HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 26

IPsec Basics: IPsec Policy - Action-on-Match


• Source IP: 192.168.0.1
• Destination IP: 192.168.0.25
• IP Protocol Type: TCP
• Source Port: 11125
• Destination Port: 23

This packet doesn’t match Rule 1, Rule 2, or Rule 3. Therefore it falls to the Default Rule which matches everything.

Let’s work through another example. Let’s say the packet that IPsec intercepted has the following values:

• Source IP: 192.168.0.1
• Destination IP: 192.168.0.25
• IP Protocol Type: TCP
• Source Port: 11125
• Destination Port: 9100

This packet would match Rule 2. At this point, no more rules are processed by IPsec since we have a match on Rule 2.

Well, we’ve covered a part of IPsec Policy – Packet Matching. Now, what happens when we have a match? IPsec performs the requested operation in the Action-on-Match column.

IPsec Basics: IPsec Policy – Action-on-Match

From Table 1, we can see that there are three primary actions: Drop, Allow without IPsec Protection, and Require IPsec Protection.

Referring back to Figure 22, we can see that the Drop action essentially discards the packet. This packet never makes it to the Ethernet layer. This setting is useful to prevent unauthorized networking traffic from applications.

The “Allow without IPsec Protection” action allows a packet to proceed to the Ethernet layer as if it were never intercepted. In short, it is transmitted on the wire normally without the protections of IPsec. There are some situations where this behavior is required. For instance, there may be a service such as WINS that has many different clients, some supporting IPsec and some that do not. A network administrator may decide it is easier to not protect this protocol to prevent issues with devices that do not support IPsec. The IPsec policy gives them this flexibility.
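
The first-match evaluation and the three actions described above, as an added example that is not part of the HP document. Table 1 is not reproduced on this page, so the rule selectors and the Default Rule's Drop action are constructed assumptions; only Rule 2 matching TCP port 9100 and the catch-all Default Rule follow the text. The `shadowed` check goes beyond the text: it flags rules that can never fire because an earlier rule already covers them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DROP, ALLOW, REQUIRE = "Drop", "Allow without IPsec Protection", "Require IPsec Protection"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR for the source address
    dst: str               # CIDR for the destination address
    proto: Optional[str]   # "TCP" / "UDP"; None matches any protocol
    dport: Optional[int]   # destination port; None matches any port
    action: str

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))

# Constructed policy (assumption): Rule 1, Rule 3 and the Default action are placeholders.
POLICY = [
    Rule("Rule 1", "0.0.0.0/0", "192.168.0.25/32", "UDP", 137, ALLOW),
    Rule("Rule 2", "192.168.0.0/24", "192.168.0.25/32", "TCP", 9100, REQUIRE),
    Rule("Rule 3", "192.168.0.0/24", "192.168.0.25/32", "TCP", 443, REQUIRE),
    Rule("Default Rule", "0.0.0.0/0", "0.0.0.0/0", None, None, DROP),
]

def evaluate(policy, pkt):
    """First match wins: return (rule name, action) and stop processing."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.name, rule.action
    raise ValueError("policy has no catch-all Default Rule")

def shadowed(policy):
    """Pairs (unreachable rule, earlier rule that covers it)."""
    return [(late.name, early.name) for i, late in enumerate(policy)
            for early in policy[:i] if early.covers(late)]

# The two packets worked through in the text.
TELNET = {"src": "192.168.0.1", "dst": "192.168.0.25", "proto": "TCP", "dport": 23}
PRINT = {"src": "192.168.0.1", "dst": "192.168.0.25", "proto": "TCP", "dport": 9100}
```

Moving the Default Rule to the top of the list makes every later rule unreachable, so the port 9100 packet would no longer receive the Require IPsec Protection action; `shadowed` reports exactly that ordering error.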

The most interesting action on match is the “Require IPsec Protection” action. The drivers for the parameters associated with IPsec would be an Information Protection Policy subset of the overall company’s Security Policy. An extremely basic example of an Information Protection Policy:

“When printing or digitally sending confidential or secret data documents on the company network (Intranet), a well regarded networking security protocol should be used that implements confidentiality, authentication, and integrity with cryptographic algorithms deemed highly secure as of Summer 2008. This policy will be forced through Active Directory policy distribution and the designation of sensitive data printing and imaging devices with reduced employee accessibility.”

We can see how the proper implementation of this policy would have protected the documents from Jane in our “case-study” example. Let’s see how we would translate the general policy into something specific that IPsec can understand. Let’s expand on Rule 2 from Table 1 and focus in on the appropriate columns in the IPsec Policy.