This appendix provides a concise listing of all policy settings for the isolation groups used in this solution.

General Policy Configuration
The following information is contained in all of the policies that are defined in this solution.

Policy General Settings
Note: High (2048) is supported only by Microsoft Windows Server™ 2003 and Windows XP SP2, and will be ignored by Windows 2000 and earlier versions of Windows XP. IKE compatibility with Windows 2000 and with Windows XP SP1 and earlier is ensured by using Medium (2).
Rule 1
Filter List: "IPSEC - Cluster VIP Exemption List"
Filter: My <-> Specific IP Address, Mirrored – Currently Empty
Description: "IP addresses for all Cluster VIPs in the organization"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 2
Filter List: "IPSEC - DHCP, Negotiation Traffic"
Filter: My <-> Any, UDP, SRC Port 68 to DST Port 67, Mirrored
Description: "Allows DHCP Negotiation traffic"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 3
Filter List: "IPSEC - DNS Exemption List"
Filter: Any <-> 192.168.1.21, Mirrored; Any <-> 192.168.1.22, Mirrored
Description: "IP Addresses for all DNS servers in the organization"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 4
Filter List: "IPSEC - Domain Controller Exemption List"
Filter: Any <-> 192.168.1.21, Mirrored; Any <-> 192.168.1.22, Mirrored
Description: "IP addresses for all DCs in organization"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 5
Filter List: "IPSEC - WINS Exemption List"
Filter: Any <-> 192.168.1.22, Mirrored
Description: "IP Addresses for all WINS servers in the organization"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 6
Filter List: "IPSEC - LOB Application Servers Exemption List"
Filter: Any <-> 192.168.1.10, Mirrored
Description: "IP Addresses for all LOB servers in the organization"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 7
Filter List: "IPSEC - ICMP, All Traffic"
Filter: My <-> Any, ICMP, Mirrored
Description: "Allows ICMP traffic"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 8
Filter List: "IPSEC - Exempt Addresses"
Filter: Any <-> Specific IP Address, Mirrored – Currently Empty
Description: "Specific IP addresses to be exempted from IPsec communication"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 9
Filter List: "IPSEC - Exempt Subnets"
Filter: My <-> Specific IP Subnet, Mirrored – Currently Empty
Description: "Subnets to be exempted from IPsec communication"
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule 10
Filter List: "IPSEC - Policy Version: (1.0.041001.1600)"
Filter: 1.1.1.1 <-> 1.1.1.2, ICMP, Mirrored
Description: "Not a real filter list. Used to identify IPsec policy version."
Filter Action: IPSEC-Permit
Authentication: Kerberos
Tunnel: No
Connection Type: ALL

Rule Behavior Explained
Rule 1. This rule is required to exempt outbound communication to the cluster VIPs. It should not be included if there is no need for this server to communicate with the cluster VIPs.
Rule 2. This rule permits non-IPsec Dynamic Host Configuration Protocol (DHCP) negotiation to be used.
Rule 3. This rule permits non-IPsec communication to Domain Name System (DNS) systems in the exemption list.
Rule 4. This rule permits non-IPsec communication to domain controller systems in the exemption list.
Rule 5. This rule permits non-IPsec communication to Windows Internet Naming Service (WINS) systems in the exemption list.
Rule 6. This rule permits non-IPsec communication to hosts in the exemption list. Woodgrove Bank created this filter list for their line-of-business application servers.
Rule 7. This rule permits the use of non-IPsec Internet Control Message Protocol (ICMP) traffic.
Rule 8. This rule permits non-IPsec communication to hosts in the exemption list. This rule is not to be included in the policies if the filter list is empty.
Rule 9. This rule permits non-IPsec communication to subnets in the exemption list. This rule is not included in the policies if the filter list is empty.
Rule 10. This rule is only used to track versioning information for the policy.
The filter used to implement the filter list is a dummy filter that consists of two specific IP addresses that permit ICMP traffic. This dummy filter is required because one cannot add an empty filter list to a policy.

Isolation Domain Policy
This section provides the details of the filters, filter actions, policy, and Group Policy objects (GPOs) used to create the Isolation Domain in the solution for Woodgrove Bank.

Rule 11
Filter List: IPSEC – Organizational Subnets
Filter: Any <-> internal subnets, all traffic, mirrored
Filter Action: "IPSEC – Secure Request Mode (Ignore Inbound, Allow Outbound)"
Security Method Preference Order: ESP-null/SHA1, ESP-null/MD5, ESP-3DES/SHA1, then ESP-3DES/MD5
DO NOT accept unsecured communications
Allow unsecured communication with non-IPsec-aware hosts
Authentication: Kerberos
Tunnel: No
Connection Type: ALL
All other policy settings are the same as listed in the "General Policy Configuration" section earlier in this appendix.

Rule Behavior Explained
Rule 11. This rule is the most general rule defined in the policy. It matches traffic destined to secure subnets and requests that IPsec be negotiated. It will not accept unsecured communication from non-IPsec-aware clients, but it can communicate with non-IPsec-aware clients if it initiates the communication.

No Fallback Isolation Group Policy
This section provides the details of the filters, filter actions, policy, and GPOs used to create the No Fallback isolation group in the solution for Woodgrove Bank.
Rule 11
Filter List: IPSEC – Organizational Subnets
Filter: Any <-> internal subnets, all traffic, mirrored
Filter Action: "IPSEC – Full Require Mode (Ignore Inbound, Disallow Outbound)"
Security Method Preference Order: ESP-null/SHA1, ESP-null/MD5, ESP-3DES/SHA1, then ESP-3DES/MD5
DO NOT accept unsecured communications
DO NOT allow unsecured communication with non-IPsec-aware hosts
Authentication: Kerberos
Tunnel: No
Connection Type: ALL
All other policy settings are the same as listed in the "General Policy Configuration" section earlier in this appendix.

Rule Behavior Explained
Rule 11. This rule is the most general rule defined in the policy. It matches traffic destined to secure subnets and requires that IPsec be negotiated. It does not allow any communication with non-IPsec-aware clients.

Boundary Isolation Group Policy
This section provides the details of the filters, filter actions, policy, and GPOs used to create the Boundary isolation group in the solution for Woodgrove Bank. The boundary host is assumed not to be mobile; it can therefore use subnets to define its network, and it should be secured almost like a Bastion Host as described in the Windows Server 2003 security guide. It must be highly protected against attack from untrusted hosts. Consequently, the IPsec policy should be merged with filters that reduce the attack surface where possible.

Policy General Settings: IKE Main Mode Lifetime: 20 Minutes

Rule 11
Filter List: IPSEC – Organizational Subnets
Filter: Any <-> internal subnets, all traffic, mirrored
Filter Action: "IPSEC – Request Mode (Accept Inbound, Allow Outbound)"
Security Method Preference Order: ESP-null/SHA1, ESP-null/MD5, ESP-3DES/SHA1, then ESP-3DES/MD5
Accept unsecured communications
Allow unsecured communication with non-IPsec-aware hosts
Authentication: Kerberos
Tunnel: No
Connection Type: ALL
All other policy settings are the same as listed in the "General Policy Configuration" section earlier in this appendix.

Rule Behavior Explained
Rule 11. This rule is the most general rule defined in the policy. It matches traffic destined to secure subnets and requests that IPsec be negotiated. It will accept traffic from non-IPsec-aware clients and will also initiate communication to those clients.

Encryption Isolation Group Policy
This section provides the details of the filters, filter actions, policy, and GPOs used to create the Encryption isolation group in the solution for Woodgrove Bank.

Rule 11
Filter List: IPSEC – Organizational Subnets
Filter: Any <-> internal subnets, all traffic, mirrored
Filter Action: "IPSEC – Require Encryption Mode (Ignore Inbound, Disallow Outbound)"
Security Method Preference Order: ESP-3DES/SHA1, then ESP-3DES/MD5
DO NOT accept unsecured communications
DO NOT allow unsecured communication with non-IPsec-aware hosts
Authentication: Kerberos
Tunnel: No
Connection Type: ALL
All other policy settings are the same as listed in the "General Policy Configuration" section earlier in this appendix.

Rule Behavior Explained
Rule 11. This rule is the most general rule defined in the policy. It matches traffic destined to secure subnets and requires that encrypted IPsec be negotiated. It does not allow any communication with non-IPsec-aware clients.
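The following model shows how the four Rule 11 filter actions above, combined with the exemption rules from the General Policy Configuration, dispose of traffic with a given peer. It is an added example written for this appendix, not code from the Woodgrove Bank solution or from Windows; the 192.168.0.0/16 "internal subnets" value and the single-host exemption set built from the addresses in Rules 3 to 6 are assumptions constructed for the example.

```python
"""Disposition model for the isolation-group IPsec policies (added example)."""
from ipaddress import ip_address, ip_network

# Rule 11 filter-action settings per isolation group, transcribed from the
# appendix: (accept unsecured inbound, allow unsecured outbound to
# non-IPsec-aware hosts, encryption required).
GROUPS = {
    "Isolation Domain": (False, True, False),   # Secure Request Mode
    "No Fallback":      (False, False, False),  # Full Require Mode
    "Boundary":         (True, True, False),    # Request Mode
    "Encryption":       (False, False, True),   # Require Encryption Mode
}

# Quick-mode security methods in the preference order the appendix lists.
ESP_NULL_FIRST = ["ESP-null/SHA1", "ESP-null/MD5", "ESP-3DES/SHA1", "ESP-3DES/MD5"]
ESP_3DES_ONLY = ["ESP-3DES/SHA1", "ESP-3DES/MD5"]

# Constructed exemption set (Rules 3-6) using the appendix's lab addresses,
# and an assumed value for the "internal subnets" filter of Rule 11.
EXEMPT_HOSTS = {"192.168.1.21", "192.168.1.22", "192.168.1.10"}
INTERNAL_SUBNETS = [ip_network("192.168.0.0/16")]


def offered_methods(group):
    """Security methods Rule 11 proposes for the group."""
    return ESP_3DES_ONLY if GROUPS[group][2] else ESP_NULL_FIRST


def evaluate(group, peer_ip, direction, peer_ipsec_aware, proto="TCP"):
    """Return 'permit-clear', 'negotiate', 'negotiate-encrypted', 'drop', or
    'unmatched' (no filter in the policy applies, so the policy is silent)."""
    if proto == "ICMP":                   # Rule 7 permits all ICMP in the clear
        return "permit-clear"
    # Windows picks the most specific matching filter, so the single-host
    # exemptions (Rules 3-6) take precedence over the Rule 11 subnet filter.
    if peer_ip in EXEMPT_HOSTS:
        return "permit-clear"
    addr = ip_address(peer_ip)
    if not any(addr in net for net in INTERNAL_SUBNETS):
        return "unmatched"
    inpass, soft, encrypt = GROUPS[group]
    if peer_ipsec_aware:                  # negotiation succeeds with IPsec peers
        return "negotiate-encrypted" if encrypt else "negotiate"
    if direction == "inbound":            # "Ignore Inbound" vs "Accept Inbound"
        return "permit-clear" if inpass else "drop"
    return "permit-clear" if soft else "drop"   # "Allow" vs "Disallow Outbound"
```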