Restricting Ports Using IP Security
IP Security (IPSec) is a broad security mechanism meant to overcome many of the security limitations of IP. Because all network activity in Windows XP and Windows 2000 uses IP by default, IPSec provides an important service for all network connections, incoming as well as outgoing. IPSec uses a filtering model to recognize specific IP traffic; recognized traffic can be blocked, permitted, or permitted after securing it with authentication, encryption, or both.
Because it supports authentication and encryption, IPSec is often associated with virtual private networks (VPNs) and wireless local area networks—situations in which eavesdropping is possible and must be foiled. But IPSec can be used to secure any network connection.
Unlike TCP/IP filtering, which merely determines which IP packets to allow into your computer, IPSec negotiates a security association between two computers (sometimes referred to as end-to-end security). The security actions take place on each computer through the negotiated link. Packet filtering is only one part of IPSec, which also encompasses other security protocols, and the packet filtering that IPSec uses is more flexible than the TCP/IP filtering discussed earlier in this chapter.
A combination of configuration settings for all the associated protocols in IPSec is called a rule, or a filter rule. An IPSec policy is a collection of one or more rules. You can enable only one IPSec policy at a time, but the policy might have several rules. Each rule is made up of five components:
Filter List. Consists of one or more packet filtering definitions for filtering on protocol, source address/port/mask, and destination address/port/mask. Filter lists are named and stored for use in multiple rules. You can configure only one filter list per rule. A sample filter for closing port 139 is shown here. Although this example shows only one filter in the list, you can include as many filters as needed.
Filter Action. Provides direction on what the filter does with connections matching the filter criteria: permit, block, or negotiate a secure connection.
Authentication Methods. Offers a selection of authentication methods: Kerberos, certificate, or a preset key. The Kerberos V5 protocol uses domain user accounts. Therefore, if the computers you are connecting are not in the same domain or in mutually trusted domains, you must use one of the other authentication methods. You can require that the computer attempting a connection have a server certificate from a selected certification authority (CA). You select the CA from your Trusted CA list. You can also use an alphanumeric key. If you use a preset key, both computers must have exactly the same key configured.
Tunnel Setting. Determines whether a connection can use a virtual private network. If you want the rule to allow a VPN connection, you configure the IP address of the requesting computer. Note that you can configure only one tunneling connection per rule. To allow multiple computers to request a VPN connection, you must create a rule for each computer and select each rule for the active policy.
Connection. Determines the connections to which this rule should be applied: all, dial-up, or network.
You might use a single filter or filter action in more than one rule. For example, if you want incoming SMTP and FTP communications to be encrypted, you need to set up a rule for SMTP and a rule for FTP that both use the same filter action. You can create reusable lists of filters and filter actions that facilitate setting up multiple rules with common elements.
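The port 139 example above, built from the command line as an added illustration (not code from the original text): the script creates the policy, a filter list with one filter, a block filter action, the rule that ties them together, and then assigns the policy. It assumes a Windows version that ships the legacy "netsh ipsec static" context (Windows Server 2003 and later) and an elevated command prompt; the policy, filter list, action, and rule names are placeholders.

```batch
@echo off
rem Added example, not from the original page. Builds one IPSec policy with one
rem rule that blocks inbound TCP 139 (NetBIOS session service). Names are
rem placeholders chosen for this example.

rem 1. The policy that will hold the rule (only one policy can be assigned at a time).
netsh ipsec static add policy name="Block NetBIOS Session" description="Block inbound TCP 139"

rem 2. Filter list with a single filter: any source, this host ("me"), TCP 139.
rem    mirrored=yes also creates the reverse filter so reply traffic is covered.
netsh ipsec static add filterlist name="TCP 139 inbound" description="NetBIOS session service"
netsh ipsec static add filter filterlist="TCP 139 inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=139 mirrored=yes

rem 3. Filter action: block (the other choices are permit and negotiate).
netsh ipsec static add filteraction name="Block" action=block

rem 4. Rule inside the policy that joins the filter list and the filter action.
rem    Authentication and tunnel settings stay at their defaults because a
rem    block action never negotiates a security association.
netsh ipsec static add rule name="Block TCP 139" policy="Block NetBIOS Session" filterlist="TCP 139 inbound" filteraction="Block"

rem 5. Assign the policy; filters are enforced only while a policy is assigned.
netsh ipsec static set policy name="Block NetBIOS Session" assign=y

rem Check what was built.
netsh ipsec static show policy name="Block NetBIOS Session" level=verbose

rem Rollback: unassign first, then delete the policy.
rem   netsh ipsec static set policy name="Block NetBIOS Session" assign=n
rem   netsh ipsec static delete policy name="Block NetBIOS Session"
```

Leaving the policy unassigned keeps the rule defined without enforcing it, which is useful for staging a change before rollout.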