4. Computer B’s IKE receives a message from
Computer A’s IKE requesting a secure negotiation.
|17| 5. The two computers negotiate a Phase 1 SA
and two Phase 2 SAs, one inbound and one outbound.
6. Using the parameters agreed upon for the
outbound Phase 2 SA, the IPsec driver on Computer A calculates an integrity
signature for the outgoing data, encrypts it, and constructs the IPsec packets
by adding the appropriate fields to the IP datagrams.
7. Computer A transmits the completed
packets to Computer B, which passes them to its own IPsec driver.
8. Using the parameters of the inbound SA,
Computer B’s driver decrypts the data and verifies the packet’s integrity by
computing the signature and comparing it to the results in the packet.
9. The IPsec driver on Computer B passes the
decrypted data to the TCP/IP stack, which in turn passes it up to the
application that is the final destination of the message.
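The block below is an added example (not from the lesson, not Windows code) that walks through the nine steps above as a model: each host's driver checks the destination against its filter list, a negotiation picks a Phase 1 proposal and runs a Diffie-Hellman exchange in which only the public values cross the network, and two Phase 2 SAs are derived per host, one inbound and one outbound, so that Computer A's outbound key is Computer B's inbound key. The DH group is a constructed 61-bit toy prime so that the example runs instantly; it is far too small for real use. The authentication step, the key-derivation formula, the proposals, addresses and SPIs are all assumptions or constructed values, and both hosts live in one process so the negotiation is a plain function call.

```python
# Constructed model of the IPsec driver / IKE exchange (not Microsoft's code).
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

P, G = 2**61 - 1, 2                 # toy DH group (constructed; far too small for real use)
PROPOSALS = [("3DES", "SHA1", "Kerberos"), ("DES", "MD5", "preshared key")]


@dataclass
class PhaseTwoSA:
    spi: int
    cipher: str
    hash_alg: str
    key: bytes


class IkeDaemon:
    def __init__(self, accept: List[Tuple[str, str, str]]):
        self.accept = accept        # (cipher, hash, auth) proposals this host's policy allows

    def choose(self, offered):
        """Responder picks the first offered proposal its policy accepts."""
        for prop in offered:
            if prop in self.accept:
                return prop
        raise ValueError("no common proposal")

    def dh_pair(self) -> Tuple[int, int]:
        x = secrets.randbelow(P - 2) + 2    # private value: never leaves the host
        return x, pow(G, x, P)              # public value: sent to the peer


def negotiate(initiator: IkeDaemon, responder: IkeDaemon, spis=(0x1001, 0x1002)):
    """Phase 1 then Phase 2; returns (initiator SAs, responder SAs) keyed "outbound"/"inbound"."""
    cipher, hash_alg, auth = responder.choose(PROPOSALS)   # Phase 1: algorithms and auth method
    x, gx = initiator.dh_pair()
    y, gy = responder.dh_pair()                            # only gx and gy cross the network
    secret_i, secret_r = pow(gy, x, P), pow(gx, y, P)      # both sides arrive at the same value
    # the chosen `auth` method (Kerberos, certificate or preshared key) would authenticate
    # the exchange at this point; not modelled here

    def phase2(secret: int, spi: int, direction: bytes) -> PhaseTwoSA:
        skeyid = hmac.new(b"constructed-nonce", secret.to_bytes(8, "big"), hashlib.sha1).digest()
        key = hmac.new(skeyid, direction + spi.to_bytes(4, "big"), hashlib.sha1).digest()
        return PhaseTwoSA(spi, cipher, hash_alg, key)

    i2r, r2i = spis                                        # Phase 2: one SA per direction
    init = {"outbound": phase2(secret_i, i2r, b"i->r"), "inbound": phase2(secret_i, r2i, b"r->i")}
    resp = {"outbound": phase2(secret_r, r2i, b"r->i"), "inbound": phase2(secret_r, i2r, b"i->r")}
    return init, resp


class IpsecDriver:
    """Per-host driver: the policy's filter list decides whether IKE is triggered."""

    def __init__(self, ip: str, ike: IkeDaemon, secure_nets: List[str]):
        self.ip, self.ike, self.secure_nets = ip, ike, secure_nets
        self.sas: Dict[str, Dict[str, PhaseTwoSA]] = {}   # peer address -> SAs

    def needs_security(self, dst: str) -> bool:           # step 2: compare against the filter list
        return any(ip_address(dst) in ip_network(n) for n in self.secure_nets)

    def send(self, dst: str, peer: "IpsecDriver", data: bytes) -> Tuple[str, bytes]:
        if not self.needs_security(dst):
            return "clear", data
        if dst not in self.sas:                            # steps 3-5: negotiate once per peer
            mine, theirs = negotiate(self.ike, peer.ike)
            self.sas[dst], peer.sas[self.ip] = mine, theirs
        sa = self.sas[dst]["outbound"]                     # step 6: sign with the outbound SA
        tag = hmac.new(sa.key, data, hashlib.sha1).digest()[:12]
        return "ipsec", sa.spi.to_bytes(4, "big") + tag + data

    def receive(self, src: str, kind: str, packet: bytes) -> bytes:
        if kind == "clear":
            return packet
        sa = self.sas[src]["inbound"]                      # step 8: verify with the inbound SA
        spi, tag, data = int.from_bytes(packet[:4], "big"), packet[4:16], packet[16:]
        if spi != sa.spi or not hmac.compare_digest(tag, hmac.new(sa.key, data, hashlib.sha1).digest()[:12]):
            raise ValueError("integrity check failed")
        return data


def demo() -> dict:
    a = IpsecDriver("10.0.0.1", IkeDaemon(PROPOSALS), ["10.0.0.0/24"])
    b = IpsecDriver("10.0.0.2", IkeDaemon([("3DES", "SHA1", "Kerberos")]), ["10.0.0.0/24"])
    c = IpsecDriver("192.168.5.9", IkeDaemon(PROPOSALS), [])
    kind_b, pkt_b = a.send("10.0.0.2", b, b"hello B")
    kind_c, _ = a.send("192.168.5.9", c, b"hello C")     # not in A's filter list: sent in clear
    return {"to_b": kind_b, "b_reads": b.receive("10.0.0.1", kind_b, pkt_b), "to_c": kind_c,
            "cipher": a.sas["10.0.0.2"]["outbound"].cipher,
            "keys_match": a.sas["10.0.0.2"]["outbound"].key == b.sas["10.0.0.1"]["inbound"].key}
```

The model only signs the data (the integrity signature of step 6); the encryption under the negotiated cipher is not carried out. What it does make visible is the asymmetry the text describes: each host holds two Phase 2 SAs, and the key A uses to protect outgoing packets is the one B uses to check them, not the one B uses to send.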
2. Deploying IPsec
A. The first step in deploying IPsec is to assess the needs of
your users and determine exactly what communications need to be secured and how
secure they need to be.
1. It is relatively easy to secure all
communications with IPsec, using the maximum amount of protection available,
but this increases the burden on your computers and your network.
a. Encryption is a highly processor-intensive
task, and encrypting every packet greatly increases the number of processor
cycles devoted to the networking process.
b. IPsec also increases the amount of network
traffic in the form of additional headers added to every packet and the extra
messages used to perform IKE negotiations.
B. IPsec configuration is extremely flexible. You can specify
1. Which pairs of computers or networks you
want to use to secure communications
2. Whether the security should be mandatory
or optional
3. Whether the computers should use AH
protection only or add encryption using ESP as well
C. In most cases, the simplest deployment method is to select the
specific computers or networks that you want to secure.
1. You do this by creating filters that use
IP addresses to decide whether or not specific packets should be secured.
D. Consider what other Windows operating systems are used on your
network.
1. Versions of Windows prior to Windows 2000
do not support IPsec, so if you run pre–Windows 2000 operating systems on your
network, do not make the use of IPsec mandatory.
3. Running IPsec Policy Management
A. To deploy IPsec on a Windows 2000 network, you create policies
by using the IP Security Policy snap-in.
1. By default, Windows 2000 includes the IP
Security Policies On Local Machine snap-in in the Local Security Settings
console.
|18| B. When you select IP Security Policies On Local Machine in the Local Security Settings console, you see three default policies:
1. Client (Respond Only). Configures the computer
to use IPsec security only when another computer requests it
2. Secure Server (Require Security). Configures the computer
to require IPsec security for all communications and to deny all connections to
systems that do not support IPsec
3. Server (Request Security). Configures the computer
to request the use of IPsec security from all other systems but not to require
it
C. The default IPsec policies are all deactivated by default, as
you can tell from the No in the Policy Assigned column in the detail pane.
1. You can activate a policy by selecting it
and then selecting Assign from the Action menu or by clicking Assign This
Policy on the console’s toolbar.
D. To configure the local system to use IPsec, you can
1. Activate one of the default policies as
it is
2. Modify the properties of one of the
default policies
3. Create new policies for your own use
E. To create a new policy on the local system:
1. Click Start, and then select Local
Security Policy from the Administrative Tools program group to open the Local
Security Settings console.
2. Select the IP Security Policies On Local
Machine icon in the scope pane, and then select Create IP Security Policy from
the Action menu to start the IP Security Policy Wizard.
3. Click Next to bypass the Welcome page and
proceed to the IP Security Policy Name page.
4. Specify a name for the new policy in the
Name box and add a description, if desired.
a. Click Next to proceed to the Requests For
Secure Communication page.
5. If you want the computer to respond to
requests for secure communications from other systems, select the Activate The
Default Response Rule check box.
a. Click Next to proceed to the Default
Response Rule Authentication Method page.
6. Specify the authentication method that you want the policy to use.
a. Choose one of the following options:
(1) Windows 2000 Default (Kerberos V5 Protocol)
(2) Use A Certificate From This Certificate
Authority (CA)
(3) Use This String To Protect The Key Exchange
(Preshared Key)
b. Click Next to proceed to the Completing
The IP Security Policy Wizard page.
7. Select the Edit Properties check box to
configure the new policy further after the wizard is completed.
a. Click Finish to close the wizard and
create the new policy.
F. To create a policy in Active Directory:
1. Click Start, and then open the Active
Directory Users And Computers console from the Administrative Tools program
group.
a. To apply an IPsec policy to a site object,
open the Active Directory Sites And Services console instead.
2. Select the domain, organizational unit,
or site object to which you want to apply an IPsec policy, and then select
Properties from the Action menu to open the Properties dialog box for the
object.
3. Select the Group Policy tab in the
Properties dialog box.
4. Select an entry in the Group Policy
Object Links list, and then click Edit to open the Group Policy console.
a. You can also create a new group policy by
clicking Add.
5. In the console’s scope pane, expand the
Computer Configuration, Windows Settings, and Security Settings headings and
select the IP Security Policies On Active Directory icon.
a. The three default IPsec policies that you
saw in the Local Security Settings console appear here as well.
6. Select Create IP Security Policy from the
Action menu to start the same IP Security Policy Wizard as in the Local
Security Settings console.
7. Complete the wizard by using the same
steps that you used to create a new policy on the local system.
G. Configuring IPsec policies
|19| 1. IPsec policies are composed of three
basic elements: rules, IP filter lists, and filter actions.
a. A rule is a combination of an IP filter
list and a filter action that determines when and how security is to be used.
b. A filter list is a selection of IP
addresses, protocols, or ports, or a combination of the three, that identifies
the computers to which the rule is to be applied.
c. A filter action defines the type of
security that is imposed when the rule is applied.
|20| 2. For example, the Server (Request
Security) policy contains the IP Security rules shown on Slide 20.
a. The IP Filter List specifies that all IP
traffic should have this rule imposed on it.
b. The Filter Action for the rule calls for
the system to request (but not require) the use of IPsec security.
c. You can modify the IP Filter List to
apply the rule only to specific IP addresses.
(1) You can modify the Filter Action to require
security instead of only request it.
d. You can also configure other parameters to
modify the security measures that the rule invokes.
H. To create a rule with the Security Rule Wizard:
1. Select an IPsec policy, and then select
Properties from the Action menu to open the policy’s Properties dialog box.
2. In the Rules tab, click Add (ensuring
that the Use Add Wizard check box is selected) to start the Create IP Security
Rule Wizard.
3. Click Next to bypass the Welcome page and
proceed to the Tunnel Endpoint page.
4. Click This Rule Does Not Specify A
Tunnel, unless you are planning to use IPsec in tunnel mode.
a. Click Next to proceed to the Network Type
page.
5. Specify whether you want the rule to
apply to All Network Connections, Local Area Network Connections (LAN)
connections only, or Remote Access connections only.
a. Click Next to proceed to the
Authentication Method page.
6. Specify an authentication method for the
rule.
a. Click Next to proceed to the IP Filter
List page.
7. Select one of the default IP filter
lists, or create one of your own by clicking Add.
a. Click Next to proceed to the Filter Action
page.
8. Select one of the default filter actions,
or create one of your own by clicking Add.
a. Click Next to proceed to the Completing
The New Rule Wizard page.
9. Select the Edit Properties check box to
configure the new rule after the wizard is completed.
a. Click Finish to close the wizard and
create the new rule.
I. Creating a filter list
1. You can create filter lists and filter
actions during the rule creation process or afterward by selecting a rule and
clicking Edit to open its Properties dialog box.
2. The filter lists define which
communications the rule should secure.
a. The IP Filter List page of the dialog box
contains two default filters: All IP Traffic and All ICMP Traffic.
3. Unless you want to apply the rule to all
the computer’s IP or ICMP traffic, you should create new filter lists or modify
the existing ones.
4. When you click Add in the IP Filter List
tab of a rule’s Properties dialog box or click Edit to modify an existing
filter list, you see the IP Filter List dialog box.
5. You select the types of communications
that you want to secure by adding entries to the Filters box.
6. The IP Filter Wizard automatically
creates mirrored filters—that is, filters that apply to traffic moving in both
directions.
7. If you want to create separate rules for
the traffic traveling in each direction, you can
a. Use the wizard to create the filter and then modify it to
disable the mirroring option
b. Manually create the filter without mirroring
8. When you create a filter without the wizard, you see a Filter
Properties dialog box.
a. On the Addressing page, the Mirrored check
box enables you to specify whether the filter should operate symmetrically.
9. You identify the computers involved in
the communications you want to secure by specifying parameters for the source
and destination systems. The available parameters are
a. My IP Address. Refers to the system’s
current IP address, enabling you to secure all traffic originating from or
directed to the system
b. Any IP Address. Refers to any valid IP
address, enabling you to secure the traffic originating from or directed to any
system on the network
c. A Specific DNS Name. Generates a Host Name
box, in which you can specify the Domain
Name System (DNS) name of any system on the network instead of its IP address.
The name is resolved when the filter is created, not when packets are matched,
so if the host's address changes you must re-create the filter.
d. A Specific IP Address. Generates IP Address and
Subnet Mask boxes, in which you can specify a particular host address whose
traffic you want to secure
e. A Specific IP Subnet. Also generates IP
Address and Subnet Mask boxes, in which you can specify a particular network
address whose traffic you want to secure
10. On the Filter Properties dialog box’s
Protocol page, you specify the type of traffic that you want to secure.
a. By default, the filter secures all
traffic, but you can select a specific protocol to limit the security to
certain applications.
b. When you select the TCP or UDP protocol,
you can also specify the port numbers you want to secure.
11. After you have created the filter, it appears in the IP
Filter List dialog box with a summary of the properties you specified.
a. You can create multiple filters in a list,
all of which are applied when you select that filter list to be used by a rule.
J. Creating a filter action
1. After you have created a filter list, you
have to create a filter action that specifies the type of security that the
rule should apply to the traffic that conforms to the list.
|21| 2. The Filter Action page of the rule’s
Properties dialog box lists three filter actions that are created by default:
a. Permit. Allows the traffic
specified by the filter list to proceed without requesting security of any kind
b. Request Security (Optional). Causes the system to
request security for the traffic specified by the filter list but enables it to
proceed even if the other system does not support IPsec. Because it falls back
to cleartext whenever negotiation fails, this action gives no protection against
an attacker who can drop the IKE exchange; treat it as an interoperability
setting, not a security control.
c. Require Security. Requires security for
the traffic specified by the filter list and refuses communications with
systems that do not support IPsec
K. To create a filter action using the IP Security Filter Action
Wizard:
1. Open the Properties dialog box for a
rule, and then select the Filter Action tab.
2. Click Add, ensuring that the Use Add
Wizard check box is selected, to start the IP Security Filter Action Wizard.
3. Click Next to bypass the Welcome page and
proceed to the Filter Action Name page.
4. Specify a name for the new filter action
policy in the Name box and add a description, if desired.
a. Click Next to proceed to the Filter Action
General Options page.
5. Specify which action you want the rule to
take for the systems that conform to the filter list.
a. Choose one of the following options:
(1) Permit. Causes the rule to allow
any communication between the systems specified in the IP filter list to occur
without IPsec security or negotiation of any kind
(2) Block. Causes the rule to
prevent all security negotiation and all communication from occurring between
the systems specified in the IP filter list
(3) Negotiate Security. Enables the systems
specified in the IP filter list to negotiate a common set of security
parameters
b. Click Next to proceed to the Communicating
With Computers That Do Not Support IPsec page.
6. Specify whether you want to block all
communications with computers that do not support IPsec or to permit unsecured
communications when IPsec is unsupported.
a. Click Next to proceed to the IP Traffic
Security page.
7. Specify the security method that the rule
should use for communications between the systems that conform to the filter
list.
a. Choose one of the following options:
(1) High (Encapsulated Secure Payload). Uses the Encapsulating
Security Payload (ESP) protocol, which encrypts the data, authenticates its
origin, and ensures that it arrives at its destination unmodified
(2) Medium (Authenticated Header). Uses the Authentication Header (AH)
protocol, which authenticates the data and ensures that it arrives unmodified,
but does not encrypt it
(3) Custom. By selecting this option
and clicking Settings, you can specify which IPsec protocols to use (AH, ESP,
or both), which algorithms to use with each protocol, and the key lifetimes.
b. Click Next to proceed to the Completing
The IP Security Filter Action Wizard page.
8. Click Finish to create the new filter
action and close the wizard.
L. When you have completed creating and
configuring the rules, filter lists, and filter actions for your system, you
are ready to activate them.
1. Be sure that the appropriate filter list
is associated with each rule you plan to use.
2. Activate the rules you want to use for
each policy by selecting the check boxes in the rules list of the policy’s
Properties dialog box.
3. Activate a policy by assigning it,
using the Assign button on the MMC toolbar or the Assign menu item. Only one
IPsec policy can be assigned to a computer at a time; assigning another
unassigns the current one.
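The procedure in H through L above, carried out from the command line rather than the wizards, as an added example that is not part of the original lesson. It uses the legacy "netsh ipsec static" context (available on Windows Server 2003 and later; Windows 2000 itself offers only the MMC snap-in and the Resource Kit ipsecpol.exe tool), whose objects (policy, filter list, filter, filter action, rule, assign) correspond one-to-one to the wizard pages. The policy and object names, the choice of TCP port 445, and the cipher suite are assumptions made for illustration.

```powershell
# Added example (not from the original lesson): build a policy with netsh ipsec static.
# Requires an elevated PowerShell prompt on a domain-joined host (kerberos=yes below).
# Names, ports and algorithms are assumptions chosen for illustration.

$ErrorActionPreference = 'Stop'
$PolicyName = 'Workstation-IPsec'

function Invoke-IpsecStatic {
    # Runs one "netsh ipsec static ..." command and stops the script if netsh reports an error.
    param([Parameter(Mandatory)][string[]]$NetshArgs)
    $out = & netsh.exe ipsec static @NetshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($NetshArgs -join ' ') failed: $out"
    }
}

# Policy: the object listed under IP Security Policies in the MMC.
Invoke-IpsecStatic 'add','policy',"name=$PolicyName",
    'description=Require ESP for SMB, request it for other TCP, exempt ICMP'

# Filter lists and filters (the IP Filter List page). mirrored=yes reproduces the
# symmetric filters the IP Filter Wizard creates; srcport=0 / dstport=0 mean any port.
Invoke-IpsecStatic 'add','filterlist','name=SMB-Inbound'
Invoke-IpsecStatic 'add','filter','filterlist=SMB-Inbound','srcaddr=any','dstaddr=me',
    'protocol=TCP','srcport=0','dstport=445','mirrored=yes'

Invoke-IpsecStatic 'add','filterlist','name=All-TCP'
Invoke-IpsecStatic 'add','filter','filterlist=All-TCP','srcaddr=any','dstaddr=me',
    'protocol=TCP','srcport=0','dstport=0','mirrored=yes'

Invoke-IpsecStatic 'add','filterlist','name=All-ICMP'
Invoke-IpsecStatic 'add','filter','filterlist=All-ICMP','srcaddr=any','dstaddr=me',
    'protocol=ICMP','mirrored=yes'

# Filter actions (the Filter Action page).
#   action=negotiate soft=no  inpass=no  -> "Require Security": no IPsec, no traffic.
#   action=negotiate soft=yes inpass=yes -> "Request Security (Optional)": soft=yes falls
#       back to cleartext if the peer never answers IKE, inpass=yes accepts an unsecured
#       inbound packet and then tries to negotiate.
#   qmsecmethods=ESP[...] is the wizard's "High"; AH[SHA1] would be "Medium".
Invoke-IpsecStatic 'add','filteraction','name=Require-ESP','action=negotiate',
    'qmsecmethods=ESP[3DES,SHA1]','soft=no','inpass=no'
Invoke-IpsecStatic 'add','filteraction','name=Request-ESP','action=negotiate',
    'qmsecmethods=ESP[3DES,SHA1]','soft=yes','inpass=yes'
Invoke-IpsecStatic 'add','filteraction','name=Permit-Clear','action=permit'

# Rules bind a filter list to a filter action and an authentication method. Omitting
# tunnel= is "This Rule Does Not Specify A Tunnel" (transport mode); activate=yes is the
# check box in the policy's rule list.
Invoke-IpsecStatic 'add','rule','name=SMB-Require',"policy=$PolicyName",
    'filterlist=SMB-Inbound','filteraction=Require-ESP','kerberos=yes','conntype=all','activate=yes'
Invoke-IpsecStatic 'add','rule','name=TCP-Request',"policy=$PolicyName",
    'filterlist=All-TCP','filteraction=Request-ESP','kerberos=yes','conntype=all','activate=yes'
Invoke-IpsecStatic 'add','rule','name=ICMP-Permit',"policy=$PolicyName",
    'filterlist=All-ICMP','filteraction=Permit-Clear','conntype=all','activate=yes'

# Assign the policy (the Assign button); this unassigns any policy assigned before.
Invoke-IpsecStatic 'set','policy',"name=$PolicyName",'assign=yes'

# Read back the result, then, after generating some SMB traffic to a peer,
# confirm that quick-mode security associations actually exist.
netsh ipsec static show policy name=$PolicyName level=verbose
netsh ipsec dynamic show qmsas
```

Windows applies the most specific matching filter, so the port 445 filter in SMB-Inbound takes precedence over the catch-all in All-TCP for SMB traffic. The Permit rule deserves the same scrutiny as an allow rule on a firewall: anything it matches crosses the network in the clear, and an attacker looking for a way around the policy will start with the exemptions.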
4. Configuring IPsec for Tunnel Mode
A. Configuring IPsec to use tunnel mode is simply a matter of
specifying the IP address of the tunnel endpoint when you are creating the
rules on the computers that form the two ends of the tunnel.
B. When creating a tunnel, you should not use the mirror option to
create your filter lists.
1. Instead, you must create two filter lists
at each end of the tunnel, one for inbound traffic and one for outbound
traffic, and place each in its own rule, because the tunnel endpoint is a
property of the rule: the outbound rule's endpoint is the remote gateway's
address and the inbound rule's endpoint is the local gateway's own address.
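The two non-mirrored filter lists and their two tunnel rules, as an added example that is not part of the original lesson, again expressed with "netsh ipsec static" (Windows Server 2003 and later). The gateway and subnet addresses are assumptions; the same script is run on each gateway with the Local and Remote values swapped. It authenticates with a preshared key purely so that the example does not depend on a PKI or a shared domain; that key is stored in plaintext in the policy, so a certificate is the right choice outside a lab.

```powershell
# Added example (not from the original lesson): a site-to-site IPsec tunnel policy.
# Run on each gateway with the Local*/Remote* parameters swapped. All addresses are
# assumptions. The preshared key is for a lab only; use rootca= (certificates) in production.
param(
    [string]$LocalGateway  = '198.51.100.10',   # this gateway's Internet-facing address
    [string]$RemoteGateway = '203.0.113.10',    # the far end of the tunnel
    [string]$LocalNet  = '10.1.0.0', [string]$LocalMask  = '255.255.0.0',
    [string]$RemoteNet = '10.2.0.0', [string]$RemoteMask = '255.255.0.0',
    [string]$PreSharedKey = 'lab-only-change-me'
)
$ErrorActionPreference = 'Stop'
$PolicyName = 'Site-Tunnel'

# Each entry is one "netsh ipsec static ..." command. Note mirrored=no on both filters:
# a mirrored filter would have to carry one tunnel endpoint for both directions, which
# is why the inbound and outbound lists must be separate and sit in separate rules.
$Commands = @(
    @('add','policy',"name=$PolicyName",'description=ESP tunnel between sites'),

    # Outbound: our subnet -> their subnet, tunnelled to the remote gateway.
    @('add','filterlist','name=Tunnel-Out'),
    @('add','filter','filterlist=Tunnel-Out',
      "srcaddr=$LocalNet","srcmask=$LocalMask","dstaddr=$RemoteNet","dstmask=$RemoteMask",
      'protocol=ANY','mirrored=no'),

    # Inbound: their subnet -> our subnet, tunnel endpoint is our own address.
    @('add','filterlist','name=Tunnel-In'),
    @('add','filter','filterlist=Tunnel-In',
      "srcaddr=$RemoteNet","srcmask=$RemoteMask","dstaddr=$LocalNet","dstmask=$LocalMask",
      'protocol=ANY','mirrored=no'),

    # Require ESP; never fall back to cleartext between sites.
    @('add','filteraction','name=Tunnel-ESP','action=negotiate',
      'qmsecmethods=ESP[3DES,SHA1]','soft=no','inpass=no'),

    @('add','rule','name=Tunnel-Out',"policy=$PolicyName",'filterlist=Tunnel-Out',
      'filteraction=Tunnel-ESP',"tunnel=$RemoteGateway","psk=$PreSharedKey",'conntype=all'),
    @('add','rule','name=Tunnel-In',"policy=$PolicyName",'filterlist=Tunnel-In',
      'filteraction=Tunnel-ESP',"tunnel=$LocalGateway","psk=$PreSharedKey",'conntype=all'),

    @('set','policy',"name=$PolicyName",'assign=yes')
)

foreach ($c in $Commands) {
    & netsh.exe ipsec static @c
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $($c -join ' ') failed" }
}

# After traffic flows between the subnets, a main-mode SA with the peer gateway and
# quick-mode SAs for the two tunnel filters should appear here.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

The tunnel rules carry no port or protocol restriction because a gateway tunnel protects whole subnets; filtering what is allowed through the tunnel remains the job of the packet filters on the gateway's interfaces, which the earlier part of this chapter covers.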