Re: TCP/IP Filtering
From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/22/02
From: "Karl Levinson [x y] MVP" <levinson_k@excite.com> Date: Tue, 22 Oct 2002 09:49:26 -0400
"dave" <dave@netmedic.net> wrote in message
news:955c01c27970$199701a0$36ef2ecf@tkmsftngxa12...
> Matt,
>
> Thanks, but I want to use the OS and see what we can
> accomplish.
IMHO you're SEEING what you can accomplish with the OS: great difficulty in
setting up filters, due to no ability to log traffic.
If you really want to use the OS to do this filtering [which I think is a
mistake, especially if you're running into problems like this], start with
IPsec filtering, NOT the TCP/IP filtering feature. [But note that again
there's no logging or alerting, which makes problems during setup hard to
solve.] Perhaps you're already doing this, but if not, try running a
sniffer such as the Network Monitor feature in Control Panel, Add remove
programs, add remove windows components, or Ethereal or Windump, to be able
to see the traffic and ports being used.
Generally, TCP and UDP connections use two port numbers, not just one... a
well known server port on one end as well as a dynamically chosen ephemeral
port number on the client side usually above 1023. If your filters are
blocking based on the ephemeral port number, the filter needs improving or a
different technology should be used.
For what it's worth, I agree with the other poster about using third party
software such as www.sygate.com. Sygate adds the ability to log traffic
more or less like a sniffer, identify which executable is listening on which
port, alert you for certain events, and gives much better granularity of
control when setting up filters than the TCP/IP Filtering feature.
See below for more info and links about both TCP/IP Filtering and IPsec
filters:
WINDOWS TCP/IP FILTERING FEATURE -
One way to control incoming network connections to your Windows 2000 / XP /
NT / .NET computer or server is to use the Windows TCP/IP Filtering feature.
Windows' TCP/IP Filtering blocks IP ports on your computer from being
accessed. This is fairly simple to do because it is less configurable than
other filtering methods. [For example, connections cannot be blocked per IP
address, just per port number.]
Because it is easy to configure, there are some limitations. According to
one website, the TCP/IP filtering feature only blocks TCP and UDP and is
probably not suitable for blocking ICMP [e.g. ping and traceroute] or other
protocols. This feature supposedly does not block the computer from
initiating new connections with other computers. You can only enter the
ports you want to allow, and all other ports are blocked. [In other words,
you cannot enter just the ports you want to block, and you must know all the
ports you need to allow.]
Also, TCP/IP Filtering does not allow certain features such as logging or
alerting. [Logging is particularly useful when troubleshooting why a certain
network or Internet software program will not work.]
Novice PC users or users who desire logging and alerting may want to
consider using the Windows XP ICF or a third party hardware or software
firewall.
You can enable or configure TCP/IP Filtering in Windows 2000 by clicking on
Start, Settings, Control Panel, Network and Dial-Up Connections, select the
interface you want to filter, select Properties, General, Internet Protocol
(TCP/IP), Properties, Advanced, Options, TCP/IP Filtering, Properties.
More information on configuring TCP/IP Filtering is available in the
following article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309798
IPSEC POLICY FILTERS -
Advanced Windows 2000 / XP / .NET users and network administrators can
consider using IPsec policy filters. IPsec filters permit a moderate to
advanced PC user or network administrator to create rules blocking certain
IP communications based on source, destination, protocol, TCP or UDP service
port number, etc.
These filters can be easily migrated to multiple machines in a networked
environment using Group Policy or script files. However, IPsec filters do
not allow certain features such as logging or alerting. [Logging is
particularly useful when troubleshooting why a certain network or Internet
software program will not work.]
The level of security you achieve with IPsec filters depends on your level
of technical skill. It may help if you are already familiar with how to
configure firewalls and other network security issues. It is possible to
accidentally set up weak IPsec filters, in which case your computer could
possibly still be vulnerable to certain types of intrusion.
Novice PC users, users who are having problems configuring IPsec filters, or
users who desire logging and alerting may want to consider using the Windows
XP ICF or a third party hardware or software firewall.
Information on how to configure IPsec Policy filters in Windows 2000 [and
Windows XP?] is available in the following articles:
http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
[look for the NSA Security Recommendation Guide for Windows 2000 IPSec]
http://www.systemexperts.com/tutors/HardenW2K101.pdf
http://www.microsoft.com/TechNet/prodtechnol/winxppro/proddocs/sag_IPSecsecplan.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313190
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301284
In addition to filtering traffic, IPsec rules can also be defined to enable
encryption to secure communications between computers or servers.
Information on this is available by searching the links below:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q252735 - IPsec
tunneling & encryption
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308208 - Setting up
a VPN server
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q253169 - Traffic
that cannot be secured by IPsec encryption
http://support.microsoft.com
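An added illustration, not part of the original post: a small model of the two filter styles discussed above (the allow-list-only TCP/IP Filtering feature versus an address-aware IPsec-style filter list), with a third function showing the ephemeral-port mistake the post warns about. The rule semantics, addresses and packets are constructed assumptions for this model, not a description of the actual Windows implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int    # 0 for icmp
    dst_ip: str
    dst_port: int    # 0 for icmp
    inbound: bool    # True when arriving at the filtered host


def tcpip_filtering_allows(pkt, allow_tcp, allow_udp):
    """Model of the TCP/IP Filtering feature as the post describes it:
    inbound only, TCP/UDP only, an allow list of ports, no per-address rules."""
    if not pkt.inbound or pkt.proto not in ("tcp", "udp"):
        return True                     # outbound traffic and ICMP are not filtered
    allowed = allow_tcp if pkt.proto == "tcp" else allow_udp
    return pkt.dst_port in allowed      # keyed on the well-known server port only


def ephemeral_keyed_allows(pkt, allow_tcp):
    """The mistake the post warns about: keying the rule on the client's
    randomly chosen ephemeral port instead of the server port."""
    return pkt.src_port in allow_tcp


def ipsec_filter_allows(pkt, rules):
    """Toy IPsec-style filter list. Each rule is (proto, src_ip, dst_ip,
    dst_port, action) with "*" as a wildcard. Assumed semantics for this
    model only: first matching rule wins; unmatched traffic is permitted."""
    for proto, src, dst, port, action in rules:
        if proto in ("*", pkt.proto) and src in ("*", pkt.src_ip) \
                and dst in ("*", pkt.dst_ip) and port in ("*", pkt.dst_port):
            return action == "permit"
    return True


# Constructed sample traffic: the same web client on two different ephemeral
# ports, an inbound SMB connection from elsewhere, and an inbound ping.
HOST = "192.0.2.10"
WEB_A = Packet("tcp", "192.0.2.55", 1025, HOST, 80, True)
WEB_B = Packet("tcp", "192.0.2.55", 3921, HOST, 80, True)
SMB = Packet("tcp", "198.51.100.7", 2048, HOST, 445, True)
PING = Packet("icmp", "192.0.2.55", 0, HOST, 0, True)

# Permit web traffic from one client, block everything else to the host.
RULES = [("tcp", "192.0.2.55", HOST, 80, "permit"),
         ("*", "*", HOST, "*", "block")]
```

Note that the TCP/IP Filtering model lets the ping through regardless of the allow list, while the IPsec-style list can block it, matching the limitations the post describes.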