The final three parameters correspond to three check boxes in the GUI of an
IPsec filter action. The first check box is Accept unsecured communication,
but always respond using IPSec. Suppose you have an XP box with a basic
IPsec rule in place: This computer sends encrypted responses when it's asked
to do so, but it never initiates encryption. If that XP system tries to retrieve
Web content on your secured Web server, the Web server will accept the HTTP
request but respond in encrypted IPsec. At this point, the client either doesn't
understand IPsec and simply stops communicating, or it does understand and starts
replying via IPsec. Selecting this check box isn't necessarily a bad idea—in
fact, if you intend to equip your client systems with only the built-in IPsec
policy named Client (Respond Only), you'll have to select it—but I don't
like it. Plenty of Web applications stuff authentication details into the initial
HTTP request, so I'm uncomfortable with the possibility that even the first
communication to a secure Web server might travel in clear text. The inpass=no
parameter clears that check box and avoids any chance of clear text occurring
on the introductory communication.
The Allow unsecured communications with non-IPSec-aware computers check
box is a terribly bad idea. Essentially, it requests encrypted communications
from clients, but if they're unable to accommodate that request, the unsecure
communications are permitted anyway. Remember, folks, malicious users don't
need all your passwords; they need only one. The soft=no parameter clears
that check box.
Finally, the qmpfs=yes parameter modifies the way IPsec changes its
encryption/ signing keys. To thwart malicious users, IPsec regularly changes
cryptographic keys. (You can configure IPsec to rekey as often as you want.)
The new keys are mathematically related to the previous keys; therefore, if
a key is compromised, an intruder might be able to figure out the subsequent
keys. If you don't mind a slight performance slowdown, enable the Use session
key perfect forward secrecy check box. By doing so, you enable a different
approach to generating new keys. Instead of generating a key based on the previous
key, IPsec reauthenticates the two parties and lets the authentication mechanism—Kerberos,
in our case—generate a new key that's completely unrelated to the previous
keys.
Choosing qmpfs=yes reauthenticates with every key.
What's the Rule?
To create the rule, we'll combine the filter list, the filter action, and the
third item that we didn't need last month: authentication. IPsec supports three
approaches: a shared secret password (a terrible idea except in testing situations),
the built-in Kerberos infrastructure that connects every system in an Active
Directory (AD) forest, or an X.509 certificate exchange. Windows IPsec uses
Kerberos by default, and I'll use that for this example. The Netsh command to
build the rule looks like
netsh ipsec static add rule name="Encrypt 80"
policy="Require encryption on Web
"filterlist="80 in or out" filteraction="
force triple DES" Kerberos=yes desc="Secures Web traffic"
The Add Rule parameter is present because we're adding a rule. Next, the command
names the rule and names the policy that includes this rule. (You can't use
rules in more than one policy.) Then, the command names the filter list and
filter action. The Kerberos=yes parameter specifies Kerberos authentication,
and the command ends with a description. Now, you need only enable the policy,
as we did last month, or go to the GUI to get it going.
Microsoft on Tuesday announced that it would retire its $50-a-year security subscription product, Windows Live OneCare, and replace it with a free solution codenamed "Morro." Unlike OneCare, however, Morro will focus only on core anti-malware features and ...
Xbox 360 owners who logon to the system's Xbox Live system this morning will receive the most significant functional change yet to the console's user interface, or dashboard. Dubbed the New Xbox Experience, this new front-end features a completely new ...
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
You've Deployed SharePoint...Now What? This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions
What Would You Do If You Ran Microsoft? ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.
Maximize Your SharePoint Investment This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.
Register
