Internet Protocol Security
Special IPSec Considerations
The following considerations help simplify administration of IPSec policies:
IP Filter Lists
Some recommendations for IP Filter Lists:
- Try to use general filters if you want to cover a group of computers with only one filter. For example, in the Filter Properties dialog box, use Any IP Address or an IP subnet address rather than specifying a specific computer's source and destination IP address.
- Define filters that allow you to group and secure traffic from logically associated segments of your network.
- The order in which the filters apply is not related to the ordering displayed when viewing the IPSec policy. All filters are simultaneously retrieved by the IPSec Policy Agent during system startup, and are processed and sorted from most specific to least specific. There is no guarantee that a specific filter will be applied before a general filter until all the filters have been processed, and that may affect some communications behavior during system startup.
Filter Actions
Some recommendations for Filter Actions:
- If you need to prevent communication with rogue computers, or to ensure that security is not negotiated for non-essential data or with peers that are not IPSec-enabled, use Filter Actions that block the traffic or pass it through unsecured.
- When configuring custom security methods, only set the ESP confidentiality selection to None when a higher layer protocol will provide data encryption.
- For remote communication scenarios (including IPSec tunneling), consider a list of security methods that specifies high levels of security, such as 3DES only, short key lifetimes (less than 50 MB), and Perfect Forward Secrecy for the master and session keys. This helps protect against known-key attacks.
Remote Access Communications
Some recommendations for remote access communications:
- The list of authentication methods must include certificates, and at least one computer-level public key certificate must be configured on each peer (remote client or remote access server). A Windows 2000 domain can be configured to automatically enroll member computers for certificates from a certification authority.
- If you require the ability to remotely administer computers in your enterprise, you must add a rule to your active IPSec policy to prevent RPC TCP traffic from being blocked when it comes from the internal network. (This type of traffic is used by the remote access configuration tools in Windows 2000). For example:
- The IP Filter List in the rule should specify the corporate subnet (the location of your administrative console) as the source address and the managed computer's internal IP address as the destination address. The protocol type should be set to TCP.
- The Filter Action in the rule should have Accept unsecured communication and Allow communication with non-IPSec-enabled computers enabled.
SNMP
If a computer is running an SNMP service, you must add a rule to prevent SNMP messages from being blocked:
- The IP Filter List should specify the source and destination addresses of the SNMP management systems and agents. The Protocol type should be set to UDP, on ports 161 (agent requests and responses) and 162 (traps). This requires two filters: one for UDP, to and from port 161, and the other for UDP, to and from port 162.
- Set the Filter Action to Permit, which does not negotiate security and passes any traffic that matches the IP Filter List through unsecured.
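The ordering rule from IP Filter Lists (filters are evaluated most-specific-first regardless of display order) and the two Permit rules above (remote administration over TCP from the corporate subnet, and SNMP on UDP 161/162) can be checked against a small model. The following Python is an added example, not Microsoft code and not the Policy Agent's actual algorithm: the addresses, rule names and the specificity weights used for sorting are assumptions made for illustration, and the sample policy is constructed.

```python
"""Simplified model of IPSec policy filter ordering and matching.

Added example, not Microsoft code. Specificity weighting is an assumption:
host (/32) outranks subnet (/24) outranks Any, and a named protocol or an
explicit port makes a filter more specific still. Addresses are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Filter:
    name: str
    src: str                  # "any", a CIDR subnet, or a /32 host
    dst: str
    protocol: str             # "any", "tcp", or "udp"
    src_port: Optional[int]   # None means any port
    dst_port: Optional[int]
    action: str               # "permit", "block", or "negotiate"
    mirrored: bool = True     # also match packets in the reply direction

    def specificity(self) -> tuple:
        addr_bits = sum(ip_network(a).prefixlen for a in (self.src, self.dst) if a != ANY)
        proto_bits = 0 if self.protocol == ANY else 1
        port_bits = sum(p is not None for p in (self.src_port, self.dst_port))
        return (addr_bits, proto_bits, port_bits)

    def _one_way(self, src, dst, protocol, sport, dport) -> bool:
        def addr_ok(spec, addr):
            return spec == ANY or ip_address(addr) in ip_network(spec)

        def port_ok(spec, port):
            return spec is None or spec == port

        return (addr_ok(self.src, src) and addr_ok(self.dst, dst)
                and self.protocol in (ANY, protocol)
                and port_ok(self.src_port, sport) and port_ok(self.dst_port, dport))

    def matches(self, src, dst, protocol, sport=None, dport=None) -> bool:
        if self._one_way(src, dst, protocol, sport, dport):
            return True
        # A mirrored filter swaps both addresses and both ports, so the
        # SNMP reply (source port 161) is covered by the same filter.
        return self.mirrored and self._one_way(dst, src, protocol, dport, sport)


def order_filters(filters: List[Filter]) -> List[Filter]:
    """Evaluation order: most specific first, whatever order they were defined in."""
    return sorted(filters, key=lambda f: f.specificity(), reverse=True)


def resolve(filters: List[Filter], src, dst, protocol, sport=None, dport=None) -> str:
    """Action for one packet, or 'no-match' if no filter applies (IPSec then leaves it alone)."""
    for f in order_filters(filters):
        if f.matches(src, dst, protocol, sport, dport):
            return f.action
    return "no-match"


# Constructed sample policy for a managed server at 10.0.2.15, listed in a
# deliberately arbitrary order: the display order is not the evaluation order.
ADMIN_SUBNET = "10.0.1.0/24"
MANAGED_HOST = "10.0.2.15/32"
SNMP_MANAGER = "10.0.1.5/32"

POLICY = [
    Filter("all traffic", ANY, ANY, ANY, None, None, "negotiate"),
    Filter("snmp 161", SNMP_MANAGER, MANAGED_HOST, "udp", None, 161, "permit"),
    Filter("admin rpc", ADMIN_SUBNET, MANAGED_HOST, "tcp", None, None, "permit"),
    Filter("snmp 162", SNMP_MANAGER, MANAGED_HOST, "udp", None, 162, "permit"),
]

if __name__ == "__main__":
    print([f.name for f in order_filters(POLICY)])
    print(resolve(POLICY, "10.0.1.7", "10.0.2.15", "tcp", 49200, 135))   # admin console: permit
    print(resolve(POLICY, "10.0.3.9", "10.0.2.15", "tcp", 49200, 135))   # any other host: negotiate
    print(resolve(POLICY, "10.0.2.15", "10.0.1.5", "udp", 161, 49201))   # SNMP reply, mirrored: permit
```

Because `resolve` sorts before matching, reversing `POLICY` gives the same answers; the general "all traffic" filter only applies to packets no specific filter claimed, which is the behaviour the ordering note describes.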
Security Gateways
For a security gateway, firewall, proxy server, router or any server that is an access point from the intranet to the outside world, special filtering must be enabled on that computer to ensure that packets secured with IPSec are not rejected. At a minimum, the following input and output filters must be defined for the Internet interface on the computer:
Input Filters
- IP Protocol ID of 51 (0x33) for inbound IPSec Authentication Header traffic.
- IP Protocol ID of 50 (0x32) for inbound IPSec Encapsulating Security Payload traffic.
- UDP port 500 (0x1F4) for inbound IKE negotiation traffic.
Output Filters
- IP Protocol ID of 51 (0x33) for outbound IPSec Authentication Header traffic.
- IP Protocol ID of 50 (0x32) for outbound IPSec Encapsulating Security Payload traffic.
- UDP port 500 (0x1F4) for outbound IKE negotiation traffic.
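The filter set above can be exercised against raw packets. The following Python is an added example, not Microsoft code: it builds minimal IPv4 packets for each case (constructed samples, not captures), parses the header, and decides whether the gateway's Internet-interface filters pass the packet. Since the input and output filter lists are identical, one check serves both directions; the addresses and the choice to match UDP 500 as either source or destination port are assumptions.

```python
"""Check constructed packets against the gateway filters for IPSec transit.

Added example, not Microsoft code. Passes IP protocol 51 (AH), IP protocol 50
(ESP) and UDP port 500 (IKE); everything else on the Internet interface is
rejected by this check. Addresses are hypothetical documentation ranges.
"""
import struct
from ipaddress import ip_address

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500


def build_ipv4(proto: int, payload: bytes, src="203.0.113.10", dst="198.51.100.1",
               frag_offset=0) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, frag_offset & 0x1FFF,
                         64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return header + payload


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fields the gateway filters look at; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    info = {"proto": packet[9],
            "src": str(ip_address(packet[12:16])),
            "dst": str(ip_address(packet[16:20])),
            "sport": None, "dport": None, "fragment": frag_offset != 0}
    # Ports exist only in the first fragment of a UDP datagram.
    if info["proto"] == IPPROTO_UDP and not info["fragment"] and len(packet) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def gateway_permits(packet: bytes) -> tuple:
    """(allowed, reason) under the AH / ESP / IKE filter set from the text."""
    info = parse_ipv4(packet)
    if info["proto"] == IPPROTO_AH:
        return True, "ah"
    if info["proto"] == IPPROTO_ESP:
        return True, "esp"       # non-first ESP fragments still carry protocol 50
    if info["proto"] == IPPROTO_UDP and IKE_PORT in (info["sport"], info["dport"]):
        return True, "ike"
    # Anything else (TCP, other UDP, UDP fragments with no port header) is rejected.
    return False, "no matching filter (proto %d)" % info["proto"]


# Constructed samples: a 16-byte placeholder stands in for the AH/ESP body.
SAMPLES = {
    "ah": build_ipv4(IPPROTO_AH, b"\x00" * 16),
    "esp": build_ipv4(IPPROTO_ESP, b"\x00" * 16),
    "ike": build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x00" * 8)),
    "dns": build_ipv4(IPPROTO_UDP, build_udp(53000, 53)),
    "tcp": build_ipv4(6, b"\x00" * 20),
    "ike_fragment": build_ipv4(IPPROTO_UDP, b"\x00" * 8, frag_offset=1),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, gateway_permits(pkt))
```

The fragment case is the one worth noticing: a later fragment of a large IKE message carries no UDP header, so a port-based filter cannot recognise it, whereas ESP and AH fragments are still identified by the IP protocol field.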
DHCP, DNS, and WINS Services; Domain Controllers
Before enabling IPSec for computers functioning as a DHCP, DNS, WINS server, or domain controller, determine if all the clients are also IPSec-capable. Otherwise, if IPSec policy is not configured to allow fall back to clear or to permit unsecured traffic to accommodate older clients, secure negotiation might erroneously fail, and access to these network services might be blocked.
© 1985-2000 Microsoft Corporation. All rights reserved.