Re: IPSec Security
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Jan 2006 01:52:30 -0600
I was proposing that he allow only inbound file and print sharing to 172
from whatever networks he wanted in the permit rule, which would of course not
include 192. My understanding is that mirroring only allows return traffic
for the filter entry, so in this case the traffic permitted from any port to
port 139 on the server would also be permitted from port 139 on the
server to any port on the client computer. --- Steve
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:enxkrPkIGHA.1876@xxxxxxxxxxxxxxxxxxxxxxx
> To hinder the browsing behavior on the machine that is not to be
> browsed the registry value Hidden dword 1 and Announce dword 0
> could help. If I am recalling correctly these are in the
> services/lanmanserver
> perhaps lanmanserver/parameters key of HKLM.
>
> I do not see how the proposed filter rules would accomplish what
> the poster is after, as the two mirrored rules outlined seem to only
> disallow SMB and direct hosting from/to/with any IP except for
> the desired subnet (the 192.168 . . .) and with that would allow
> both ways. What did I miss here?
>
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:%23%23bydNjIGHA.3408@xxxxxxxxxxxxxxxxxxxxxxx
>> On the computers on network 172.18.6.100 create an IPsec policy that has
>> a mirrored rule for filter action block for the ports you mention for all
>> IP addresses and then create a rule for the allowed subnets with a permit
>> filter action. For computers on 172.18.6.100 you would want to use
>> destination ports as SMB 13x ports, protocols as needed, and 445 and
>> destination address as "my IP". The link may help in setting up IPsec
>> filtering policy. Note that this may not stop "browsing", which is largely
>> broadcast based, but should prevent access to the share from blocked
>> networks. Of course share/NTFS permissions should also be configured so
>> as to not allow unauthorized users/groups access. --- Steve
>>
>> http://www.securityfocus.com/infocus/1559
>>
>> <bucrepus> wrote in message news:OvpnONSIGHA.2696@xxxxxxxxxxxxxxxxxxxxxxx
>>> For the sake of simplicity, I have 2 XP stations and 1 Win2003 server as
>>> router with 2 NICs. (Actually I have numerous machines on each side
>>> subnet.)
>>> XP station1 on 172.18.6.100 and XP 2 on 192.168.0.100. One server NIC
>>> 172.18.6.1 and the other 192.168.0.1. I want to be able to copy / browse
>>> files from XP1 to XP2, but NOT allow XP2 to browse / see any machines on
>>> XP1's side. I have tried using IPSec to block the SMB 13x ports and 445,
>>> but can't seem to get the right combo. Any ideas? In other words, I don't want
>>> anyone on XP2 to be able to go to the run box and type \\XP1 or
>>> \\172.18.6.100 and get a browse window or share list. (One way copy /
>>> list)
>>> Thanks
>>> Bucrepus
>>>
>>>
>>>
>>
>>
>
>
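Added example, not posted by anyone in this thread: a netsh script for XP1 (172.18.6.100) that implements the two-rule design Steve describes (a mirrored block rule for SMB ports from any address, plus a more specific permit rule for the trusted subnet) and ends with the LanmanServer "Hidden" value Roger mentions. It assumes Windows XP SP2 or Server 2003, where the "netsh ipsec static" context exists, an administrator command prompt, and that the 172.18.6.0/24 side is the only trusted subnet; the policy, filter list and rule names are made up here. Only TCP 139 and 445 are filtered, matching the ports the thread mentions; the UDP 137/138 broadcast traffic that drives browse-list announcements is deliberately left alone, which is why this blocks share access but not browsing, exactly as Steve notes.

```batch
@echo off
rem Added example for the IPsec thread above, not code from any poster.
rem Target: XP1 at 172.18.6.100. Requires "netsh ipsec static" (XP SP2 / Server 2003).

set POLICY=SMB one-way

rem 1. Policy container (created unassigned; assigned in the last step).
netsh ipsec static add policy name="%POLICY%" description="Block inbound SMB except from the 172.18.6.0/24 side"

rem 2. Filter list: inbound SMB to this host from ANY address.
rem    mirrored=yes adds the reverse filter (me:139/445 -> any), so a permit on a
rem    list like this also covers the server's replies. A connection XP1 itself
rem    opens to port 445 on 192.168.0.100 has src=me with an ephemeral source port
rem    and matches neither direction, so XP1 -> XP2 copying keeps working.
netsh ipsec static add filterlist name="SMB in from any"
for %%P in (139 445) do netsh ipsec static add filter filterlist="SMB in from any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes

rem 3. Filter list: the same ports, but only from the trusted 172.18.6.0/24 subnet.
rem    Windows IPsec applies the most specific matching filter, so this list
rem    takes precedence over the "any" list for hosts on the 172 side.
netsh ipsec static add filterlist name="SMB in from 172"
for %%P in (139 445) do netsh ipsec static add filter filterlist="SMB in from 172" srcaddr=172.18.6.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=yes

rem 4. Filter actions.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 5. Rules tying each list to its action inside the policy.
netsh ipsec static add rule name="Block SMB from anywhere" policy="%POLICY%" filterlist="SMB in from any" filteraction="Block"
netsh ipsec static add rule name="Permit SMB from 172" policy="%POLICY%" filterlist="SMB in from 172" filteraction="Permit"

rem 6. Assign the policy (only one static policy is assigned at a time).
netsh ipsec static set policy name="%POLICY%" assign=y

rem 7. Show what was built. To test, run "net view \\172.18.6.100" from XP2:
rem    it should fail, while the same command from another 172.18.6.x host succeeds.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 8. Roger's registry tweak: keep XP1 out of the browse list. This is the
rem    documented setting behind "net config server /hidden:yes"; it only hides
rem    the name from browsing and blocks nothing, so it complements the IPsec policy.
reg add HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v Hidden /t REG_DWORD /d 1 /f
```

Two checks worth doing after running it: confirm that share/NTFS permissions still deny unauthorized users as Steve recommends, since IPsec filtering is a network-layer control and not a substitute for them, and remember that a share on XP1 also becomes unreachable from 192.168.0.x by IP address, not just by name, which is the one-way behaviour bucrepus asked for.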