
Work tips to get rid of networking anxiety
Let's communicate safely with firewall and IPsec
The Private Information Protection Law has pushed businesses toward stronger security measures, yet we still see headlines such as "100 customers' information leaked".
Once such an incident or accident occurs, the consequences are serious for both the company and the affected individuals. PCs that hold important information need more than strict information management.
Given these circumstances, what advantage does deploying Vista and IPv6 bring? IPv6 supports IPsec, which performs encryption and authentication at the protocol level, and Vista can use it as well.
In addition, the firewall built into Vista fully supports IPv6, unlike the one in Windows XP.
Vista's firewall feature supports IPv6 and can be used in the same way as the IPv4 firewall. In this article, however, we look at ways of using it that are specific to IPv6.
IPv6 and address filter
The basic idea of a firewall is to secure communication by restricting the peers or ports that may communicate. With IPv4, specifying addresses was not difficult.
Specifying IPv6 addresses, however, is cumbersome, and cumbersome means more chances for mistakes. A Vista PC is assigned multiple IPv6 addresses (multihoming), so it is not easy to know which address will be used for a given communication. Addresses may also change, as with mobile or temporary addresses.
In this article, we go over how to filter by IP address and then introduce a way of protecting communication that is specific to IPv6 on Vista.
Using address filter
With Vista, you can take the firewall approach you already know from XP and apply it to IPv6. First, open Windows Firewall in Control Panel and click Change Settings.
This is the window you are used to from XP. Choose the Exceptions tab to add ports.
The window for adding ports appears; enter the name and port number, exactly as in XP. The difference appears when you click the Change Scope button.
An IPv6 address is shown as an example of network address input. With XP you had to use the command line (netsh), but now you can enter it through the GUI.
Program-specific filtering can likewise be scoped to IPv6 addresses, as shown above.
For more detailed settings, see "What IPv6 changes were made in Windows Vista beta 2? PART 2".
Vista-specific way?
As explained above, the firewall settings you used for XP and IPv4 carry over naturally to Vista and IPv6. But as mentioned earlier, specifying IPv6 addresses directly involves many restrictions, so let me introduce a technique that uses IPsec instead. It relies on the IPsec authentication explained in PART 2.
For example, suppose you want to reach your office or home PC through dialup or some other link from an Internet cafe or a customer site. One way to apply filtering is to fix the IPv6 address of your PC and apply packet filtering on the receiving end. With the OCN IPv6 service, you can in fact keep the same IPv6 address regardless of which provider you connect through (support issues aside). In addition, Vista has Teredo, another way to obtain an IPv6 address. The two methods can coexist, giving one PC two IPv6 addresses.
Which IPv6 address is then used when communicating with the outside? The answer is: it depends. That makes filtering difficult, and this is where IPsec authentication can help.
Filtering setting using IPsec
This operation requires you to log in as an administrator. In Control Panel, choose Administrative Tools, then Windows Firewall.
Configure IPsec as explained in PART 2. Then make the application-specific settings on the receiving PC.
Specifically, select the inbound rules; the rules appear on the right. Choose the application for which you want to allow inbound traffic and change its settings.
The window above shows the setting that allows only IPsec traffic for inbound Network Projector communication. Select the radio button "Allow only secure connections" and check Require encryption.
Now an inbound connection is not allowed unless IPsec is in use. Be careful to keep the ordinary firewall settings and the settings made here consistent: a connection is denied if either of the two kinds of rules blocks it, so check both when communication fails.
Relationship between log setting and two firewalls
You could say that Vista has two kinds of firewalls: the ordinary firewall, and the security-enhanced one just explained.
Because of this, several settings procedures differ from those of the XP firewall. The biggest difference is the log setting.
Logging is configured in Windows Firewall with Advanced Security: click Windows Firewall Properties under Public Profile, and the configuration window appears.
Remember that the settings in this window are linked to the ordinary firewall settings. Keeping that in mind will save you trouble with firewall configuration.
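As an added example that is not part of the original article, the following batch script expresses the three GUI procedures above (address-scoped filtering, the IPsec-only rule, and logging) as netsh advfirewall commands for an elevated Command Prompt on Vista. The program path and the 2001:db8:: addresses are constructed placeholders, and the IPsec connection security policy itself is assumed to have been configured as described in PART 2.

```batch
@echo off
rem Added example, not from the original article. Run from an elevated Command Prompt.
rem "C:\Path\To\YourApp.exe" and the 2001:db8:: addresses are constructed placeholders.

rem --- Approach 1: address filter (section "Using address filter") ---
rem Allow one program inbound only from two fixed IPv6 addresses. As the article
rem notes, if the client happens to send from its Teredo address (2001:0::/32)
rem instead of the fixed one, this rule does not match and the packet is dropped.
netsh advfirewall firewall add rule name="Example app (IPv6 address scope)" dir=in action=allow program="C:\Path\To\YourApp.exe" remoteip=2001:db8:1::10,2001:db8:1::11 profile=any

rem --- Approach 2: IPsec filter (section "Filtering setting using IPsec") ---
rem security=authenc is the command-line form of "Allow only secure connections"
rem plus "Require encryption": the inbound connection is accepted only when it is
rem IPsec-authenticated and encrypted, whichever client IPv6 address it came from.
rem The IPsec (connection security) policy is configured as in PART 2, not here.
netsh advfirewall firewall add rule name="Example app (IPsec required)" dir=in action=allow program="C:\Path\To\YourApp.exe" security=authenc profile=any

rem Pick one approach per program. Inbound allow rules are independent of each
rem other: a connection matching either allow rule is accepted, so leaving the
rem address-scoped rule active alongside the IPsec rule would let unprotected
rem traffic from the listed addresses in. Review what is actually in effect:
netsh advfirewall firewall show rule name="Example app (IPv6 address scope)" verbose
netsh advfirewall firewall show rule name="Example app (IPsec required)" verbose

rem --- Logging (section "Relationship between log setting and two firewalls") ---
rem Logging is a per-profile setting of Windows Firewall with Advanced Security,
rem not of the classic Control Panel firewall; this matches the Public Profile
rem properties window described above. Dropped packets go to pfirewall.log.
netsh advfirewall set publicprofile logging droppedconnections enable
netsh advfirewall set publicprofile logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall show publicprofile
```

When troubleshooting a failed connection, the "Security:" field in the verbose rule output tells you whether a rule demands IPsec, and the dropped-packet log shows which remote IPv6 address the client actually used.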