Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question

From: Eric Chamberlain (eric_james_chamberlain_at_hotmail.com)
Date: 07/26/03


Date: Fri, 25 Jul 2003 19:46:02 -0700


Search for RPC Dynamic ports in the knowledge base. It is a configurable
setting in the registry and allows you to limit the ports dynamically used
by RPC. Microsoft recommends 20 ports, I usually set a block of 100 IANA
unassigned ports. Then set up your IPSEC filters to leave those ports open
for the IP addresses that are allowed to connect.

"Bill Tomlinson" <BT@royce.biz> wrote in message
news:eSFXLZwUDHA.1952@TK2MSFTNGP11.phx.gbl...
> Mark,
>
> Thanks for your response.
>
> I think I understand what you are saying here.
>
> I am still confused about a particular situation that I have with my
> Anti-Virus Software (AVS).
>
> My AVS has built in to it a Central Administration Console (CAC), which is
> very effective in reducing trips to individual workstations and servers for
> configurations, virus scans etc.. As part of this CAC it uses an executable
> that is a service that is initiated during machine boot/startup and is
> assigned a random port from Winsock that it uses until the machine is
> re-booted again. This service is used to communicate with the other servers
> in the network, and as such uses the concept of "discovery" to allow the
> console to manage other servers. Without this central console I will not be
> able to manage other servers, and clients in a central fashion.
>
> Now I can see how you could allow for ANY client port or address in an IPSec
> filter, to come into a specific server port, but in this case I do not know
> the port that is being assigned to the service on the server until the
> Winsock has assigned it a port, and that port could change each time the
> server is re-booted.
>
> The engineers at the anti virus company have suggested to me that the IPSec
> needs to be able to allow or block traffic to a service rather than a
> specific port in order to work in a practical manner.
>
> Do you know if the W2k Server's IPSec can be configured to allow or block
> services?
>
> Without this capability I don't see how you could effectively create an
> IPSec packet filter that would work without extensive effort to determine
> the port for each of these types of services each time you re-boot your
> server.
>
> It would appear that the concept of random port assignment is one born from
> necessity, there are a finite number of ports 65,500 or so, and a
> potentially infinite amount of services or applications that need ports to
> communicate through.
>
> Thanks
>
> Bill
>
> "Mark Swift [MSFT]" <mswift@online.microsoft.com> wrote in message
> news:OuF9FFuUDHA.1928@TK2MSFTNGP12.phx.gbl...
> > Hi Bill,
> >
> > Good questions.
> >
> > You can't do what you want to do dynamically/temporarily. But you can create
> > an IPSec policy that should be sufficiently restrictive for your purposes.
> >
> > This is your traffic profile:
> > Client's Source port is ANY
> > Client's IP Address is ANY
> > Server's port is a known fixed port (I'll pick 5400 as an example)
> > Server's IP Address is a known fixed IP address.
> > Application uses TCP as its protocol.
> >
> > So the Client and Server can have the following policy:
> > Block All traffic
> > Permit Any IP Address port Any to Server's IP Address port 5400 protocol TCP
> >
> > This policy should be sufficiently restrictive on the Client (The peer has
> > to be the Server, the peer's port has to be 5400 and the protocol has to be
> > TCP). Although the Server will be wide open to all machines communicating with
> > TCP from all ports.
> >
> > Fixed Port Callback Delivery is not a generic Windows technique that can be
> > applied to any application. The Client/Server application vendor needs to
> > add this functionality to their application.
> >
> > If you want to get more paranoid, and you know the exact time (or window)
> > that the AV clients talk to the AV server, you could write a script that
> > sets the above policy during that window of time, then deletes the policy
> > after the window. But you probably want the AV clients to be able to talk to
> > the AV servers all the time in case of an attack.
> >
> > I hope this answers your questions or at least gets us closer :)
> >
> > --
> > Mark Swift
> > Microsoft/Windows/Networking/Secure Network Services/IP Security
> > Software Test Engineer
> >
>
> > --------------------------------------------------------------------------
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples is subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> > --------------------------------------------------------------------------
> >
> >
> >
> > "Bill Tomlinson" <BT@royce.biz> wrote in message
> > news:OhT0PUtUDHA.1484@TK2MSFTNGP12.phx.gbl...
> > > Cherry,
> > >
> > > Thank you for your response.
> > >
> > > I am still confused about the "random" nature of port assignment that this
> > > anti-virus and other applications utilize in their programming.
> > >
> > > If an application calls the Remote Procedure Call and asks for any available
> > > port above 1025, then how can I create an IPSec filter that blocks all
> > > traffic to ports that are not specifically configured, (such as those above
> > > port 1025), and also allows these kinds of applications to function? The
> > > assumption here is that if you don't block all traffic to ports that are not
> > > specifically configured to allow traffic to pass, that the filter is not a
> > > filter at all.
> > >
> > > I would like to re-state that this question concerns my Local Area Network,
> > > and using IPSec to create a packet filter for the LAN. What I have heard is
> > > that IPSec packet filtering in a LAN is not recommended because applications
> > > such as my anti-virus product are designed to depend on "random" ports being
> > > available on request, and this is in direct conflict with blocking all ports
> > > that are not specifically configured ahead of time.
> > >
> > > The question could be restated as: "Are IPSec packet filters only practical
> > > on the WAN side of your router?" OR "Is it recommended by Microsoft to
> > > secure your LAN using the IPSec rules/filters that are configured to request
> > > or require negotiated secure connections without using IPSec packet
> > > filtering?"
> > >
> > > I have read about the "dynamic" block policy for a specific Protocol and
> > > Port, but this also appears to be a CATCH-22. If the port is assigned
> > > randomly, and there could be multiple applications requesting a random port
> > > via RPC, then how do you know which specific ports to configure statically
> > > or dynamically for these applications?
> > >
> > > I have read the white paper: "Instant Message Polling and Fixed Port
> > > Callback Delivery," in this paper the method of configuring Fixed Port
> > > Callback Delivery appears to be specifically programmed into SP1 of Exchange
> > > 2000 and clients, does this imply that other software vendors could also
> > > design these features into their products to allow for Fixed Port Callback
> > > Delivery, or is this a generic technique that can be applied to any
> > > application that needs random port assignments?
> > >
> > > What I am looking for is an IPSec rule that could allow a known application
> > > to request a random port, that could then be 'dynamically' "allowed" for
> > > that connection's lifetime only, and then blocked again after the connection
> > > is no longer in use (sounds a bit like fixed port callback to me).
> > >
> > > In my test network, I currently have no IPSec rules/filters 'assigned' and I
> > > am concerned that using the IPSec Filtering (which by definition means that
> > > there is no security negotiation, just blocking and allowing certain ports
> > > to function) with the recommended ports open, and blocking all others will
> > > cause these "randomly" assigned ports to be blocked, causing the
> > > applications to fail.
> > >
> > > I must be missing the point somewhere, is there any way you could explain
> > > how to determine a packet filter for ports that are assigned randomly for me
> > > in more basic terminology?
> > >
> > > Thanks
> > >
> > > Bill
> > >
> > > "Cherry Qian (msft)" <cherryq@online.microsoft.com> wrote in message
> > > news:SwWHWzoUDHA.2144@cpmsftngxa06.phx.gbl...
> > > > Hi Bill,
> > > >
> > > > Thank you for the posting. As you indicated you would like to configure a
> > > > W2k server IPSec Packet Filter for your LAN to handle an anti-virus
> > > > software application where the clients send "ping-packs" to the server on
> > > > any port above 1025 without unblocking all the ports above 1025.
> > > >
> > > > Fixed Port callback delivery is a restrictive delivery mechanism, in which
> > > > the port values can range from 1025 to 65535. IPSec filtering rules can be
> > > > used to help protect Windows 2000-based computers from network-based
> > > > attacks from threats such as viruses and worms.
> > > >
> > > > To filter a particular protocol and port combination for both inbound and
> > > > outbound network traffic. It includes steps to determine if there are any
> > > > IPSec policies currently assigned to a Windows 2000-based computer, steps
> > > > to create and assign a new IPSec policy, and steps to unassign and delete
> > > > an IPSec
> > > >
> > > > Determine Whether an IPSec Policy Is Assigned
> > > > Create a Static Policy to Block Traffic
> > > > Add a Block Rule for a Specific Protocol and Port
> > > > Add a Dynamic Block Policy for a Specific Protocol and Port
> > > > IPSec Filtering Rules and Group Policy
> > > > Unassign and Delete an IPSec Policy
> > > > Apply Your New Filter Rule to All Protocols and Ports
> > > > Application of IPSec Filter Rules upon Computer Restart
> > > >
> > > > As for detailed step-by-step process, please refer to this knowledge base
> > > > article:
> > > >
> > > > 813878 How to Block Specific Network Protocols and Ports by Using IPSec
> > > > http://support.microsoft.com/?id=813878
> > > >
> > > > Hope the above information and suggestion helps and answers your question.
> > > > If anything is unclear, please let me know.
> > > >
> > > > Sincerely,
> > > >
> > > > Cherry Qian
> > > > MCSE2000, MCSA2000, MCDBA2000
> > > > Microsoft Partner Online Support
> > > >
> > > >
> > > > Get Secure! - www.microsoft.com/security
> > > >
> > > > ====================================================
> > > > When responding to posts, please Reply to Group via your newsreader so
> > > > that others may learn and benefit from your issue.
> > > > ====================================================
> > > > This posting is provided AS IS with no warranties, and confers no rights.
> > > >
> > >
> > >
> >
> >
>
>
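The two policies discussed in this thread, Mark's "block all, permit Any -> Server:5400/TCP" and Eric's refinement of confining RPC to a fixed port block that is opened only to the management console addresses, can be checked against concrete packets with a small model of Windows 2000 static IPSec filtering. The following is an added example, not code from any poster or from Microsoft. It relies on two facts about Windows IPSec: filters are weighted by specificity, so the most specific matching filter decides and a narrow PERMIT overrides a catch-all BLOCK, and a Windows 2000 filter names a single port, so a port block means one filter per port. The server address, the console addresses and the 100-port block 50000-50099 are constructed values; the registry location Eric refers to is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet (values Ports, PortsInternetAvailable and UseInternetPorts). One caveat for Bill's case: that registry value only governs ports handed out by the RPC endpoint mapper; a service that binds its own Winsock socket to port 0 is not constrained by it, so confirm how the AV service obtains its port (netstat on the server after a reboot, or the vendor's documentation) before relying on the range.

```python
"""Toy model of Windows 2000 static IPSec packet filtering (permit/block only,
no negotiation). Constructed example for the thread above, not Microsoft code.

Modelled behaviour: the most specific matching filter wins, and each filter
names exactly one port. Addresses and the RPC port block are made up."""
from dataclasses import dataclass
from typing import List, Optional, Set

ANY = None  # wildcard: the console's "Any IP Address" / "Any port" / "Any protocol"


@dataclass(frozen=True)
class Packet:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Filter:
    src_addr: Optional[str]
    src_port: Optional[int]
    dst_addr: Optional[str]
    dst_port: Optional[int]
    proto: Optional[str]
    action: str  # "PERMIT" or "BLOCK"

    def _fields(self):
        return (self.src_addr, self.src_port, self.dst_addr, self.dst_port, self.proto)

    def matches(self, pkt: Packet) -> bool:
        actual = (pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port, pkt.proto)
        return all(want is ANY or want == got for want, got in zip(self._fields(), actual))

    def specificity(self) -> int:
        # Number of concrete (non-wildcard) fields; the highest count wins.
        return sum(f is not ANY for f in self._fields())


def decide(policy: List[Filter], pkt: Packet) -> str:
    """Return PERMIT or BLOCK for one inbound packet (filter mirroring ignored)."""
    hits = [f for f in policy if f.matches(pkt)]
    if not hits:
        return "PERMIT"  # traffic matched by no filter is left alone by IPSec
    return max(hits, key=Filter.specificity).action


SERVER = "192.0.2.10"  # constructed AV server address


def mark_policy(server: str) -> List[Filter]:
    """Mark's policy: block everything, permit Any -> server:5400/TCP."""
    return [
        Filter(ANY, ANY, ANY, ANY, ANY, "BLOCK"),
        Filter(ANY, ANY, server, 5400, "TCP", "PERMIT"),
    ]


def rpc_range_policy(server: str, rpc_ports: range, consoles: Set[str]) -> List[Filter]:
    """Eric's refinement: RPC confined to a fixed block via the registry value
    HKLM\\SOFTWARE\\Microsoft\\Rpc\\Internet\\Ports, and that block permitted
    only from the management console addresses."""
    policy = mark_policy(server)
    for console in sorted(consoles):
        for port in rpc_ports:  # one filter per port: a W2K filter takes a single port
            policy.append(Filter(console, ANY, server, port, "TCP", "PERMIT"))
    return policy


RPC_PORTS = range(50000, 50100)  # constructed block of 100 unassigned ports
CONSOLES = {"192.0.2.20", "192.0.2.21"}  # constructed console addresses


def port_reachable(policy: List[Filter], client: str, port: int, proto: str = "TCP") -> bool:
    """Would a client's connection attempt to the server's listening port get through?"""
    return decide(policy, Packet(client, 40000, SERVER, port, proto)) == "PERMIT"


if __name__ == "__main__":
    static = mark_policy(SERVER)
    confined = rpc_range_policy(SERVER, RPC_PORTS, CONSOLES)
    # 3117 stands in for a port Winsock handed the AV service at boot, outside any range.
    for label, policy in (("block-all + 5400", static), ("+ RPC block", confined)):
        print(label)
        print("  console  -> 5400/TCP :", port_reachable(policy, "192.0.2.20", 5400))
        print("  console  -> 3117/TCP :", port_reachable(policy, "192.0.2.20", 3117))
        print("  console  -> 50042/TCP:", port_reachable(policy, "192.0.2.20", 50042))
        print("  stranger -> 50042/TCP:", port_reachable(policy, "10.0.0.5", 50042))
```

Running the script shows the point of the thread directly: under Mark's policy a port the service picked at boot (3117 here) is blocked however the client is configured, while with RPC pinned to the block and the block opened only to the console addresses, the console reaches 50042 and an unknown host does not. Opening two hundred per-port filters is the price of Eric's 100-port block on Windows 2000, which is why the 20 ports Microsoft recommends are usually enough.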


