Here are some best practices to follow when creating IPsec policies for Windows hosts. Most of these came from Jason Fossen, the author of the SANS 505 Windows Security course.
- Heavy use of IPSec can affect CPU utilization. Adjust IPSec security to lower settings if possible when CPU utilization becomes an issue. Additional CPU resources or IPSec-offload cards may also be used.
- The built-in IPSec policies should be deleted. All policies should be created from scratch.
- Give each Policy, Rule, Action, and Filter a descriptive and standardized name and brief description.
- Create multiple IPSec rules within a policy instead of creating one large rule with complex filters.
IP Filter Lists
- Select mirroring whenever possible when creating filter lists to simplify rules and make filters easier to understand.
- When creating filter actions be aware that filter lists process from most-specific to least-specific.
- Always use custom security methods when creating filter actions so that the settings are always known.
- When “block” is used in a filter action it does not return ICMP unreachable to the client like “reject” in a firewall.
Internet Key Exchange (IKE) Phase I and II
- IPSec Phase I and Phase II can be configured to use MD5 instead of SHA1 in order to lower CPU utilization with only a slight loss in overall security. HMAC-MD5 is not as vulnerable as raw MD5.
- IPSec Phase I should use 3DES and Diffie-Hellman group “Medium(2)” or higher. All offerings with DES and DH groups less than “Medium(2)” should be removed and not just moved to the bottom of the list.
- IPSec Phase I should be configured to rekey and re-authenticate based on time, not number of sessions.
- “Allow fallback to unsecured communications if a secure connection can not be established” should not be used as it causes the policy to “fail open” and may defeat the purpose of implementing IPSec. However, the setting may need to be turned on temporarily to allow a new host to receive the policy. For example, when adding a new Domain Controller if all DC-to-DC traffic is being encrypted.
- Use certificates or Kerberos v5 instead of preshared keys whenever possible. The preshared key is stored as cleartext in the registry. When IPSec policies are applied with Group Policy, authenticated users can read the preshared key by default.
- Domain members on the intranet should be configured to authenticate with Kerberos v5. Non-domain members and hosts across the Internet should use certificates for authentication.
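The following script is an added example that puts the practices above into one from-scratch policy using the legacy netsh ipsec static context; it is not from the original page or from the SANS course material. The intranet subnet 10.0.0.0/8, the partner address 203.0.113.10, the policy and rule names, and the root CA name are placeholders chosen for illustration.

```powershell
# Added example: build an IPsec policy from scratch with descriptive names,
# mirrored filters, custom security methods, no DES/DH1 offers, time-based
# rekeying, no fallback to cleartext, and Kerberos/certificate authentication.
# Placeholders (adjust for your environment):
#   10.0.0.0/8                  = intranet subnet of domain members
#   203.0.113.10                = non-domain partner host across the Internet
#   "CN=Corp Root CA, O=Example" = root CA that issues the partner's certificate
# Run from an elevated prompt on the host (or push the same policy via Group Policy).

$Policy = "Srv-RequireESP"   # standardized, descriptive names throughout

# Main mode (Phase I): offer only 3DES/SHA1 with DH group 2 ("Medium(2)").
# DES and DH group 1 are absent from the list, not merely moved to the bottom.
# mmlifetime (minutes) drives rekey/re-authentication by time; qmpermm=0 removes
# the per-session limit so session count never triggers re-authentication.
netsh ipsec static add policy name="$Policy" `
    description="Require ESP from intranet (Kerberos) and partner (certificate)" `
    mmsecmethods="3DES-SHA1-2" mmlifetime=480 qmpermm=0 mmpfs=no `
    activatedefaultrule=no assign=no

# Mirrored filter lists: one filter covers both directions of each conversation.
netsh ipsec static add filterlist name="FL-Intranet" description="Me <-> 10.0.0.0/8, mirrored"
netsh ipsec static add filter filterlist="FL-Intranet" srcaddr=me `
    dstaddr=10.0.0.0 dstmask=255.0.0.0 protocol=ANY mirrored=yes `
    description="All traffic between this host and the intranet"

netsh ipsec static add filterlist name="FL-Partner" description="Me <-> partner host, mirrored"
netsh ipsec static add filter filterlist="FL-Partner" srcaddr=me `
    dstaddr=203.0.113.10 dstmask=255.255.255.255 protocol=ANY mirrored=yes `
    description="All traffic between this host and the partner host"

# Custom quick mode (Phase II) method so the settings are always known: ESP with
# 3DES/SHA1, rekeyed every 3600 s or 100000 KB. soft=no disables "allow fallback
# to unsecured communications" (no fail-open); inpass=no refuses unsecured inbound.
netsh ipsec static add filteraction name="FA-RequireESP" `
    description="Negotiate ESP 3DES/SHA1; never fall back to cleartext" `
    action=negotiate qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" soft=no inpass=no

# Two small rules instead of one rule with a complex filter list.
# Domain members on the intranet authenticate with Kerberos v5 ...
netsh ipsec static add rule name="R-Intranet-Kerberos" policy="$Policy" `
    filterlist="FL-Intranet" filteraction="FA-RequireESP" kerberos=yes `
    description="Intranet peers authenticate with Kerberos v5"
# ... and the non-domain partner across the Internet uses a certificate, never a preshared key.
netsh ipsec static add rule name="R-Partner-Cert" policy="$Policy" `
    filterlist="FL-Partner" filteraction="FA-RequireESP" `
    rootca="CN=Corp Root CA, O=Example" `
    description="Partner authenticates with a certificate chained to the corp root CA"

# Assign only after every rule exists; review the result with: netsh ipsec static show all
netsh ipsec static set policy name="$Policy" assign=yes
```

If a new host must receive the policy before it can negotiate (the Domain Controller case above), set soft=yes on the filter action only for that window and change it back to soft=no afterwards.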