Security Tool: netsh IPSec usage [IP Security Policy]

Source: Internet
Author: User
Tags: ntfs permissions

Netsh ipsec usage

At the command line, use netsh ipsec static to configure IPsec security policies. This requires the IPSEC Services service to be running.
An IPsec policy consists of one or more rules. A rule consists of an IP filter list and a corresponding filter action. A filter list consists of one or more filters. Filter lists and filter actions are defined once on the system and can be shared between rules; if no suitable one exists you must create it. Rules live inside a policy, so configuration proceeds step by step: create an empty security policy, create a filter list, and create a filter action. These three steps can be done in any order, but filters can only be added after the empty filter list exists. Then create a rule that joins the filter list and the filter action inside the policy, and finally assign the policy. The following describes how to add, modify, delete, and activate a policy:

For more details, refer to Microsoft's TechNet library:

Netsh Commands for Internet Protocol Security (IPsec)

The link is: http://technet.microsoft.com/zh-cn/cc725926

Note: that page also links to "Netsh Commands for Windows Firewall with Advanced Security", which is worth reading as well.

Export an IPsec security policy: netsh ipsec static exportpolicy file=d:\ExportSecurity.ipsec
Import an IPsec security policy: netsh ipsec static importpolicy file=d:\ImportSecurity.ipsec
1. Create a new policy
1.1 First create an empty security policy ("Michael's security policy"). Values containing spaces must be quoted:
netsh ipsec static add policy name="Michael's security policy"
1.2 Create a filter action named "block" that blocks traffic:
netsh ipsec static add filteraction name=block action=block
1.3 Create a filter list ("List of accessible terminals") and add filters to it. dstaddr=Me is the local host; dstport=0 with protocol=any matches every port:
netsh ipsec static add filterlist name="List of accessible terminals"
netsh ipsec static add filter filterlist="List of accessible terminals" srcaddr=203.86.32.248 dstaddr=Me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
netsh ipsec static add filter filterlist="List of accessible terminals" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
1.4 Create the policy rule that joins the filter list and the filter action inside the policy:
netsh ipsec static add rule name="accessible terminal policy rule" policy="Michael's security policy" filterlist="List of accessible terminals" filteraction=block
2. Modify the policy (change an existing filter in the list):
netsh ipsec static set filter filterlist="List of accessible terminals" srcaddr=220.207.31.249 dstaddr=Me dstport=3389 protocol=TCP
3. Delete the policy (remove the rule first, then the filter list it used):
netsh ipsec static delete rule name="accessible terminal policy rule" policy="Michael's security policy"
netsh ipsec static delete filterlist name="List of accessible terminals"
4. Activation, the most important step. Nothing takes effect until the policy is assigned:
netsh ipsec static set policy name="Michael's security policy" assign=y
Here is a self-written example, saved as a batch file:
echo Create the security policy
netsh ipsec static add policy name="APU security policy"
echo Create the "block" filter action
netsh ipsec static add filteraction name=block action=block
echo Create the "allow" filter action
netsh ipsec static add filteraction name=allow action=permit
echo Create the filter list of accessible terminals and its first filter
netsh ipsec static add filterlist name="accessible terminal list"
netsh ipsec static add filter filterlist="accessible terminal list" srcaddr=203.86.32.248 dstaddr=Me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
echo Add the second filter to the same list
netsh ipsec static add filter filterlist="accessible terminal list" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
echo Create the policy rule
netsh ipsec static add rule name="accessible terminal policy rule" policy="APU security policy" filterlist="accessible terminal list" filteraction=block
echo Assign the policy
netsh ipsec static set policy name="APU security policy" assign=y
pause

Or, with a pause after each command so that its result can be checked before continuing:
netsh ipsec static add policy name="default policy name"
pause
netsh ipsec static add filteraction name=block action=block
pause
netsh ipsec static add filteraction name=allow action=permit
pause
netsh ipsec static add filterlist name="access list 1"
pause
netsh ipsec static add filterlist name="access list 2"
pause
netsh ipsec static add filter filterlist="access list 1" srcaddr=203.86.32.248 dstaddr=Me dstport=3389 description="Department 1 access" protocol=TCP mirrored=yes
pause
netsh ipsec static add filter filterlist="access list 2" srcaddr=203.86.31.0 srcmask=255.255.255.0 dstaddr=60.190.145.9 dstport=0 description="Department 2 access" protocol=any mirrored=yes
pause
netsh ipsec static add rule name="accessible terminal policy rule 1" policy="default policy name" filterlist="access list 1" filteraction=block
pause
netsh ipsec static add rule name="accessible terminal policy rule 2" policy="default policy name" filterlist="access list 2" filteraction=block
pause
netsh ipsec static set policy name="default policy name" assign=y
pause

[The following is a reprinted article that has not been tested; it can be found on Baidu.]
REM ====================== start ======================
netsh ipsec static ^
add policy name=bim
REM add two filter actions, Block and Permit
netsh ipsec static ^
add filteraction name=Permit action=permit
netsh ipsec static ^
add filteraction name=Block action=block
REM first block all access (mirrored=yes is the default, so both directions are covered)
netsh ipsec static ^
add filterlist name=AllAccess
netsh ipsec static ^
add filter filterlist=AllAccess srcaddr=Me dstaddr=Any
netsh ipsec static ^
add rule name=BlockAllAccess policy=bim filterlist=AllAccess filteraction=Block
REM allow unrestricted access from some IP addresses
REM (a more specific filter takes precedence over the general AllAccess filter)
netsh ipsec static ^
add filterlist name=UnLimitedIP
netsh ipsec static ^
add filter filterlist=UnLimitedIP srcaddr=61.128.128.67 dstaddr=Me
netsh ipsec static ^
add rule name=AllowUnLimitedIP policy=bim filterlist=UnLimitedIP filteraction=Permit
REM open some ports to everyone
netsh ipsec static ^
add filterlist name=OpenSomePort
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=20 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=21 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static ^
add filter filterlist=OpenSomePort srcaddr=Any dstaddr=Me dstport=3389 protocol=TCP
netsh ipsec static ^
add rule name=AllowOpenSomePort policy=bim filterlist=OpenSomePort filteraction=Permit
REM allow some IP addresses to reach some ports (and this host to reach port 80 anywhere)
netsh ipsec static ^
add filterlist name=SomeIPSomePort
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=Me dstaddr=Any dstport=80 protocol=TCP
netsh ipsec static ^
add filter filterlist=SomeIPSomePort srcaddr=61.128.128.68 dstaddr=Me dstport=1433 protocol=TCP
netsh ipsec static ^
add rule name=AllowSomeIPSomePort policy=bim filterlist=SomeIPSomePort filteraction=Permit
REM the script stops here; the policy still has to be assigned before it takes effect:
REM netsh ipsec static set policy name=bim assign=y

Preface:
IPSec stands for Internet Protocol Security. It provides two main functions: protecting the contents of IP packets, and preventing network attacks by filtering packets and enforcing trusted communication. This is good news when important data must be protected from being monitored in transit, because Windows 2000 has this function built in and no other tools are needed for the purpose.
Because encryption is applied symmetrically at the IP layer and the entire IP packet is encapsulated, there is no need to configure security separately for each protocol in the TCP/IP suite: applications hand their data to the IP layer through TCP/IP, and protection is applied there. The corresponding IPSec configuration is relatively complex, but it is transparent to applications, so no application support is required. The following sections describe the concepts, working process, and practical application of IPSec.
I. IPSec working process:
When two computers communicate and an IPSec policy has been assigned, the host checks the policy during communication. If the policy applies, a negotiation takes place, implemented through Security Associations. After negotiation, an encrypted connection is established between the two computers according to the policy configuration, and data is transmitted encrypted. On the receiving side the IPSec driver decrypts the packet and passes it to the TCP/IP driver and on to the receiving application.
II. Opening the IPSec management console:
There are two ways to open it; both lead to the same console:
Start - Run - Administrative Tools - Local Security Policy
MMC - Add/Remove Snap-in - Add - IP Security Policy Management - OK
III. Predefined policies:
By default no IPSec policy is in effect; a policy must be assigned. The system provides three predefined policies:
Secure Server: IPSec is required. If the peer does not use IPSec, communication fails. For computers that always require secure communication.
Client: IPSec is not used by default, but if the peer requires IPSec the computer responds with IPSec. For computers that do not need protected communication most of the time.
Server: IPSec is requested by default, but if the peer does not support IPSec the computer can fall back to unprotected communication. For computers that need protected communication most of the time.
Policies can be assigned on a single computer or in batches through Group Policy. Note that for negotiation to succeed, the same policy must be configured and assigned at both ends of the communication.
IV. IPSec modes:
Transport mode (security between computers): protects communication between two hosts and is the default IPSec mode. Transport mode works only between Windows hosts and provides end-to-end security.
Tunnel mode (security between networks): the process of encapsulating, sending, and de-encapsulating packets is called a "tunnel". It is usually implemented on two routers: IPSec at both ends protects the traffic between the routers. It is mainly used across wide-area networks and provides no security inside each network.
V. IPSec authentication methods:
Kerberos V5 (default): choose this if the computer is a domain member and a Kerberos V5 client, for example a Windows 2000 computer in a domain.
Certificate: a trusted CA must be configured as well.
Pre-shared key: both parties use a key agreed upon when the policy is set.
Any of these three can be used. In daily work, Kerberos authentication is generally used between Windows 2000 computers in a domain; since there are few CAs in China, the third method is generally used in other cases. Both parties agree on a key; this is used in the second example.
VI. IPSec encryption:
Authentication (integrity) algorithms:
SHA-1
MD5
Packet encryption algorithms:
40-bit DES
56-bit DES
3DES: the most secure option, which also consumes the most system resources.
For more information about the above concepts.
VII. Application:
Many concepts were covered above. The following two examples demonstrate the two functions of IPSec.
1. Protecting IP packet contents: to secure the communication between two hosts, we use IPSec to establish a protected connection between them. A pre-shared key is used for authentication, and IPSec encrypts the traffic. There are two computers in this example: the first has IP address 192.168.0.1 and the second 192.168.0.2. Unless stated otherwise, the steps are performed on the first computer.
(1) Open the IPSec console, right-click "Secure Server" and select Properties. (The system has three built-in rules; have a look at what they do. To demonstrate how a rule is added, we add our own.) Click "Add".
(2) The Security Rule Wizard opens; click "Next".
(3) We are securing communication between two hosts, not between networks, so select "This rule does not specify a tunnel"; this gives us transport mode. Click "Next".
(4) On the network type page there are three choices; the meaning should be clear. Select "All network connections" and click "Next".
(5) On the authentication method page, the three methods were described above. Choose the third: "Use this string to protect the key exchange (preshared key)", and enter the agreed key in the box, for example "hello". Click "Next".
(6) On the "IP Filter List" page, since we want to protect all traffic, select "All IP Traffic". You can also add your own filter list here, as the second example shows. Click "Next".
(7) On the "Filter Action" page, as required above, choose "Require Security". A filter action can also be added here, as the second example shows. Click "Next".
(8) The security rule is now created; click "Finish".
(9) Back on the policy's properties page, the new security rule appears in the list. Leave only the rule we created checked and uncheck the other default rules.
(10) Finally, and importantly, assign the policy we created; otherwise it has no effect. Right-click "Secure Server" and click "Assign".
(11) Now open a command prompt and use ping to check the communication status. The second computer in this example is 192.168.0.2. After running ping 192.168.0.2 -t we keep seeing "Negotiating IP Security". Why? So far the IPSec policy has only been set on the first computer; the other end has no corresponding policy, so negotiation fails. We must make the same settings on the other computer and assign them there too.
(12) After the policy is configured and assigned on 192.168.0.2, the output changes: once IP security negotiation succeeds, replies arrive from 192.168.0.2.
(13) If we open the IP Security Monitor (ipsecmon), we find corresponding records in its window, and "IP Security is enabled on this computer" is shown in the lower right corner.
So far, the goal of Example 1 has been met: we have successfully used IPSec to protect the data. Now, if another computer that has not enabled IPSec pings this computer, it receives no reply; for example (here the IPSec policy on 192.168.0.1 is not assigned):
2. Packet filtering: this function is also very useful. Many netizens ask how to close a port on a computer or how to stop others from pinging it. A firewall is one solution, but it costs extra money and resources. TCP/IP filtering in the advanced TCP/IP properties is another, but it can only set which ports are open and which are closed. In fact, this requirement can be met entirely with IPSec. Some may ask what a firewall is for, then. As mentioned above, compared with a professional firewall, configuring IPSec is relatively troublesome and not suitable for ordinary users; in addition, current firewalls integrate many other functions, and hardware firewalls consume fewer system resources.
The following example shows how to use IPSec to filter packets and block ICMP, that is, how to stop the host from answering pings. What is actually being blocked is ICMP echo request (type 8, code 0); I will not go into ICMP in detail here. On to the practice (in this example there are two computers: the first has IP address 192.168.0.1 and the second 192.168.0.2; unless stated otherwise, the steps are performed on the second computer):
(1) Open the IPSec console. Because the built-in filter lists and filter actions do not suit our needs, we add our own. Right-click "IP Security Policies" and select "Manage IP filter lists and filter actions".
(2) Select the "Manage IP Filter Lists" tab and click "Add".
(3) Name the IP filter list, for example "ICMP"; you can also enter a description. Click "Add".
(4) The IP Filter Wizard opens; click "Next".
(5) For "Source address" select "My IP Address", that is, the local host, 192.168.0.2. Click "Next".
(6) For "Destination address" select "Any IP Address". If you have configured a firewall, you will notice this step is exactly the same. Click "Next".
(7) For "Protocol type" select "ICMP". There are many protocol types to choose from here, including TCP and UDP. Click "Next".
(8) The IP filter is now created; click "Finish". Note that because ICMP was chosen no port page appeared; had TCP been chosen, a page for the source and destination ports would have followed.
(9) Next we add a filter action that meets our needs: a blocking action. On the "Manage Filter Actions" tab, click "Add".
(10) The IP Security Filter Action Wizard opens; click "Next".
(11) Name the action; here I use "Deny". You can also add a description. Click "Next".
(12) For the action, select "Block". Click "Next".
(13) The filter action is now added. Click "Finish".
(14) The remaining work is to create a new IP security policy that uses the filter list and filter action created above. Go back to the console from step 1 and this time click "Create IP Security Policy". The IP Security Policy Wizard opens; click "Next".
(15) Name the IP security policy; I call it "blocked ICMP". You can also add a description. Click "Next".
(16) Keep "Activate the default response rule" selected and click "Next".
(17) Keep the default value and click "Next".
(18) Click "Finish".
(19) Now configure the policy: click "Add".
(20) The Create IP Security Rule Wizard opens; click "Next".
(21) As in Example 1, select "This rule does not specify a tunnel". Click "Next".
(22) Select "All network connections" and click "Next".
(23) Keep the default authentication method and click "Next".
(24) Select the newly created filter list "ICMP" and click "Next".
(25) Select the newly created filter action "Deny" and click "Next".
(26) The whole setup is now complete. Click "Finish".
(27) Finally, a reminder: the new policy must be assigned.
(28) The figure below shows the change before and after the policy is assigned. After the policy is assigned on 192.168.0.2, the computer 192.168.0.1 no longer receives ICMP replies from it.
Packet filtering therefore took three steps: create an IP filter list and its IP filter, create a filter action, and create an IP security policy. Not every rule needs all of them: the "Deny" filter action, for example, can be reused the next time you block a port.
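The netsh equivalent of Example 2 above, as an added example that is not part of the original article: it builds the same "blocked ICMP" policy from the command line following the policy / filter list / filter action / rule procedure from section 1, and adds what the walk-throughs leave out, namely checking the objects with show before assigning and the unassign-and-delete steps for rolling back. The object names and the 192.168.0.2 host are taken from the article; the echo prompts and pauses are assumptions of this example.

```batch
@echo off
REM Added example: netsh version of Example 2 (block ICMP on this host).
REM Run from an elevated prompt; the IPSEC Services service must be running.

REM 1. Empty policy
netsh ipsec static add policy name="blocked ICMP" description="Drop ICMP to and from this host"

REM 2. Filter action (reusable later by any other block rule)
netsh ipsec static add filteraction name="Deny" action=block

REM 3. Filter list with one filter: my address to any address, protocol ICMP.
REM    mirrored=yes (the default) also matches the inbound direction, which is
REM    what stops this host from answering echo requests.
netsh ipsec static add filterlist name="ICMP" description="All ICMP"
netsh ipsec static add filter filterlist="ICMP" srcaddr=Me dstaddr=Any protocol=ICMP mirrored=yes description="block ping"

REM 4. Rule joining the list and the action inside the policy (transport mode, no tunnel)
netsh ipsec static add rule name="drop icmp" policy="blocked ICMP" filterlist="ICMP" filteraction="Deny"

REM 5. Check what was created BEFORE assigning it. filterlist= and filteraction=
REM    are matched by exact name, so a typo above leaves a rule that refers to
REM    nothing; the verbose listing makes that visible.
netsh ipsec static show policy name="blocked ICMP" level=verbose
netsh ipsec static show rule name="drop icmp" policy="blocked ICMP"
netsh ipsec static show filterlist name="ICMP"

echo Review the output above. Press a key to assign the policy, or Ctrl+C to stop.
pause >nul

REM 6. Assign (activate). Only one local IPSec policy is assigned at a time,
REM    so this replaces any policy that was assigned before.
netsh ipsec static set policy name="blocked ICMP" assign=yes

REM 7. Confirm from the other host: ping 192.168.0.2 should now time out,
REM    while TCP services on this host (e.g. 3389) are unaffected.
echo Test from the other host, then press a key to roll everything back.
pause >nul

REM 8. Rollback: unassign first, then remove the objects in dependency order.
netsh ipsec static set policy name="blocked ICMP" assign=no
netsh ipsec static delete rule name="drop icmp" policy="blocked ICMP"
netsh ipsec static delete policy name="blocked ICMP"
netsh ipsec static delete filterlist name="ICMP"
netsh ipsec static delete filteraction name="Deny"
```

Drop the rollback section (step 8) to keep the policy in place; the Deny action and ICMP list can then be reused by later rules, as the article suggests.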
VIII. Conclusion
From the above we can see that IPSec can really do a lot. If you know the ports of other services, such as Terminal Services or FTP, you can use IPSec to protect their traffic as well. You may wish to do so as soon as possible: who knows whether someone is listening to your traffic?
If you run into problems, try the following checks: confirm that an IPSec policy has been configured at both ends; confirm that the policy has been assigned; check the related entries in the system and security logs; and use the monitor, ipsecmon, from the command line. Finally, I wish you smooth operation and full use of this good Windows 2000 tool!
------------------------------------------
KUKA: IPsec is a very useful thing. Many friends who host servers often worry about security issues. In fact, as long as you make good use of IPSEC and NTFS permissions, most security problems can be solved to a certain extent.

In actual use, we export the rules to a file with the .ipsec extension and then import them:

netsh ipsec static importpolicy file=ThecSafe.ipsec
netsh ipsec static set policy name="classic network dedicated security policy" assign=y
