How to use IPsec filtering rules to filter network traffic

Windows XP comes with its own software firewall to enable you to control what information travels between your PCs and the Internet, but you can also control what enters and exits your PCs by using IPsec filtering rules to filter particular protocol and port combinations for both inbound and outbound network traffic.

IPsec filtering rules are implemented by creating and assigning an IPsec policy to your computer, but first you need to create and define your filtering rules, which control which protocols, ports and IP addresses are allowed or blocked. This is done by running the IP Security and Policy Management Snap-In in a Microsoft Management Console (MMC) and selecting the local computer. You can now add, edit and remove filters by right-clicking IP Security Policies in the left pane of the MMC console and selecting Manage IP Filter Lists and Filter Actions. The next step is to configure the IPsec Policy and to assign it. In the MMC console right-click IP Security Policies on Local Computer and select Create IP Security Policy in order to give the policy a name, add the various IP Filters and Filter Actions to the new Policy, and assign it to the computer.

An IPsec policy can contain several different filter rules and actions, making it very flexible. As well as controlling access to your computer, it can be used to block access to certain sites or applications, such as chat rooms. The IPsec protocol can also be used to provide data privacy, integrity and authenticity but it can't secure all types of network traffic – see the Microsoft Knowledge Base article 253169 for further details.

More information Submit your IPsec filtering questions to Michael Cobb via our Ask the Experts feature.

When using IPsec filter rules you need to have a clear understanding of the impact that blocking specific ports will have. For example, blocking port 135 to guard against the DCOM RPC vulnerability can impact the functionality of Active Directory and Microsoft Exchange, which also use port 135. It is important therefore to test your new filters to ensure that you have accomplished your intended goals. Microsoft Service Pack 2 for XP includes a command line tool IPseccmd.exe, which can be used to manage IPsec policy and filtering rules. For more information on how to use this tool see the Microsoft Knowledge Base article 813878.

About the Author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Exploring Microsoft's Network Access Protection policy options Screencast: How to use Wikto for Web server assessment How to avoid DLP implementation pitfalls Microsoft Baseline Security Analyzer: Do updates offer improved Windows security? How to patch Kaminsky's DNS vulnerability Directory services and beyond: The future of LDAP Screencast: Catching network traffic with Wireshark Enterprise role management: Trends and best practices Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex Windows XP and Server Security Microsoft to patch critical flaws in Office, SQL Server Microsoft patches critical Access, Excel flaws Inside MSRC: Microsoft addresses critical Snapshot Viewer flaw Microsoft to revamp patching, add exploitability index Vendors rally to repair dangerous DNS flaw Microsoft issues DNS, SQL Server updates Inside MSRC: Microsoft issues guidance on DNS server update Microsoft to issue Windows, SQL Server updates Microsoft warns of attacks against Microsoft Access zero-day flaw Microsoft security updates blocked by bug RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.