Re: IPsec - locking down Windows 2003

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/27/04

  • Next message: Robert Moir: "Re: Rewriting the MSGINA.DLL"
    Date: Sat, 27 Mar 2004 08:06:08 -0700
    
    

    Lee,

    Understanding the exact effect of mirroring can be a
    little tricky. For the simple filtering you are after one
    can set it up without use of filtering if you are not
    concerned about controlling outbound traffic tightly.

    comments inline below

    -- 
    Roger
    "Lee Atkinson" <leeatkinsonlincs@hotmail.com> wrote in message
    news:ab5f9e77.0403250703.5038a2c4@posting.google.com...
    > Hi Roger
    >
    > My understanding of the mirrored attribute is that it allows the
    > 'return packets'. Therefore, yes, I do not need to mirror the blocking
    > of inbound packets.
    >
    OK, so assume you have a block all inbound rule
    I usually add a block all inbound protocol TCP and another for UDP
    since I will be adding some other rules that are TCP or UDP specific
    (even though this is supposedly unneeded, I do it to protect myself from
    myself, given the "more specific rule rules" rule)
    > However, I do need to mirror the acceptable inbound traffic and
    > outbound traffic.
    not necessarily
    If by the above you have blocked (unmirrored) inbound, then you so
    far do not need to provide an allow rule for outbound.
    So, if you allow inbound from any to TCP 80/443 to IPs where you
    have bound web content (or all using My IP Address, but I use multiple
    rules per IP where I have bound web servicing since I need another IP
    with NetBIOS for access only by production services - the backup
    in specific requires NetBT support)
    this allow inbound TCP 80/443 does not need to be mirrored as the
    rules already allow all outbound.
    However, some outbound such as for DNS, NTP, SMTP will need
    mirrored rules, since although originated on your box, the rules so
    far have not allowed for return.  On these you can use mirrored rules
    that specify the outside service host by IP/protocol/port (DNS often
    needs to be more loose and provide for both TCP and UDP)
    >
    > But as well as allowing return traffic, would the mirror on the
    > outbound rule allow newly initiated packets from the outside (as long
    > as they were coming from the remote host's port 80)?
    That is where you need to be careful with mirrored rules.
    One can accidentally define circumstances like you mention all too
    easily when using mirrored rules.  You really need to think it out.
    >
    > Many thanks
    >
    > Lee
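
The rule set Roger sketches above, written out as an added netsh example for Windows Server 2003 (this is not part of the original thread and not Roger's or Lee's own commands). The policy name "WebLockdown", the web-bound address 192.0.2.10 and the DNS/NTP/SMTP hosts 192.0.2.53, 192.0.2.123 and 192.0.2.25 are assumed placeholders; substitute your own. Windows 2003 IPsec filters are stateless, so "mirrored=yes" simply adds the reversed filter, which is why the inbound blocks and the inbound web permit are left unmirrored and only the host-originated services get mirrored, host-pinned filters:

```batch
@echo off
rem Added example, not from the original post. Assumed placeholders:
rem policy "WebLockdown", web IP 192.0.2.10, DNS 192.0.2.53, NTP 192.0.2.123,
rem SMTP 192.0.2.25 (documentation addresses, constructed for illustration).

set POL=WebLockdown
netsh ipsec static add policy name="%POL%" description="Inbound default-deny for a 2003 web host" assign=no

rem Filter actions used by every rule below
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem 1. Block all inbound TCP and all inbound UDP, unmirrored.
rem    Nothing restricts outbound, so these need no mirror.
netsh ipsec static add filterlist name="Inbound TCP all"
netsh ipsec static add filter filterlist="Inbound TCP all" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=0 mirrored=no
netsh ipsec static add filterlist name="Inbound UDP all"
netsh ipsec static add filter filterlist="Inbound UDP all" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=0 mirrored=no
netsh ipsec static add rule name="Block inbound TCP" policy="%POL%" filterlist="Inbound TCP all" filteraction="Block"
netsh ipsec static add rule name="Block inbound UDP" policy="%POL%" filterlist="Inbound UDP all" filteraction="Block"

rem 2. Permit inbound 80/443 to the web-bound IP only, unmirrored.
rem    The more specific permit wins over the block; replies are outbound and already allowed.
netsh ipsec static add filterlist name="Inbound web"
netsh ipsec static add filter filterlist="Inbound web" srcaddr=any dstaddr=192.0.2.10 protocol=tcp srcport=0 dstport=80 mirrored=no
netsh ipsec static add filter filterlist="Inbound web" srcaddr=any dstaddr=192.0.2.10 protocol=tcp srcport=0 dstport=443 mirrored=no
netsh ipsec static add rule name="Permit inbound web" policy="%POL%" filterlist="Inbound web" filteraction="Permit"

rem 3. Mirrored permits for traffic this host originates. The mirror is what lets
rem    the reply back in past rule 1. Pin the remote host and port: a mirrored
rem    "me -> any:80" would equally permit unsolicited inbound from any host's port 80.
netsh ipsec static add filterlist name="Outbound services"
netsh ipsec static add filter filterlist="Outbound services" srcaddr=me dstaddr=192.0.2.53 protocol=udp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="Outbound services" srcaddr=me dstaddr=192.0.2.53 protocol=tcp srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filter filterlist="Outbound services" srcaddr=me dstaddr=192.0.2.123 protocol=udp srcport=0 dstport=123 mirrored=yes
netsh ipsec static add filter filterlist="Outbound services" srcaddr=me dstaddr=192.0.2.25 protocol=tcp srcport=0 dstport=25 mirrored=yes
netsh ipsec static add rule name="Permit outbound services" policy="%POL%" filterlist="Outbound services" filteraction="Permit"

rem Review the result before assigning; assigning replaces whatever local policy is active.
netsh ipsec static show policy name="%POL%" level=verbose
netsh ipsec static set policy name="%POL%" assign=y
```

Run it from a console session rather than over RDP or a remote shell: the moment the policy is assigned, any management session not covered by a permit is cut off. If remote administration is needed, add a further unmirrored inbound permit for that port from the management hosts only, before the assign step.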