Are you one of those people who, like me, thought that couldn’t be done? Well, read on, because it can!
What am I talking about? I wanted to create an IPsec policy that requires a health certificate. That is, require that the IPsec peer presents a valid certificate which includes the System Health Authentication OID (used by NAP). Since that capability isn’t supported by the old IP Security Policies snap-in, I needed one of the new Connection Security Rules (that is, the new rule type included in the Vista and Server 2008 firewall).
But I also wanted that rule to be port-specific. While that capability is supported by the legacy IP Security snap-in, it’s not exposed by the Connection Security Rules GUI. Lame.
However, the underlying rules engine supports that combination, and the capabilities are exposed by the netsh.exe command-line. Cutting to the chase, here’s an example:
netsh.exe advfirewall consec add rule name=HRweb-Secure endpoint1=10.0.0.3 endpoint2=10.0.0.2 action=requireinrequireout port1=any port2=8000 protocol=tcp auth1=computercert auth1ca="DC=LOCAL, DC=NORTHWIND, CN=NORTHWIND-NORTHWINDDC-CA" auth1healthcert=yes
In summary, that command creates a new connection security rule with the following characteristics:
- The rule applies to traffic exchanged between two IPs, 10.0.0.3 and 10.0.0.2.
- Authentication is required on inbound and outbound traffic.
- The rule applies to traffic originating from any port, but only when destined for port 8000.
- Finally, both parties must present valid certificates issued by the specified CA, and the certs must contain the health OID.
As an aside, regarding the operating environment, the 10.0.0.2 machine is a demo web server and 10.0.0.3 is the client. But keep in mind that IPsec views them as peers.
Important caveat: that rule only gives you integrity, not privacy. That is, the resulting traffic is authenticated and carries a cryptographic checksum, but it’s not encrypted. As I said, this is for a web server, and TLS is being used for encryption. Why bother with IPsec? The health OID! By requiring it, I’m assured that any machine hitting the demo web site has been deemed compliant, based on the current network health policies.
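As an added verification step (this is example code, not from the original post), the following PowerShell reads the rule back with netsh and checks that it carries the characteristics listed above, plus the integrity-only caveat. It assumes English netsh output and the field labels that "consec show rule ... verbose" prints (Endpoint1, Port2, Auth1HealthCert, QuickModeSecMethods and so on); the rule name HRweb-Secure is the one from the command above.

```powershell
# Added example: confirm HRweb-Secure was created as intended.
# Assumes English netsh output and the labels below; run elevated.

function Get-ConsecRule {
    param([Parameter(Mandatory)][string]$Name)
    $raw = netsh.exe advfirewall consec show rule name="$Name" verbose
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$Name'" }
    # netsh prints "Label:   value" lines; fold them into a hashtable.
    $rule = @{}
    foreach ($line in $raw) {
        if ($line -match '^(?<key>[A-Za-z0-9 ]+):\s+(?<value>.*\S)\s*$') {
            $rule[$Matches.key.Trim()] = $Matches.value
        }
    }
    return $rule
}

function Test-HRwebRule {
    param([hashtable]$Rule)
    # Expected values follow the post's netsh command and its bullet list.
    $expected = @{
        'Endpoint1'       = '10.0.0.3'
        'Endpoint2'       = '10.0.0.2'
        'Protocol'        = 'TCP'
        'Port1'           = 'Any'
        'Port2'           = '8000'
        'Action'          = 'RequireInRequireOut'
        'Auth1'           = 'ComputerCert'
        'Auth1HealthCert' = 'Yes'
    }
    $problems = @()
    foreach ($k in $expected.Keys) {
        if ($Rule[$k] -ne $expected[$k]) {
            $problems += "$k is '$($Rule[$k])', expected '$($expected[$k])'"
        }
    }
    # Integrity-only quick mode methods are AH, or ESP with "-None" as the
    # encryption algorithm (assumed label format, e.g. ESP:SHA1-None+60min).
    foreach ($qm in ([string]$Rule['QuickModeSecMethods']) -split ',') {
        if ($qm -and $qm -notmatch '-None' -and $qm -notmatch '^AH') {
            $problems += "QuickModeSecMethods '$qm' offers encryption; this rule is meant to be integrity-only"
        }
    }
    return $problems
}

$problems = Test-HRwebRule (Get-ConsecRule -Name 'HRweb-Secure')
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'HRweb-Secure matches the intended policy' }
```

Any mismatch is reported as a warning naming the field, so a rule that silently picked up an encrypting quick mode method or lost the health-certificate requirement shows up before the demo does.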