A security filter ties security protocols to a particular network address. The filter contains the source and destination addresses involved (using a netmask for either specific hosts or networks), the protocol used, and the source and destination ports allowed for TCP and UDP traffic. For example, you can define a filter (as you will see later in this chapter) that specifies exactly what kind of IPSec negotiations you're willing to allow when a machine in your domain contacts a machine in the microsoft.com domain. Recall that IPSec connections have two sides: inbound and outbound. That means that for each connection, you need to have two filters: one inbound and one outbound. The inbound filter is applied when a remote machine requests security on a connection, and the outbound filter is applied before sending traffic to a remote machine.
Let's say that you want to create a rule to allow any machine in the chellis.net domain to use IPSec when talking to any computer in the microsoft.com domain. For this to work, you need the following four filters:
■ A filter for the chellis.net domain for outbound packets with a source of *.chellis.net and a destination of *.microsoft.com. (You can use DNS names and wildcards in filters.)
■ A filter for the chellis.net domain for inbound packets, this time with a source of *.microsoft.com and a destination of *.chellis.net.
■ An inbound filter in the microsoft.com domain that specifies a source of *.chellis.net and a destination of *.microsoft.com.
■ An outbound filter in the microsoft.com domain that specifies a source of *.microsoft.com and a destination of *.chellis.net.
If any of these filters is missing or misconfigured, the IPSec negotiation process will fail and IPSec won't be used. If they're all there, when you try to establish an FTP connection from hawk.chellis.net to exchange.microsoft.com, the outbound filter in your domain will fire and trigger IPSec to request a security negotiation with Microsoft's machine. If everything goes well and the filters are OK, you'll end up with two IPSec SAs on your machine and the connection will be secured.
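The following Python model, added here as an illustration and not taken from the book or from Windows' own IPSec code, shows how the filter fields described above (direction, wildcard DNS or netmask addresses, protocol, port) are matched against a connection, and why the FTP connection from hawk.chellis.net succeeds only when both domains hold their matching filters. The filter names and the simplified "outbound on the sender, inbound on the receiver" check are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    direction: str              # "inbound" or "outbound"
    src: str                    # "*.chellis.net", "10.1.0.0/16", or an exact host
    dst: str
    protocol: str = "any"       # "tcp", "udp", or "any"
    dst_port: Optional[int] = None  # None means any port

def _addr_matches(pattern: str, addr: str) -> bool:
    """Match a DNS wildcard (*.domain), a CIDR netmask, or an exact address."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Wildcard must match a label boundary: "*.chellis.net" does not match "chellis.net.example".
        return addr.lower().endswith(pattern[1:].lower())
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False   # a DNS name cannot match a netmask filter
    return pattern.lower() == addr.lower()

def filter_matches(f: Filter, direction: str, src: str, dst: str,
                   protocol: str, dst_port: int) -> bool:
    return (f.direction == direction
            and _addr_matches(f.src, src) and _addr_matches(f.dst, dst)
            and f.protocol in ("any", protocol)
            and f.dst_port in (None, dst_port))

def ipsec_negotiated(local_filters, remote_filters, src, dst, protocol, dst_port) -> bool:
    """Negotiation starts only if the sender's outbound filter fires AND the
    receiver's inbound filter accepts the request (simplified model)."""
    out_ok = any(filter_matches(f, "outbound", src, dst, protocol, dst_port) for f in local_filters)
    in_ok = any(filter_matches(f, "inbound", src, dst, protocol, dst_port) for f in remote_filters)
    return out_ok and in_ok

# Constructed filter sets mirroring the four filters described in the text.
CHELLIS_FILTERS = [
    Filter("outbound", "*.chellis.net", "*.microsoft.com"),
    Filter("inbound", "*.microsoft.com", "*.chellis.net"),
]
MICROSOFT_FILTERS = [
    Filter("inbound", "*.chellis.net", "*.microsoft.com"),
    Filter("outbound", "*.microsoft.com", "*.chellis.net"),
]
```

Dropping Microsoft's inbound filter (`MICROSOFT_FILTERS[1:]`) makes the same FTP request fail, which is the misconfiguration case the text warns about.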
You normally group filters into filter lists for ease of management. Because you can store any number of individual filters in a filter list, you can easily build rules that enforce complicated behavior and then distribute those rules throughout your network as necessary.