Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question

From: Mark Swift [MSFT] (mswift_at_online.microsoft.com)
Date: 07/25/03


Date: Fri, 25 Jul 2003 12:14:08 -0700


Hi Bill,

Good questions.

You can't do what you want to do dynamically/temporarily. But you can create
an IPSec policy that should be sufficiently restrictive for your purposes.

This is your traffic profile:
Client's Source port is ANY
Client's IP Address is ANY
Server's port is a known fixed port (I'll pick 5400 as an example)
Server's IP Address is a known fixed IP address.
Application uses TCP as its protocol.

So the Client and Server can have the following policy:
Block All traffic
Permit Any IP Address port Any to Server's IP Address port 5400 protocol TCP

This policy should be sufficiently restrictive on the Client (the peer has
to be the Server, the peer's port has to be 5400 and the protocol has to be
TCP), although the Server will be wide open to all machines communicating
with TCP from all ports.

Fixed Port Callback Delivery is not a generic Windows technique that can be
applied to any application. The Client/Server application vendor needs to
add this functionality to their application.

If you want to get more paranoid, and you know the exact time (or window)
that the AV clients talk to the AV server, you could write a script that
sets the above policy during that window of time, then deletes the policy
after the window. But you probably want the AV clients to be able to talk to
the AV servers all the time in case of an attack.

I hope this answers your questions or at least gets us closer :)

--
Mark Swift
Microsoft/Windows/Networking/Secure Network Services/IP Security
Software Test Engineer
----------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
----------------------------------------------------------------------------
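The policy Mark describes (Block All, then a single Permit to the server's port) works because Windows 2000 IPSec applies the most specific matching filter, so the narrow Permit overrides the broad Block. The Python below is an added example, not Mark's or Microsoft's code and not the Windows IPSec engine: a toy evaluator with that most-specific-wins rule, run against the stated policy to show why the client side is tight while the server side is, as Mark notes, open to any address and any source port. It also goes one step beyond the post with a subnet-restricted server-side variant. The server address 192.0.2.10, the client subnet 10.0.0.0/24 and the specificity scoring are assumptions made here.

```python
"""Toy evaluator for the policy from the post: Block All traffic, then Permit
any address / any port -> Server:5400 TCP. Added example, not Mark's or
Microsoft's code and not the Windows IPSec engine. It mimics the one property
the policy relies on: Windows 2000 IPSec applies the most specific matching
filter, so the narrow Permit wins over the broad Block."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def _addr_ok(spec: str, ip: str) -> bool:
    """spec is ANY, a single host address or a CIDR subnet."""
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Filter:
    src: str                 # ANY, host address or CIDR
    dst: str
    proto: str               # ANY, "tcp" or "udp"
    src_port: Optional[int]  # None = any port
    dst_port: Optional[int]
    action: str              # "permit" or "block"
    mirrored: bool = True    # the Windows "Mirrored" option: also match the reverse flow

    def _one_way(self, sip, sport, dip, dport, proto) -> bool:
        return (_addr_ok(self.src, sip) and _addr_ok(self.dst, dip)
                and self.proto in (ANY, proto)
                and self.src_port in (None, sport)
                and self.dst_port in (None, dport))

    def matches(self, p: Packet) -> bool:
        if self._one_way(p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto):
            return True
        # a mirrored filter also covers the server's replies back to the client
        return self.mirrored and self._one_way(p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def specificity(self) -> int:
        """Simplified ranking (assumption): every constrained field adds
        specificity, and a single host address counts more than a subnet."""
        score = 0
        for addr in (self.src, self.dst):
            if addr != ANY:
                score += 2 if ipaddress.ip_network(addr, strict=False).prefixlen == 32 else 1
        score += int(self.proto != ANY)
        score += int(self.src_port is not None)
        score += int(self.dst_port is not None)
        return score


def decide(policy: List[Filter], pkt: Packet) -> str:
    """Action of the most specific matching filter; traffic matching no
    filter at all is passed, as Windows IPSec does."""
    matching = [f for f in policy if f.matches(pkt)]
    if not matching:
        return "permit"
    return max(matching, key=Filter.specificity).action


# Constructed value: 192.0.2.10 stands in for the "known fixed" server address.
SERVER = "192.0.2.10"
POLICY = [
    Filter(ANY, ANY, ANY, None, None, "block"),        # Block All traffic
    Filter(ANY, SERVER, "tcp", None, 5400, "permit"),  # Permit Any:Any -> Server:5400 TCP
]

# Tighter server-side variant (not in the post): only the client subnet may reach 5400.
CLIENT_SUBNET = "10.0.0.0/24"  # constructed
SERVER_POLICY = [
    Filter(ANY, ANY, ANY, None, None, "block"),
    Filter(CLIENT_SUBNET, SERVER, "tcp", None, 5400, "permit"),
]


if __name__ == "__main__":
    client = "10.0.0.5"  # constructed
    for label, policy, pkt in [
        ("client -> server:5400 tcp", POLICY, Packet(client, 49152, SERVER, 5400, "tcp")),
        ("client -> server:80 tcp", POLICY, Packet(client, 49152, SERVER, 80, "tcp")),
        ("server reply (mirrored)", POLICY, Packet(SERVER, 5400, client, 49152, "tcp")),
        ("stranger -> server:5400", POLICY, Packet("198.51.100.7", 1, SERVER, 5400, "tcp")),
        ("stranger, subnet-limited", SERVER_POLICY, Packet("198.51.100.7", 1, SERVER, 5400, "tcp")),
    ]:
        print(f"{label:28s} {decide(policy, pkt)}")
```

On the client the only flow that survives is TCP to the server's port 5400 (and its mirrored replies); on the server the same Permit accepts that port from every address, which is the openness Mark points out, and the subnet-limited variant is the usual way to narrow it when the client population is known.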
"Bill Tomlinson" <BT@royce.biz> wrote in message
news:OhT0PUtUDHA.1484@TK2MSFTNGP12.phx.gbl...
> Cherry,
>
> Thank you for your response.
>
> I am still confused about the "random" nature of port assignment that this
> anti-virus and other applications utilize in their programming.
>
> If an application calls the Remote Procedure Call and asks for any available
> port above 1025, then how can I create an IPSec filter that blocks all
> traffic to ports that are not specifically configured, (such as those above
> port 1025), and also allows these kinds of applications to function?  The
> assumption here is that if you don't block all traffic to ports that are not
> specifically configured to allow traffic to pass, that the filter is not a
> filter at all.
>
> I would like to re-state that this question concerns my Local Area Network,
> and using IPSec to create a packet filter for the LAN.  What I have heard is
> that IPSec packet filtering in a LAN is not recommended because applications
> such as my anti-virus product are designed to depend on "random" ports being
> available on request, and this is in direct conflict with blocking all ports
> that are not specifically configured ahead of time.
>
> The question could be restated as:  "Are IPSec packet filters only practical
> on the WAN side of your router?" OR "Is it recommended by Microsoft to
> secure your LAN using the IPSec rules/filters that are configured to request
> or require negotiated secure connections without using IPSec packet
> filtering?"
>
> I have read about the "dynamic" block policy for a specific Protocol and
> Port, but this also appears to be a CATCH-22.  If the port is assigned
> randomly, and there could be multiple applications requesting a random port
> via RPC, then how do you know which specific ports to configure statically
> or dynamically for these applications?
>
> I have read the white paper:  "Instant Message Polling and Fixed Port
> Callback Delivery."  In this paper the method of configuring Fixed Port
> Callback Delivery appears to be specifically programmed into SP1 of Exchange
> 2000 and clients.  Does this imply that other software vendors could also
> design these features into their products to allow for Fixed Port Callback
> Delivery, or is this a generic technique that can be applied to any
> application that needs random port assignments?
>
> What I am looking for is an IPSec rule that could allow a known application
> to request a random port, that could then be 'dynamically' "allowed" for
> that connection's lifetime only, and then blocked again after the connection
> is no longer in use (sounds a bit like fixed port callback to me).
>
> In my test network, I currently have no IPSec rules/filters 'assigned' and I
> am concerned that using the IPSec Filtering (which by definition means that
> there is no security negotiation, just blocking and allowing certain ports
> to function) with the recommended ports open, and blocking all others will
> cause these "randomly" assigned ports to be blocked, causing the
> applications to fail.
>
> I must be missing the point somewhere.  Is there any way you could explain
> how to determine a packet filter for ports that are assigned randomly for me
> in more basic terminology?
>
> Thanks
>
> Bill
>
> "Cherry Qian (msft)" <cherryq@online.microsoft.com> wrote in message
> news:SwWHWzoUDHA.2144@cpmsftngxa06.phx.gbl...
> > Hi Bill,
> >
> > Thank you for the posting.  As you indicated you would like to configure a
> > W2k server IPSec Packet Filter for your LAN to handle an anti-virus
> > software application where the clients send "ping-packs" to the server on
> > any port above 1025 without unblocking all the ports above 1025.
> >
> > Fixed Port callback delivery is a restrictive delivery mechanism, in which
> > the port values can range from 1025 to 65535.  IPSec filtering rules can be
> > used to help protect Windows 2000-based computers from network-based
> > attacks from threats such as viruses and worms.
> >
> > To filter a particular protocol and port combination for both inbound and
> > outbound network traffic. It includes steps to determine if there are any
> > IPSec policies currently assigned to a Windows 2000-based computer, steps
> > to create and assign a new IPSec policy, and steps to unassign and delete
> > an IPSec
> >
> > Determine Whether an IPSec Policy Is Assigned
> > Create a Static Policy to Block Traffic
> > Add a Block Rule for a Specific Protocol and Port
> > Add a Dynamic Block Policy for a Specific Protocol and Port
> > IPSec Filtering Rules and Group Policy
> > Unassign and Delete an IPSec Policy
> > Apply Your New Filter Rule to All Protocols and Ports
> > Application of IPSec Filter Rules upon Computer Restart
> >
> > As for detailed step-by-step process, please refer to this knowledge base
> > article:
> >
> > 813878 How to Block Specific Network Protocols and Ports by Using IPSec
> > http://support.microsoft.com/?id=813878
> >
> > Hope the above information and suggestion helps and answers your question.
> > If anything is unclear, please let me know.
> >
> > Sincerely,
> >
> > Cherry Qian
> > MCSE2000, MCSA2000, MCDBA2000
> > Microsoft Partner Online Support
> >
> >
> > Get Secure! - www.microsoft.com/security
> >
> > ====================================================
> > When responding to posts, please Reply to Group via your newsreader so
> > that others may learn and benefit from your issue.
> > ====================================================
> > This posting is provided AS IS with no warranties, and confers no rights.
> >
>
>

