Configuring Port range in IPsec

[Guest]

We would like to add a rule to the IPsec config with the following
specification
Ports from 10000-20000 are open for all connections from segment 10.4.90.*
Ports from 0-10000 are closed for all connections from segment 10.4.90.*

I don`t see anything in the configuration possibilities indicating that we
can specify a port range and a specify a segment.

How can I configure this roule in IPsec or some whereelse on windows 2000
advanced server ?

 

[Steven L Umbach]

You can not configure a port range in a single filter entry for an ipsec
policy. You can either use an IP address or subnet when creating a filter
entry for an ipsec rule. --- Steve

 

[Herb Martin]

You can not configure a port range in a single filter entry for an ipsec
policy. You can either use an IP address or subnet when creating a filter
entry for an ipsec rule. --- Steve

It's one of the serious weaknesses of the IPSec
filter rules.

I wrote a "generator" in Perl which builds the
IPSec rules from a table (sort of) because at
least one of my machines runs close to a 1000
rules/filter sets.

Even this is not a full solution because at a 1000
rules it can significantly impact the machines
performance for up to an hour when the rules are
re-applied.

Better would be for the filters to accept such
information and handle it efficiently.

 

[Steven L Umbach]

That is interesting. Do you know how many filters can fit into a rule and
how many rules can fit into a policy?? Some user a while back said he had so
many filters in a rule that it would not accept any more. I suggested he add
a new rule with the same filter action but never heard back from him to know
whether that worked or not. I personally never plan to add that may to find
out. --- Steve

 

[Herb Martin]

That is interesting. Do you know how many filters can fit into a rule and
how many rules can fit into a policy?? Some user a while back said he had so
many filters in a rule that it would not accept any more. I suggested he add
a new rule with the same filter action but never heard back from him to know
whether that worked or not. I personally never plan to add that may to find
out. --- Steve

I have reached no limits -- unless you are thinking
of my complaint where at about 1000 rules it was
eating up my CPU to invoke the thing -- once it was
running it was fine.

This may have been (quietly) fixed in some service
pack/hotfix.

--
Herb Martin

 

[Steve Riley [MSFT]]

Remember that IPsec is really about creating authenticated and (optionally)
encrypted security associations between a pair of computers. Given that primary
design goal, it appears that port ranges aren't something that's required.

I'm guessing that you'd like port ranges for simple block/allow rules --
using the IPsec engine as a packet filter. Is that right? Or do you have
a need for security associations with port ranges?

Steve Riley
(e-mail address removed)

 

[David Beder [MSFT]]

It sounds like you want a firewall and not really looking to use IP
security. IPSec is intended to validate traffic between two trusted peers,
either for all traffic, or maybe for select traffic used by a client/server
application. The Windows implementation does not support ranges (yet?) and
it is near impossible to create/apply a policy with individual filters for
each port (what did you want for ports 20k-64k?) both tcp and udp.

 

[Herb Martin]

Remember that IPsec is really about creating authenticated and (optionally)
encrypted security associations between a pair of computers. Given that primary
design goal, it appears that port ranges aren't something that's required.

I disagree -- that may have been the original intention,
but it allows for three actions: Pass, Block, or negotiate
actual IPSec services.

The BLOCK and PASS are not only useful without
the IPSec they are better than any other built-in (and
ubiquitous) Windows blocking mechanism.

I'm guessing that you'd like port ranges for simple block/allow rules --

For me you are largely correct.

using the IPsec engine as a packet filter. Is that right? Or do you have
a need for security associations with port ranges?

Someone might -- IPSec is vastly underutilized
by the majority of admistrators.

 

[Steven L Umbach]

I was responding to the original poster of this thread and asking Herb if he
ever topped out the list being curious. I personally have no need to built
larger filter lists. However it could be handy to be able to do such. For
instance there could be several secured servers in a domain that have an
ipsec require policy and static IP addresses and you have a group of
computers in an OU that you only want those computers to be able to access
the servers using ipsec in the 192.168.1.40 - 192.168.1.60 range. So you
want to create an ipsec policy with negotiate filter action and destination
address of 192.168.1.40 - 192.168.1.60. You of course would have to create
21 entries in the filter list for the rule for the ipsec policy. Maybe not
a big deal but would take some time and could be more prone to error. ---
Steve

 

[Herb Martin]

........... You of course would have to create
21 entries in the filter list for the rule for the ipsec policy. Maybe not
a big deal but would take some time and could be more prone to error. ---

Right you are.

Exactly why I wrote the Perl script.

I just describe who can talk to who on
which ports and the script builds all that
junk.

I have somewhere between 500-1000 rulesets
(now I think but I haven't counted it lately) and
although I can write all that IPSec, it is much
less error prone and easy to update to include
new exceptions etc if I just add an entry or
two to the Perl script and re-regenerate the
IPSecCMD or Pol stuff.

 

[Steve Riley [MSFT]]

It's our implementation that allows for three actions, not all do. We still
prefer that people use real host firewalls for block/allow; but there are
some instances where slamming an IPsec block policy on a machine might be
more effective (like to slow down the spread of a worm).

People have been requesting port ranges in the IPsec engine for a while,
but it's almost always in the context of simple block/allow rules, not in
the context of rules that negotiate security associations. Steve Umbach makes
a good point in his post about the 21 servers, but that's an IP address range,
not a port range.

We'd really be curious in hearing from people who can describe security association
scenarios where port ranges are useful.

Steve Riley
(e-mail address removed)

 

[Herb Martin]

It's our implementation that allows for three actions, not all do. We still
prefer that people use real host firewalls for block/allow; but there are
some instances where slamming an IPsec block policy on a machine might be
more effective (like to slow down the spread of a worm).

Also because it is free and built-in, supported by
Microsoft rather than another third party doodad
to add on.

People have been requesting port ranges in the IPsec engine for a while,
but it's almost always in the context of simple block/allow rules, not in
the context of rules that negotiate security associations. Steve Umbach makes
a good point in his post about the 21 servers, but that's an IP address range,
not a port range.

Address ranges would be nice too but
most of time the classical masks(*) work out.

 

[Guest]

The purpose of this filtering is to setup a secured network for backups.
So batch programs has to pass this filter without authentifications in order
to backup their data. Server has 3 network cards and one of them needs to be
secured.

Would it be better to use certificate based authentification ?

 

[Steve Riley [MSFT]]

third party doodad

Herb, have you been drinking too much MS koolaid? Save some for me, my
inventory is getting low and they've cut back on the distribution here...
hehehehehe

Steve Riley
(e-mail address removed)

 

[Herb Martin]

Herb, have you been drinking too much MS koolaid? Save some for me, my
inventory is getting low and they've cut back on the distribution here...
hehehehehe

No, I am just cheap (and honest) so I don't like
buying stuff that I get (e.g., already paid for,) for
free.

<grin>

I am OS and Language agnostic, but I make most
of my money from Microsoft systems and by helping
their customers and employees.