Playing with IPSec at the command line, too

Source: Internet
Author: User
Tags: filter, command line, implement, interface, key, domain

As the Internet sees ever wider use, the security of computer communication has become an important problem. A basic responsibility of a network administrator is to make sure that data in transit cannot be accessed, read or modified by unauthorized parties, and that it can be transmitted encrypted. How is that done?

On a Win2K network we can secure the network with IPSec. IPSec stands for Internet Protocol Security. It has two main functions: protecting the contents of IP packets (authentication and encryption), and filtering packets so that only trusted communication is allowed, which helps defend against network attacks. That is good news whenever important data must be protected in transit or eavesdropping must be prevented.

Because IPSec encrypts data with symmetric keys at the IP layer and protects the whole IP packet, there is no need to set up separate security for each protocol in the TCP/IP suite: applications hand their data to the IP layer through TCP/IP, and it is protected there. IPSec configuration is therefore relatively complex, but it is transparent to applications and needs no application support.

Win2K supports IPSec; earlier Windows versions such as Win98 and WinNT do not. On a Win2K network, IPSec can secure either a LAN or a WAN. The articles we have seen all configure IPSec through the graphical interface, which takes many steps, is easy to get wrong and is not very efficient. So can IPSec be configured from the command line? The answer is yes, and that is what this article is about.

One: Basic knowledge

Before getting into the article, some basic knowledge is needed to follow what comes later.

1. How IPSec works:

When two computers communicate and an IPSec policy has been set up, each host checks the policy that applies to it. The policy applied to the host triggers a negotiation, carried out by establishing a Security Association (SA) through IKE. Once negotiation is complete, the two computers establish an encrypted connection according to the policy configuration and transmit their data encrypted. On the receiving side the IPSec driver decrypts the packet, hands it to the TCP/IP driver, and from there it is delivered to the receiving application.

2. IPSec modes:

⑴ Transport mode: protects communication between two hosts and is the default IPSec mode. Transport mode works only between Win2K systems (earlier Windows versions have no IPSec) and provides end-to-end (point-to-point) security.

⑵ Tunnel mode: the process of encapsulating, sending and unpacking is called a "tunnel". It is usually implemented on two routers: IPSec is configured at both ends to secure the communication between the two routers. It is mainly used on a WAN and provides no security inside either network.

3. IPSec authentication methods:

⑴ Kerberos V5: the default authentication method. Choose it when the computer is a domain member and a Kerberos V5 client, for example a Win2K computer in a domain.

⑵ Certificate: requires a CA that both sides trust.

⑶ Preshared key: both sides enter the same agreed key when setting up the policy.

All three can be used as authentication methods. In day-to-day work, Win2K computers in a domain use Kerberos; in other cases the third method, a key agreed between the two parties, is generally used. Note that a preshared key is stored in clear text inside the IPSec policy, so it is suited to testing and to hosts that cannot use Kerberos or certificates, not to long-term production use.

4. IPSec encryption settings:

⑴ Integrity (authentication) algorithms: SHA-1 and MD5

⑵ Packet encryption algorithms: 40-bit DES and 56-bit DES

⑶ 3DES: the strongest of the three, and correspondingly the most expensive in system resources. (By today's standards MD5 and single DES are broken; 3DES is the minimum worth choosing.)

Other IPSec background can be found with a search engine and is not expanded on here.

Two: Microsoft's gift

To configure IPSec from the command line we need the IPSecPol tool (included on the CD). It is not third-party software but a free Microsoft tool from the Windows 2000 Resource Kit. It is specific to Win2K: Windows XP ships ipseccmd.exe instead, and Windows Server 2003 and later use netsh ipsec.

Why use IPSecPol? When a large number of IP security policies must be configured, the graphical interface is time-consuming and laborious, whereas with ipsecpol the work can be scripted: combined with a batch file, the user enters a few parameters and a huge job is finished in a short time. More importantly, it configures policies in real time. If you like working at the command line, it should start to interest you.

Its syntax is as follows:

ipsecpol [\\computername] [-?] [-f filterlist] [-n negotiationpolicylist] [-t tunneladdress] [-a authmethodlist] [-u] [-soft] [{-dialup | -lan}] [-1s securitymethodlist] [-1k phase1rekeyafter] [-1p] [-confirm] [-w type:domain] [-p policyname:pollinterval] [-r rulename] [-x] [-y] [-o]

The commonly used parameters are explained here:

-f filterlist: the filter list. Each entry has the form A.B.C.D/mask:port=A.B.C.D/mask:port:protocol. The A.B.C.D on the left of the = is the source IP and the one on the right the destination IP; mask is the subnet mask (255.255.255.255 for a single host), port the port number and protocol the protocol type. Mask and port are optional; a missing port means any port. For example, my IP is 166.111.30.30 and I want to filter requests from 166.111.40.40 to my TCP port 7626. The filter is:

166.111.40.40/255.255.255.255=166.111.30.30/255.255.255.255:7626:tcp

The source port is left out because a client connects from an arbitrary port; giving 7626 on the left would match only packets sent from port 7626. Likewise a mask such as 255.255.252.0 would match the whole 166.111.40.0/22 subnet rather than the single host.

Wildcards are also available: * stands for any IP address and 0 for my own address. The + sign can be used instead of =: it creates the filter together with its mirror (the same filter with source and destination swapped), so the reverse direction is covered too. So 0+*:139:tcp filters packets from my host to TCP port 139 on any host (outbound connections), and *+0:139:tcp filters packets from any source IP to TCP port 139 on my host (inbound connections).

-w type:domain: where the policy is written. type is reg to store it in the local registry, or ds to store it in the directory (Active Directory), in which case domain names the domain. We generally choose reg.

-p policyname:pollinterval: the name of the policy, for example "blockrpcattackvectors"; the optional pollinterval is the policy polling interval in minutes.

-r rulename: the name of the rule, for example "Blockoutboundtcp445rule".

-x: activates (assigns) the IP security policy just configured.

-y: deactivates (unassigns) the configured IP security policy.

-o: deletes the security policy just set.

Those are the parameters we generally use; for the others, see the help (ipsecpol -?).
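Before moving on to the examples, here is an added example (not from the original article and not part of ipsecpol) that parses the -f filterspec syntax described above into a structured filter and checks a constructed packet against it. It shows the difference between *+0:port and 0+*:port, and that the + form also matches the mirrored (reply) direction. Function names such as parse_filterspec and packet_matches are this example's own, and the local address 166.111.30.30 and the packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Protocol names ipsecpol accepts in the last field of a filterspec,
# mapped to IP protocol numbers (a numeric value is accepted as well).
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1, "raw": 255}


@dataclass(frozen=True)
class Endpoint:
    address: str         # dotted quad, "*" (any address) or "0" (this host)
    mask: str            # dotted-quad subnet mask
    port: Optional[int]  # None means any port


@dataclass(frozen=True)
class Filter:
    src: Endpoint
    dst: Endpoint
    protocol: Optional[int]  # IP protocol number, None means any protocol


def _parse_endpoint(addr_mask: str, port: Optional[str]) -> Endpoint:
    addr, _, mask = addr_mask.partition("/")
    if addr not in ("*", "0"):
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    if not mask:
        # a bare address means that single host; "*" means everything
        mask = "0.0.0.0" if addr == "*" else "255.255.255.255"
    ipaddress.IPv4Network(f"0.0.0.0/{mask}")  # raises on a non-contiguous mask
    p = int(port) if port else None
    if p is not None and not 0 <= p <= 65535:
        raise ValueError(f"port {p} out of range")
    return Endpoint(addr, mask, p)


def parse_filterspec(spec: str) -> List[Filter]:
    """Parse SRC[/mask][:port](=|+)DST[/mask][:port][:proto].

    '=' yields one filter; '+' yields that filter plus its mirror, i.e. the
    same addresses, ports and protocol with source and destination swapped.
    """
    seps = [c for c in spec if c in "=+"]
    if len(seps) != 1:
        raise ValueError(f"need exactly one '=' or '+' in {spec!r}")
    left, right = spec.split(seps[0])
    lf, rf = left.split(":"), right.split(":")
    if len(lf) > 2 or len(rf) > 3:
        raise ValueError(f"too many fields in {spec!r}")
    proto = None
    if len(rf) == 3:
        name = rf[2].lower()
        proto = PROTOCOLS[name] if name in PROTOCOLS else int(name)
    src = _parse_endpoint(lf[0], lf[1] if len(lf) > 1 else None)
    dst = _parse_endpoint(rf[0], rf[1] if len(rf) > 1 else None)
    forward = Filter(src, dst, proto)
    if seps[0] == "=":
        return [forward]
    return [forward, Filter(dst, src, proto)]


def _address_matches(ep: Endpoint, ip: str, local_ips: Set[str]) -> bool:
    if ep.address == "*":
        return True
    if ep.address == "0":
        return ip in local_ips
    net = ipaddress.IPv4Network(f"{ep.address}/{ep.mask}", strict=False)
    return ipaddress.IPv4Address(ip) in net


def packet_matches(filters: List[Filter], src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int, proto: int,
                   local_ips: Set[str]) -> bool:
    """True if any filter in the list matches the packet (with -n BLOCK
    that means the packet is dropped)."""
    for f in filters:
        if f.protocol is not None and f.protocol != proto:
            continue
        if f.src.port is not None and f.src.port != src_port:
            continue
        if f.dst.port is not None and f.dst.port != dst_port:
            continue
        if (_address_matches(f.src, src_ip, local_ips)
                and _address_matches(f.dst, dst_ip, local_ips)):
            return True
    return False


if __name__ == "__main__":
    me = {"166.111.30.30"}                      # constructed local address
    inbound = parse_filterspec("*+0:135:tcp")   # any host -> my TCP/135, plus mirror
    outbound = parse_filterspec("0+*:135:tcp")  # me -> any host's TCP/135, plus mirror
    # A SYN from 166.111.40.40 to my port 135 (constructed packet) is caught by
    # the "inbound" rule; the "outbound" rule only covers connections I make.
    print(packet_matches(inbound, "166.111.40.40", 3456, "166.111.30.30", 135, 6, me))   # True
    print(packet_matches(outbound, "166.111.40.40", 3456, "166.111.30.30", 135, 6, me))  # False
    # The mirror half of the inbound rule also drops my replies from port 135.
    print(packet_matches(inbound, "166.111.30.30", 135, "166.111.40.40", 3456, 6, me))   # True
```

The matcher is deliberately stateless, like the Win2K filter engine: it has no notion of an established connection, which is why the mirrored half of a + filter is what lets replies through or blocks them.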

Three: Concrete examples

For the example we take the "Blaster" worm (W32.Blaster, called "Shockwave" in Chinese). Blaster uses TCP ports 135 and 4444 and UDP port 69, and also sends ICMP packets. The ports used by the RPC DCOM service it exploits are TCP 135, 445, 139 and 593 and UDP 135, 137, 138 and 445.

To guard against Blaster we need to filter connections from outside to the ports listed above, and we also block ICMP packets so that the network is not slowed down. If we are already infected we also want to stop the host from sending data out. So we create a policy named Antiblaster, and the commands are as follows:

ipsecpol -w reg -p "Antiblaster" -r "Blockinboundtcp135rule" -f *+0:135:tcp -n BLOCK
ipsecpol -w reg -p "Antiblaster" -r "Blockoutboundtcp135rule" -f 0+*:135:tcp -n BLOCK
ipsecpol -w reg -p "Antiblaster" -r "Blockinboundtcp4444rule" -f *+0:4444:tcp -n BLOCK
ipsecpol -w reg -p "Antiblaster" -r "Blockoutboundtcp4444rule" -f 0+*:4444:tcp -n BLOCK
ipsecpol -w reg -p "Antiblaster" -r "Blockinboundudp69tftprule" -f *+0:69:udp -n BLOCK
ipsecpol -w reg -p "Antiblaster" -r "Blockoutboundudp69tftprule" -f 0+*:69:udp -n BLOCK
ipsecpol -w reg -p "Antiblaster" -r "Blockinboundicmprule" -f *+0:0:icmp -n BLOCK
ipsecpol -w reg -p "Antiblaster" -r "Blockoutboundicmprule" -f 0+*:0:icmp -n BLOCK

Finally, the policy has to be activated; the command is: ipsecpol -w reg -p "Antiblaster" -x

Two things to keep in mind. Blocking all ICMP also stops ping and path MTU discovery to and from the host, so expect connectivity complaints and broken large transfers, not just a quieter network. And IPSec filtering on Win2K is not a stateful firewall: a BLOCK rule drops every packet that matches the filter, in both directions for a mirrored (+) filter, and by default Win2K exempts IKE (UDP 500), Kerberos, RSVP, broadcast and multicast traffic from IPSec filtering altogether.

Going further, connections to the RPC-related ports are also prohibited, with these commands:

ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundudp135rule" -f *+0:135:udp -n BLOCK
ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundtcp135rule" -f *+0:135:tcp -n BLOCK
ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundudp137rule" -f *+0:137:udp -n BLOCK
ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundudp138rule" -f *+0:138:udp -n BLOCK
ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundtcp139rule" -f *+0:139:tcp -n BLOCK
ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundtcp445rule" -f *+0:445:tcp -n BLOCK
ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundudp445rule" -f *+0:445:udp -n BLOCK
ipsecpol -w reg -p "Blockrpcattack" -r "Blockinboundtcp593rule" -f *+0:593:tcp -n BLOCK

Then activate the policy with ipsecpol -w reg -p "Blockrpcattack" -x. The rules above filter only incoming connection requests; to filter outgoing ones, swap * and 0 in the filter and change inbound to outbound in the rule name. Remember that on a file server or domain controller, blocking TCP 139 and 445 inbound cuts off file sharing and much of the domain traffic, so apply such a policy only to hosts that do not need to serve those ports.

Once Blaster has passed, the policy is no longer needed. It can be deleted in the MMC console, but also from the command line; to remove the Blaster policy, the commands are:

ipsecpol -w reg -p "Antiblaster" -y    (first unassign the policy with -y)

ipsecpol -w reg -p "Antiblaster" -o    (then delete it with -o)

All of this can be written into a batch file (one is included on the CD); when a policy needs setting up in future, only the ports need changing, which saves time and greatly improves efficiency.

That is the end of the article. If you have a better method or more experience, please get in touch, and please point out any shortcomings in the article.



The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
