IPSec Packet Filtering

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use Windows Server 2003 IPSec to secure specific servers in your enterprise. IPSec can be configured to permit or block specific types of traffic based on combinations of source and destination address, protocol, and port. You can use this feature of IPSec to block the well-known ports that software listens on, so that even if a server is infected, it cannot be used to infect other computers or be accessed through those ports.

For example, nearly all the systems illustrated in Figure 6.3 can benefit from packet filtering to restrict communication to only specific addresses and ports.

Figure 6.3   Filtering Packets by Using IPSec


By blocking communication to specific ports of a server, it is more difficult for an intruder to access the server or for the server to be used to attack other computers. You can strengthen security by using IPSec filtering to control exactly the type of communication that is allowed between systems. For example, as illustrated in Figure 6.3:

  • The internal network domain administrator can assign a domain-based IPSec policy to block all traffic from the perimeter network.

  • A perimeter network domain administrator can assign a domain-based IPSec policy to block all traffic to the internal network.

  • The administrator of the computer running Microsoft® SQL Server™ on the internal network can create an exception to the domain-based IPSec policy to permit SQL protocol traffic to the Web application server on the perimeter network.

  • The administrator of the Web application server on the perimeter network can create an exception to the domain-based policy to permit SQL traffic to the computer running SQL Server on the internal network.

  • The administrator of the Web application server on the perimeter network can also block all traffic from the Internet, except requests to TCP port 80 (HTTP) and TCP port 443 (SSL), which are used by Web services. This provides defense in depth: traffic from the Internet remains restricted even if the firewall is misconfigured or compromised by an attacker.

  • The domain administrator can block all traffic to the management computer, but allow traffic to the perimeter network.
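The Web application server configuration from the list above, expressed as netsh ipsec static commands for Windows Server 2003 (an added example, not part of the original article). The SQL Server address 192.0.2.10 is a constructed placeholder, TCP port 1433 is assumed to be the SQL Server listening port, and the policy and filter names are arbitrary.

```batch
@echo off
rem Added example: IPSec packet filtering for the perimeter Web application server.
rem Assumptions: SQL Server listens on its default TCP port 1433 at the constructed
rem address 192.0.2.10; policy, filter list and action names are arbitrary.

rem 1. Create the policy container. Nothing is enforced until it is assigned (step 6).
netsh ipsec static add policy name="WebServerFilter" description="Block all except HTTP, HTTPS and SQL to internal DB"

rem 2. Filter actions: a plain block and a plain permit (no ESP/AH negotiation).
netsh ipsec static add filteraction name="BlockAction" action=block
netsh ipsec static add filteraction name="PermitAction" action=permit

rem 3. Catch-all filter: any address, any protocol, to this computer. Filters are
rem    mirrored by default, so the reverse direction is covered as well.
netsh ipsec static add filterlist name="AllTraffic"
netsh ipsec static add filter filterlist="AllTraffic" srcaddr=Any dstaddr=Me protocol=ANY

rem 4. Exceptions. IPSec applies the most specific matching filter first, so these
rem    permits take precedence over the catch-all block for the same packet.
rem    srcport=0 means any source port.
netsh ipsec static add filterlist name="WebPorts"
netsh ipsec static add filter filterlist="WebPorts" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=80
netsh ipsec static add filter filterlist="WebPorts" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=443

rem Only this host may reach the SQL Server, and only on the SQL port (assumed 1433).
netsh ipsec static add filterlist name="SqlToInternal"
netsh ipsec static add filter filterlist="SqlToInternal" srcaddr=Me dstaddr=192.0.2.10 protocol=TCP srcport=0 dstport=1433

rem 5. Bind each filter list to its action inside the policy.
netsh ipsec static add rule name="BlockEverything" policy="WebServerFilter" filterlist="AllTraffic" filteraction="BlockAction"
netsh ipsec static add rule name="AllowWeb" policy="WebServerFilter" filterlist="WebPorts" filteraction="PermitAction"
netsh ipsec static add rule name="AllowSql" policy="WebServerFilter" filterlist="SqlToInternal" filteraction="PermitAction"

rem 6. Assign the policy (filtering takes effect here), then review what is configured.
netsh ipsec static set policy name="WebServerFilter" assign=y
netsh ipsec static show all
```

Run this from the server's own console rather than over a remote session, because the catch-all rule also blocks the management traffic unless a further exception for the management computer is added first.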

You can also use IPSec with the NAT/Basic Firewall component of the Routing and Remote Access service or IP packet filtering to enhance IPSec permit or block filtering of inbound or outbound traffic.