IPSec on webserver


rolf

Hi all,

I'm using IPsec to help lock down a webserver. I have a simple block
rule for all UDP and TCP traffic, then various rules to allow SQL Server
traffic from 'allowed' IPs, Terminal Services, and HTTPS and HTTP traffic
plus FTP. Most of the ruleset I originally copied from here:

http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

The webserver is not part of any domain and is hosted remotely.

At the local office the intranet runs behind a public IP. That IP is
given access through the IPsec policy. It does work but periodically
the connection takes 5-10 seconds to authenticate. Without the IPsec
policy enabled it is instantaneous.

The local intranet is on a domain with AD and DHCP etc. DNS resolving
is done via the router, no netbios is used.

Is there something I should do at the intranet end to 'help' this speed
issue...?

Any help greatly appreciated as Im having no luck.

PS I've also tried reducing the number of rules (there were only 6 or so
anyway); everything is set to authenticate using Kerberos.
 

Miha Pihler [MVP]

Hi,

As long as the server is not part of a domain it won't be able to use Kerberos for
authentication, and it will use either certificates or a pre-shared key,
depending on your configuration. Kerberos only works in a domain.

What is your goal with these filters? Just filtering traffic or also
encrypting it between server and your network?
 

rolf

Thanks for the reply. The goal is to prevent unauthorised traffic, not
to encrypt the traffic. Like a firewall, basically. I just want to hide
all ports except the public ones, such as html port 80, and to
restrict other ports by IP address, such as MS SQL, Remote Desktop, etc.

Thank you
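For the filtering-only goal described above, the Windows IPsec rules can use plain Permit and Block filter actions, which never start an IKE negotiation; the Kerberos, certificate or pre-shared-key setting on a rule only matters for a "negotiate security" action. The script below is an added example, not code from the thread or from the linked w2kfirewall page. It assumes Windows Server 2003 or XP, where the policy is built with `netsh ipsec static` (Windows 2000 would need ipsecpol.exe from the Resource Kit instead); the policy, filter-list and rule names are invented, 203.0.113.10 stands in for the office's public IP, and SQL Server and Terminal Services are assumed to listen on TCP 1433 and TCP 3389.

```powershell
# Added example (not from the thread): a filtering-only IPsec policy for a
# stand-alone web server built with "netsh ipsec static".
# Every filter action is Permit or Block, so IKE is never invoked and the
# rule's authentication method (Kerberos/cert/PSK) is not used at all.
#
# ASSUMPTIONS (not stated in the thread): all names below are invented,
# 203.0.113.10 is a placeholder for the office's public IP, SQL Server is
# on TCP 1433 and Terminal Services on TCP 3389. Run from an elevated
# prompt on the web server itself (Windows Server 2003 / XP syntax).

$Policy   = 'WebServerFilter'
$OfficeIP = '203.0.113.10'

# Filter actions: plain permit and plain block, no negotiation.
netsh ipsec static add filteraction name=FA-Permit action=permit
netsh ipsec static add filteraction name=FA-Block  action=block

# Policy container. activatedefaultrule=no keeps the built-in "Default
# Response" rule inactive, so nothing in this policy tries to negotiate.
netsh ipsec static add policy name=$Policy activatedefaultrule=no

# 1) Catch-all: block every TCP and UDP packet addressed to this host.
#    Windows applies the most specific matching filter first, so the
#    narrower permit filters below win over this general block.
netsh ipsec static add filterlist name=FL-AllTcpUdp
netsh ipsec static add filter filterlist=FL-AllTcpUdp srcaddr=any dstaddr=me protocol=tcp mirrored=yes
netsh ipsec static add filter filterlist=FL-AllTcpUdp srcaddr=any dstaddr=me protocol=udp mirrored=yes
netsh ipsec static add rule name=R-BlockAll policy=$Policy filterlist=FL-AllTcpUdp filteraction=FA-Block

# 2) Public services: HTTP, HTTPS and the FTP control channel from anywhere.
#    mirrored=yes also matches the replies leaving from those ports.
netsh ipsec static add filterlist name=FL-Public
foreach ($port in 80, 443, 21) {
    netsh ipsec static add filter filterlist=FL-Public srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=$port mirrored=yes
}
netsh ipsec static add rule name=R-Public policy=$Policy filterlist=FL-Public filteraction=FA-Permit

# 3) Management: SQL Server and RDP only from the office's public IP.
#    A single host address gets a /32 mask by default.
netsh ipsec static add filterlist name=FL-Office
foreach ($port in 1433, 3389) {
    netsh ipsec static add filter filterlist=FL-Office srcaddr=$OfficeIP dstaddr=me protocol=tcp srcport=0 dstport=$port mirrored=yes
}
netsh ipsec static add rule name=R-Office policy=$Policy filterlist=FL-Office filteraction=FA-Permit

# Assign (activate) the policy, then list what the IPsec driver loaded
# so the effective filters can be checked against the intent above.
netsh ipsec static set policy name=$Policy assign=yes
netsh ipsec dynamic show all
```

Two caveats a practitioner would check here. First, IPsec filters are stateless: the FTP filter only covers the control connection on TCP 21, and the data channel (active mode from port 20, or a passive-mode ephemeral port) needs its own filters or a different design. Second, Windows 2000 and XP exempt Kerberos (TCP/UDP 88), RSVP, IKE (UDP 500) and broadcast/multicast traffic from IPsec filtering by default; the `NoDefaultExempt` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\IPSEC` controls this (Windows Server 2003 already narrows the exemptions to IKE and multicast/broadcast), so a "block all" filter list is not quite all until that is reviewed. If any existing rule in the policy uses a "negotiate security" action that falls back to unsecured communication, the first packets wait for IKE to time out before passing in the clear, which is one explanation for a multi-second delay that disappears when the policy is unassigned; a Permit action has no such wait.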
 

karl levinson, mvp

> Hi all,
>
> I'm using IPsec to help lock down a webserver. I have a simple block
> rule for all UDP and TCP traffic, then various rules to allow SQL Server
> traffic from 'allowed' IPs, Terminal Services, and HTTPS and HTTP traffic
> plus FTP. Most of the ruleset I originally copied from here:
>
> http://homepages.wmich.edu/~mchugha/w2kfirewall.htm
>
> The webserver is not part of any domain and is hosted remotely.
>
> At the local office the intranet runs behind a public IP. That IP is
> given access through the IPsec policy. It does work but periodically
> the connection takes 5-10 seconds to authenticate. Without the IPsec
> policy enabled it is instantaneous.
>
> The local intranet is on a domain with AD and DHCP etc. DNS resolving
> is done via the router, no netbios is used.
>
> Is there something I should do at the intranet end to 'help' this speed
> issue...?

The problem with trying to use IPSec as a firewall is that the logging is
really insufficient for either troubleshooting such issues, or monitoring
intrusion attempts and successes. I really recommend a real firewall of
some sort, host-based or hardware.

You really want to see what traffic is being sent and perhaps blocked. The
latest production version of Wireshark / ethereal currently from
www.ethereal.com will help you do this. Install it on one or both ends of
the connection that is troubled. A firewall, especially host-based firewall
software, would also let you have some visibility into the traffic.

Here's an article on how to get domain authentication working through a
firewall:

http://securityadmin.info/faq.asp?firewallproblem
 
