Re: IPSec Filter Question

From: Brian Komar (bkomar@komarconsulting.com)
Date: 08/14/02


From: Brian Komar <bkomar@komarconsulting.com>
Date: Tue, 13 Aug 2002 23:27:27 -0500


In article <DnG19.82712$Og3.22041502@e3500-atl1.usenetserver.com>,
nospam@please.com says...
> Hello everyone.
>
> I have an internal webserver running on Win2k Pro. I have set the port to
> serve up on 785. I want to use IPSec filters to not only block all access to
> this server (except from one box), but also to encrypt all of the
> communications between the webserver and the one computer.
>
> I was able to do one or the other, but not both at the same time.
>
> Here is a summary of what I am trying to say-
> 1. Block everyone except 10.0.0.15
> 2. Only allow 10.0.0.15 to connect to 785 and nothing else
> 3. Use IPSec to encrypt the traffic between the two
>
> Both are Win2k Pro boxes.
>
> This should be possible, right? Am I overlooking something simple? Any help
> would be appreciated.
>
> Thank you.
Hi Mark, you will need two rules:

Filter 1:
Source IP: 10.0.0.15
Source Port: TCP Any

Target IP: My IP Address
Target Port: TCP 785

- Filter Action: Negotiate and encrypt with ESP(SHA1,3DES) or whatever
ESP variation you want to use.
- Mirror the rule.

Filter 2:
Use the default All IP Traffic filter
Filter Action: Add the block action
Mirror the rule

It does not matter which rule you create first, because filter 1
is more specific than filter 2 and will take precedence.

The only other issue is how the computers are authenticating the IPSec
SA. If they are both 2k and domain members, use Kerberos
authentication. If not, or unsure, use a shared secret initially to test
the IPSec filters and filter actions.

You will also have to create IPSec filters for the 10.0.0.15 computer
that will encrypt data sent to the Web server.

Filter 1:
Source IP: 10.0.0.15
Source Port: TCP Any

Target IP: The IP Address of the Web Server
Target Port: TCP 785

- Filter Action: Negotiate and encrypt with ESP(SHA1,3DES) or whatever
ESP variation you want to use.
- Mirror the rule.

Filter 2:
Use the default All IP Traffic filter
Filter Action: Permit
Mirror the rule

This ensures that the client only uses IPSec when connecting to the Web
Server. Alternatively, if the Web server allows IPSec connections to
initially connect without security, you could just assign the Client
(Respond Only) IPSec policy to the 10.0.0.15 computer.

HTH,
Brian
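The precedence the reply relies on (the more specific filter wins over the default All IP Traffic filter, and a mirrored filter also covers the reply direction) can be checked against sample packets. This is an added Python model of that matching logic, not code from the post; the Web server address 10.0.0.5 is a constructed placeholder for "My IP Address".

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for an address, port or protocol

@dataclass(frozen=True)
class Filter:
    name: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    proto: Optional[str]
    action: str             # "negotiate-esp", "block" or "permit"
    mirrored: bool = True

    def _one_way(self, sip, sport, dip, dport, proto):
        return all(f is None or f == v for f, v in (
            (self.src_ip, sip), (self.src_port, sport),
            (self.dst_ip, dip), (self.dst_port, dport), (self.proto, proto)))

    def matches(self, sip, sport, dip, dport, proto):
        if self._one_way(sip, sport, dip, dport, proto):
            return True
        # A mirrored filter also matches the reverse direction (the replies).
        return self.mirrored and self._one_way(dip, dport, sip, sport, proto)

    def specificity(self):
        # Every concrete (non-wildcard) field makes the filter more specific.
        return sum(f is not None for f in
                   (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto))

def decide(filters, sip, sport, dip, dport, proto="TCP"):
    """Action of the most specific matching filter; permit if nothing matches."""
    hits = [f for f in filters if f.matches(sip, sport, dip, dport, proto)]
    if not hits:
        return "permit"
    return max(hits, key=Filter.specificity).action

WEBSERVER = "10.0.0.5"  # constructed placeholder for the server's own address

# Policy on the Web server: encrypt 10.0.0.15 -> TCP 785, block everything else.
SERVER_POLICY = [
    Filter("Filter 1", "10.0.0.15", ANY, WEBSERVER, 785, "TCP", "negotiate-esp"),
    Filter("Filter 2 (All IP Traffic)", ANY, ANY, ANY, ANY, ANY, "block"),
]
# Policy on 10.0.0.15: encrypt only towards the Web server, permit all other traffic.
CLIENT_POLICY = [
    Filter("Filter 1", "10.0.0.15", ANY, WEBSERVER, 785, "TCP", "negotiate-esp"),
    Filter("Filter 2 (All IP Traffic)", ANY, ANY, ANY, ANY, ANY, "permit"),
]
```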


