TCP/IP Filtering Question


Guest

I have a Windows 2000 Server acting as a router between two different
networks (10.29.x.x and 10.22.x.x). I want to configure network 10.29.x.x to
be only able to get to the server/router through port 443. I have tried
enabling TCP/IP filtering on that network's NIC accepting only port 443,
however, all this has done is block the PCs from getting an IP address from
the DHCP server. Once I give the workstation a static IP in the 10.29.x.x
range all traffic goes right through NIC and ignores the TCP/IP filters.
Thanks for any help.
 

Steven L Umbach

For what you are doing you might want to try ipsec filtering policy using
permit and block filter actions instead on that router computer. If you do
not want the same ipsec policy applied to both adapters, then configure the
actual IP address of the network adapter you want to filter instead of "my
address". Ipsec filtering will not block multicast and broadcast traffic,
kerberos, IKE, or RSVP traffic by default if that is a concern, though a
registry mod can change most of that. Ipsec can also manage traffic in both
directions. The link below explains more. ---- Steve

http://www.securityfocus.com/infocus/1559
 

Herb Martin

Steven L Umbach said:
For what you are doing you might want to try ipsec filtering policy using
permit and block filter actions instead on that router computer.

Follow Steven's advice (or use RRAS filters if this is
on a router).

Steve's advice to use IPSec is excellent and far too few
people realize how well IPSec works and how general
it is APART from doing the actual IPSec-Encryption.

Block and Pass are quite effective.

If you do
not want the same ipsec policy applied to both adapters, then configure the
actual IP address of the network adapter you want to filter instead of "my
address". Ipsec filtering will not block multicast and broadcast traffic,
kerberos, IKE, or RSVP traffic by default if that is a concern, though a
registry mod can change most of that. Ipsec can also manage traffic in both
directions. The link below explains more. ---- Steve
 

Guest

The idea behind what I'm trying to do is to implement the open source SSL
Explorer on the Windows 2000 Server, which would supply secure communications
to workstations with a SSL VPN tunnel. Since the VPN is SSL, it only needs
access to port 443. By shutting down all TCP/IP ports, except 443, this will
allow users to have a secure gateway into the other network through the
Windows server. The main goal is to avoid IPSec. Does anyone have any other
ideas? Thanks.
 

Steven L Umbach

Ipsec "filtering" simply uses the ipsec policy with permit and block filter
actions to create a packet filtering firewall on your network adapter. I was
not referring to use ipsec to encrypt the traffic. The advantage of ipsec
policy is that it is built in, takes effect right after assigning, and does
not require a reboot. --- Steve
 

Steven L Umbach

Thanks Herb, I learned everything I know from you - including my bad habits
:) --- Steve
 

Herb Martin

Steven L Umbach said:
Thanks Herb, I learned everything I know from you - including my bad habits
:) --- Steve

Just so you don't pick up my careless typing habits.
<GRIN>
 

Herb Martin

Marcus said:
The idea behind what I'm trying to do is to implement the open source SSL
Explorer on the Windows 2000 Server, which would supply secure communications
to workstations with a SSL VPN tunnel. Since the VPN is SSL, it only needs
access to port 443.

If you are using Win2000+ as your router you might just
(about as) easily just use the actual IPSec facilities.

By shutting down all TCP/IP ports, except 443, this will
allow users to have a secure gateway into the other network through the
Windows server. The main goal is to avoid IPSec. Does anyone have any other
ideas? Thanks.

Your GOAL is to avoid the built-in IPSec in favor of
something add-on?

As for using the SSL then we were answering your
question about blocking all other traffic (pairs) using
IPSec FILTERS -- not IPSec itself.

IPSec filters have three behaviors:

1) BLOCK
2) PASS
3) NEGOTIATE (actual IPSec)

This is a much better filtering method than the trivial and
near useless NIC filters.

If you really MUST AVOID IPSec (Filters) then use the
RRAS filters (which are actually even better.)
 

Guest

OK Thanks. I didn't realize you could do that with IPSec. I will try it and
post again.
 

Herb Martin

Marcus said:
OK Thanks. I didn't realize you could do that with IPSec. I will try it and
post again.


Did we mention that IPSec filters are tedious to build?

Most experts at IPSec PREFER the command line to the
GUI, and I got so tired of both (tedious syntax) that I
finally wrote a Perl script to GENERATE my IPSec
commands.
 

Guest

Yes they are very tedious and fairly complicated. All I'm looking to
achieve is allowing only Port 443 from network to the Windows 2000 Server,
which is acting as a router between 2 networks. A little more help would be
greatly appreciated.
 

Herb Martin

Marcus said:
Yes they are very tedious and fairly complicated. All I'm looking to
achieve is allowing only Port 443 from network to the Windows 2000 Server,
which is acting as a router between 2 networks. A little more help would be
greatly appreciated.

Well, something like that is fairly trivial.

All BLOCK with wildcards, 443 PASS with destination / source.

Destination and source can be masked sets.
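Herb's recipe (block everything with wildcards, then pass port 443 by source and destination) written out as a command generator, in the spirit of the Perl script he mentions. This is an added example, not code from anyone in the thread. It assumes the `netsh ipsec static` syntax of Windows XP / Server 2003; Windows 2000 itself has no netsh ipsec context, so on the original poster's box the generated lines would need translating to that platform's policy tool. The policy and filter-list names and the sample addresses are constructed for the example. Following Steve's note, the filter's destination is the adapter's actual IP rather than "my address", so only the 10.29.x.x-facing NIC is affected.

```python
"""Generate an IPsec packet-filter policy (BLOCK all / PASS one TCP port)
for a single adapter of a Windows router.

Added example, not from the thread. Assumes `netsh ipsec static` syntax
(Windows XP / Server 2003); names like "Lockdown-443" and the addresses in
main() are constructed.
"""
from dataclasses import dataclass
import ipaddress
import subprocess
import sys
from typing import List


@dataclass(frozen=True)
class FilterSpec:
    src_net: str               # client network in CIDR form, e.g. "10.29.0.0/16"
    dst_addr: str              # the filtered adapter's own IP (never "me"/"my address")
    allowed_port: int = 443    # the single TCP port the client network may reach
    policy_name: str = "Lockdown-443"


def _q(name: str) -> str:
    """Quote a name so netsh reads it as one token."""
    return f'"{name}"'


def build_commands(spec: FilterSpec) -> List[str]:
    """Return the netsh lines that create, populate and assign the policy.

    Windows IPsec applies the MOST SPECIFIC matching filter, so the narrow
    TCP/<port> permit overrides the protocol=ANY block regardless of the
    order the rules are added in.
    """
    net = ipaddress.ip_network(spec.src_net, strict=True)  # ValueError if host bits set
    ipaddress.ip_address(spec.dst_addr)                      # ValueError if not an address
    if not 1 <= spec.allowed_port <= 65535:
        raise ValueError("allowed_port out of range")

    src, mask = str(net.network_address), str(net.netmask)
    # mirrored=yes also matches the reply direction (adapter -> client network).
    pair = f"srcaddr={src} srcmask={mask} dstaddr={spec.dst_addr} mirrored=yes"
    base = "netsh ipsec static"
    pol = _q(spec.policy_name)
    block_fl = _q(f"{spec.policy_name}-BlockAll")
    pass_fl = _q(f"{spec.policy_name}-Pass")

    return [
        f"{base} add policy name={pol} assign=no",
        f"{base} add filteraction name={_q('Block')} action=block",
        f"{base} add filteraction name={_q('Permit')} action=permit",
        # Wildcard block: every protocol from the client network to this adapter.
        f"{base} add filterlist name={block_fl}",
        f"{base} add filter filterlist={block_fl} {pair} protocol=ANY",
        # Narrow pass: TCP to the allowed port only, from any source port.
        f"{base} add filterlist name={pass_fl}",
        f"{base} add filter filterlist={pass_fl} {pair} protocol=TCP "
        f"srcport=0 dstport={spec.allowed_port}",
        f"{base} add rule name={_q('Block all')} policy={pol} "
        f"filterlist={block_fl} filteraction={_q('Block')}",
        f"{base} add rule name={_q('Pass allowed port')} policy={pol} "
        f"filterlist={pass_fl} filteraction={_q('Permit')}",
        # Assignment is what makes the policy live; no reboot is needed.
        f"{base} set policy name={pol} assign=y",
    ]


def apply_commands(cmds: List[str], dry_run: bool = True) -> int:
    """Print the lines (dry run) or execute them on Windows; returns count run."""
    ran = 0
    for c in cmds:
        if dry_run or not sys.platform.startswith("win"):
            print(c)
        else:
            subprocess.run(c, shell=True, check=True)
        ran += 1
    return ran


if __name__ == "__main__":
    # Constructed sample: the router's 10.29.x.x adapter is 10.29.0.1.
    spec = FilterSpec(src_net="10.29.0.0/16", dst_addr="10.29.0.1")
    apply_commands(build_commands(spec), dry_run=True)
```

Run it once as a dry run and review the printed lines before letting it execute anything. Two of the thread's caveats still apply: the default exemptions Steve lists (broadcast, multicast, Kerberos, IKE, RSVP) are not touched by this policy, and because the block filter is written against the adapter's own address it will not filter traffic the box merely routes between the two networks, only traffic addressed to the router itself, which is exactly what the original question asked for.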
 