Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question

From: Mark Swift [MSFT]
Date: 07/25/03

Date: Fri, 25 Jul 2003 12:14:08 -0700

Hi Bill,

Good questions.

You can't do what you want to do dynamically/temporarily. But you can create
an IPSec policy that should be sufficiently restrictive for your purposes.

This is your traffic profile:
Client's Source port is ANY
Client's IP Address is ANY
Server's port is a known fixed port (I'll pick 5400 as an example)
Server's IP Address is a known fixed IP address.
Application uses TCP as its protocol.

So the Client and Server can have the following policy:
Block All traffic
Permit Any IP Address port Any to Server's IP Address port 5400 protocol TCP

This policy should be sufficiently restrictive on the Client (The peer has
to be the Server, the peer's port has to be 5400 and the protocol has to be
TCP). Although the Server will be wide open to all machines communicating with
TCP from all ports.

Fixed Port Callback Delivery is not a generic Windows technique that can be
applied to any application. The Client/Server application vendor needs to
add this functionality to their application.

If you want to get more paranoid, and you know the exact time (or window)
that the AV clients talk to the AV server, you could write a script that
sets the above policy during that window of time, then deletes the policy
after the window. But you probably want the AV clients to be able to talk to
the AV servers all the time in case of an attack.

I hope this answers your questions or at least gets us closer :)

Mark Swift
Microsoft/Windows/Networking/Secure Network Services/IP Security
Software Test Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
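The "block all, permit TCP to the server's port" policy above, written out as the kind of set/delete script Mark mentions. This is an added example, not code from the thread or from Microsoft; it assumes the netsh ipsec context (Windows Server 2003 / XP SP2 and later, not the Windows 2000 ipsecpol.exe tool), and the server address 192.0.2.10, port 5400 and the AV-* names are placeholders.

```batch
@echo off
rem Added example (not from the original thread). Builds the policy
rem "Block All; Permit Any:Any -> Server:5400/TCP" with netsh ipsec static.
rem Assumed/placeholder values: server address, port, and all AV-* names.
set SERVER=192.0.2.10
set PORT=5400
set POLICY=AV-Only

if "%1"=="remove" goto remove

rem 1. Policy container, left unassigned until the rules are in place.
netsh ipsec static add policy name=%POLICY% description="Block all except TCP to AV server" assign=no

rem 2. Plain filter actions: no IKE negotiation, just block or permit.
netsh ipsec static add filteraction name=AV-Block action=block
netsh ipsec static add filteraction name=AV-Permit action=permit

rem 3. Catch-all filter: any address, any protocol, both directions.
netsh ipsec static add filterlist name=AV-All
netsh ipsec static add filter filterlist=AV-All srcaddr=any dstaddr=any protocol=any mirrored=yes

rem 4. Specific filter: any source IP and port (srcport=0) -> server:5400/TCP.
rem    mirrored=yes also matches the server's replies back to the client.
rem    Applied on the server itself, this is the filter that leaves it
rem    reachable from every host and every source port, as noted above.
netsh ipsec static add filterlist name=AV-Server
netsh ipsec static add filter filterlist=AV-Server srcaddr=any srcport=0 dstaddr=%SERVER% dstport=%PORT% protocol=TCP mirrored=yes

rem 5. Rules. The IPSec driver applies the most specific matching filter,
rem    so the 5-tuple permit takes precedence over the any/any block.
netsh ipsec static add rule name=Block-Everything policy=%POLICY% filterlist=AV-All filteraction=AV-Block
netsh ipsec static add rule name=Permit-AV policy=%POLICY% filterlist=AV-Server filteraction=AV-Permit

rem 6. Assign (activate) the policy.
netsh ipsec static set policy name=%POLICY% assign=yes
goto :eof

:remove
rem The "delete after the window" half: unassign first, then remove the
rem policy and the filter lists / actions it used.
netsh ipsec static set policy name=%POLICY% assign=no
netsh ipsec static delete policy name=%POLICY%
netsh ipsec static delete filterlist name=AV-All
netsh ipsec static delete filterlist name=AV-Server
netsh ipsec static delete filteraction name=AV-Block
netsh ipsec static delete filteraction name=AV-Permit
```

Run `netsh ipsec static show policy name=AV-Only` afterwards to confirm the rules and the assignment state before relying on the filter.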
"Bill Tomlinson" <> wrote in message
> Cherry,
> Thank you for your response.
> I am still confused about the "random" nature of port assignment that this
> anti-virus and other applications utilize in their programming.
> If an application calls the Remote Procedure Call and asks for any
> port above 1025, then how can I create an IPSec filter that blocks all
> traffic to ports that are not specifically configured, (such as those
> port 1025), and also allows these kinds of applications to function?  The
> assumption here is that if you don't block all traffic to ports that are
> specifically configured to allow traffic to pass, that the filter is not a
> filter at all.
> I would like to re-state that this question concerns my Local Area
> and using IPSec to create a packet filter for the LAN.  What I have heard
> that IPSec packet filtering in a LAN is not recommended because
> such as my anti-virus product are designed to depend on "random" ports
> available on request, and this is in direct conflict with blocking all
> that are not specifically configured ahead of time.
> The question could be restated as:  "Are IPSec packet filters only
> on the WAN side of your router?" OR "Is it recommended by Microsoft to
> secure your LAN using the IPSec rules/filters that are configured to
> or require negotiated secure connections without using IPSec packet
> filtering?"
> I have read about the "dynamic" block policy for a specific Protocol and
> Port, but this also appears to be a CATCH-22.  If the port is assigned
> randomly, and there could be multiple applications requesting a random
> via RPC, then how do you know which specific ports to configure statically
> or dynamically for these applications?
> I have read the white paper:  "Instant Message Polling and Fixed Port
> Callback Delivery," in this paper the method of configuring Fixed Port
> Callback Delivery appears to be specifically programmed into SP1 of
> 2000 and clients, does this imply that other software vendors could also
> design these features into their products to allow for Fixed Port Callback
> Delivery, or is this a generic technique that can be applied to any
> application that needs random port assignments?
> What I am looking for is an IPSec rule that could allow a known application
> to request a random port, that could then be 'dynamically' "allowed" for
> that connection's lifetime only, and then blocked again after the
> is no longer in use (sounds a bit like fixed port callback to me).
> In my test network, I currently have no IPSec rules/filters 'assigned' and
> am concerned that using the IPSec Filtering (which by definition means
> there is no security negotiation, just blocking and allowing certain ports
> to function) with the recommended ports open, and blocking all others will
> cause these "randomly" assigned ports to be blocked, causing the
> applications to fail.
> I must be missing the point somewhere, is there any way you could explain
> how to determine a packet filter for ports that are assigned randomly for
> in more basic terminology?
> Thanks
> Bill
> "Cherry Qian (msft)" <> wrote in message
> news:SwWHWzoUDHA.2144@cpmsftngxa06.phx.gbl...
> > Hi Bill,
> >
> > Thank you for the posting.  As you indicated you would like to configure
> > W2k server IPSec Packet Filter for your LAN to handle an anti-virus
> > software application where the clients send "ping-packs" to the server
> > any port above 1025 without unblocking all the ports above 1025.
> >
> > Fixed Port callback delivery is a restrictive delivery mechanism, in
> > the port values can range from 1025 to 65535.  IPSec filtering rules can be
> > used to help protect Windows 2000-based computers from network-based
> > attacks from threats such as viruses and worms.
> >
> > To filter a particular protocol and port combination for both inbound
> > outbound network traffic. It includes steps to determine if there are
> > IPSec policies currently assigned to a Windows 2000-based computer,
> > to create and assign a new IPSec policy, and steps to unassign and
> > an IPSec
> >
> > Determine Whether an IPSec Policy Is Assigned
> > Create a Static Policy to Block Traffic
> > Add a Block Rule for a Specific Protocol and Port
> > Add a Dynamic Block Policy for a Specific Protocol and Port
> > IPSec Filtering Rules and Group Policy
> > Unassign and Delete an IPSec Policy
> > Apply Your New Filter Rule to All Protocols and Ports
> > Application of IPSec Filter Rules upon Computer Restart
> >
> > As for detailed step-by-step process, please refer to this knowledge
> > article:
> >
> > 813878 How to Block Specific Network Protocols and Ports by Using IPSec
> >
> >
> > Hope the above information and suggestion helps and answers your
> > If anything is unclear, please let me know.
> >
> > Sincerely,
> >
> > Cherry Qian
> > MCSE2000, MCSA2000, MCDBA2000
> > Microsoft Partner Online Support
> >
> >
> > Get Secure! -
> >
> > ====================================================
> > When responding to posts, please Reply to Group via your newsreader so
> > that others may learn and benefit from your issue.
> > ====================================================
> > This posting is provided AS IS with no warranties, and confers no
> >