Block Ping Traffic with IPSec

How can I configure a Windows 2000/XP/2003 computer to block Ping packets?
Windows 2000/XP/2003 machines have a built-in IP security mechanism called IPSec (IP Security). IPSec is a protocol that’s designed to protect individual TCP/IP packets traveling across your network by using public key encryption. In a nut shell, the source PC encapsulates the normal IP packet inside of an encrypted IPSec packet. This packet then remains encrypted until it arrives at the destination PC.

This is not the place for a more detailed intro to the IPSec features, but know that besides encryption, IPSec will also let you protect and configure your server/workstation with a firewall-like mechanism.
How can you protect your computer with IPSec? Simply by creating a policy element that will tell the computer to block all the specific IP traffic that is configured by those rules.

Block PING on a single computer

To block all PING traffic to and from a computer you need to create an IPSec policy that will block all ICMP traffic.
Check to see if the computer responds to PING requests by pinging it:
 
To configure a single computer follow these steps:
Configuring IP Filter Lists and Filter actions

1. Open an MMC window (Start > Run > MMC).
2. Add the IP Security and Policy Management Snap-In.

3. In the Select which computer this policy will manage window select the local computer (or any other policy depending upon your needs). Click Close then click Ok.

4. Right-click IP Security Policies in the left pane of the MMC console. Select Manage IP Filter Lists and Filter Actions.

5. You do not need to configure a specific IP Filter for ICMP (the protocol used by PING) because such a filter already exists by default – All ICMP Traffic.

 
However you might want to configure a more specific IP Filter for ICMP. For example, lets say you wish to prevent a server from answering all PINGS except for specific PINGs sent by a specific computer used by the Help Desk department. In that case you should add a new IP Filter and use your defined source and Destination IP Addresses, and the ICMP protocol. See Block Web Browsing but Allow Intranet Traffic with IPSec for examples on how to create IP Filters.

6. In the Manage IP Filter Lists and Filter actions review your filters and if all are set, click on the Manage Filter Actions tab. Now we need to add a filter action that will block our designated traffic, so click Add.

7. In the Welcome screen click Next.
8. In the Filter Action Name type Block and click Next.

9. In the Filter Action General Options click Block then click on Next.

10. Back in the Manage IP Filter Lists and Filter actions review your filters and if all are set, click on the Close button. You can add Filters and Filter Actions at any time.

 
Next step is to configure the IPSec Policy and to assign it.
Configuring the IPSec Policy

1. In the same MMC console right-click IP Security Policies on Local Computer and select Create IP Security Policy.

2. In the Welcome screen click Next
3. In the IP Security Policy Name enter a descriptive name, such as “Block PING”. Click Next

4. In the Request for Secure Communication window click to clear the Active the Default Response Rule check-box. Click Next

5. In the Completing IP Security Policy Wizard window, click Finish.

6. We now need to add the various IP Filters and Filter Actions to the new IPSec Policy. In the new IPSec Policy window click Add to begin adding the IP Filters and Filter Actions.

7. In the Welcome window click Next.
8. In the Tunnel Endpoint make sure the default setting is selected and click Next.

9. In the Network Type windows select All Network Connections and click Next.

10. In the IP Filter List window select “All ICMP Traffic” (or any other IP Filter configured in step #5 at the beginning of this article). If, for some reason, you did not previously configure the right IP Filter, then you can press Add and begin adding it now. When done, click Next.

11. In the Filter Action window select “Block”. Again, if you did not previously configure the right Filter Action, you can now press Add and begin adding it now. When done, click Next.

12. Notice how the IP Filter has been added.

 
Again, you can add any combination of IP Filters and Filter Actions you like.
Notice that you cannot change their order like in other full-featured firewalls. Even so, this configuration works perfectly as you will soon discover.
The next phase is to assign the IPSec Policy.
Assigning the IPSec Policy

1. In the same MMC console, right-click the new IPSec Policy and select Assign.

 
Done, you can now test the configuration by trying to surf to restricted and unrestricted websites.

Blocking more than one computer

Blocking of more than one computer can be done in 2 ways:

• Exporting and Importing IPSec Policies
• Configuring IPSec Policies through GPO

Either way, both methods can be used to prevent a number of computers from using ICMP (or for any other IPSec Policy).

Related articles

You may find these related articles of interest to you:

• Block Web Browsing but Allow Intranet Traffic with IPSec
• Block Web Browsing with IPSec
• Configuring IPSec Policies through GPO
• Exporting and Importing IPSec Policies
• Secure IPSec Policy Agent