Network Security Series (21): Configuring IPSec Security Policies

Source: Internet
Author: User

1. Understanding IPSec Security Policies

IPSec (Internet Protocol Security) is an open standard in the network security industry. It uses cryptographic security services to ensure the confidentiality and security of network communication. IPSec works at the network layer and is transparent to users and applications; it can be used to restrict access to servers and to customize security settings. IPSec has two working modes: transport mode and tunnel mode. Transport mode protects communication between two hosts, that is, end-to-end communication; the IP header is not encrypted, only the payload is. Tunnel mode protects communication between a host and a network, or between two networks, which is how VPN functionality is implemented; it encrypts the entire original IP packet and re-encapsulates it in a new one.

In Windows Server 2003, IPSec is configured through Group Policy. Open the Group Policy Editor and configure IPSec under Computer Configuration \ Windows Settings \ Security Settings \ IP Security Policies.

IPSec functionality is implemented through IPSec policies. By default, three IPSec policies exist in Windows:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979018whtL.png]

The three default IPSec policies do not need to be modified. In most cases, new IPSec policies are used to meet our requirements.

The following describes how to configure an IPSec security policy so that only a client with a specified IP address can access the Remote Desktop service on a Windows Server 2003 machine.

 

2. Restricting Remote Desktop access to a specified client

Enabling the Remote Desktop service makes it easy to manage servers remotely, but it also exposes the server to some threats. To protect the server, we can set a security policy that restricts which IP addresses and networks may connect to the Remote Desktop service.

Assume that the IP address of the server is 192.168.100.33. For server security, only 192.168.100.34 is allowed to open a Remote Desktop connection.

First, create a new policy under IP Security Policies:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979018YHA6.png]

The IP Security Policy wizard opens as shown in the figure. Click "Next", name the policy "iprule", click "Next", and when the warning is displayed select "Yes" and then "Next".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_14149790195D4I.png]

Click "Finish". The newly created IP policy is listed; right-click it and choose "Properties".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979019ypbD.png]

The IPSec security policy function is implemented mainly through IP security rules. A default dynamic rule exists in the new policy, but it is not enabled.

An IP security rule consists mainly of an "IP filter list" and a "filter action".

The filter defines the kind of traffic to match and selects the packets that meet its conditions. The filter action specifies what is done with the matched traffic.

Therefore, an IP security rule is defined in two steps: first define the IP filter, and then define the action to apply to the filtered traffic.

Next, we need to define two security rules. One rule blocks any IP address from connecting to port 3389 on the local machine, and the other allows only the IP address 192.168.100.34 to connect to port 3389 on the server. In this way, the single allowed IP address is filtered ahead of the block rule.

First, create the rule that blocks any IP address from connecting to the server's port 3389.

Click Add to open the new rule wizard.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979020VvrP.png]

Next step:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979020HRzf.png]

Next step:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979021uT0v.png]

Select "Add" to create a filter:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979021PsW0.png]

Click "Add" to open the IP filter list dialog.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979022QVPK.png]

Click "Add", then "Next", then "Next" again, and select "Any IP Address" as the source address.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979022KTWc.png]

Click "Next" and select "My IP Address" as the destination address.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979023YwRe.png]

Click "Next" and select the TCP protocol for the IP protocol type.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979023g0e6.png]

Click "Next" and set the destination port to 3389.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979024qZbB.png]

Click "Next", then "Finish", then "OK".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_14149790241Bd9.png]

Click "OK", select the newly created IP filter list, and click "Next".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979025YB7L.png]

The filter action list is displayed. Click "Add".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979025TEPx.png]

Click "Next" and enter a name for the filter action.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979026xoFA.png]

Select "Block" and click "Next"

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979026tCui.png]

Click "Finish".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979026dmF4.png]

Back in the filter action panel, select "Block" and click "Next".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979027n4Bn.png]

Click "Next" and then "Finish".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979027u6iz.png]

Click "OK", then right-click "iprule" and choose "Assign" so that the policy you just created takes effect.

Note: before assigning, run services.msc, set the startup type of the IPSEC Services service to Automatic or Manual, and start the service.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_14149790287LfC.png]

Assign the policy:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_14149790286TbU.png]

Once the above policy is created and assigned, no IP address can connect to port 3389 on the server. We therefore need a second rule that allows the specified IP address to access port 3389.

Double-click "iprule" and add a rule from the Properties panel.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979029jG9n.png]

Click "Next" until the dialog shown in the figure appears, then add an IP filter list.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979029bXMK.png]

Enter the IP filter information.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_14149790300DXG.png]

Click "Next" and select the specified source address 192.168.100.34.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979030qLpi.png]

After specifying the source address, click "Next" and set the destination address to "My IP Address", the protocol to TCP, and the port to 3389.

Destination address:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979031jH8L.png]

TCP protocol:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979031UmG4.png]

Port 3389:

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979032CaaB.png]

Click "Finish".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979032763j.png]

Return to the security rule wizard, select the IP filter list that allows the specified IP address to access port 3389 on the server, and click "Next".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979033wGFc.png]

Select "Permit" and then "Next".

[Figure: http://img1.51cto.com/attachment/201411/3/70821_1414979033PSaX.png]

After completing the settings above, click "Next" to finish, and view the newly created policy.

[Figure: http://img1.51cto.com/attachment/201411/3/70821_14149790348Zls.png]

While reviewing the rules, make sure that the allow rule is listed above the block rule. Because the rules are executed in order from top to bottom, the two rules together restrict which IP address may reach the server's Remote Desktop.

Click "OK", then reload the rules: un-assign the policy and assign it again. All access to the Remote Desktop service is now restricted.

The same method can be used to allow only one subnet to access the Remote Desktop: simply select a subnet as the source address instead of a single IP address.
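As an added example that is not part of the original post, here is the same two-rule policy built from the command line with the netsh ipsec static context that ships with Windows Server 2003, instead of the GUI wizard. The policy name iprule and the client address 192.168.100.34 come from the article; the filter-list, filter-action and rule names, the description text, and the PolicyAgent service commands are my own choices, and the subnet variant at the end is an assumption shown commented out.

```batch
@echo off
rem Added example (not from the original post): build the "iprule" policy with
rem netsh ipsec static on Windows Server 2003. Names other than iprule and the
rem client address 192.168.100.34 are assumptions chosen to mirror the GUI steps.

rem 1. The IPSEC Services service (service name PolicyAgent) must be running;
rem    an assigned policy does nothing while the service is stopped.
sc config PolicyAgent start= auto
sc start PolicyAgent

rem 2. Create the policy. It is left unassigned until both rules exist.
netsh ipsec static add policy name=iprule description="Restrict RDP to one client"

rem 3. Filter list A: any source -> this machine, TCP destination port 3389.
rem    mirrored=yes also matches the reply direction, as the GUI filter does.
netsh ipsec static add filterlist name=rdp-any
netsh ipsec static add filter filterlist=rdp-any srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

rem 4. Filter list B: only 192.168.100.34 -> this machine, TCP 3389.
netsh ipsec static add filterlist name=rdp-allowed-client
netsh ipsec static add filter filterlist=rdp-allowed-client srcaddr=192.168.100.34 srcmask=255.255.255.255 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

rem    Subnet variant (assumed 192.168.100.0/24), if a whole subnet should be allowed:
rem    netsh ipsec static add filter filterlist=rdp-allowed-client srcaddr=192.168.100.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes

rem 5. Filter actions: one that blocks and one that permits.
netsh ipsec static add filteraction name=act-block action=block
netsh ipsec static add filteraction name=act-permit action=permit

rem 6. Rules tying each filter list to its action inside the policy.
netsh ipsec static add rule name=block-rdp-all policy=iprule filterlist=rdp-any filteraction=act-block
netsh ipsec static add rule name=permit-rdp-client policy=iprule filterlist=rdp-allowed-client filteraction=act-permit

rem 7. Assign the policy (same as right-click -> Assign in the GUI). To reload
rem    after editing, run "set policy name=iprule assign=n" and then assign=y.
netsh ipsec static set policy name=iprule assign=y

rem 8. Verify the stored policy and what the IPSec driver is actually enforcing.
netsh ipsec static show policy name=iprule
netsh ipsec dynamic show all
```

Because the block rule and the permit rule are both created before the policy is assigned, there is no interval in which port 3389 is blocked for everyone, unlike the GUI walkthrough, which assigns the block-only policy first. Run the script from the server console rather than from a Remote Desktop session originating at an address the permit filter does not cover, and check the output of step 8 before trusting the change.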

This article is from the "one pot of turbidity wine" blog. For more information, please contact the author!

