Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question
From: Eric Chamberlain (eric_james_chamberlain_at_hotmail.com)
Date: 07/26/03
- Next message: Eric Chamberlain: "Re: locking down command.com"
- Previous message: Eric Chamberlain: "Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question"
- In reply to: Bill Tomlinson: "Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question"
- Next in thread: Cherry Qian: "Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Jul 2003 19:47:53 -0700
I forgot to add that I wrote a script that can make the registry changes:
http://calnetad.berkeley.edu/documentation/technical/configuration_files/rpc_ports_reg/index.html
"Bill Tomlinson" <BT@royce.biz> wrote in message
news:eSFXLZwUDHA.1952@TK2MSFTNGP11.phx.gbl...
> Mark,
>
> Thanks for your response.
>
> I think I understand what you are saying here.
>
> I am still confused about a particular situation that I have with my
> Anti-Virus Software (AVS).
>
> My AVS has built into it a Central Administration Console (CAC), which is
> very effective in reducing trips to individual workstations and servers for
> configurations, virus scans etc. As part of this CAC it uses an executable
> that is a service that is initiated during machine boot/startup and is
> assigned a random port from Winsock that it uses until the machine is
> re-booted again. This service is used to communicate with the other servers
> in the network, and as such uses the concept of "discovery" to allow the
> console to manage other servers. Without this central console I will not be
> able to manage other servers, and clients in a central fashion.
>
> Now I can see how you could allow for ANY client port or address in an IPSec
> filter, to come into a specific server port, but in this case I do not know
> the port that is being assigned to the service on the server until the
> Winsock has assigned it a port, and that port could change each time the
> server is re-booted.
>
> The engineers at the anti virus company have suggested to me that the IPSec
> needs to be able to allow or block traffic to a service rather than a
> specific port in order to work in a practical manner.
>
> Do you know if the W2k Server's IPSec can be configured to allow or block
> services?
>
> Without this capability I don't see how you could effectively create an
> IPSec packet filter that would work without extensive effort to determine
> the port for each of these types of services each time you re-boot your
> server.
>
> It would appear that the concept of random port assignment is one born from
> necessity, there are a finite number of ports 65,500 or so, and a
> potentially infinite amount of services or applications that need ports to
> communicate through.
>
> Thanks
>
> Bill
>
> "Mark Swift [MSFT]" <mswift@online.microsoft.com> wrote in message
> news:OuF9FFuUDHA.1928@TK2MSFTNGP12.phx.gbl...
> > Hi Bill,
> >
> > Good questions.
> >
> > You can't do what you want to do dynamically/temporarily. But you can create
> > an IPSec policy that should be sufficiently restrictive for your purposes.
> >
> > This is your traffic profile:
> > Client's Source port is ANY
> > Client's IP Address is ANY
> > Server's port is a known fixed port (I'll pick 5400 as an example)
> > Server's IP Address is a known fixed IP address.
> > Application uses TCP as its protocol.
> >
> > So the Client and Server can have the following policy:
> > Block All traffic
> > Permit Any IP Address port Any to Server's IP Address port 5400 protocol TCP
> >
> > This policy should be sufficiently restrictive on the Client (The peer has
> > to be the Server, the peer's port has to be 5400 and the protocol has to be
> > TCP). Although the Server will be wide open to all machines communicating with
> > TCP from all ports.
> >
> > Fixed Port Callback Delivery is not a generic Windows technique that can be
> > applied to any application. The Client/Server application vendor needs to
> > add this functionality to their application.
> >
> > If you want to get more paranoid, and you know the exact time (or window)
> > that the AV clients talk to the AV server, you could write a script that
> > sets the above policy during that window of time, then deletes the policy
> > after the window. But you probably want the AV clients to be able to talk to
> > the AV servers all the time in case of an attack.
> >
> > I hope this answers your questions or at least gets us closer :)
> >
> > --
> > Mark Swift
> > Microsoft/Windows/Networking/Secure Network Services/IP Security
> > Software Test Engineer
> >
> >
> > -------------------------------------------------------------------------------
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples is subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> > -------------------------------------------------------------------------------
> >
> >
> >
> > "Bill Tomlinson" <BT@royce.biz> wrote in message
> > news:OhT0PUtUDHA.1484@TK2MSFTNGP12.phx.gbl...
> > > Cherry,
> > >
> > > Thank you for your response.
> > >
> > > I am still confused about the "random" nature of port assignment that this
> > > anti-virus and other applications utilize in their programming.
> > >
> > > If an application calls the Remote Procedure Call and asks for any available
> > > port above 1025, then how can I create an IPSec filter that blocks all
> > > traffic to ports that are not specifically configured, (such as those above
> > > port 1025), and also allows these kinds of applications to function? The
> > > assumption here is that if you don't block all traffic to ports that are not
> > > specifically configured to allow traffic to pass, that the filter is not a
> > > filter at all.
> > >
> > > I would like to re-state that this question concerns my Local Area Network,
> > > and using IPSec to create a packet filter for the LAN. What I have heard is
> > > that IPSec packet filtering in a LAN is not recommended because applications
> > > such as my anti-virus product are designed to depend on "random" ports being
> > > available on request, and this is in direct conflict with blocking all ports
> > > that are not specifically configured ahead of time.
> > >
> > > The question could be restated as: "Are IPSec packet filters only practical
> > > on the WAN side of your router?" OR "Is it recommended by Microsoft to
> > > secure your LAN using the IPSec rules/filters that are configured to request
> > > or require negotiated secure connections without using IPSec packet
> > > filtering?"
> > >
> > > I have read about the "dynamic" block policy for a specific Protocol and
> > > Port, but this also appears to be a CATCH-22. If the port is assigned
> > > randomly, and there could be multiple applications requesting a random port
> > > via RPC, then how do you know which specific ports to configure statically
> > > or dynamically for these applications?
> > >
> > > I have read the white paper: "Instant Message Polling and Fixed Port
> > > Callback Delivery," in this paper the method of configuring Fixed Port
> > > Callback Delivery appears to be specifically programmed into SP1 of Exchange
> > > 2000 and clients, does this imply that other software vendors could also
> > > design these features into their products to allow for Fixed Port Callback
> > > Delivery, or is this a generic technique that can be applied to any
> > > application that needs random port assignments?
> > >
> > > What I am looking for is an IPSec rule that could allow a known application
> > > to request a random port, that could then be 'dynamically' "allowed" for
> > > that connection's lifetime only, and then blocked again after the connection
> > > is no longer in use (sounds a bit like fixed port callback to me).
> > >
> > > In my test network, I currently have no IPSec rules/filters 'assigned' and I
> > > am concerned that using the IPSec Filtering (which by definition means that
> > > there is no security negotiation, just blocking and allowing certain ports
> > > to function) with the recommended ports open, and blocking all others will
> > > cause these "randomly" assigned ports to be blocked, causing the
> > > applications to fail.
> > >
> > > I must be missing the point somewhere, is there any way you could explain
> > > how to determine a packet filter for ports that are assigned randomly for me
> > > in more basic terminology?
> > >
> > > Thanks
> > >
> > > Bill
> > >
> > > "Cherry Qian (msft)" <cherryq@online.microsoft.com> wrote in message
> > > news:SwWHWzoUDHA.2144@cpmsftngxa06.phx.gbl...
> > > > Hi Bill,
> > > >
> > > > Thank you for the posting. As you indicated you would like to configure a
> > > > W2k server IPSec Packet Filter for your LAN to handle an anti-virus
> > > > software application where the clients send "ping-packs" to the server on
> > > > any port above 1025 without unblocking all the ports above 1025.
> > > >
> > > > Fixed Port callback delivery is a restrictive delivery mechanism, in which
> > > > the port values can range from 1025 to 65535. IPSec filtering rules can be
> > > > used to help protect Windows 2000-based computers from network-based
> > > > attacks from threats such as viruses and worms.
> > > >
> > > > The following covers how to filter a particular protocol and port
> > > > combination for both inbound and outbound network traffic. It includes
> > > > steps to determine if there are any IPSec policies currently assigned to a
> > > > Windows 2000-based computer, steps to create and assign a new IPSec policy,
> > > > and steps to unassign and delete an IPSec policy.
> > > >
> > > > Determine Whether an IPSec Policy Is Assigned
> > > > Create a Static Policy to Block Traffic
> > > > Add a Block Rule for a Specific Protocol and Port
> > > > Add a Dynamic Block Policy for a Specific Protocol and Port
> > > > IPSec Filtering Rules and Group Policy
> > > > Unassign and Delete an IPSec Policy
> > > > Apply Your New Filter Rule to All Protocols and Ports
> > > > Application of IPSec Filter Rules upon Computer Restart
> > > >
> > > > As for detailed step-by-step process, please refer to this knowledge base
> > > > article:
> > > >
> > > > 813878 How to Block Specific Network Protocols and Ports by Using IPSec
> > > > http://support.microsoft.com/?id=813878
> > > >
> > > > Hope the above information and suggestion helps and answers your question.
> > > > If anything is unclear, please let me know.
> > > >
> > > > Sincerely,
> > > >
> > > > Cherry Qian
> > > > MCSE2000, MCSA2000, MCDBA2000
> > > > Microsoft Partner Online Support
> > > >
> > > >
> > > > Get Secure! - www.microsoft.com/security
> > > >
> > > > ====================================================
> > > > When responding to posts, please Reply to Group via your newsreader so
> > > > that others may learn and benefit from your issue.
> > > > ====================================================
> > > > This posting is provided AS IS with no warranties, and confers no rights.
> > > >
> > >
> > >
> >
> >
>
>
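An added example, not code from anyone in this thread: a small Python model of how a Windows 2000 IPSec policy of the kind Mark describes is evaluated (most specific matching filter wins, which is why "block all" and a narrow "permit" coexist), and how pinning the RPC dynamic port range in the registry, which is what Eric's script is for, turns the random-port problem into a short list of permit filters. The server address, client address, ports and the port range are constructed assumptions.

```python
"""Model of the Windows 2000 IPSec filter behaviour discussed in this thread.
When several filters match a packet the most specific one wins, which is what
lets a broad "block all" and a narrow "permit" filter coexist, as Mark
describes.  Server address, sample traffic and RPC range are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard value for a filter field

@dataclass(frozen=True)
class Filter:
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    proto: Optional[str]
    action: str  # "permit" or "block"

    def fields(self):
        return (self.src_ip, self.dst_ip, self.dst_port, self.proto)

    def matches(self, pkt):
        # pkt is (src_ip, dst_ip, dst_port, proto); ANY matches anything
        return all(f is ANY or f == v for f, v in zip(self.fields(), pkt))

    def specificity(self):
        return sum(f is not ANY for f in self.fields())  # non-wildcard count

def decide(policy, pkt):
    """Action of the most specific matching filter; block if nothing matches."""
    hits = [f for f in policy if f.matches(pkt)]
    return max(hits, key=Filter.specificity).action if hits else "block"

SERVER = "10.0.0.5"  # assumed address of the AV management server

def marks_policy():
    """Block all, then permit Any -> SERVER:5400/TCP (Mark's proposal)."""
    return [Filter(ANY, ANY, ANY, ANY, "block"),
            Filter(ANY, SERVER, 5400, "TCP", "permit")]

def fixed_rpc_range_policy(low, high):
    """Mark's policy plus one permit per port of an RPC dynamic range that has
    been pinned down in the registry (the point of Eric's script).  Windows 2000
    filters take a single port or Any, so a small range keeps this manageable."""
    return marks_policy() + [Filter(ANY, SERVER, p, "TCP", "permit")
                             for p in range(low, high + 1)]

if __name__ == "__main__":
    for port in (5400, 6123):  # fixed service port vs. a random Winsock port
        print(port, decide(marks_policy(), ("10.0.0.20", SERVER, port, "TCP")))
```

Run stand-alone it prints that 5400 is permitted and a random port such as 6123 is blocked, which is exactly the gap Bill describes for a service that binds a fresh Winsock port at every boot.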