Windows Vista Network Architecture, Firewall, and IPsec Improvements: Content Summary

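h Advanced Security” snap-in
– Predefined in the Administrative Tools console set
– Can be configured remotely
– Integrates and simplifies IPsec configuration
• New command-line command: netsh advfirewall

Flexible exception settings
• Active Directory user/computer accounts and groups
• Source and destination IP addresses (individual or range)
• Source and destination TCP/UDP ports
– Comma-delimited list of ports (but not low-high range)
• IP protocol number
• Types of interfaces (wired, wireless, VPN/RAS)
• ICMP type and code
• Services (used by service profiling to limit access)

Network Location
• Network changes are detected automatically
• The Network profile service creates a profile when a connection is made
– Interfaces, DC, authenticated machine, gateway MAC, …
• NPS notifies the firewall when the network changes
– The firewall changes the Location setting within 200 ms
• When the computer is not joined to a domain, the only choices are public or private
– Only a local administrator can define the conditions that make a network private

Location categories
• Domain: when the computer is joined to a domain and connected to it; selected automatically
• Private: when the computer is connected to a network defined as private
• Public: all other networks

Determining the category with multiple network interfaces
• Examine all connected nets
• Is an interface connected to a net classified “public”?
– Yes: Set category to “public”
– No: continue to the next check
• Is an interface connected to a net classified “private”?
– Yes: Set category to “private”
– No: continue to the next check
• All interfaces see domain controller? Host authenticate?
– Yes: Set category to “domain”

Profile settings
• Local administrators may be allowed to create rules
• A notification message appears when an inbound connection is blocked

Rule types
• Program: allows network traffic for a specific program
• Port: allows a specific TCP or UDP port or list of ports
• Predefined: rule sets that allow Windows networking features (for example: file and printer sharing, network discovery, remote assistance, remote service administration, Windows collaboration, others)
• Custom: configure the relevant parameters yourself

Windows Firewall with Advanced Security
• Profile settings
• Rule settings

Firewall rules
DO Action = {Bypass | Allow | Block}
IF: Protocol = X
AND Direction = {In | Out}
AND Local TCP/UDP port is in {Port list}
AND Remote TCP/UDP port is in {Port list}
AND ICMP type code is in {ICMP type-code list}
AND Interface NIC is in {Interface ID list}
AND Interface type is in {Int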
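
The multi-interface network category decision described above, written out as an added example (not code from the original slides or from Windows). The Interface fields and the select_category name are hypothetical, and the final fallback to "public" is an assumption because the slide text does not show where the last "No" branch leads.

```python
# Added illustration: one firewall category is chosen for the whole host,
# checked in the order given on the slide (public, then private, then domain).
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Interface:                      # hypothetical model of a connected interface
    name: str
    classified: Optional[str]         # "public", "private", or None if unclassified
    sees_domain_controller: bool


def select_category(interfaces: Iterable[Interface], host_authenticated: bool) -> str:
    connected = list(interfaces)
    # Any interface on a net classified "public" forces the public category,
    # even if another interface is on the corporate LAN.
    if any(i.classified == "public" for i in connected):
        return "public"
    # Otherwise any interface on a net classified "private" selects private.
    if any(i.classified == "private" for i in connected):
        return "private"
    # Domain requires every interface to see a DC and the host to authenticate.
    if connected and host_authenticated and all(
        i.sees_domain_controller for i in connected
    ):
        return "domain"
    # ASSUMPTION: the slide's last "No" branch is not shown; fall back to the
    # most restrictive category.
    return "public"


# Constructed sample interfaces (not real data).
CORP_LAN = Interface("corp-lan", None, True)
CAFE_WIFI = Interface("cafe-wifi", "public", False)
HOME_WIFI = Interface("home-wifi", "private", False)

if __name__ == "__main__":
    for nics in ([CORP_LAN], [CORP_LAN, CAFE_WIFI], [CORP_LAN, HOME_WIFI]):
        names = ", ".join(n.name for n in nics)
        print(f"{names}: {select_category(nics, host_authenticated=True)}")
```

A domain-joined laptop that also joins a public wireless network ends up with the public category, so rules scoped only to the domain profile stop applying while that interface is connected.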