Question & Answer
Question
What is an IP filter policy?
Answer
An IP filter policy is one of the three types of policies in IP security policy configuration files.
Use the IpFilterPolicy statement to define an IP filter policy.
Requirement: The IpFilterPolicy statement is required in order to define IP filters to the Policy Agent.
The IpFilterPolicy statement block consists of:
A set of global configuration options
An ordered list of IP filter rules (IpFilterRule statements)
The purpose of the global configuration options is to control global policy items, such as whether logging is active or whether on-demand Security Association negotiations are allowed, and so forth. These global options apply to all of the IP filter rules that are contained in the policy.
Each IP filter rule, in turn, contains data endpoints, traffic descriptions, and actions. When a packet entering or leaving the system matches the data endpoints and traffic description in an IP filter rule, the associated action is taken. If the action is an ipsec action, additional action statements are coded that define the parameters of the IPSec Security Association.
The IpFilterPolicy statement can contain any combination of references to IpFilterGroup statements, references to IpFilterRule statements, and inline IpFilterRule statements.
Communications Server's integrated IP filtering is enabled for a stack when IPSECURITY is specified on the IPCONFIG statement of that stack's TCP/IP profile. When Communications Server's integrated IP filtering is enabled, IP packets are subject to the IP filters generated from the applicable IpFilterPolicy statement. IP filters are generated in the order specified on the IpFilterPolicy statement. If a reference to an IpFilterGroup statement is encountered, all the IP filters for that group are generated in the order in which the IpFilterGroup statement lists them.
An IP filter policy can stand alone to provide IP filtering and IPSec protection with manual key management. Used in conjunction with the two other policies, it is also required to provide IPSec protection with dynamic key management (IKE). Because filtering is crucial to secure traffic on a host, an IP security policy that contains no IpFilterPolicy statement block or an empty IpFilterPolicy statement block is considered an error, leaving the default policy that is provided by the stack in effect.
A generated IP filter consists of a source and destination IP address specification, a service specification, an optional time period specification, a security action, and an optional local start action. The policy condition is formed by combining the IP address information with the port, protocol, security class, direction, and routing information from the IpService statement or the IpServiceGroup statement. An IpTimeCondition statement identifies when the generated IP filter is in effect. Security actions include the generic (permit, deny, or ipsec) action (IpGenericFilterAction), the manual VPN tunnel action (IpManVpnAction), and the dynamic VPN tunnel action (IpDynVpnAction).
IP filter rules in an IP filter policy are searched in the order listed. Because it is possible for a packet to match more than one rule, a search for a matching filter rule stops after the first match is found, even if there are additional matches further down in the list.
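As an added illustration (not code from this page or from IBM), the following constructed Python model reproduces the behaviour described above: group references expand in place in coded order, an empty policy is rejected, the search stops at the first matching filter, and a shadowed-rule check shows why rule order matters. The class and field names, and the packet-as-a-rule modelling, are assumptions, not the z/OS configuration syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional
# Constructed, simplified model of the statements described above; the class and
# field names are assumptions, not the z/OS configuration syntax.
@dataclass(frozen=True)
class IpFilterRule:
    name: str
    src: str                 # source data endpoint, address or CIDR
    dst: str                 # destination data endpoint, address or CIDR
    protocol: str            # IpService-style: "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    direction: str           # "inbound", "outbound" or "bidirectional"
    action: str              # IpGenericFilterAction: "permit", "deny" or "ipsec"

def packet(src, dst, protocol, dst_port, direction):  # a packet is the most specific rule
    return IpFilterRule("packet", src + "/32", dst + "/32", protocol, dst_port, direction, "")

def generate_filters(policy):
    """Flatten in coded order. An IpFilterGroup reference is modelled as a tuple of
    rules and expands in place, keeping its order. An empty policy is an error."""
    filters = [r for e in policy for r in (e if isinstance(e, tuple) else (e,))]
    if not filters:
        raise ValueError("empty IpFilterPolicy: the stack default policy stays in effect")
    return filters

def covers(general, specific):
    """True when every packet matching `specific` also matches `general`."""
    return (ip_network(general.src).supernet_of(ip_network(specific.src))
            and ip_network(general.dst).supernet_of(ip_network(specific.dst))
            and general.protocol in ("any", specific.protocol)
            and general.dst_port in (None, specific.dst_port)
            and general.direction in ("bidirectional", specific.direction))

def evaluate(policy, pkt):
    """First match wins; later matching filters are never consulted. None if no match."""
    for rule in generate_filters(policy):
        if covers(rule, pkt):
            return rule.name, rule.action
    return None

def shadowed_rules(policy):
    """Rules an earlier filter fully covers, so they can never fire (a review aid)."""
    filters = generate_filters(policy)
    return [r.name for i, r in enumerate(filters) if any(covers(e, r) for e in filters[:i])]
# Constructed sample policy: one group reference followed by two inline rules.
ADMIN_GROUP = (IpFilterRule("ssh-from-mgmt", "10.0.0.0/24", "192.0.2.10/32", "tcp", 22, "inbound", "permit"),)
POLICY = (ADMIN_GROUP,
          IpFilterRule("deny-10-net", "10.0.0.0/8", "192.0.2.10/32", "any", None, "inbound", "deny"),
          IpFilterRule("https-in", "10.0.0.0/8", "192.0.2.10/32", "tcp", 443, "inbound", "permit"))
```

Running `shadowed_rules(POLICY)` reports `https-in`, because the broader `deny-10-net` rule that precedes it already covers every packet it describes; moving the permit above the deny is the usual fix.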
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date: 19 October 2017
UID: dwa1407822