Administering IPSec

IPSec policies, rather than applications programming interfaces (APIs) or operations systems, are used to configure IPSec security services. The policies provide variable levels of protection for most traffic types in most existing networks. IPSec policies can be configured to meet the security requirements of a user, group, application, domain, site, or global enterprise. Microsoft Windows 2000 provides an administrative interface called IPSec Policy Management to define IPSec policies for computers at the Active Directory level for any domain members, or on the local computer for non–domain members.

IPSec policies can be applied to computers, sites, domains, or any organizational units created in Active Directory. IPSec policies should be based on an organization's written (and unwritten) guidelines for secure operations. Through the use of security actions, called rules , one policy can be applied to heterogeneous security groups of computers or to organizational units.

There are two storage locations for IPSec policies:

• Active Directory

• The local registry for stand-alone computers and computers which are not joined to the domain (when the computer is temporarily not joined to a trusted Microsoft Windows 2000 domain, the policy information is cached in the local registry).

Each policy should apply to a scenario considered in an organization's established security plan. Special configuration settings might apply if policies are assigned to a DHCP server, Domain Name System (DNS), Windows Internet Name Service (WINS), Simple Network Management Protocol (SNMP), or remote access server.

On This Page

Creating an IPSec policy
To assign the policy
IPSec Policy Agent Service

Creating an IPSec policy

Microsoft Windows 2000 offers three basic preinstalled security policies, ranging from unsecured to tightly secured. However, security administrators will probably want to create their own policy to suit their particular security needs and requirements. One way to do this is by using the IP Security Policy Wizard. The IP Security Policy Wizard can be used to set the following:

Filters: IPSec uses IP packet filtering methodology as the basis for determining whether communication is allowed, secured, or blocked, according to the IP address ranges, protocols, or even specific protocol ports.

IPSec provides access control by enabling an administrator to designate specific filters and filter actions in an IPSec policy. Two types of access control are provided: simple IP packet filtering and successful authentication. Additionally, permit and block actions allow control over the type of IP packets a computer may send or receive or the addresses with which a computer may communicate.

IPSec Driver: The IPSec driver, using the IP Filter List from the active IPSec policy, watches for outbound IP packets that must be secured and inbound IP packets that need to be verified and decrypted.

As shown in the following diagram, the IPSec driver receives the IP filter list from the IPSec policy agent. The IPSec driver watches all outgoing IP packets on the computer for a match with the stored IP filter list. Outbound packets initiate the negotiation for security when a match occurs. The IPSec driver notifies Internet Key Exchange (IKE) to begin security negotiations.

Rules: Rules govern how and when an IPSec policy protects communication. A rule provides the ability to trigger and control secure communication based on the source, destination, and type of IP traffic.

Each rule contains a list of IP filters and a collection of security actions that take place upon a match with that filter list:

• Filter actions

• Authentication methods

• IP tunnel settings

• Connection types

Each policy can contain one rule, or multiple rules, all of which can be active simultaneously. For example, security administrators might want to have one policy for a site router, but require different security actions for intranet and Internet communications. One policy can be used for the router by creating multiple rules, one for each possible communication scenario.

Default rules are provided with IPSec, encompassing a variety of client and server-based communications. These can be used as is, or modified to meet specific requirements.

IP Packet Filtering: An IP address identifies a computer system's location on the network. Each IP address is separated internally into two parts, a network ID and a computer ID:

• The network ID identifies a single network within a larger TCP/IP network (that is, a network of networks). This ID is also used to identify each network uniquely within the larger network.

• The computer ID for each device (such as a workstation or router) identifies a system within its own network.

Multihomed computers have multiple IP addresses, one for each network adapter.

Filters: A rule provides the ability to trigger security negotiations for communication based on the source, destination, or type of IP traffic using a process called IP packet filtering. This provides a way to define precisely the IP traffic that will be secured, blocked, or passed through (unsecured).

Each filter within an IP Filter List describes a particular subset of network traffic to be secured, both for inbound and outbound traffic:

• Inbound filters apply to traffic received, allowing the receiving computer to match the traffic with the IP filter list. Inbound filters respond to requests for secure communication or match the traffic with an existing Security Association (SA) and process the secured packets.

• Outbound filters apply to traffic leaving a computer toward a destination and trigger a security negotiation that must take place before traffic is sent.

A filter must be available to cover any traffic for which the associated rule is applied. For example, if Computer "A" always wants to exchange data securely with Computer "B":

• In order to send secured data to Computer B, Computer A's IPSec policy must have a filter for any outbound packets going to Computer B.

• In order to receive secured data from Computer A, Computer B's IPSec policy must have a filter for any inbound packets from Computer A.

A filter contains the following parameters:

• The source and destination address of the IP packet. These can be configured from a very detailed level, such as a single IP address, to a global level that encompasses an entire subnet or network.

• The protocol over which the packet is being transferred. This defaults to cover all protocols in the TCP/IP protocol suite. The filter can be configured to an individual protocol level to meet special requirements including custom protocol numbers, however, this is not included in the evaluated configuration.

  Note: IPSec policies configured to apply to the Transport Mode of communication only is included in the Evaluation Configuration.

• The source and destination port of the protocol for TCP and UDP. This also defaults to cover all ports but can be configured to apply to only packets sent or received on a specific protocol port.

Filter Actions: The filter action sets the security requirements for the communication. These requirements are specified in a list of security methods contained in the filter action, including which algorithms, security protocols, and key properties are to be used.

A filter action can also be configured with the following policies:

• Pass-through policy. This does not provide for secure communication. IPSec simply ignores traffic in this case. This is appropriate for traffic that cannot be secured because the remote computer is not IPSec-enabled, traffic that is not sensitive enough to require protection, or traffic that provides its own security.

• Blocking policy. This stops communication from a certain address or group of addresses.

• Negotiating Policy. A policy that negotiates for security but still enables communication with non-IPSec-enabled computers. A filter action can be configured to use fall back to clear. If there is a need to configure a filter action like this, limit the IP filter list to a minimal scope. However, it should be used with extreme caution. Any communications affected by that policy could result in data being sent without protection if negotiation fails for any reason. If the initiator of an IKE negotiation receives a reply from the responder, then the negotiation does not allow fallback to clear.

Some recommendations for filter actions:

• If there is a need to prevent communication with rogue computers, ensure that security is not negotiated for nonessential data or when peers are not IPSec-enabled—make use of filter actions such as blocking or pass-through policies.

• When configuring custom security methods, only set the ESP confidentiality selection to None when a higher layer protocol will provide data encryption.

• For remote communication scenarios (including IPSec tunneling), consider a list of security methods that specifies high levels of security, such as 3DES only, short key lifetimes (less than 50 MB), and perfect forward secrecy for the master and session keys. This helps protect against known-key attacks.

IP Filter Lists: Here are some recommendations for IP filter lists:

• Try to use general filters if there is a need to cover a group of computers with only one filter. For example, in the Filter Properties dialog box, use Any IP Address or an IP subnet address rather than specifying a specific computer's source and destination IP address.

• Define filters that allow grouping and securing traffic from logically associated segments of the network.

• The order in which the filters apply is not related to the ordering displayed when viewing the IPSec policy. All filters are simultaneously retrieved by the IPSec Policy Agent during system startup, and are processed and sorted from most specific to least specific. There is no guarantee that a specific filter will be applied before a general filter until all the filters have been processed, and that may affect some communications behavior during system startup.

Create an IPSec policy on a Domain Controller as follows:

1. Open Windows Explorer; click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.

2. Expand Security Settings, right-click IP Security Policies on Active Directory, and then click Create IP Security Policy. The IP Security Policy Wizard appears.

   

   

3. Click Next.

4. Type the name of the policy, and click Next.

5. Clear the Activate the default response rule check box, and then click Next.

   

6. Make sure the Edit Properties check box is selected (it is by default), and then click Finish.

7. In the Properties dialog box for the policy just created, ensure that the Use Add Wizard check box in the lower-right corner is selected, and then click Add to start the Security Rule Wizard.

   

8. Click Next to proceed through the Security Rule Wizard.

   

9. Select This rule does not specify a tunnel, (selected by default) and then click Next.

   

10. Select the radio button for All network connections, (selected by default) and click Next.

    

11. For the Authentication Method select Windows 2000 Default (Kerberos V5 Protocol) and click Next.

    

12. Select an IP filter list and click Next.

    

13. Select a filter action and click Next.

    

14. To edit the security rule check the Edit properties box and clock Finish.

    

To assign the policy

1. Open Windows Explorer; click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.

2. Expand Security Settings, click on IP Security Policies on Active Directory.

3. Right-click on the policy to assign and choose Assign from the menu.

   

4. This changes the Policy Assigned field in the details box to Yes.

   

IPSec Policy Agent Service

The purpose of the policy agent is to retrieve IPSec policy information and pass it to the other IPSec mechanisms that require that information to perform security services, as shown here.

IPSec Policy Agent

The policy agent is an IPSec service residing on each Windows 2000 computer, appearing in the list of system services. The policy agent performs the following tasks:

• Retrieves the appropriate IPSec policy (if one has been assigned) from Active Directory if the computer is a domain member or from the local registry if the computer is not joined to a domain.

• Sends the active IPSec policy information to the IPSec driver.

Retrieval of the policy occurs at system start time, at the interval specified in the IPSec policy (if the computer is joined to a domain), and at the default Winlogon polling interval (if a joined to a domain). If IPSec policy information is centrally configured for computers which are domain members, the IPSec policy information is stored in Active Directory and cached in the local registry of the computer to which it applies.

• If the computer is temporarily not connected to the domain and has cached policy information, when the computer reconnects to the domain any new policy information for that computer overrides the old, cached policy information.

• If a computer is a stand-alone computer, or is a member of a domain that is not using Active Directory for policy storage, IPSec policy is stored in the local registry.

The policy agent starts automatically at system start time. If there are no IPSec policies in the directory service or registry, or if the policy agent cannot connect to the directory service, the policy agent waits for policy to be assigned or activated.