JSI Tip 6534. The IPSec default exemptions can be used to bypass IPsec protection in some scenarios?
April 3, 2003
Microsoft Knowledge Base Article 811832 contains the following summary:
The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and Windows Server 2003 was not designed as a full-featured host-based firewall. It was designed to provide basic permit and block filtering by using address, protocol and port information in network packets. IPsec was also designed as an administrative tool to enhance the security of communications in a way that is transparent to the programs. Because of this, it provides traffic filtering that is necessary to negotiate security for IPsec transport mode or IPsec tunnel mode, primarily for intranet environments where machine trust was available from the Kerberos service or for specific paths across the Internet where public key infrastructure (PKI) digital certificates can be used.
The default exemptions to IPsec policy filters are documented in the Microsoft Windows 2000 and Microsoft Windows XP online help. These filters make it possible for Internet Key Exchange (IKE) and Kerberos to function. The filters also make it possible for network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure, such as multicast and broadcast traffic. For additional information about these filters, see the following Microsoft Knowledge Base article:
253169 Traffic That Can--and Cannot--Be Secured by IPSec
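To make the tip concrete, here is a small Python model (added here; not code from the KB article or from Microsoft) of how the default exemptions sit in front of a policy's own filters: a flow that falls under an exemption is passed before a "block all" filter is ever consulted. The port and protocol numbers are standard assignments assumed for the model (the tip names only the services), exemption matching is simplified to the destination port, and the sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Standard port/protocol assignments (assumed here; the tip names the services only).
IKE_PORT = 500          # IKE over UDP
KERBEROS_PORT = 88      # Kerberos KDC, TCP or UDP
RSVP_PROTOCOL = "rsvp"  # RSVP is its own IP protocol, not TCP/UDP
MULTICAST = IPv4Network("224.0.0.0/4")
LIMITED_BROADCAST = IPv4Address("255.255.255.255")

@dataclass(frozen=True)
class Packet:
    protocol: str      # "tcp", "udp" or "rsvp" (simplified model)
    dst: IPv4Address
    dst_port: int = 0

def default_exemption(pkt: Packet):
    """Name of the default exemption a packet falls under, or None."""
    if pkt.protocol == RSVP_PROTOCOL:
        return "rsvp"
    if pkt.dst in MULTICAST:
        return "multicast"
    if pkt.dst == LIMITED_BROADCAST:
        return "broadcast"
    if pkt.protocol == "udp" and pkt.dst_port == IKE_PORT:
        return "ike"
    if pkt.protocol in ("tcp", "udp") and pkt.dst_port == KERBEROS_PORT:
        return "kerberos"
    return None

def filter_decision(pkt: Packet, block_all: bool, exemptions_active: bool) -> str:
    """Exempt traffic never reaches the policy's own filters; everything else does."""
    exempt = default_exemption(pkt) if exemptions_active else None
    if exempt is not None:
        return "permit (default exemption: %s)" % exempt
    return "block" if block_all else "permit"

# Constructed sample flows aimed at a host whose IPsec policy blocks all inbound traffic.
SAMPLES = {
    "smb": Packet("tcp", IPv4Address("192.0.2.10"), 445),
    "ike": Packet("udp", IPv4Address("192.0.2.10"), IKE_PORT),
    "kerberos": Packet("tcp", IPv4Address("192.0.2.10"), KERBEROS_PORT),
    "rsvp": Packet(RSVP_PROTOCOL, IPv4Address("192.0.2.10")),
    "multicast": Packet("udp", IPv4Address("224.0.0.251"), 5353),
    "broadcast": Packet("udp", LIMITED_BROADCAST, 67),
}

def bypassing(exemptions_active: bool = True):
    """Sample flows that the block-all policy still lets through."""
    return [n for n, p in SAMPLES.items()
            if filter_decision(p, True, exemptions_active).startswith("permit")]
```

Running `bypassing()` lists every sample flow except SMB, which is the tip's point: an IPsec "block" filter is not a host firewall for the exempt traffic classes, so those classes need a separate control.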