IPSEC

flekso

how to create a policy that enables certain ports/protocols and blocks the
rest?

I know how to create a filter list/action, but if I create a filter list that
permits HTTP + FTP and another one that blocks all IP traffic I don't get
the desired effect - I guess the block action has higher priority than
permit, but how then to permit a small range of ports while disabling the
majority - except to create a filter for each port (ludicrous)?
 

Herb Martin

flekso said:
how to create a policy that enables certain ports/protocols and blocks the
rest?

I know how to create a filter list/action, but if I create a filter list that
permits HTTP + FTP and another one that blocks all IP traffic I don't get
the desired effect

I do.

flekso said:
- I guess the block action has higher priority than
permit,

No. More specific overrides more general. Block everything with
wild cards and then allow specifics.
but how then to permit small range of ports while disabling the
majority - except to create a filter for each port (ludicrous) ?

Make the "allow" more explicit -- the following is an excerpt from my
IPSec cmd file....(mostly the top part -- I can't publish the whole
thing since it includes information that might assist an attack.)

==========
setlocal
Rem REGfilter holds the switches repeated on every line below (inferred from its use on the "Mail2 Mail" line)
set REGfilter=-w Reg -p "Herb Filter"
ipsecpol -w Reg -p "Herb Filter" -y
ipsecpol -w Reg -p "Herb Filter" -o
ipsecpol -w Reg -p "Herb Filter" -r "Block TCP" -f *+0::TCP -n BLOCK
ipsecpol -w Reg -p "Herb Filter" -r "Block UDP" -f *+0::UDP -n BLOCK
ipsecpol -w Reg -p "Herb Filter" -r "Block ICMP" -f *+0::ICMP -n BLOCK
ipsecpol -w Reg -p "Herb Filter" -r "Allow WEB" -f *+0:80:TCP -n PASS
ipsecpol %REGfilter% -r "Mail2 Mail" -f *+192.168.2.1:25:TCP -n PASS

Rem Then it continues on for some 100 lines opening other stuff besides the
Rem "80-HTTP-Website"

REM ....................................

Rem Then Activate it:
ipsecpol -w Reg -p "Herb Filter" -x
==========
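Herb mentions generating his batch file from a template in a Perl script rather than typing ipsecpol lines by hand. The following is an added example of such a generator (written in Python here, not Herb's script): given the ports to permit, it emits the same block-everything-with-wildcards, then PASS-the-specifics layout as the excerpt above, using the ipsecpol switches and `*+0:port:proto` filter syntax exactly as they appear there. The rule names and the HTTP + FTP allow list are constructed for the thread's question.

```python
"""Generate an ipsecpol batch file for a default-deny (allow-list) policy.

Assumes ipsecpol.exe and the -w Reg / -p / -r / -f / -n / -x / -y / -o switches
as used in the excerpt above; nothing here is run against the system itself.
"""
from typing import List, Optional, Tuple

# Protocols covered by the wildcard BLOCK rules, as in the excerpt (*+0::PROTO).
BLOCK_PROTOCOLS = ("TCP", "UDP", "ICMP")


def policy_prefix(policy_name: str) -> str:
    """Switches repeated on every line: registry store plus policy name."""
    return f'-w Reg -p "{policy_name}"'


def filter_spec(port: Optional[int], proto: str) -> str:
    """ipsecpol -f filter: any source (*), mirrored (+), my address (0), port, protocol.
    An empty port field means every port, e.g. *+0::TCP for the wildcard block."""
    return f"*+0:{'' if port is None else port}:{proto}"


def generate_policy(policy_name: str, allowed: List[Tuple[str, int, str]]) -> List[str]:
    """Return the batch-file lines.  allowed = [(rule name, destination port, proto), ...]."""
    lines = ["setlocal", f"set REGfilter={policy_prefix(policy_name)}"]
    # Reset any existing copy of the policy before rebuilding it (-y / -o, as in the excerpt).
    lines += ["ipsecpol %REGfilter% -y", "ipsecpol %REGfilter% -o"]
    # General rules first: wildcard BLOCK per protocol.  The more specific PASS rules
    # below override them, which is why the combination yields an allow-list.
    for proto in BLOCK_PROTOCOLS:
        lines.append(f'ipsecpol %REGfilter% -r "Block {proto}" -f {filter_spec(None, proto)} -n BLOCK')
    # Specific rules: one PASS per permitted destination port/protocol.
    for rule, port, proto in allowed:
        lines.append(f'ipsecpol %REGfilter% -r "{rule}" -f {filter_spec(port, proto)} -n PASS')
    lines.append("ipsecpol %REGfilter% -x")  # activate the rebuilt policy
    return lines


# The thread's case: permit HTTP and FTP, block everything else.  Port 21 is the FTP
# control channel only; the data connection uses other ports and needs its own rules.
ALLOWED = [("Allow WEB", 80, "TCP"), ("Allow FTP", 21, "TCP")]

if __name__ == "__main__":
    print("\n".join(generate_policy("Herb Filter", ALLOWED)))
```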
 

flekso

Herb Martin said:
No. More specific overrides more general. Block everything with
wild cards and then allow specifics.


Make the "allow" more explicit -- the following is an excerpt from my
IPSec cmd file....(mostly the top part -- I can't publish the whole
thing since it includes information that might assist an attack.)

==========
setlocal
Rem REGfilter holds the switches repeated on every line below (inferred from its use on the "Mail2 Mail" line)
set REGfilter=-w Reg -p "Herb Filter"
ipsecpol -w Reg -p "Herb Filter" -y
ipsecpol -w Reg -p "Herb Filter" -o
ipsecpol -w Reg -p "Herb Filter" -r "Block TCP" -f *+0::TCP -n BLOCK
ipsecpol -w Reg -p "Herb Filter" -r "Block UDP" -f *+0::UDP -n BLOCK
ipsecpol -w Reg -p "Herb Filter" -r "Block ICMP" -f *+0::ICMP -n BLOCK
ipsecpol -w Reg -p "Herb Filter" -r "Allow WEB" -f *+0:80:TCP -n PASS
ipsecpol %REGfilter% -r "Mail2 Mail" -f *+192.168.2.1:25:TCP -n PASS

Rem Then it continues on for some 100 lines opening other stuff besides the
Rem "80-HTTP-Website"

REM ....................................

Rem Then Activate it:
ipsecpol -w Reg -p "Herb Filter" -x
==========

where did you get this ipsecpol tool? (I've got the administrative and support
tools but no ipsecpol; how many of these 'tools' packages are out there?)

could you repeat the given example with the IPSec snap-in for the management console?

thanks anyways
 

Herb Martin

flekso said:
where did you get this ipsecpol tool? (I've got the administrative and support
tools but no ipsecpol; how many of these 'tools' packages are out there?)

There are two tools at Microsoft -- IPSecPol for Win2000 and IPSecCmd
for WinXP (maybe the latter is built-in).

NetSh.exe is used on Win2003 servers for much the same purpose.

flekso said:
could you repeat the given example with the IPSec snap-in for the management console?

Sorry, but no. The GUI is actually more confusing and more
difficult to get correct repeatedly than the command line.

With the command line, I can change, update, and test a change
in moments and the GUI just doesn't support that. This is one of
the places where the GUI is almost completely inferior to the
command line for getting something done quickly.

Also note, I don't even write the IPSecPol commands mostly --
I fill in a template in a Perl script and let the script generate the
batch file (even on the command line the IPSecPol/IPSecCmd
is too tedious and there are too many rules/filters on a truly
protected machine.)

As I said, my ruleset is about 150 rules -- can you imagine entering
all that in the GUI, one at a time, with multiple filters for many of
them?
 

flekso

Herb Martin said:
There are two tools at Microsoft -- IPSecPol for Win2000 and IPSecCmd
for WinXP (maybe the latter is built-in).

thanks

Herb Martin said:
As I said, my ruleset is about 150 rules -- can you imagine entering
all that in the GUI, one at a time, with multiple filters for many of
them?

that is mind-bending

thanks again
 
