JSI Tip 4554. How do I use IPSec IP filter lists?
December 13, 2001
Microsoft Knowledge Base Article 313190 contains the following summary:
You can secure network communications on Windows 2000-based computers if you use Internet protocol security (IPSec). IPSec is applied to communications based on IPSec policies. You can use IPSec policies to determine when you should use IPSec secure communications between computers. You can also use IPSec policies to control the packets that are allowed into and out of a computer's network interface.
IPSec policies are based on two elements:
• IP filter lists
• IP filter actions
An Internet protocol (IP) filter list is a list of protocols and ports. For example, you can create a filter list entry that allows all computers to gain access to TCP port 80 on the local interface. Another entry in the same filter list might allow access to TCP port 25 on the local interface, and a third filter list entry might allow access to User Datagram Protocol (UDP) port 53 on the local interface.
If a packet that arrives on the computer interface has a matching entry on the filter list, IPSec Policy Agent applies the filter action that you assigned to that filter list. For example, if you assign a Block filter action to the above filter list, any packet that is destined for TCP port 80, TCP port 25, or UDP port 53 is blocked. If instead you assign a Permit filter action to the above filter list, the packets that are destined for TCP port 80, TCP port 25, or UDP port 53 are allowed.
You can use IPSec filter lists and filter actions as an effective method of access control on all interfaces. Note that IPSec policies are applied to all interfaces on a multiple-homed computer. There is no procedure that you can use to allow selective application of IPSec policies to a particular interface.
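The following is an added example, not part of the Knowledge Base article or of Microsoft's IPSec Policy Agent: a small Python model of the filter-list/filter-action evaluation described above, built around the same TCP 80, TCP 25 and UDP 53 list. The class and function names, the sample packets, and the first-match lookup are assumptions made for the illustration (the real Policy Agent picks the most specific matching filter). It shows that a Block action stops exactly the listed ports and leaves other traffic untouched, that a Permit action allows the listed ports, and that the decision is the same whichever interface the packet arrived on, which is the multi-homed caveat above.

```python
from dataclasses import dataclass
from typing import List, Literal, Optional

# Filter actions modelled here; "Request Security"/"Require Security" are
# omitted because they negotiate IPSec rather than simply permit or block.
Action = Literal["Permit", "Block"]


@dataclass(frozen=True)
class FilterEntry:
    """One entry of an IP filter list: a protocol plus a local (destination) port."""
    protocol: str      # "TCP" or "UDP"
    local_port: int


@dataclass
class FilterList:
    name: str
    entries: List[FilterEntry]

    def matches(self, protocol: str, port: int) -> bool:
        return any(e.protocol == protocol and e.local_port == port for e in self.entries)


@dataclass(frozen=True)
class Packet:
    """A constructed inbound packet; interface is recorded only to show it is ignored."""
    interface: str
    protocol: str
    dst_port: int


@dataclass
class Rule:
    """A policy rule pairs one filter list with one filter action."""
    filter_list: FilterList
    filter_action: Action


@dataclass
class Policy:
    rules: List[Rule]

    def evaluate(self, pkt: Packet) -> Optional[Action]:
        # The policy applies to every interface of the host, so pkt.interface
        # is deliberately not consulted (simplification: first matching rule wins).
        for rule in self.rules:
            if rule.filter_list.matches(pkt.protocol, pkt.dst_port):
                return rule.filter_action
        return None  # no filter matched: IPSec leaves the packet alone


def kb_filter_list() -> FilterList:
    """The three-entry list used as the example in the article text."""
    return FilterList("Web-Mail-DNS", [
        FilterEntry("TCP", 80),
        FilterEntry("TCP", 25),
        FilterEntry("UDP", 53),
    ])


def decide(action: Action, pkt: Packet) -> Optional[Action]:
    """Assign `action` to the example filter list and evaluate one packet."""
    policy = Policy([Rule(kb_filter_list(), action)])
    return policy.evaluate(pkt)


# Constructed sample traffic arriving on two different interfaces.
SAMPLE_PACKETS = [
    Packet("eth0", "TCP", 80),
    Packet("eth1", "TCP", 25),
    Packet("eth1", "UDP", 53),
    Packet("eth0", "TCP", 443),   # not on the list
]


def summarize(action: Action) -> dict:
    """Map 'interface/proto/port' to the resulting decision for every sample packet."""
    return {f"{p.interface}/{p.protocol}/{p.dst_port}": decide(action, p)
            for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for action in ("Block", "Permit"):
        print(action, summarize(action))
```

Reading the output side by side makes the point of the article concrete: the filter list only decides which packets are matched, and it is the filter action that determines what happens to them.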
Windows 2000 includes the following two default IP filter lists:
• All ICMP traffic
• All IP traffic
There are three default filter actions:
• Permit
• Request Security (Optional)
• Require Security