In the previous article I showed how to use the Windows Defender Firewall to defend against trojan threats. Here I continue with a little-known advanced feature of the Defender firewall: building a secure IPsec tunnel between Windows hosts.
First, the concept of a VPN. VPN stands for virtual private network and is an umbrella term for a family of network encryption technologies. Common VPN types are IPsec, OpenVPN, PPTP and L2TP. IPsec is the most widespread of these, being supported by most network security devices (firewalls, routers and so on) and operating systems; Windows Defender Firewall supports only IPsec.
In a network defence architecture, VPN technology is mainly used to build encrypted communication channels so that traffic crossing untrusted networks cannot be eavesdropped on. Common untrusted networks are:
- the network between cloud hosts
- the network an IDC-hosted server sits in
- the network between company headquarters and branch offices
- the network between a home computer and the company's servers
Because these networks are outside our own control we call them untrusted; traffic that crosses them is inevitably exposed to security threats, and deploying a VPN is an effective defence against those risks.
Without further ado, to the point. The example below uses two IPs, 192.168.30.11 and 192.168.30.15. We need to encrypt the traffic from 192.168.30.11 to port 445 on 192.168.30.15 so that it travels through an IPsec VPN tunnel. There are three main steps:
1. Allow ESP, AH and IKE traffic through the firewall
Strictly speaking IPsec is not a single protocol but a technology made up of several: ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP port 500). For IPsec to work, these must be allowed in and out of the firewall:
```
netsh advfirewall firewall add rule name="AllowESP" dir=out protocol=50 action=allow
netsh advfirewall firewall add rule name="AllowESP" dir=in protocol=50 action=allow
netsh advfirewall firewall add rule name="AllowAH" dir=out protocol=51 action=allow
netsh advfirewall firewall add rule name="AllowAH" dir=in protocol=51 action=allow
netsh advfirewall firewall add rule name="AllowIKE" dir=out protocol=udp remoteport=500 action=allow
netsh advfirewall firewall add rule name="AllowIKE" dir=in protocol=udp remoteport=500 action=allow
```
2. Configure the IPsec policy
The configuration on 192.168.30.11 and on 192.168.30.15 is identical apart from the rule name. Its parameters are the endpoints, the protocol, the authentication method and the shared key:
```
netsh advfirewall consec add rule name="V_to_192.168.30.15" endpoint1=192.168.30.15 endpoint2=192.168.30.11 port1=445 port2=any protocol=tcp auth1=ComputerPSK auth1psk=This1s@key action=RequireInRequireOut
```
3. Configure the firewall rules that allow the encrypted traffic
These restrict 192.168.30.11 to reaching port 445 on 192.168.30.15 only through the IPsec tunnel.
On 192.168.30.11:
```
netsh advfirewall firewall add rule name="AllowV_to_192.168.30.15_445" dir=out protocol=TCP localip=192.168.30.11 remoteip=192.168.30.15 remoteport=445 security=authenc action=allow
```
On 192.168.30.15:
```
netsh advfirewall firewall add rule name="AllowV_from_192.168.30.11_445" dir=in protocol=TCP localip=192.168.30.15 remoteip=192.168.30.11 localport=445 security=authenc action=allow
```
Combined with the commands from the previous article, the final configuration for 192.168.30.11 is:
```
netsh advfirewall reset
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall set rule name=all new enable=no
netsh advfirewall firewall add rule name="AllowDNS" dir=out protocol=UDP remoteip=dns action=allow
netsh advfirewall firewall add rule name="AllowDHCP" dir=out remoteip=dhcp action=allow
netsh advfirewall firewall add rule name="AllowDHCP" dir=in remoteip=dhcp action=allow
netsh advfirewall firewall add rule name="AllowWindowsUpdate" dir=out program="C:\Windows\System32\svchost.exe" service=wuauserv protocol=tcp remoteport=443,80 action=allow
netsh advfirewall firewall add rule name="Chrome" dir=out program="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" action=allow
netsh advfirewall firewall add rule name="GoogleUpdateService" dir=out service=gupdate action=allow
netsh advfirewall firewall add rule name="GoogleUpdatemService" dir=out service=gupdatem action=allow
netsh advfirewall firewall add rule name="AllowESP" dir=out protocol=50 action=allow
netsh advfirewall firewall add rule name="AllowESP" dir=in protocol=50 action=allow
netsh advfirewall firewall add rule name="AllowAH" dir=out protocol=51 action=allow
netsh advfirewall firewall add rule name="AllowAH" dir=in protocol=51 action=allow
netsh advfirewall firewall add rule name="AllowIKE" dir=out protocol=udp remoteport=500 action=allow
netsh advfirewall firewall add rule name="AllowIKE" dir=in protocol=udp remoteport=500 action=allow
netsh advfirewall firewall add rule name="AllowV_to_192.168.30.15_445" dir=out protocol=TCP localip=192.168.30.11 remoteip=192.168.30.15 remoteport=445 security=authenc action=allow
netsh advfirewall consec add rule name="V_to_192.168.30.15" endpoint1=192.168.30.15 endpoint2=192.168.30.11 port1=445 port2=any protocol=tcp auth1=ComputerPSK auth1psk=This1s@key action=RequireInRequireOut
```
The final configuration for 192.168.30.15 is:
```
netsh advfirewall reset
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall set rule name=all new enable=no
netsh advfirewall firewall add rule name="AllowDNS" dir=out protocol=UDP remoteip=dns action=allow
netsh advfirewall firewall add rule name="AllowDHCP" dir=out remoteip=dhcp action=allow
netsh advfirewall firewall add rule name="AllowDHCP" dir=in remoteip=dhcp action=allow
netsh advfirewall firewall add rule name="AllowWindowsUpdate" dir=out program="C:\Windows\System32\svchost.exe" service=wuauserv protocol=tcp remoteport=443,80 action=allow
netsh advfirewall firewall add rule name="Chrome" dir=out program="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" action=allow
netsh advfirewall firewall add rule name="GoogleUpdateService" dir=out service=gupdate action=allow
netsh advfirewall firewall add rule name="GoogleUpdatemService" dir=out service=gupdatem action=allow
netsh advfirewall firewall add rule name="AllowESP" dir=out protocol=50 action=allow
netsh advfirewall firewall add rule name="AllowESP" dir=in protocol=50 action=allow
netsh advfirewall firewall add rule name="AllowAH" dir=out protocol=51 action=allow
netsh advfirewall firewall add rule name="AllowAH" dir=in protocol=51 action=allow
netsh advfirewall firewall add rule name="AllowIKE" dir=out protocol=udp remoteport=500 action=allow
netsh advfirewall firewall add rule name="AllowIKE" dir=in protocol=udp remoteport=500 action=allow
netsh advfirewall firewall add rule name="AllowV_from_192.168.30.11_445" dir=in protocol=TCP localip=192.168.30.15 remoteip=192.168.30.11 localport=445 security=authenc action=allow
netsh advfirewall consec add rule name="V_to_192.168.30.11" endpoint1=192.168.30.15 endpoint2=192.168.30.11 port1=445 port2=any protocol=tcp auth1=ComputerPSK auth1psk=This1s@key action=RequireInRequireOut
```
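The same three steps as one parametrised script, added here as an example and not taken from the original post. It uses the NetSecurity PowerShell cmdlets (the modern equivalent of `netsh advfirewall`) so that the identical script can be run on both hosts, and it ends with a check that the IPsec security associations actually came up, which the netsh commands above do not show. Assumptions: Windows 8 / Server 2012 or later, an elevated PowerShell session, the `-Role` parameter and the rule names are my own convention, and the pre-shared key is passed in rather than written into the script.

```powershell
# Added example: the three steps from the post (allow ESP/AH/IKE, add the
# connection security rule, allow the flow only when IPsec-protected) as
# NetSecurity cmdlets, plus a check that the SAs exist. Role 'Client' is the
# host that initiates (192.168.30.11 in the post); 'Server' owns the port.
param(
    [Parameter(Mandatory)][string]$LocalIP,       # e.g. 192.168.30.11
    [Parameter(Mandatory)][string]$RemoteIP,      # e.g. 192.168.30.15
    [Parameter(Mandatory)][int]$Port,             # protected TCP port, e.g. 445
    [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Role,
    [Parameter(Mandatory)][string]$PreSharedKey   # must be identical on both hosts
)

# Step 1: let the IPsec protocols through the host firewall in both directions.
# IKE uses UDP 500 on both ends; behind a NAT, IKE NAT-T and UDP-encapsulated
# ESP additionally use UDP 4500, which this (like the post) does not open.
foreach ($dir in 'Inbound','Outbound') {
    New-NetFirewallRule -DisplayName "AllowESP-$dir" -Direction $dir -Protocol 50 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "AllowAH-$dir"  -Direction $dir -Protocol 51 -Action Allow | Out-Null
}
New-NetFirewallRule -DisplayName "AllowIKE-In"  -Direction Inbound  -Protocol UDP -LocalPort 500  -Action Allow | Out-Null
New-NetFirewallRule -DisplayName "AllowIKE-Out" -Direction Outbound -Protocol UDP -RemotePort 500 -Action Allow | Out-Null

# Step 2: connection security rule. Computer authentication with a pre-shared
# key, IPsec required inbound and outbound for this TCP flow only.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "PSK-$RemoteIP" -Proposal $proposal
if ($Role -eq 'Client') { $lp = 'Any'; $rp = $Port } else { $lp = $Port; $rp = 'Any' }
New-NetIPsecRule -DisplayName "V_to_$RemoteIP" `
    -LocalAddress $LocalIP -RemoteAddress $RemoteIP `
    -Protocol TCP -LocalPort $lp -RemotePort $rp `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name | Out-Null

# Step 3: allow the flow only when it is authenticated AND encrypted by IPsec
# (the cmdlet form of netsh's security=authenc). With the default block-all
# policy from the previous article, unprotected traffic to the port is dropped.
if ($Role -eq 'Client') {
    New-NetFirewallRule -DisplayName "AllowV_to_${RemoteIP}_$Port" -Direction Outbound `
        -Protocol TCP -LocalAddress $LocalIP -RemoteAddress $RemoteIP -RemotePort $Port `
        -Authentication Required -Encryption Required -Action Allow | Out-Null
} else {
    New-NetFirewallRule -DisplayName "AllowV_from_${RemoteIP}_$Port" -Direction Inbound `
        -Protocol TCP -LocalAddress $LocalIP -RemoteAddress $RemoteIP -LocalPort $Port `
        -Authentication Required -Encryption Required -Action Allow | Out-Null
}

# Verification: once the client touches the port, both hosts should hold a
# main-mode (IKE) and a quick-mode (ESP) SA with the peer. No SA means IKE
# never completed: mismatched PSK, ESP/IKE dropped somewhere on the path, or
# the peer has not been configured yet.
if ($Role -eq 'Client') { Test-NetConnection -ComputerName $RemoteIP -Port $Port | Out-Null }
$mm = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndPoint -eq $RemoteIP }
$qm = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndPoint -eq $RemoteIP }
if ($mm -and $qm) {
    "IPsec SAs established with $RemoteIP (main mode: $(@($mm).Count), quick mode: $(@($qm).Count))"
} else {
    "No IPsec SA with $RemoteIP - check the PSK on both ends, the ESP/IKE rules and the peer's rule"
}
```

Run it on 192.168.30.11 as `-LocalIP 192.168.30.11 -RemoteIP 192.168.30.15 -Port 445 -Role Client` and on 192.168.30.15 with the IPs swapped and `-Role Server`. The same SA check is available from netsh as `netsh advfirewall monitor show mmsa` and `netsh advfirewall monitor show qmsa`, which is the quickest way to tell "encrypted as intended" from "silently blocked" when the port stops answering.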
The commands above can be copied and pasted directly; only the IP addresses need changing. Compared with the graphical interface, configuring with netsh is far easier. The picture below shows the final result:
![2abbe5393536dca97518214e9389871d.png](https://i-blog.csdnimg.cn/blog_migrate/f225d6946fec3e10291b51984c688c54.jpeg)
That is how to build an IPsec VPN tunnel with Windows Defender. As always, I hope you can adapt these ideas to your own situation. Watch for my future technical posts; I will share as much network and information security knowledge as I can. Thank you!