IPSec as a simple firewall

-----Original Message-----
From: Focus on Microsoft Mailing List
[mailto:[email protected]] On Behalf Of Paul Culmsee
Sent: Wednesday, December 27, 2000 3:05 PM
To: [email protected]
Subject: IPSec as a simple firewall


Hi

It has occurred to me that the win2k IPSEC implementation is very close to
being a reasonably effective host based packet filterer - much more flexible
than the native packet filtering capabilities of Win2k which is an all or
nothing approach.

I saw the following article on MS web site..

http://www.microsoft.com/TechNet/security/au091100.asp

Interestingly, it gave an example of a policy that was tantalisingly close
to an IPChains approach on Linux but unfortunately for me, didn't elaborate
far enough on the topic..

Here is a snippet..

"The following ipsecpol commands leave only port 80 accessible on a host:

ipsecpol \\computername -w REG -p "Web" -o
ipsecpol \\computername -x -w REG -p "Web" -r "BlockAll" -n BLOCK -f 0+*
ipsecpol \\computername -x -w REG -p "Web" -r "OkHTTP" -n PASS -f 0:80+*::TCP

Specifically, these two commands create an IPSec policy called "Web"
containing two filter rules, one called "BlockAll" that blocks all protocols
to and from this host and all other hosts, and a second called "OkHTTP" that
permits traffic on port 80 to and from this host and all others. If you want
to enable ping or ICMP (which I strongly advise against unless absolutely
necessary), you can add this rule to the Web policy:

ipsecpol \\computername -x -w REG -p "Web" -r "OkICMP" -n PASS -f 0+*::ICMP
"

What order are IPSEC policies implemented? The above example is an implicit
deny above an allow. Therefore does that mean that IPSEC policies are not
processed in order? So how would I do examples like the following (which I
have a real world need for)?

Disable NETBIOS between \\computername for all servers EXCEPT \\servera and
\\serverb
Allow SQL (1433) traffic between \\computername and \\servera. Disable for
all others.

It would be very cool to have a page with examples of common scenarios like
the above.

In addition, what are the logging options for dropped packets?

Anyone toyed with this stuff?

Paul Culmsee - Senior Systems Engineer
* WiredCity 9th floor 256 Adelaide Terrace Perth 6000
     [email protected]
*08 92189780
*08 92189790
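An added illustration, not part of the original post or of the Microsoft article it quotes: a small Python model of the ordering question raised above. Windows 2000 IPSec does not walk its filters top-down; whichever matching filter is the most specific decides, which is why the article's general BlockAll rule and the narrower OkHTTP rule can coexist in either order. The host address, the server addresses and the port numbers are constructed, and the filter grammar is simplified (no address masks).

```python
"""Toy model of Windows 2000 IPSec filter matching: of all filters that match a packet,
the MOST SPECIFIC one decides, not the first one listed.  Added example, not Microsoft's
code.  Filter syntax is the ipsecpol '-f' form from the quoted article (see parse_filter)."""
from dataclasses import dataclass

MY_ADDR = "10.0.0.10"   # constructed: the address that '0' stands for

@dataclass(frozen=True)
class Filter:
    name: str
    action: str         # the ipsecpol -n value: "PASS" or "BLOCK"
    fields: tuple       # (src, sport, dst, dport, proto); None or '*' = wildcard

def parse_filter(name: str, action: str, spec: str) -> Filter:
    """Parse SRC[:PORT]+DST[:PORT][:PROTO], e.g. '0:80+*::TCP'; '0' = this host, '*' = any."""
    left, right = spec.split("+")          # '+' makes the filter mirrored (both directions)
    src, sport = (left.split(":") + [""])[:2]
    dst, dport, proto = (right.split(":") + ["", ""])[:3]
    port = lambda p: int(p) if p else None
    return Filter(name, action, (src, port(sport), dst, port(dport), proto or None))

def specificity(f: Filter) -> int:
    return sum(x not in (None, "*") for x in f.fields)  # one point per pinned-down field

def _one_way(f: Filter, src, sport, dst, dport, proto) -> bool:
    addr_ok = lambda want, have: want == "*" or (MY_ADDR if want == "0" else want) == have
    fsrc, fsport, fdst, fdport, fproto = f.fields
    return (addr_ok(fsrc, src) and fsport in (None, sport) and addr_ok(fdst, dst)
            and fdport in (None, dport) and fproto in (None, proto))

def matches(f: Filter, pkt: tuple) -> bool:
    # pkt = (src, sport, dst, dport, proto); a mirrored filter also matches the reverse flow
    src, sport, dst, dport, proto = pkt
    return _one_way(f, src, sport, dst, dport, proto) or _one_way(f, dst, dport, src, sport, proto)

def decide(filters, pkt: tuple) -> str:
    """PASS or BLOCK; traffic that no filter matches is left alone, i.e. passes."""
    hits = [f for f in filters if matches(f, pkt)]
    return max(hits, key=specificity).action if hits else "PASS"

# The "Web" policy from the quoted article, in the order the article gives it.
WEB = [parse_filter("BlockAll", "BLOCK", "0+*"),
       parse_filter("OkHTTP", "PASS", "0:80+*::TCP")]
# The poster's NetBIOS question (constructed server address): block TCP/139 from
# everyone, and let a more specific PASS filter for the permitted server win.
NETBIOS = [parse_filter("BlockNB", "BLOCK", "0:139+*::TCP"),
           parse_filter("OkNB-A", "PASS", "0:139+10.0.0.21::TCP")]

if __name__ == "__main__":
    http = ("192.0.2.7", 51000, MY_ADDR, 80, "TCP")
    print(decide(WEB, http), decide(WEB[::-1], http))  # PASS PASS: listing order is irrelevant
    print(decide(NETBIOS, ("10.0.0.99", 51002, MY_ADDR, 139, "TCP")))  # BLOCK
```

Note that with the article's Web policy, connections this host itself opens to a remote port 80 only match BlockAll, so the model also shows how easily such a policy locks out the host's own outbound traffic.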