IPSec Vs Firewall software

Calvin Lai

Hi all,

At the beginning I thought I could implement a firewall using IPSec provided
w/ Win2k Server. However, I have at least one scenario that can't be
implemented using IPSec that could be achieved thru firewall software.

Here is the problem:
I want to block all inbound IP request on every port except 80 and perhaps
21. On the other hand, I want my local network to access internet freely. As
a result, a very naive approach would be to set up:
a. Create an IP filter to filter all TCP from ANY IP to MY IP, NO mirror,
and set this to Block
b. Create an IP filter to filter all TCP from ANY IP to MY IP, NO mirror,
port 80/21, and set this to Permit

However, this leads to a very serious problem. Whenever a client within the
network tries to fetch anything from outside, e.g. a web page, the IP
request can pass thru the policy (since there is no restriction on
outbound). But when the data comes back to the server, it is blocked
because of the first rule.

I couldn't think of any way this could be fixed using IPSec. Does anyone
know if this is one of the constraints of using IPSec as "firewall"? Thanks
for all inputs here.

Calvin

Guest

Dude... IPsec is not used for firewalling. It is a way to protect traffic from one box to another.
2 options: get some sort of actual NAT device, I recommend a linux box, woot another score for open source. Or 2, use mickysoft's firewall..
Or try this one, I do not know if it works or not:
Try to filter the traffic using packet filtering on the outbound NIC card. In Network Places > outbound adapter > TCP/IP > Advanced > Options > Filter

Steven L Umbach

I have used ipsec to work in a similar situation though I think you are better off
with a firewall. Start with a mirrored block all IP rule, add a mirrored permit all
rule for the subnet if you are on one, add a mirrored permit rule with a filter
containing the allowed outbound traffic such as 80 tcp, 443 tcp, 53 udp [dns], etc.
You might first want to check your filter so that it is allowing inbound traffic from
any IP and FROM port 80 tcp to any port on your computer. --- Steve

http://www.securityfocus.com/infocus/1559
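The following is an added illustration, not code from either poster: a small stateless evaluator that models Calvin's two inbound filters and Steve's extra "permit FROM port 80" rule, and shows why the first policy drops the LAN clients' reply traffic and what the second one lets through. It assumes the most-specific-matching-filter ordering that Windows IPsec applies, reduced to TCP ports only; the packets are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """One inbound IPsec filter (remote host -> this host). None means 'any port'."""
    action: str                        # "block" or "permit"
    remote_port: Optional[int] = None  # source port on the remote host
    local_port: Optional[int] = None   # destination port on this host

    def matches(self, remote_port: int, local_port: int) -> bool:
        return (self.remote_port in (None, remote_port)
                and self.local_port in (None, local_port))

    def specificity(self) -> int:
        return (self.remote_port is not None) + (self.local_port is not None)


def decide(filters, remote_port: int, local_port: int) -> str:
    """Stateless decision: the most specific matching filter wins (assumed
    simplification of the Windows IPsec ordering). No state is kept, so a
    reply packet is judged purely on its own ports."""
    hits = [f for f in filters if f.matches(remote_port, local_port)]
    if not hits:
        return "no filter"
    return max(hits, key=Filter.specificity).action


# Calvin's naive policy: block all inbound TCP, then permit local ports 80 and 21.
NAIVE = [Filter("block"), Filter("permit", local_port=80), Filter("permit", local_port=21)]
# Steve's suggestion: additionally permit inbound traffic FROM remote port 80 to any local port.
WITH_REPLY_RULE = NAIVE + [Filter("permit", remote_port=80)]


def scenario(filters) -> dict:
    """Constructed inbound packets: a fresh request to the web server, a fresh
    request to port 3389, the reply a remote web server sends back (from its
    port 80 to a LAN client's ephemeral port 1025), and a fresh connection that
    merely uses source port 80. The last case is why a stateless filter is
    weaker than a stateful firewall: it cannot tell a reply from a new attempt."""
    return {
        "new request to 80": decide(filters, 40000, 80),
        "new request to 3389": decide(filters, 40001, 3389),
        "reply from 80 to 1025": decide(filters, 80, 1025),
        "new connection from 80 to 3389": decide(filters, 80, 3389),
    }
```

With NAIVE the reply from port 80 is blocked (only the catch-all filter matches it); with WITH_REPLY_RULE it is permitted, but so is any inbound packet whose source port happens to be 80, which a stateful firewall would reject because it belongs to no existing connection.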