Adding an IP Security Policy to Keep the System Safe from Ping-Based Threats

Source: Internet
Author: User

Anyone who knows networking will be familiar with ping, the most basic network command and a very useful TCP/IP tool. It sends a small packet to the address you provide and then listens for a reply from that machine. You can give the computer's Internet address, such as ping 192.78.222.81, or its machine name, such as ping MyComputer. When you run it, the ping utility sends an ICMP (Internet Control Message Protocol) echo request to the other computer to verify that it is on the network and to resolve its name and IP address. In short, ping can tell you which machines are currently active on the network.

However, ping can also have serious consequences for Windows systems. A ping intrusion is an ICMP intrusion: the principle is to send so many ping packets that the computer's CPU utilization climbs until the system crashes. Typically, a large number of requests are sent to the computer continuously over a period of time, overwhelming the CPU. With the appropriate settings or a firewall, we can prevent other people from pinging our computer.
The following steps show how to configure the system's IP Security policy so that others cannot ping your host:

I. Adding the IP Security Policy snap-in

The first thing to do is add the IP Security Policy snap-in to the console, as follows:

(1) Click "Start" → "Run", enter "MMC" in the "Run" window and press Enter; this opens the "Console 1" window (Figure 1);

(2) In the window shown in Figure 1, click "File" → "Add/Remove Snap-in" → "Add"; this opens the "Add/Remove Snap-in" window. In the list in that window, double-click "IP Security Policy Management" (Figure 2);

(3) The "Select Computer or Domain" window appears. Select "Local computer", click "Finish", then click "Close" → "OK" to return to the "Console 1" main window. An "IP Security Policies on Local Computer" item now appears under "Console Root" (Figure 3), which shows that the IP Security policy snap-in has been added to the console.

II. Creating the IP Security Policy

With the snap-in added, the next task is to create a new IP Security policy, as follows:

(1) In the window shown in Figure 3, right-click "IP Security Policies on Local Computer" and choose "Create IP Security Policy"; the IP Security Policy Wizard opens;

(2) Click "Next". The wizard asks for the IP Security policy name and description; under "Description" you can enter a policy description such as "Prohibit Ping" (Figure 4);

(3) Click "Next", make sure "Activate the default response rule" is selected on the page that appears, and click "Next";

(4) In the "Default Response Rule Authentication Method" dialog box that appears, select the "Use this string to protect the key exchange (preshared key)" option, then type a string (such as "Disable Ping") in the text box below it (Figure 5);

(5) Click "Next"; the completion page of the IP Security Policy Wizard appears. Click "Finish" to complete the creation of the IP Security policy.

III. Editing the IP Security Policy properties

Once the IP Security policy has been created, it appears as a new item in the console. Edit its properties as follows:

(1) In the console, double-click the newly created IP Security policy; its Properties window opens (Figure 6);

(2) Click the "Add" button; the "Security Rule Wizard" window opens. Click "Next" to reach the "Tunnel Endpoint" page and select "This rule does not specify a tunnel";

(3) Click "Next"; the "Network Type" page appears. Select "All network connections" so that no computer can ping the host (Figure 7);

(4) Click "Next"; the "Authentication Method" page appears. Again select the "Use this string to protect the key exchange (preshared key)" option, and enter the text "Prohibit ping" in the input box below it (Figure 8);

(5) Click "Next", then click the "Add" button on the "IP Filter List" page that opens; the "IP Filter List" window opens (Figure 9);

(6) Click the "Add" button in the "IP Filter List" window; the IP Filter Wizard opens. Click "Next"; on the "IP Traffic Source" page, set "Source address" to "My IP Address" (Figure 10);

(7) Click "Next" and, on the page that appears, set "Destination address" to "Any IP Address", so that a computer at any IP address cannot ping your machine (Figure 11);

(8) Click "Next" and, on the "IP Protocol Type" page that appears, set "Select a protocol type" to "ICMP" (Figure 12);

(9) Click "Next" → "Finish". The filter you just created now appears in the IP filter list. Select it and click "Next", then on the "Filter Action" page that appears, set the filter action to "Require Security" (Figure 13);

(10) Click "Next", then click "Finish" → "OK" → "Close" to save the settings and return to the console.

IV. Assigning the IP Security Policy

A newly created security policy does not take effect immediately; it has to be activated with the "Assign" function. To enable the policy, right-click the new IP Security policy item under the Console Root node and choose "Assign" from the context menu (Figure 14).

At this point, the host refuses pings to its IP address from any other machine, but it can still ping itself locally. With this setting in place, no user (administrators included) can ping this server from another machine. From now on you no longer have to worry about ping-based threats!
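
The same policy can be built from an elevated command prompt with netsh ipsec static, which makes the configuration repeatable and easy to review. This is an added example, not part of the original article: it assumes a Windows version that still provides the netsh ipsec static context, the filter list, filter action and rule names are placeholders, and the custom negotiate-only filter action stands in for the wizard's "Require Security" choice rather than reproducing its exact built-in settings.

```batch
@echo off
rem Added example (not from the original article): the GUI procedure as
rem netsh commands. Run from an elevated command prompt.
rem All names below are placeholders chosen for this example.
setlocal
set "POLICY=Prohibit Ping"
set "FLIST=ICMP between this host and any address"
set "FACTION=Negotiate ICMP"

rem Section II, steps 1-3: create the policy with the default response
rem rule activated. It stays unassigned until everything is in place.
netsh ipsec static add policy name="%POLICY%" description="Prohibit Ping" activatedefaultrule=yes assign=no

rem Section II, step 4: preshared key for the default response rule.
netsh ipsec static set defaultrule policy="%POLICY%" psk="Disable Ping"

rem Section III, steps 5-8: filter list with a single filter,
rem My IP Address <-> Any IP Address, protocol ICMP. mirrored=yes also
rem matches the reverse direction, i.e. echo requests arriving at this host.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=any protocol=ICMP mirrored=yes

rem Section III, step 9: filter action that insists on IPsec negotiation.
rem inpass=no : do not accept unsecured inbound traffic
rem soft=no   : never fall back to unsecured communication
rem The quick mode method ESP[3DES,SHA1] is an assumption for this example.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Section III, steps 2-4 and 10: the rule itself. No tunnel= parameter is
rem given (no tunnel endpoint), it covers all connection types, and it
rem authenticates with the preshared key from the article.
netsh ipsec static add rule name="Prohibit Ping rule" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" conntype=all psk="Prohibit ping"

rem Section IV: assign the policy so that it takes effect.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Print the resulting policy for review.
netsh ipsec static show policy name="%POLICY%" level=verbose
endlocal
```

Because peers that do not hold the preshared key cannot complete the negotiation, their ICMP traffic is dropped, which includes ping-based health checks from monitoring systems. Running netsh ipsec static set policy name="Prohibit Ping" assign=no unassigns the policy again.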
