Configure an IPSec Security Policy

Remoting was used in a recent project, which is said to be out of security considerations. However, the development efficiency is relatively low and complicated. Another security issue is that the machine on which remoting is located can directly access the database, while the app server can only perform operations on the database through remoting, in other words, only the remoting machine is allowed. Other machines cannot directly access the database.

You need to configure it on the server. Although it is convenient to use firewall, I have seen one before.ArticleI mentioned that the built-in IPSec for Windows can also be implemented. So I searched immediately, but it is a pity that most of the articles I found do not have any images, even if they are incomplete. For convenience, I spent some time configuring them, and record the entire process, so that you can refer to it next time.

First, enable the IPsec service on the server. As shown in:

Then, go to the management tools on the Control Panel to open the Local Security Policy. As shown in:

On the displayed page, select "IP Security Policy, on the local computer", right-click, and select "create IP Security Policy ". As shown in:

In the IP Security Policy wizard, create a "port 3306" policy because it is used by MySQL. As shown in the following figure:

After creation, return to "IP Security Policy, on the local computer" and select "manage IP Filter table and filter operation. As shown in:

Create an IP Filter, as shown in.

First, specify the source IP address, that is, the IP address of the database you are allowed to access. As shown in:

Create the target address, that is, the address of the server itself. As shown in:

Select the protocol type. As shown in:

In the select Protocol IP port, as shown in:

Then add the IP Filter operation. Because the IP address has been added before, you need to add a behavior to regulate the IP address operation to allow or prevent the IP address from accessing the server. As shown in:

Similarly, first add the filter operation name, as shown in:

Set the action of the filter operation to allow, as shown in.

After these settings, you can create a rule, that is, an IP policy corresponds to a filter. You can create an IP address to allow this IP policy to access the server, you can also create an IP policy to prevent it from accessing the server, so that you can implement secure IP Access Control. As shown in:

Select the IP address Filter list, as shown in:

Perform the IP address filter operation, as shown in:

Okay. So far, we have established an IP policy that allows 192.168.0.3 to access port 3306 of the server. Then we set an IP policy, stop all IP addresses from accessing port 3306 of the server. In this way, port 3306 of the server is only accessible to 192.168.0.3. As shown in:

Now all the policies have been created, but the last step is to make the policies work, that is, to assign them. As shown in:

Now, security access control is implemented. Although it is troublesome, no additional firewall is required. It can also be used in some situations where the security level is not high. If the security requirement is high, we still use professional firewall software and hardware.