Securing Windows 2000 Communications with IP Security Filters, Part 1 

Mar 21, 2002 02:00 AM

by Joe Klemencic


With the release of Windows 2000, a new feature, IP Security, was added to allow more granular control of IP-based traffic than the previous Windows NT4 packet filter option, TCP/IP Filtering. Originally, when the TCP/IP Filtering option was enabled, it applied to all network adapters on the host system and could only filter on the protocol used. For example, there was no provision to allow NetBIOS only from select hosts while allowing HTTP from any host.

The main premise behind TCP/IP Filtering is to allow specialized server configurations to be generically secured for only their intended traffic. Since NetBIOS cannot easily be disabled on a Windows NT4 server, one would enable TCP/IP Filtering on an IIS installation to allow only HTTP traffic to the server and block all other traffic. The original TCP/IP Filtering implementation inspected only inbound traffic originating from outside the host; traffic originating from the host itself was not inspected.

The new IP Security feature included with Windows 2000 expands greatly on the original TCP/IP Filter, even though the legacy packet filter is still available for use in Windows 2000. The IP Security feature includes the ability to create specific traffic filters, specify the source and destination addresses, specify the protocol and service, inspect both inbound and outbound traffic, and encrypt the data streams using IPSEC. The original idea of the IP Security feature in Windows 2000 was to provide secure communications using IPSEC between hosts and services. An IP Security policy contains various filters and filter actions and, optionally, an authentication and encryption scheme. IP Security filters also have the ability to create a ‘tunnel’ between two defined endpoints.
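As an added illustration (not part of the original article), the following Python model contrasts the two filter styles described above using the article's own NetBIOS/HTTP scenario. The addresses and ports are constructed, and the rule that the most specific matching filter decides is an assumption of this model rather than something the article states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    remote: str      # address of the other end of the conversation
    proto: str       # "tcp" or "udp"
    port: int        # service port on the local host
    inbound: bool    # True if the packet arrives from the network

def nt4_tcpip_filtering(open_tcp, open_udp, pkt):
    """NT4-style TCP/IP Filtering as the article describes it: it sees only
    protocol and port, applies to every adapter, and never inspects outbound."""
    if not pkt.inbound:
        return "permit"
    allowed = open_tcp if pkt.proto == "tcp" else open_udp
    return "permit" if pkt.port in allowed else "deny"

@dataclass(frozen=True)
class IpFilter:
    remote_net: str           # "0.0.0.0/0" means any remote address
    proto: Optional[str]      # None means any protocol
    port: Optional[int]       # None means any port
    inbound: Optional[bool]   # None means either direction
    action: str               # the filter action: "permit" or "block"

def matches(f, pkt):
    return (ip_address(pkt.remote) in ip_network(f.remote_net)
            and f.proto in (None, pkt.proto)
            and f.port in (None, pkt.port)
            and f.inbound in (None, pkt.inbound))

def specificity(f):
    # Modelling assumption: a narrower remote network and more fixed fields win.
    return (ip_network(f.remote_net).prefixlen
            + sum(x is not None for x in (f.proto, f.port, f.inbound)))

def win2k_ip_security(filters, pkt):
    """Windows 2000 IP Security model: every matching filter is considered and
    the most specific one supplies the action (an assumption of this model)."""
    hits = [f for f in filters if matches(f, pkt)]
    return max(hits, key=specificity).action if hits else "permit"

# Constructed policy for the article's scenario: NetBIOS session (TCP 139)
# only from the local subnet, HTTP (TCP 80) from anywhere, all else blocked.
POLICY = [
    IpFilter("0.0.0.0/0", None, None, None, "block"),
    IpFilter("0.0.0.0/0", "tcp", 80, True, "permit"),
    IpFilter("192.168.1.0/24", "tcp", 139, True, "permit"),
]
```

With the NT4 model, opening port 139 opens it to every host; with the Windows 2000 model the same port is reachable only from the listed subnet, and outbound traffic is inspected as well.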

Soon after the public beta release of Windows 2000, beta testers found a way to use the Windows 2000 IP Security filters as a flexible packet filter system. This usage allows a host to selectively permit and deny traffic, much like personal firewall applications. Microsoft soon endorsed this use, beyond its original intention, by publishing usage documents. However, to this day, tools to monitor and troubleshoot such an implementation are still non-existent.

This article is the first of a two-part series that will describe the various methods of implementing Windows 2000 IP Security filters that are integrated with IPSEC communications. The series will attempt to describe the function of the features available, how to configure them and how to troubleshoot the installations. It will conclude with recommendations of how to implement each type of IP Security configuration in different scenarios. This article will offer an overview of IP security policies, including defining, testing, and expanding IP security policies.

Overview of IP Security Policies

Windows 2000 IP Security filters are defined (see figure 1) in the "IP Security Policies on Local Machine" view located under "Computer Configuration Security Settings" in the Group Policy Editor snap-in for the Microsoft Management Console (MMC) application. Alternatively, this snap-in can be launched directly by executing GPEDIT.MSC from the START menu.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
