Re: IP filtering

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/12/04


Date: Wed, 11 Feb 2004 23:52:59 -0700


"HammY" <ipfilter@mahame.co.uk> wrote in message
news:18A5103B-9BA0-4B53-8C46-5B4DA8AA2179@microsoft.com...
> I have an Internet-VPN setup using IPsec and company owned PCs will be
> using a combination of non-company LAN, broadband and dialup Internet
> access. I am happy that while the IPsec-VPN client is running that the PC
> is isolated from the Internet, but system will likely be "online" without
> the VPN-Client running :(
>
> We wish to deny all direct Internet access and only permit access to
> company service through the VPN-tunnel.
> Is the IP filtering (IPsecurity ?) facility in Windows capable of limiting
> IP connections to only IPsec, preferably to a single destination? I have
> looked at Personal Firewalls but not found one that can be restrictive.
>
> To complicate matters, we want the same XP system to have full IP
> connectivity to company LAN and WAN while directly connected to a company LAN.
>
> So, if Windows TCP/IP filtering can do it, can this only be invoked
> when a condition fails, e.g. when a repetitive DNS query to company internal
> DNS fails - invoke the filters. A reboot would be okay.
>
> Any help and suggestions welcome.
>
> John Hamilton
> Edinburgh (UK)
>

I am not aware of an off-the-shelf setting that does the kinds of
things that you indicate in your last paragraph - basically tweaking
the network settings when some triggers are detected. It could be
set to happen without too much coding . . .

However, IPsec can be used to allow full communications within
your LAN and not otherwise. This seems to make the detect and
tweak of your last paragraph unneeded.

The problems that I see in what you have outlined are
- whether MS IPsec will get along well with this IPsec/VPN
   that you are using
- how you will allow people to get their network connection
  from an ISP and tunnel over those IPs within your VPN if you
  also are going to use IPsec to refuse use of the internet. It would
  seem that they will have to use not just any provider as an ISP
  but only ones that offer VPN services for you.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
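As an added illustration of the two points in the reply above (a local IPsec policy that permits only the VPN gateway, and the "detect and tweak" probe from the original question), here is a batch script. It is not code from either poster; it assumes Windows XP SP2 / Server 2003, where the local IPsec policy is managed with `netsh ipsec static`, and the addresses and names in it (`INTERNAL_DNS`, `PROBE_NAME`, `VPN_GW`, the policy name `VPNOnly`) are placeholders to be replaced.

```batch
@echo off
rem Added example for this thread, not code from the original posts.
rem Assumes Windows XP SP2 / Server 2003 ("netsh ipsec static" manages local IPsec policy)
rem and that the third-party VPN client does not itself rely on the Windows IPsec service.
rem All addresses and names below are placeholders; substitute the real ones.

set INTERNAL_DNS=10.0.0.53
rem placeholder: company-internal DNS server, reachable only on the company LAN
set PROBE_NAME=intranet.corp.example
rem placeholder: a name that only the internal DNS server resolves
set VPN_GW=203.0.113.10
rem placeholder: public IP address of the IPsec VPN gateway
set POLICY=VPNOnly

if /i "%1"=="install" goto install
goto probe

:install
rem One-off: build a policy that blocks everything except the VPN gateway, DHCP and DNS.
rem Windows IPsec gives more specific filters precedence over general ones, so the
rem "permit" rules below override the catch-all "block".
netsh ipsec static add policy name=%POLICY% description="Permit VPN gateway only when off the company LAN"
netsh ipsec static add filteraction name=%POLICY%-Block action=block
netsh ipsec static add filteraction name=%POLICY%-Permit action=permit

netsh ipsec static add filterlist name=%POLICY%-All
netsh ipsec static add filter filterlist=%POLICY%-All srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

netsh ipsec static add filterlist name=%POLICY%-Allowed
rem the VPN gateway itself (IKE on UDP 500 is exempt from IPsec filtering by default anyway)
netsh ipsec static add filter filterlist=%POLICY%-Allowed srcaddr=Me dstaddr=%VPN_GW% protocol=ANY mirrored=yes
rem DHCP, so the ISP lease can still be obtained and renewed
netsh ipsec static add filter filterlist=%POLICY%-Allowed srcaddr=Me srcport=68 dstaddr=Any dstport=67 protocol=UDP mirrored=yes
rem DNS, so the VPN client can resolve its gateway name; drop this line if the client is configured by IP
netsh ipsec static add filter filterlist=%POLICY%-Allowed srcaddr=Me dstaddr=Any dstport=53 protocol=UDP mirrored=yes

netsh ipsec static add rule name=BlockAll policy=%POLICY% filterlist=%POLICY%-All filteraction=%POLICY%-Block
netsh ipsec static add rule name=PermitAllowed policy=%POLICY% filterlist=%POLICY%-Allowed filteraction=%POLICY%-Permit
echo Policy %POLICY% created but not assigned. Run without arguments (e.g. from a scheduled task) to probe.
goto :eof

:probe
rem The repeated probe from the original question: ask the internal DNS server for an internal name.
rem nslookup does not set a reliable exit code, so look for the "Name:" line it prints on success.
nslookup %PROBE_NAME% %INTERNAL_DNS% 2>nul | findstr /C:"Name:" >nul
if errorlevel 1 (
    echo Internal DNS not reachable: assigning restrictive policy %POLICY%
    netsh ipsec static set policy name=%POLICY% assign=y
) else (
    echo On company LAN: unassigning policy %POLICY%
    netsh ipsec static set policy name=%POLICY% assign=n
)
```

Run it once as `vpnonly.cmd install` with administrative rights, then schedule the bare script to run every few minutes. Two caveats from the reply apply directly: a policy assigned through domain Group Policy takes precedence over this local one, and if the VPN client uses the Windows IPsec service itself, assigning a second policy on top of it is exactly the "will MS IPsec get along with this VPN" question that needs testing before rollout.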

