Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question

From: Bill Tomlinson (BT_at_royce.biz)
Date: 07/26/03


Date: Fri, 25 Jul 2003 16:41:27 -0700


Mark,

Thanks for your response.

I think I understand what you are saying here.

I am still confused about a particular situation that I have with my
Anti-Virus Software (AVS).

My AVS has built into it a Central Administration Console (CAC), which is
very effective in reducing trips to individual workstations and servers for
configurations, virus scans etc. As part of this CAC it uses an executable
that is a service that is initiated during machine boot/startup and is
assigned a random port from Winsock that it uses until the machine is
re-booted again. This service is used to communicate with the other servers
in the network, and as such uses the concept of "discovery" to allow the
console to manage other servers. Without this central console I will not be
able to manage other servers and clients in a central fashion.

Now I can see how you could allow for ANY client port or address in an IPSec
filter, to come into a specific server port, but in this case I do not know
the port that is being assigned to the service on the server until the
Winsock has assigned it a port, and that port could change each time the
server is re-booted.

The engineers at the anti-virus company have suggested to me that the IPSec
needs to be able to allow or block traffic to a service rather than a
specific port in order to work in a practical manner.

Do you know if the W2k Server's IPSec can be configured to allow or block
services?

Without this capability I don't see how you could effectively create an
IPSec packet filter that would work without extensive effort to determine
the port for each of these types of services each time you re-boot your
server.

It would appear that the concept of random port assignment is one born from
necessity: there are a finite number of ports, 65,500 or so, and a
potentially infinite number of services or applications that need ports to
communicate through.

Thanks

Bill

"Mark Swift [MSFT]" <mswift@online.microsoft.com> wrote in message
news:OuF9FFuUDHA.1928@TK2MSFTNGP12.phx.gbl...
> Hi Bill,
>
> Good questions.
>
> You can't do what you want to do dynamically/temporarily. But you can create
> an IPSec policy that should be sufficiently restrictive for your purposes.
>
> This is your traffic profile:
> Client's Source port is ANY
> Client's IP Address is ANY
> Server's port is a known fixed port (I'll pick 5400 as an example)
> Server's IP Address is a known fixed IP address.
> Application uses TCP as its protocol.
>
> So the Client and Server can have the following policy:
> Block All traffic
> Permit Any IP Address port Any to Server's IP Address port 5400 protocol TCP
>
> This policy should be sufficiently restrictive on the Client (The peer has
> to be the Server, the peer's port has to be 5400 and the protocol has to be
> TCP). Although the Server will be wide open to all machines communicating
> with TCP from all ports.
>
> Fixed Port Callback Delivery is not a generic Windows technique that can be
> applied to any application. The Client/Server application vendor needs to
> add this functionality to their application.
>
> If you want to get more paranoid, and you know the exact time (or window)
> that the AV clients talk to the AV server, you could write a script that
> sets the above policy during that window of time, then deletes the policy
> after the window. But you probably want the AV clients to be able to talk to
> the AV servers all the time in case of an attack.
>
> I hope this answers your questions or at least gets us closer :)
>
> --
> Mark Swift
> Microsoft/Windows/Networking/Secure Network Services/IP Security
> Software Test Engineer
>
> -----------------------------------------------------------------------------------------------------------------
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm"
> -----------------------------------------------------------------------------------------------------------------
>
>
>
> "Bill Tomlinson" <BT@royce.biz> wrote in message
> news:OhT0PUtUDHA.1484@TK2MSFTNGP12.phx.gbl...
> > Cherry,
> >
> > Thank you for your response.
> >
> > I am still confused about the "random" nature of port assignment that this
> > anti-virus and other applications utilize in their programming.
> >
> > If an application calls the Remote Procedure Call and asks for any available
> > port above 1025, then how can I create an IPSec filter that blocks all
> > traffic to ports that are not specifically configured, (such as those above
> > port 1025), and also allows these kinds of applications to function? The
> > assumption here is that if you don't block all traffic to ports that are not
> > specifically configured to allow traffic to pass, that the filter is not a
> > filter at all.
> >
> > I would like to re-state that this question concerns my Local Area Network,
> > and using IPSec to create a packet filter for the LAN.  What I have heard is
> > that IPSec packet filtering in a LAN is not recommended because applications
> > such as my anti-virus product are designed to depend on "random" ports being
> > available on request, and this is in direct conflict with blocking all ports
> > that are not specifically configured ahead of time.
> >
> > The question could be restated as:  "Are IPSec packet filters only practical
> > on the WAN side of your router?" OR "Is it recommended by Microsoft to
> > secure your LAN using the IPSec rules/filters that are configured to request
> > or require negotiated secure connections without using IPSec packet
> > filtering?"
> >
> > I have read about the "dynamic" block policy for a specific Protocol and
> > Port, but this also appears to be a CATCH-22.  If the port is assigned
> > randomly, and there could be multiple applications requesting a random port
> > via RPC, then how do you know which specific ports to configure statically
> > or dynamically for these applications?
> >
> > I have read the white paper:  "Instant Message Polling and Fixed Port
> > Callback Delivery," in this paper the method of configuring Fixed Port
> > Callback Delivery appears to be specifically programmed into SP1 of Exchange
> > 2000 and clients, does this imply that other software vendors could also
> > design these features into their products to allow for Fixed Port Callback
> > Delivery, or is this a generic technique that can be applied to any
> > application that needs random port assignments?
> >
> > What I am looking for is a IPSec rule that could allow a known application
> > to request a random port, that could then be 'dynamically' "allowed" for
> > that connection's lifetime only, and then blocked again after the connection
> > is no longer in use (sounds a bit like fixed port callback to me).
> >
> > In my test network, I currently have no IPSec rules/filters 'assigned' and I
> > am concerned that using the IPSec Filtering (which by definition means that
> > there is no security negotiation, just blocking and allowing certain ports
> > to function) with the recommended ports open, and blocking all others will
> > cause these "randomly" assigned ports to be blocked, causing the
> > applications to fail.
> >
> > I must be missing the point somewhere, is there any way you could explain
> > how to determine a packet filter for ports that are assigned randomly for me
> > in more basic terminology?
> >
> > Thanks
> >
> > Bill
> >
> > "Cherry Qian (msft)" <cherryq@online.microsoft.com> wrote in message
> > news:SwWHWzoUDHA.2144@cpmsftngxa06.phx.gbl...
> > > Hi Bill,
> > >
> > > Thank you for the posting.  As you indicated you would like to configure a
> > > W2k server IPSec Packet Filter for your LAN to handle an anti-virus
> > > software application where the clients send "ping-packs" to the server on
> > > any port above 1025 without unblocking all the ports above 1025.
> > >
> > > Fixed Port callback delivery is a restrictive delivery mechanism, in which
> > > the port values can range from 1025 to 65535.  IPSec filtering rules can be
> > > used to help protect Windows 2000-based computers from network-based
> > > attacks from threats such as viruses and worms.
> > >
> > > To filter a particular protocol and port combination for both inbound and
> > > outbound network traffic. It includes steps to determine if there are any
> > > IPSec policies currently assigned to a Windows 2000-based computer, steps
> > > to create and assign a new IPSec policy, and steps to unassign and delete
> > > an IPSec
> > >
> > > Determine Whether an IPSec Policy Is Assigned
> > > Create a Static Policy to Block Traffic
> > > Add a Block Rule for a Specific Protocol and Port
> > > Add a Dynamic Block Policy for a Specific Protocol and Port
> > > IPSec Filtering Rules and Group Policy
> > > Unassign and Delete an IPSec Policy
> > > Apply Your New Filter Rule to All Protocols and Ports
> > > Application of IPSec Filter Rules upon Computer Restart
> > >
> > > As for detailed step-by-step process, please refer to this knowledge base
> > > article:
> > >
> > > 813878 How to Block Specific Network Protocols and Ports by Using IPSec
> > > http://support.microsoft.com/?id=813878
> > >
> > > Hope the above information and suggestion helps and answers your question.
> > > If anything is unclear, please let me know.
> > >
> > > Sincerely,
> > >
> > > Cherry Qian
> > > MCSE2000, MCSA2000, MCDBA2000
> > > Microsoft Partner Online Support
> > >
> > >
> > > Get Secure! - www.microsoft.com/security
> > >
> > > ====================================================
> > > When responding to posts, please Reply to Group via your newsreader so
> > > that others may learn and benefit from your issue.
> > > ====================================================
> > > This posting is provided AS IS with no warranties, and confers no rights.
> > >
> >
> >
>
>

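As an added illustration (not part of this thread and not Microsoft's code), the following Python model evaluates the two-filter policy Mark describes (block all, permit Any -> Server:5400/TCP) against sample packets, using the Windows IPSec conventions that the most specific matching filter wins and that a mirrored filter also matches the reply direction. The server address, client address and the Winsock-assigned listening port are constructed values; the model shows why the fixed port 5400 passes while the console's randomly assigned port is blocked.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard, like "Any IP Address" / "port Any" in the policy

@dataclass(frozen=True)
class Filter:
    """One IPSec filter: wildcards are ANY; action is 'permit' or 'block'."""
    name: str
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dst_port: Optional[int]
    action: str
    mirrored: bool = True  # also match traffic flowing the other way

    def specificity(self) -> int:
        # Windows IPSec weights filters so the most specific match wins;
        # counting non-wildcard fields is a simplified stand-in for that weighting.
        return sum(v is not ANY for v in (self.src, self.dst, self.proto, self.dst_port))

    def _match(self, src, dst, proto, dport) -> bool:
        fields = ((self.src, src), (self.dst, dst), (self.proto, proto), (self.dst_port, dport))
        return all(want is ANY or want == got for want, got in fields)

    def matches(self, src, sport, dst, dport, proto) -> bool:
        if self._match(src, dst, proto, dport):
            return True
        # Mirrored: the reply has src/dst swapped and the filtered port is now the source port.
        return self.mirrored and self._match(dst, src, proto, sport)

def decide(policy, src, sport, dst, dport, proto) -> str:
    """Return the action of the most specific matching filter ('permit' if none match)."""
    hits = [f for f in policy if f.matches(src, sport, dst, dport, proto)]
    return max(hits, key=Filter.specificity).action if hits else "permit"

SERVER, CLIENT = "192.0.2.10", "192.0.2.55"  # constructed addresses for the example
POLICY = [
    Filter("block all", ANY, ANY, ANY, ANY, "block"),
    Filter("permit AV port 5400", ANY, SERVER, "TCP", 5400, "permit"),
]

if __name__ == "__main__":
    print(decide(POLICY, CLIENT, 3312, SERVER, 5400, "TCP"))  # permit: fixed server port
    print(decide(POLICY, SERVER, 5400, CLIENT, 3312, "TCP"))  # permit: mirrored reply
    print(decide(POLICY, CLIENT, 1088, SERVER, 1041, "TCP"))  # block: Winsock-assigned port
```

The third case is the situation Bill describes: a static filter cannot name "the CAC service", only a port, so whatever port Winsock hands the service after a reboot falls under the block-all rule.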
