Connection Security Rules

Applies To: Windows 7, Windows Server 2008

About connection security

Connection security involves authenticating two computers before they begin communications and securing information being sent between two computers. Windows Firewall with Advanced Security incorporates the Internet Protocol security (IPsec) technology to achieve this by using key exchange, authentication, data integrity, and, optionally, data encryption.

Note

Unlike firewall rules, which operate unilaterally, connection security rules require that both computers communicating have a policy with connection security rules or another compatible IPsec policy.

Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create Computer Connection Security rules. However, the creation of a connection security rule does not allow the traffic through the firewall. You must create a firewall rule to do this, if the traffic is not allowed by the default behavior of the firewall. Connection security rules are not applied to programs or services; they are applied between the computers that make up the two endpoints.

Note

As a best practice, give the firewall rules unique names. Unique names make management using the netsh commands much easier.

Authentication

Authentication methods define the requirements for the way in which identities are verified before communications begin. The methods are attempted by each peer in the order they are listed. The two peers must have at least one common authentication method or communication will fail. Creating multiple authentication methods increases the chance that a common method between two computers can be found.

Key exchange

To enable secure communication, two computers must be able to gain the same shared key (session key), without sending the key across a network and compromising the secret.

The Diffie-Hellman algorithm (DH) is one of the oldest and most secure algorithms used for key exchange. The two parties publicly exchange keying information, which this version of Windows additionally protects with a hash function signature. Neither party ever exchanges the actual key; however, after their exchange of keying material, each can generate the identical shared key.

The keying material that the two parties exchange is derived from a standardized set of public DH parameters, known as a DH group. The strength of the DH group is proportional to the strength of the key computed from the DH exchange. Strong DH groups combined with longer key lengths increase the computational difficulty of determining the key.

Windows Firewall with Advanced Security uses the DH algorithm to provide the keying material for all other encryption keys. DH does not provide authentication. In the IPsec implementation of this version of Windows, identities are authenticated after the DH exchange takes place, providing protection against man-in-the-middle attacks.

You can configure key exchange settings on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.
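The following Python script is an added example, not Windows or Microsoft code, illustrating the key exchange described above: each peer keeps a private exponent, sends only its public value, and both arrive at the same shared secret, which is then used only as a seed for the actual integrity and encryption keys. The modulus and generator are the public parameters of Diffie-Hellman group 2 (the 1024-bit MODP group of RFC 2409), transcribed here; the key-derivation and pre-shared-key authentication steps are assumed constructions chosen for illustration and are not the exact IKE schedule.

```python
import hashlib
import hmac
import secrets

# Public parameters of Diffie-Hellman group 2 (RFC 2409): the 1024-bit MODP
# prime and generator 2, transcribed here. A "DH group" is just such a fixed
# (p, g) pair; both peers must agree on it before the exchange starts.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, used to sanity-check the group modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DhPeer:
    """One endpoint of the exchange; only `public` ever leaves the machine."""

    def __init__(self, p=DH_GROUP2_P, g=DH_GROUP2_G):
        if not is_probable_prime(p):
            raise ValueError("refusing a DH modulus that is not prime")
        self.p, self.g = p, g
        self.private = 2 + secrets.randbelow(p - 3)  # secret exponent, never sent
        self.public = pow(g, self.private, p)        # keying material sent on the wire

    def shared_secret(self, peer_public):
        # Reject 0, 1 and p-1, which would force a trivial shared secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_keys(shared_secret, nonce_i, nonce_r):
    """Turn the raw DH secret into separate integrity and encryption keys.
    Assumed construction (HMAC-SHA256 extract-then-expand); IKE's real PRF
    schedule differs in detail, but the principle is the one in the text:
    the DH result seeds every other key and is never used as a key itself."""
    secret = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    skeyseed = hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()
    k_auth = hmac.new(skeyseed, b"integrity", hashlib.sha256).digest()
    k_enc = hmac.new(skeyseed, b"encryption", hashlib.sha256).digest()
    return k_auth, k_enc


def auth_tag(psk, transcript):
    """Identity proof performed after the DH exchange (assumed pre-shared-key
    method): a MAC over everything that crossed the wire. DH alone does not
    authenticate, so a man-in-the-middle could substitute its own public
    values; it cannot produce this tag without the PSK, so the swap is caught."""
    data = b"".join(
        v.to_bytes(128, "big") if isinstance(v, int) else v for v in transcript)
    return hmac.new(psk, data, hashlib.sha256).digest()


def run_exchange():
    """Simulate both peers. Returns (keys_a, keys_b, transcript), where the
    transcript is exactly what a passive observer on the network sees."""
    alice, bob = DhPeer(), DhPeer()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = (alice.public, bob.public, nonce_i, nonce_r)
    keys_a = derive_keys(alice.shared_secret(bob.public), nonce_i, nonce_r)
    keys_b = derive_keys(bob.shared_secret(alice.public), nonce_i, nonce_r)
    return keys_a, keys_b, transcript


if __name__ == "__main__":
    ka, kb, wire = run_exchange()
    print("peers agree on keys:", ka == kb)
    print("observer saw public values of", wire[0].bit_length(), "bits, no private key")
```

Each call to run_exchange() produces fresh private exponents and nonces, so two sessions never share keys; that per-session freshness is what lets IPsec rekey during a conversation without exposing earlier traffic.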

Data protection

Data protection includes both data integrity and data encryption. Data integrity uses message hashes to ensure that information is not being changed while in transit. Hash message authentication codes (HMAC) sign packets to verify that the information received is exactly the same as the information sent. This is called integrity and it is critical when data is exchanged over unsecured media.

The hash is a cryptographic checksum or message integrity code (MIC) that each peer must compute to verify the message. For example, the sending computer uses a hash function and the shared key to compute the checksum for the message and includes it in the packet. The receiving computer performs the same hash function on the received message and shared key and compares the result to the original checksum included in the packet by the sender. If the message has changed in transit, the hash values differ and the packet is rejected.
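To make the sender/receiver steps above concrete, here is an added Python example (not Windows code) of keyed integrity protection on a packet. It appends a truncated HMAC-SHA1 tag as IPsec's HMAC-SHA1-96 does, then shows the receiver accepting an unmodified packet and rejecting a packet whose payload was altered, whose tag was forged, or that arrives at a peer holding a different key. The key and packet contents are constructed for the demonstration.

```python
import hashlib
import hmac

TAG_LEN = 12  # IPsec's HMAC-SHA1-96 transmits only the first 96 bits of the MAC


def protect(key, payload):
    """Sender side: compute the keyed checksum and append it to the packet."""
    tag = hmac.new(key, payload, hashlib.sha1).digest()[:TAG_LEN]
    return payload + tag


def verify(key, packet):
    """Receiver side: recompute the checksum over the received payload and
    compare it with the transmitted one. Returns the payload if they match,
    or None if the packet must be rejected. compare_digest keeps the
    comparison constant-time so timing does not reveal where tags differ."""
    if len(packet) <= TAG_LEN:
        return None  # too short to carry both a payload and a tag
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo():
    """Constructed traffic: a good packet, a payload bit flipped in transit,
    a forged tag, and a receiver holding the wrong key."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")
    packet = protect(key, b"GET /balance?acct=1001")

    tampered = bytearray(packet)
    tampered[-TAG_LEN - 1] ^= 0x01       # flip one bit of the last payload byte
    bad_tag = packet[:-TAG_LEN] + bytes(TAG_LEN)   # attacker cannot compute a tag

    return {
        "good": verify(key, packet),
        "tampered": verify(key, bytes(tampered)),
        "bad_tag": verify(key, bad_tag),
        "wrong_key": verify(b"\x00" * 24, packet),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {'accepted' if result else 'rejected'}")
```

Note that the payload in the protected packet is still readable on the wire: the HMAC proves integrity and origin under the shared key but conceals nothing, which is why confidentiality is a separate, optional encryption step.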

Data encryption uses algorithms to conceal the information being transmitted. In this version of Windows, IPsec uses the United States Data Encryption Standard (DES) to provide confidentiality (data encryption). The DES algorithm was published in 1977 by the United States National Bureau of Standards. Because IPsec provides the ability to frequently regenerate keys during a communication, the entire data set will not be compromised if one DES key is broken.