IPSec Security

Guest

For the sake of simplicity, I have 2 XP stations and 1 Win2003 server as
router with 2 NICs (actually I have numerous machines on each side subnet).
XP station 1 is on 172.18.6.100 and XP 2 on 192.168.0.100. One server NIC is
172.18.6.1 and the other 192.168.0.1. I want to be able to copy / browse
files from XP1 to XP2, but NOT allow XP2 to browse / see any machines on
XP1's side. I have tried using IPSec to block the SMB 13x ports and 445, but
can't seem to get the right combo. Any ideas? In other words, I don't want
anyone on XP2 to be able to go to the Run box and type \\XP1 or
\\172.18.6.100 and get a browse window or share list. (One-way copy / list)
Thanks
Bucrepus
Roger Abell [MVP]

One simple solution is to turn on the XP SP2 firewall on machine XP1 and
do not allow exceptions.
Steven L Umbach

On the computers on network 172.18.6.100 create an IPsec policy that has a
mirrored rule with filter action "block" for the ports you mention for all IP
addresses, and then create a rule for the allowed subnets with a "permit"
filter action. For computers on 172.18.6.100 you would want to use
destination ports as the SMB 13x ports and 445, protocols as needed, and
destination address as "my IP". The link may help in setting up IPsec
filtering policy. Note that this may not stop "browsing", which is largely
broadcast based, but it should prevent access to the share from blocked
networks. Of course share/NTFS permissions should also be configured so as to
not allow unauthorized users/groups access. --- Steve

http://www.securityfocus.com/infocus/1559
Roger Abell [MVP]

To hinder the browsing behavior on the machine that is not to be
browsed, the registry values Hidden (DWORD 1) and Announce (DWORD 0)
could help. If I am recalling correctly these are in the
Services\lanmanserver, perhaps lanmanserver\Parameters, key of HKLM.

I do not see how the proposed filter rules would accomplish what
the poster is after, as the two mirrored rules outlined seem to only
disallow SMB and direct hosting from/to/with any IP except for
the desired subnet (the 192.168 . . .), and with that would allow
both ways. What did I miss here??
Roger Abell [MVP]

So any machine on the 172 side should be able to browse + copy to/from
machines on the 192 side, and no machine on the 192 side should be able
to do so; and there are W2k and XP on both sides??

Did you try, for machines on the 172 side:
block, non-mirrored, from any address to my address (for 13* + 445 of the relevant
protocols)
allow, mirrored, from my address to any address (for the same ports/protocols)
?

Also, set permissions on the shares of machines on the 172 side so no account
on the 192 side could be granted access, and adjust the Hidden and Announce
registry values so that they do not advertise their presence.
Steven L Umbach

I was proposing that he allow only inbound file and print sharing to 172
from whatever networks he wanted in the permit rule, which would of course not
include 192. My understanding is that mirroring only allows return traffic
for the filter entry, so in this case the traffic permitted from any port to
port 139 on the server would also be permitted from port 139 on the
server to any port on the client computer. --- Steve
Roger Abell [MVP]

Steven L Umbach said:
I was proposing that he allow only inbound file and print sharing to 172
from whatever networks he wanted in the permit rule, which would of course
not include 192. My understanding is that mirroring only allows return
traffic for the filter entry, so in this case the traffic permitted from any
port to port 139 on the server would also be permitted from port 139 on
the server to any port on the client computer. --- Steve

Got ya, but in that case I don't see how it allows 172 to get to 192 with
file & print.
Steven L Umbach

I was assuming he did not want to restrict what networks 172 can connect to
for file shares, and hence not use any IPsec policy to prevent such. The
block I suggested [or meant to suggest] was for only inbound FPS ports to
172 [destination my IP, ports/protocols: FPS] from anywhere [source any
IP, source ports any], not block all and everything inbound/outbound for 172
computers. --- Steve
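As an added example that is not from any poster in this thread, here is how the rule set Steve describes (block inbound file-and-print ports to "my IP" from any source, then permit the same ports only from a trusted subnet) could be expressed with the netsh ipsec static context on a Windows Server 2003 / XP host. The trusted subnet 172.18.6.0/24, the policy and filter list names, and the choice of 137/138 UDP plus 139/445 TCP as the "13x and 445" ports are assumptions for illustration.

```batch
@echo off
REM Added example, not the thread's own configuration. Run on each 172.18.6.x host.
REM Assumed: trusted subnet 172.18.6.0/24; names below are arbitrary.

netsh ipsec static add policy name="FPS-Inbound-Restrict" description="Inbound SMB/NetBIOS only from trusted subnet"

REM Filter list 1: inbound file-and-print ports to this host ("me") from ANY source.
REM Non-mirrored, so outbound connections from this host to 192.168.0.x are untouched
REM and their replies (destination = ephemeral port, not 13x/445) never match this list.
netsh ipsec static add filterlist name="FPS-In-Any"
netsh ipsec static add filter filterlist="FPS-In-Any" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=137 mirrored=no
netsh ipsec static add filter filterlist="FPS-In-Any" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=138 mirrored=no
netsh ipsec static add filter filterlist="FPS-In-Any" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=139 mirrored=no
netsh ipsec static add filter filterlist="FPS-In-Any" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=no

REM Filter list 2: the same ports, but only from the trusted subnet. Windows IPsec
REM applies the most specific matching filter, so this permit outranks the "any" block.
REM Mirrored, so the server's replies back to the trusted client are covered as well.
netsh ipsec static add filterlist name="FPS-In-Trusted"
netsh ipsec static add filter filterlist="FPS-In-Trusted" srcaddr=172.18.6.0 srcmask=255.255.255.0 dstaddr=me protocol=udp srcport=0 dstport=137 mirrored=yes
netsh ipsec static add filter filterlist="FPS-In-Trusted" srcaddr=172.18.6.0 srcmask=255.255.255.0 dstaddr=me protocol=udp srcport=0 dstport=138 mirrored=yes
netsh ipsec static add filter filterlist="FPS-In-Trusted" srcaddr=172.18.6.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=139 mirrored=yes
netsh ipsec static add filter filterlist="FPS-In-Trusted" srcaddr=172.18.6.0 srcmask=255.255.255.0 dstaddr=me protocol=tcp srcport=0 dstport=445 mirrored=yes

REM Filter actions and the two rules that tie lists to actions inside the policy.
netsh ipsec static add filteraction name="FPS-Block" action=block
netsh ipsec static add filteraction name="FPS-Permit" action=permit
netsh ipsec static add rule name="Block FPS from any" policy="FPS-Inbound-Restrict" filterlist="FPS-In-Any" filteraction="FPS-Block"
netsh ipsec static add rule name="Permit FPS from trusted" policy="FPS-Inbound-Restrict" filterlist="FPS-In-Trusted" filteraction="FPS-Permit"

REM Assign the policy (only one local policy can be active at a time) and show it.
netsh ipsec static set policy name="FPS-Inbound-Restrict" assign=y
netsh ipsec static show policy name="FPS-Inbound-Restrict" level=verbose
```

Because no filter matches a 172-side host's outbound SMB connection or its return packets, that traffic falls through to the default permit, which is the one-way behaviour the original poster asked for; name-browsing via broadcast is, as Steve noted, a separate matter.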
Roger Abell [MVP]

I think I am now with you. I had misread the "for all IP addresses" as a "to any".

--
Roger
Steven L Umbach said:
I was assuming he did not want to restrict what networks 172 can connect to
for file shares, and hence not use any IPsec policy to prevent such. The
block I suggested [or meant to suggest] was for only inbound FPS ports to
172 [destination my IP, ports/protocols: FPS] from anywhere [source any
IP, source ports any], not block all and everything inbound/outbound for
172 computers. --- Steve

Roger Abell said:
Got ya, but in that case I don't see how it allows 172 to get to 192 with
file & print.