Don't Use The Provided Default Ipsec Policies

By Author: SUPHIE
Total Articles: 8
Comment this article

These policies are good example policies. However, most production policies combine factors from these policies and introduce others to meet the custom secure communication needs of the network. Default policies are overwritten during an upgrade and when policies are imported.

Accept unsecured communications on Internet facing connections. OnInternet facing connections, it is not a good idea to have an IPSec policy that will not accept any unsecured communications, nor one that will respond by always requiring IPSec. If you set up the IPSec policy to accept no unsecure communications, a successful DoS attack can occur. To ensure that a policy does not cause this problem, make sure the Accept Unsecured Communications, But Always Respond Using IPSec and Allow Unsecured Communications With Non-IPsec Aware Computer check boxes are cleared.

Don't assume interoperability with all computers and devices on networks. When designing IPSec policies, understand clients, servers, and other

devices on the network and their IPSec capabilities. Some might not be able to use

IPSec, or their IPSec implementation might ...
... not be compatible with Windows.

Learn how to use netsh. Netsh is a good tool for troubleshooting IPSec. It can

also be used to create, assign, and monitor IPSec Policies. Two modes exist: static

and dynamic. Use dynamic mode netsh IPSec commands to configure filters on

the fly.

Do not attempt to use IPSec to protect all communications on a network. The process is just too complex and fraught with opportunities for

error. The use of IPSec for some communications would seem to be the equivalent

to providing bank vaults for pocket change—it's rather unwieldy and more costly

than complete loss of the resource would be.

Configure IPSec protection for startup. The use of startup mode will ensure

that a problem with the network or with Group Policy will not leave the computer

vulnerable.