Considerations for developing IPSec security policies

Source: Internet
Author: User
Tags: firewall

Be cautious with the IPSec security policy anti-ping method

Using an IPSec security policy to block ping is a common method: after a few simple IPSec policy configuration steps, the machine no longer answers ping. The configuration is easy, and IPSec security policy is built into Windows and needs no additional installation, so it is popular with many users. Here, however, I would like to remind you to use the IPSec security policy anti-ping method with caution.

Why do I say that? First, look at how an IPSec security policy blocks ping: it creates a new IPSec policy that filters out every ICMP packet reaching the local machine. This does stop ping, but it leaves a side effect behind.

The ping command is closely tied to the ICMP protocol (Internet Control Message Protocol). ICMP defines 11 message formats, and ping works with the "Echo Request" message. The IPSec security policy anti-ping method, however, does not block selectively: it filters out all ICMP messages, including many other message types that are useful. In some special LAN applications this produces packet-loss symptoms that disrupt users' normal work, so I suggest everyone be cautious with the IPSec security policy anti-ping method.

Blocking ping with a third-party firewall tool

Now that we know the shortcomings of the IPSec security policy anti-ping method, we can use more precise methods that still let packets sent from the local machine reach the target host correctly, such as blocking ping with a network firewall.

For ordinary Internet users, blocking ping with a personal network firewall is the simplest way. It needs no complex settings: once the built-in "anti-ping" rule of the firewall is configured properly, the goal is reached. There are many kinds of personal network firewall, and almost all of them can block ping effectively, for example Skynet Personal Firewall, Rising Personal Firewall and Windows Firewall (ICF). Below I take Rising Personal Firewall as the example and describe how to configure it to block ping.

Run the main Rising Personal Firewall program and in the main window click "Settings → Set rules" to open the "Rising Personal Firewall rule settings" window. In the rule list select the "Default ICMP inbound" rule and double-click it to open the rule properties dialog box (Figure 1), where the detailed parameters are set: choose "System" in the "Category" box, "Receive" in the "Direction" box, make sure "ICMP", the protocol used by ping, is selected in the "Protocol" box, and choose "No" in the "Action" box. Pay attention to the choice of ICMP message type: switch to the "ICMP Type" tab, select "Echo Request" in the "Type" drop-down list, and click the "Modify" button to save the settings. Rising Personal Firewall now filters out only the "Echo Request" ICMP message that ping uses, while the other useful ICMP messages pass safely. With these settings the personal network firewall blocks ping effectively.

Using the Routing and Remote Access component

For LAN users a personal network firewall can hardly meet their needs, and an enterprise-class network firewall such as ISA 2004 is needed to block ping. For some small LANs these enterprise-class firewalls are too expensive to accept. In fact, the "Routing and Remote Access" component of the Windows 2000/Server 2003 server operating systems solves this problem; the component is built into Windows and requires no additional purchase.

Let me take a Windows Server 2003 system as the example of how to block ping with the Routing and Remote Access component. As you know, the component has built-in routing table management, VPN services, IP packet filtering and so on. By default Windows Server 2003 does not enable the Routing and Remote Access service, so you must first enable it manually. On the Windows Server 2003 gateway server, open the "Control Panel → Administrative Tools" window and run the "Routing and Remote Access" tool. In the main Routing and Remote Access window right-click the local server and choose "Configure and Enable Routing and Remote Access" from the pop-up menu. In the Routing and Remote Access Server Setup Wizard click "Next", select the "Custom configuration" option, click "Next", select the "LAN routing" option in the next window, and then click the "Finish" button.

In the main Routing and Remote Access window expand "IP Routing → General" in turn. In the "General" box right-click the network card connected to the Internet (Figure 2), choose "Properties", and in the properties dialog box click the "Inbound Filters" button to open the "Inbound Filters" dialog box. Select "Receive all packets except those that meet the criteria below", then click the "New" button to open the "Add IP Filter" dialog box (Figure 3). Select "ICMP" in the "Protocol" drop-down list, enter "8" in the "ICMP type" field and "0" in the "ICMP code" field, and click "OK". A message of ICMP type 8, code 0 is the "Echo Request" message used by ping. Finally click "OK" to complete the anti-ping setting.
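As an added example (not code from the original article), the following Python script models the two inbound policies the article contrasts: the IPSec policy that drops every ICMP message, and the Rising/RRAS rule that drops only ICMP type 8 code 0. The packet builder, checksum, policy names and sample packets are all constructed here for the demonstration.

```python
import struct

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11  # RFC 792 types

def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as the ICMP header uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: 8-byte header with a valid checksum, plus payload."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, 0, 0) + payload

def parse_icmp(packet: bytes):
    """Return (type, code) if the header is complete and the checksum verifies, else None."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    return struct.unpack("!BB", packet[:2])

def ipsec_style_filter(packet: bytes) -> bool:
    """The article's IPSec anti-ping policy: every inbound ICMP packet is dropped."""
    return False

def echo_request_filter(packet: bytes) -> bool:
    """The Rising / RRAS rule: drop only type 8 code 0 (Echo Request), pass the rest.
    Malformed packets are dropped as well, since the rule has nothing to match on."""
    parsed = parse_icmp(packet)
    return parsed is not None and parsed != (ECHO_REQUEST, 0)

def evaluate(policy, packets):
    """Apply a policy to (label, packet) pairs and return the labels it lets through."""
    return [label for label, pkt in packets if policy(pkt)]

SAMPLE_PACKETS = [  # constructed inbound ICMP traffic for the demonstration
    ("ping Echo Request", build_icmp(ECHO_REQUEST, 0, b"abcd")),
    ("Echo Reply to our own ping", build_icmp(ECHO_REPLY, 0, b"abcd")),
    ("Fragmentation Needed (path MTU discovery)", build_icmp(DEST_UNREACHABLE, 4)),
    ("Time Exceeded (traceroute)", build_icmp(TIME_EXCEEDED, 0)),
]

if __name__ == "__main__":
    print("IPSec policy passes:", evaluate(ipsec_style_filter, SAMPLE_PACKETS))
    print("Type 8 / code 0 rule passes:", evaluate(echo_request_filter, SAMPLE_PACKETS))
```

Running it shows the IPSec-style policy passing nothing, while the type 8 / code 0 rule still delivers the Echo Reply, Fragmentation Needed and Time Exceeded messages the article warns about losing.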

I have introduced several different anti-ping methods, each suited to a different network environment; if you are interested, you may wish to try them.

Figure 1: Rising Personal Firewall rule settings

Figure 2: Selecting the network adapter connected to the Internet

Figure 3: Adding an IP filter
