Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows IP Security Filters October 23, 2002 Joe Klemencic Fermilab Business Services.

Published byMoses Little Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows IP Security Filters October 23, 2002 Joe Klemencic Fermilab Business Services."— Presentation transcript:

1 Windows IP Security Filters October 23, 2002 Joe Klemencic jklemenc@fnal.gov Fermilab Business Services

2 What are IP Security Filters?  New feature in Windows 2000, XP &.NET  Initially created to authenticate and encrypt communications  Packet Filtering method adopted by Microsoft during Windows 2000 beta testing

3 Intended Usage  Authenticate host connections  Negotiate encryption schemes  Filter access to services by host/subnet It is important to note that the Authentication schemes are not User based authentication, but Machine based authentication.

4 Default Defined Policies  Client (Respond Only)  Request Security (Server)  Require Security (Server) Clients attempting to connect to resources that require Authentication and/or Encryption must have an appropriately configured response policy.

5 IP Security Policy Creation  Group Policy Editor (gpedit.msc) MMC Snap-In GUI manager  Group Policy Editor within an Active Directory OU Properties  IPSECPOL.EXE command line utility from the W2K Resource Kit (Windows 2000)  IPSECCMD.EXE command line utility from the Support Tools on the media CD (XP &.NET) Proper planning and testing is the key to a successful policy creation and implementation

6 Anatomy of an IP Security Policy  An IP Security Policy consists of: –IP Filters Define who, what, where –Source IP/Network Address –Destination IP/Network Address –Protocol/Port/Service –IP Filter Actions Define how –Permit –Block –Negotiate Security (Authenticate/Encrypt) Kerberos (Requires W2K Domain) PKI Shared Key

7 IP Security Filter Modes  Dynamic Mode –Adds anonymous rules to the policy agent –Can co-exist with a DS based policy  Static Mode –Creates or modifies the stored policy –Overwrites current named policy or activates new named policy

8 IP Filter Evaluation Order Rule Evaluation is from Most Granular to Least Specific 1. My IP Address 2. Specific IP Address Defined 3. Specific IP Subnet 4. Any IP Address A. Specific Protocol/Port combination B. Specific Protocol/Any Port C. Any Protocol

9 IP Filter Evaluation Order (cont) Visualize filter rule processing by applying weights Source/Destination Addresses: My IP Address: 3 Specific IP Address: 2 Specific Network: 1 Any Address: 0 Protocol Used: Specified (TCP/UDP/ICMP/RAW/…): 1 Any Protocol: 0 Source/Destination Service Ports: Specified (23/80/135/137/139/443/445…): 1 Any Port: 0

10 IP Filter Evaluation Order (cont) SourceSrc PortDestDest PortProtocolAction AnyAnyMyIPAnyAnyBlock 00300=300300=3 AnyAnyMyIP80TCPPermit 00311=500311=5 10.1.1.0AnyMyIPAnyAnyPermit 10300=410300=4 10.1.1.0AnyMyIP139TCPBlock 10311=610311=6 In this example, all traffic from the 10.1.1.0 network, except TCP/139 would be allowed. Also allow TCP/80 traffic from anywhere would be allowed. All other traffic will be blocked.

11 Mirroring vs. Reverse Rules  The Mirror Rule option is only activated when defining Authentication or Encryption Filter Actions  When creating simple Permit/Block Packet Filters, always create the reverse rule at the same time to prevent inadvertent denial of legitimate traffic  BUT…. The reverse rule may inadvertently allow unsolicited connectivity

12 Reverse Rule  Consider the following: Src Src-Port Dst Dst-Port Prot Action MyIP Any Any 80 TCP Permit Any 80 MyIP Any TCP Permit Any Any MyIP Any Any Block In this ruleset, we are allowing the local machine to surf the Internet while prohibiting all other communication. An attacker could use a port-redirector and still connect to the local machine’s NetBios service as long as they source their connection from TCP/80.

13 Sample Implementation Scenarios Allow Web services from everywhere, but restrict FTP from only certain hosts Simple Packet Filtering Src Src-Port Dst Dst-Port Prot Action Any Any MyIP 80 TCP Permit MyIP 80 Any Any TCP Permit MyNet Any MyIP 21 TCP Permit MyNet Any MyIP 20 TCP Permit MyIP 21 MyNet Any TCP Permit MyIP 20 MyNet Any TCP Permit Any Any MyIP 21 TCP Block Any Any MyIP 20 TCP Block

14 Sample Implementation Scenarios Service Authentication Allow normal traffic from network, but request a Host to Kerberos authenticate from Wireless network This authentication is separate from the Application Authentication Mechanism Src Src-Port Dst Dst-Port Prot Action WLAN Any MyIP Any Any Kerberos Auth (auto-mirror)

15 Sample Implementation Scenarios Service Encryption Encrypt communications between servers while allowing for unencrypted traffic from workstations. Also, block communications from non-local workstations Src Src-Port Dst Dst-Port Prot Action DC1 Any MyIP Any Any Kerberos Auth & Encrypt (auto-mirror) MyIP Any DC1 Any Any Kerberos Auth & Encrypt (auto-mirror) MyNet Any MyIP Any Any Permit MyIP Any MyNet Any Any Permit Any Any MyIP Any Any Block

16 Usage Caveats Certain traffic is not inspected by an IP Policy - Anything with a source port of 88 (Kerberos)* - IKE - Multicast Traffic - Broadcast Traffic - RSVP/Quality of Service *This behavior may be changed by setting the following value in the Registry: HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt DWORD=1 See Microsoft Q253169 article for more information

17 Usage Caveats (cont)  No logging available when using as a Packet Filter  Because of Rule Evaluation Order, an ill- defined rule may allow traffic intended to be blocked  Difficult to implement Packet Filtering on General Use Workstations, but optimal for Kiosks and Servers

18 Further Reading Securing W2K with IP Filters: Part 1 (Step-by-Step How-To Guide) http://online.securityfocus.com/infocus/1559 Securing W2K with IP Filters: Part 2 (Implementing Encryption) http://online.securityfocus.com/infocus/1566 Using IPSEC to Lock Down a Server http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp Active Directory Replication Over Firewalls http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp Microsoft Q254949 Article: Domain Controller IPSEC Support http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949 How to Enable IPSEC Through a Firewall http://support.microsoft.com/default.aspx?scid=kb;en-us;Q233256

Download ppt "Windows IP Security Filters October 23, 2002 Joe Klemencic Fermilab Business Services."

Similar presentations

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Chapter 8 Administering TCP/IP.

Chapter 8 Administering TCP/IP.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Security Data Transmission and Authentication

Security Data Transmission and Authentication
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Module 7: Configuring TCP/IP Addressing and Name Resolution.

Module 7: Configuring TCP/IP Addressing and Name Resolution.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Configuring Routing and Remote Access(RRAS) and Wireless Networking

Configuring Routing and Remote Access(RRAS) and Wireless Networking

Similar presentations

Ads by Google