IPSec and TCP/IP filtering

Guest

Hello,

I would like to set up a Win2000 machine to ONLY allow web pages to come
through but block all other traffic.

1. What ports need to be open to allow regular web pages to come through?
2. Do I need IPSec, TCP/IP filtering or both combined?
3. What are the steps in setting it up?

This is what I have done:

1. I have created a new security policy under "IP Security Policies on Local
Machine"
2. I have selected and activated this new policy under IPSec.
3. Under TCP/IP filtering, I selected
"Permit Only" (TCP Ports) no port is added
"Permit Only" (UDP Ports) no port is added
"Permit Only" (IP Protocols) (No protocol is added as I don't know
which one to add)

The result:

No web page is able to come through. Could anyone tell me what I did wrong?
And how to correctly set it up to achieve what I want?

Thanks in advance!
Eric
 
Miha Pihler [MVP]

Hi Eric,

I would recommend using only IPSec Filters.

You need to set up a filter that will allow access to TCP port 80 and deny
everything else (you didn't allow TCP 80 to come in, so what you got is the
expected result).
 
Karl Levinson, mvp

I assume you're also going to want to allow access to TCP and UDP ports 53
for DNS. Allowing TCP port 443 allows access to https:// pages, which would
be necessary to log into certain web pages for example. You're going to
find that a small number of web pages out there use other non-standard ports
besides the ones above, and you may get requests to open up other ports.

I would say this is a pretty strict port filtering scheme you're setting up.
There won't be any email, network file sharing or printing with this setup.
One drawback to using IPSec filtering or TCP/IP Filtering features of
Windows is that the logging is pretty inadequate, so if something isn't
working, you may have a tricky time figuring out what is wrong or what port
you need to open up. Other third-party firewalls have logs that can make
this easier.
 
Steven L Umbach

Web pages use port 80, or 443 for secure websites. However, for what you want
to do I suggest that you use a software firewall such as the free for
personal use Zone Alarm. IPsec is best used in conjunction with ESP/AH, as
originally intended, to protect network traffic, or for special cases such as
where you need to manage local network traffic on a lot of computers via
Group Policy, or where you may have remote access to a computer but are not
able to install any software on it. Keep in mind also that IPsec is not
stateful like current software/hardware firewalls are, and has default
exemptions, particularly in Windows 2000. Also, I always recommend a perimeter
device to protect a network, even if it is a cheap "internet router", as too
often I have seen host/software firewalls misconfigured or disabled, leaving
the computer exposed.

Having said that, in general to configure IPsec for filtering I start with a
block-all rule for all traffic and then configure a rule with a permit filter
action for the exceptions, whether they be inbound, outbound, or both. The
first link below shows a lot of common ports used by Windows server
operating systems, which may help.

http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
http://www.securityfocus.com/infocus/1559
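As an added illustration of the "block all, then permit exceptions" scheme described in this thread (TCP 80/443 plus TCP and UDP 53 for DNS), here is a toy evaluator that mimics two properties of Windows IPsec filters: mirrored filters match the reply direction, and the most specific matching filter wins. It is example code written for this page, not anything from Windows or the posters, and it deliberately models no connection state so that the stateless limitation mentioned above is visible in the last sample packet.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    """One filter: action, protocol (None = any), remote port (None = any).
    A mirrored filter also matches the reply direction, as Windows IPsec does."""
    action: str                  # "permit" or "block"
    proto: Optional[str] = None  # "TCP", "UDP" or None for any protocol
    port: Optional[int] = None   # remote port, None for all ports
    mirrored: bool = True

    def specificity(self) -> int:
        # Windows IPsec applies the most specific filter, not the first match.
        return (self.proto is not None) + (self.port is not None)

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.port is None:
            return True                      # "all traffic" filter
        if pkt["dir"] == "out":
            return pkt["dst_port"] == self.port
        # Inbound: only the mirrored half of the filter can match (stateless).
        return self.mirrored and pkt["src_port"] == self.port

def decide(filters, pkt: dict) -> str:
    """Return the action of the most specific matching filter.
    With no matching filter, IPsec policy does not touch the packet (permit)."""
    matched = [f for f in filters if f.matches(pkt)]
    if not matched:
        return "permit"
    return max(matched, key=Filter.specificity).action

# Block-all plus the exceptions discussed in the thread (constructed ruleset).
WEB_ONLY = [
    Filter("block"),
    Filter("permit", "TCP", 80), Filter("permit", "TCP", 443),
    Filter("permit", "TCP", 53), Filter("permit", "UDP", 53),
]

def pkt(direction: str, proto: str, src_port: int, dst_port: int) -> dict:
    return {"dir": direction, "proto": proto, "src_port": src_port, "dst_port": dst_port}

if __name__ == "__main__":
    samples = [pkt("out", "TCP", 1025, 80),   # browser request: permit
               pkt("in", "TCP", 80, 1025),    # mirrored reply: permit
               pkt("in", "TCP", 4444, 445),   # unsolicited SMB: block
               pkt("in", "TCP", 80, 445)]     # stateless caveat: permitted too
    for p in samples:
        print(p, "->", decide(WEB_ONLY, p))
```

The last sample shows why the "not stateful" remark matters: a mirrored port filter cannot tell a reply from an unsolicited inbound packet that merely uses source port 80, which a stateful firewall would drop for lack of a matching outbound connection.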
 
