IPSec Question
Hi, I hope someone can answer this question for me, I'm finding it very confusing! If I set an IPSec rule to Mirrored, what does it actually do? My understanding of IPSec is that it filters packets of data, but how specific is it? For example, on Server A:

Rule 1. An IPSec rule says to allow incoming connections to port 52 over TCP from IP address X. But it is NOT mirrored.
Rule 2. Another rule blocks ALL outbound communication.

TCP can't establish a connection without data going in both directions, obviously. So my question is: Would a TCP connection be allowed to be established from IP address X on port 52? Or, although packets from IP X would be passed through the filter, nothing would ever be sent back from Server A (because of Rule 2), preventing a TCP connection?

I hope someone can help! All the books I've got don't indicate whether an IPSec filter only applies to attempts at establishing a connection or every single packet of data. Thanks for any help, I hope my question is clear! - Johnny
June 25th, 2009 7:41pm

IPsec can be used to filter, but that's really the job of the firewall. IPsec is designed to protect traffic while it is in transit, by providing authentication, integrity, and encryption services. When you create a rule that protects traffic going to IP address X port 52, mirroring the rule ensures that the return traffic is also protected the same way. The vast majority of the time, you will want to mirror your rules, or traffic is protected in only one direction. As to your last point - IPsec authenticates the identity of the peer computers only when establishing the connection. But IPsec then provides integrity, replay protection, and encryption to every packet in the data stream. I hope that answers your questions.
Dave Bishop
Senior Technical Writer
Windows Server Networking User Assistance Team
June 25th, 2009 8:33pm

Hi David, thanks so much for your reply! I understand that IPSec is primarily built for protecting traffic, but I wish to use it for packet filtering, too. I realise that packet filtering is available through TCP/IP's advanced settings, but using IPSec means I can apply it through group policies to lots of different machines as well. I think I understand your answer, but then you confused me with your last bit regarding encryption and integrity. I'm not using any authentication or signing in the majority of my policy's rules... And, as I understand it, blocking and permitting doesn't modify the data. Thanks for any clarification, - Johnny
June 25th, 2009 9:40pm

You can configure Windows Firewall on XP SP2 and all later versions of Windows by using Group Policy. I recommend you use that for block and allow actions instead of using IPsec. For XP, go to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. You can set separate rules for the Domain profile and the Standard profile. The domain profile is active whenever the computer can directly connect to a domain controller for its joined domain. Standard is used for all other times. For Vista and later, use Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security. You can set both inbound and outbound rules, and can create separate rules for Domain, Private, and Public network profiles. In Vista (as in XP), only one profile is active, no matter how many NICs are installed. In Windows 7, each network adapter has the profile appropriate for its network. The description I gave at the end of my previous response describes how IPsec works when you use it as designed - to protect traffic in transit. If you use it to block traffic, then all traffic is blocked - the initial connection attempt is blocked as well as any further packets that the remote host may try to send. My recommendation is that you don't use IPsec as a substitute firewall. You don't get anywhere near the flexibility. Use Windows Firewall instead. You can find all the documentation for both the Firewall and IPsec at http://technet.microsoft.com/en-us/library/cc732283(WS.10).aspx.
Dave Bishop
Senior Technical Writer
Windows Server Networking User Assistance
June 25th, 2009 10:02pm

Hi Dave, thanks again for your answers. I should have made it absolutely clear that I have NO intention of using IPSec as a replacement for a Firewall! :) Rather, I would like to layer my security using a packet filter as well as a firewall. I should also have mentioned that we ARE using IPSec to encrypt traffic (for our Remote Desktop connections), but it also makes sense to block unwanted traffic at this layer, too -- AS WELL as at the application layer through Windows Firewall. (This is especially true because, due to circumstances beyond our control, we are unable to use a hardware firewall at this time... And relying on Windows Firewall as our only protection would seem (to me) reckless in the extreme!) So to get back to my original question, and to clarify your answer, if you wouldn't mind: If the rule says to allow a TCP connection from IP X to IP Y, and I DON'T set the rule as mirrored, a TCP connection COULD still be negotiated, provided it was initiated by IP X? Is that correct? Thanks again, - Johnny
June 26th, 2009 12:22pm

I've managed to do some tests on a non-critical system and it seems your original answer might be wrong ("IPsec authenticates the identity of the peer computers only when establishing the connection"). If the connection isn't mirrored then authentication doesn't appear to be possible. This would indicate that, although the connection is only authenticated once, the packet filtering does indeed work both ways: If the filter isn't mirrored then NO traffic is returned, no matter who instigated the connection. Also, just looking at my original post: It really makes no difference to my question whether I'm encrypting the data or not. As it happens I AM, but I've also reduced the scope so that the connection can only be established from one IP address, hence my original question.
June 26th, 2009 4:43pm

If you don't mirror your rules, then you can't communicate in both directions. IPsec is not "stateful" in the way that Firewall is - if you have a rule from A to B without the B to A component, then IPsec on A will drop all traffic from B, even if it is the response to a request sent by A. That's part of what makes IPsec so difficult to effectively use as a firewall. With Windows Vista and Windows 7, all IPsec rules are mirrored automatically - there's no option not to. That's how important it is that you mirror your rules. To best use IPsec as a host security layer that complements a firewall and adds an additional layer of defense, use Domain and Server Isolation. For a quick intro, see my guide "Step-by-Step Guide: Deploying Firewall Policies" that has a section for Domain Isolation, and another for Server Isolation. The guide is at http://technet.microsoft.com/en-us/library/cc732400.aspx. For complete Domain and Server Isolation documentation, including for Win XP, see http://technet.microsoft.com/en-us/network/bb545651.aspx. I hope that answers your questions!
Dave Bishop
Senior Technical Writer
Windows Server Networking User Assistance
June 26th, 2009 5:46pm
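As an added illustration of the stateless behaviour Dave describes above (example code written for this page, not from the thread or from Microsoft), the toy model below treats an IPsec filter as a one-way 5-tuple match, generates the reverse filter a Mirrored rule adds, and runs a constructed TCP handshake through an unmirrored list, a mirrored list, and a stateful firewall. The addresses, ports and packets are constructed; the assumed default is that anything no permit filter matches is dropped, as in Johnny's Rule 2.

```python
# Added example, not from the thread: a toy model of the point made above.
# An IPsec filter is a unidirectional 5-tuple match with no connection state,
# so the reply half of a TCP handshake needs its own (mirrored) filter.
# All addresses, ports and packets below are constructed for illustration.
from collections import namedtuple

ANY, ANY_PORT = "*", 0
Packet = namedtuple("Packet", "src sport dst dport label")
Filter = namedtuple("Filter", "src sport dst dport")  # ANY / ANY_PORT = wildcard

def matches(f, p):
    return (f.src in (ANY, p.src) and f.dst in (ANY, p.dst)
            and f.sport in (ANY_PORT, p.sport) and f.dport in (ANY_PORT, p.dport))

def mirror(f):
    # The reverse filter a 'Mirrored' rule adds: endpoints and ports swapped.
    return Filter(f.dst, f.dport, f.src, f.sport)

def evaluate(filters, packets, stateful=False):
    # Verdict per packet. Unmatched traffic is dropped (the 'block everything
    # else' rule). stateful=True models a firewall that remembers permitted flows.
    flows, verdicts = set(), []
    for p in packets:
        allowed = any(matches(f, p) for f in filters)
        if stateful and (p.dst, p.dport, p.src, p.sport) in flows:
            allowed = True  # reply to a flow that was already permitted
        if allowed:
            flows.add((p.src, p.sport, p.dst, p.dport))
        verdicts.append((p.label, "permit" if allowed else "drop"))
    return verdicts

# Constructed scenario: Server A (10.0.0.5) permits TCP/52 from host X (10.0.0.9).
SERVER_A, HOST_X = "10.0.0.5", "10.0.0.9"
RULE = Filter(HOST_X, ANY_PORT, SERVER_A, 52)
HANDSHAKE = [Packet(HOST_X, 40000, SERVER_A, 52, "SYN"),
             Packet(SERVER_A, 52, HOST_X, 40000, "SYN-ACK"),
             Packet(HOST_X, 40000, SERVER_A, 52, "ACK")]

if __name__ == "__main__":
    for name, filters, stateful in [("unmirrored", [RULE], False),
                                    ("mirrored", [RULE, mirror(RULE)], False),
                                    ("stateful firewall", [RULE], True)]:
        print(f"{name}: {evaluate(filters, HANDSHAKE, stateful)}")
```

The unmirrored run drops the SYN-ACK even though host X initiated the connection, which is exactly what Johnny observed in his test; the mirrored run and the stateful firewall both let the whole handshake through.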

Awesome! Thanks very much, that's precisely what I wanted to know. I'll check out those links, too. Thanks again, - Johnny Alphabetti Spaghetti - My lame blog
June 26th, 2009 6:39pm
