Windows 2000/XP Internet Protocol Security IPSec Mike Chirico M.S. souptonuts.sourceforge.net/chirico/ December 18, 2003.


1 Windows 2000/XP Internet Protocol Security IPSec Mike Chirico M.S. souptonuts.sourceforge.net/chirico/ mchirico@comcast.net December 18, 2003

2 What would you do if you had less than 5 minutes to lockdown a Windows 2000/XP computer?

3 IPSec vs. TCP/IP filtering
- Target specific addresses and interfaces
- Immediate (no reboot required)
- Silently discards blocked traffic
- Multiple policies
- Blocks ICMP echo requests ("ping")
- Ipseccmd (audit logging)

4 Windows 2000 and Windows XP
Different commands:
- Windows 2000 uses ipsecpol
- Windows XP uses ipseccmd (also, all changes are static, and it supports audit logging)

5 Basic Windows 2000 ipsecpol
    ipsecpol -w REG -p FireWallPolicy -o
    ipsecpol -x -w REG -p FireWallPolicy -r RPC -n BLOCK -f *=0:135:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r RPCudp -n BLOCK -f *=0:135:UDP
    ipsecpol -x -w REG -p FireWallPolicy -r NetBIOSnameService -n BLOCK -f *=0:137:UDP
    ipsecpol -x -w REG -p FireWallPolicy -r NetBIOSdatagrServe -n BLOCK -f *=0:138:UDP
    ipsecpol -x -w REG -p FireWallPolicy -r NetBIOSsessionService -n BLOCK -f *=0:139:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r SMBtcp -n BLOCK -f *=0:445:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r SMBudp -n BLOCK -f *=0:445:UDP
    ipsecpol -x -w REG -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1433:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1434:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r FTP -n BLOCK -f *=0:21:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r Telnet -n BLOCK -f *=0:23:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r HTTP -n BLOCK -f *=0:80:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r HTTPs -n BLOCK -f *=0:443:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r HTTPrpc -n BLOCK -f *=0:593:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r DNStcp -n BLOCK -f *=0:53:TCP
    ipsecpol -x -w REG -p FireWallPolicy -r DNSudp -n BLOCK -f *=0:53:UDP
Download ipsecpol (or run secpol.msc): http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp
(-x assign, -w write to registry, -p policy, -o delete the named policy, -r ruleName, -f filter)

6 Basic Windows XP ipseccmd
    ipseccmd -w REG -p FireWallPolicy -o
    ipseccmd -x -w REG -p FireWallPolicy -r RPC -n BLOCK -f *=0:135:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r RPCudp -n BLOCK -f *=0:135:UDP
    ipseccmd -x -w REG -p FireWallPolicy -r NetBIOSnameService -n BLOCK -f *=0:137:UDP
    ipseccmd -x -w REG -p FireWallPolicy -r NetBIOSdatagrServe -n BLOCK -f *=0:138:UDP
    ipseccmd -x -w REG -p FireWallPolicy -r NetBIOSsessionService -n BLOCK -f *=0:139:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r SMBtcp -n BLOCK -f *=0:445:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r SMBudp -n BLOCK -f *=0:445:UDP
    ipseccmd -x -w REG -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1433:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r SQLserver -n BLOCK -f *=0:1434:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r FTP -n BLOCK -f *=0:21:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r Telnet -n BLOCK -f *=0:23:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r HTTP -n BLOCK -f *=0:80:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r HTTPs -n BLOCK -f *=0:443:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r HTTPrpc -n BLOCK -f *=0:593:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r DNStcp -n BLOCK -f *=0:53:TCP
    ipseccmd -x -w REG -p FireWallPolicy -r DNSudp -n BLOCK -f *=0:53:UDP
(-x assign, -w write to registry, -p policy, -o delete the named policy, -r ruleName, -f filter)
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp

7 IPSec remotely (Windows 2000)
    net use x: \\192.168.0.70\c$ /user:administrator
    ipsecpol \\192.168.0.70 -w REG -p FireWallPolicy -o
    ipsecpol \\192.168.0.70 -x -w REG -p FireWallPolicy -r AllowMe -n PASS -f 0+192.168.0.71
    ipsecpol \\192.168.0.70 -x -w REG -p FireWallPolicy -r BlockAll -n BLOCK -f 0+*
The AllowMe filter names a single host, so it is more specific than the BlockAll wildcard and takes precedence: the administering machine at 192.168.0.71 keeps its access while everything else is blocked.

8 C:\>netstat -na
    Proto  Local Address       Foreign Address     State
    TCP    0.0.0.0:80          0.0.0.0:0           LISTENING
    TCP    0.0.0.0:135         0.0.0.0:0           LISTENING
    TCP    0.0.0.0:443         0.0.0.0:0           LISTENING
    TCP    0.0.0.0:445         0.0.0.0:0           LISTENING
    ...
    TCP    192.168.0.71:1644   192.168.0.70:139    ESTABLISHED
    ...

9 Will this work?
    ipsecpol -x -w REG -p FireWallPolicy -r AllUDP137 -n BLOCK -f 0:137+*::UDP
    ipsecpol -x -w REG -p FireWallPolicy -r AllUDP138 -n BLOCK -f 0:138+*::UDP
    ipsecpol -x -w REG -p FireWallPolicy -r AllTCP139 -n BLOCK -f 0:139+*::TCP
    ipsecpol -x -w REG -p FireWallPolicy -r AllTCP445 -n BLOCK -f 0:445+*::TCP
    ipsecpol -x -w REG -p FireWallPolicy -r AllUDP445 -n BLOCK -f 0:445+*::UDP
    ipsecpol -x -w REG -p FireWallPolicy -r All1433 -n BLOCK -f 0:1433+*::TCP
    ipsecpol -x -w REG -p FireWallPolicy -r AllFTP -n BLOCK -f 0:21+*::TCP

14 Filter notation
    172.31.0.0/255.255.0.0:80=157.0.0.0/255.0.0.0:80:TCP
will filter all TCP traffic from the first subnet, port 80, to the second subnet, port 80.
- 128.*.*.* is the same as 128.0.0.0/255.0.0.0
- 128.*.* is the same as above
- 128.* is the same as above
- 144.92.*.* is the same as 144.92.0.0/255.255.0.0
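The filter strings on slides 5, 9 and 14 all follow the ipsecpol -f grammar; the parser below is an added example, not code from the slides, and it normalizes the address spellings slide 14 lists as equivalent and decodes the `=`/`+` (one-way/mirrored), `0` (this host) and `*` (any) conventions. The grammar and the protocol-name table are taken from the ipsecpol documentation as an assumption.

```python
"""Parser for the ipsecpol/ipseccmd -f filter syntax used on these slides.
Grammar (per the ipsecpol documentation, assumed here):
SRC[:port](=|+)DST[:port][:proto], where '*' is any address, '0' is this
host, addresses are A.B.C.D[/mask] or wildcard octets such as 128.*.*.*,
'=' is a one-way filter and '+' a mirrored one. Added example, not slide code."""
import ipaddress
import re
from collections import namedtuple
from itertools import takewhile

PROTO = {"ICMP": 1, "TCP": 6, "UDP": 17, "RAW": 255}
FILTER = re.compile(r"^(?P<src>[^:=+]+)(?::(?P<sport>\d*))?(?P<dir>[=+])"
                    r"(?P<dst>[^:=+]+)(?::(?P<dport>\d*))?(?::(?P<proto>\w*))?$")
# port 0 means any port (ipsecpol convention); proto None means any protocol
Filter = namedtuple("Filter", "src sport dst dport proto mirrored")


def parse_address(spec):
    """'*' -> 'any', '0' -> 'me', otherwise an IPv4Network."""
    if spec == "*":
        return "any"
    if spec == "0":
        return "me"
    if "/" in spec:                          # A.B.C.D/mask (netmask or prefix length)
        addr, mask = spec.split("/", 1)
        return ipaddress.IPv4Network((addr, mask), strict=False)
    octets = spec.split(".")
    fixed = list(takewhile(lambda o: o != "*", octets))
    rest = octets[len(fixed):]               # from the first '*' onwards
    if (len(octets) > 4 or any(o != "*" for o in rest)
            or (not rest and len(fixed) != 4)
            or not all(o.isdigit() and int(o) < 256 for o in fixed)):
        raise ValueError(f"bad address {spec!r}")
    # 128.*, 128.*.* and 128.*.*.* all mean 128.0.0.0/8: 8 bits per fixed octet
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{base}/{8 * len(fixed)}")


def parse_filter(spec):
    """Split one -f argument into source, destination, ports, protocol and direction."""
    m = FILTER.match(spec)
    if not m:
        raise ValueError(f"bad filter {spec!r}")
    proto = m["proto"] or None
    if proto is not None:
        proto = int(proto) if proto.isdigit() else PROTO[proto.upper()]
    return Filter(parse_address(m["src"]), int(m["sport"] or 0),
                  parse_address(m["dst"]), int(m["dport"] or 0),
                  proto, m["dir"] == "+")
```

Feeding each slide's -f argument through parse_filter is a quick way to review a policy before assigning it: a rule whose destination is not "me" or whose port came out as 0 (any) is easy to spot.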

15 Common commands
    rem blocks everything
    ipsecpol -x -w REG -p "FireWallPolicy" -r "BlockAll" -n BLOCK -f 0+*
    rem blocks ping
    ipsecpol -x -w REG -p "FireWallPolicy" -r "BlockICMP" -n BLOCK -f 0+*::ICMP

16 Server
    ipsecpol -w REG -p "FireWallPolicy" -o
    rem ipsecpol -x -w REG -p "FireWallPolicy" -r "BlockAll" -n BLOCK -f 0+*
    ipsecpol -x -w REG -p "FireWallPolicy" -r "SMTP" -n BLOCK -f *=0:25:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "FTP" -n BLOCK -f *=0:21:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "Telnet" -n BLOCK -f *=0:23:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "DNS_udp" -n BLOCK -f *=0:53:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_replication_udp" -n BLOCK -f *=0:42:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_replication_tcp" -n BLOCK -f *=0:42:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "DNS_tcp" -n BLOCK -f *=0:53:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "WWW" -n BLOCK -f *=0:80:TCP

17 Server
    ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_udp" -n BLOCK -f *=0:88:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_tcp" -n BLOCK -f *=0:88:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "RPC" -n BLOCK -f *=0:135:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Name_Service_udp" -n BLOCK -f *=0:137:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Name_Service_tcp" -n BLOCK -f *=0:137:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Datagram_Service" -n BLOCK -f *=0:138:UDP

18 Server
    ipsecpol -x -w REG -p "FireWallPolicy" -r "NetBIOS_Session_Service" -n BLOCK -f *=0:139:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "LDAP_udp" -n BLOCK -f *=0:389:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "LDAP_tcp" -n BLOCK -f *=0:389:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "HTTPoverSSL" -n BLOCK -f *=0:443:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "SMB_udp" -n BLOCK -f *=0:445:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "SMB_tcp" -n BLOCK -f *=0:445:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_kpasswd_udp" -n BLOCK -f *=0:464:UDP

19 Server
    ipsecpol -x -w REG -p "FireWallPolicy" -r "Kerberos_kpasswd_tcp" -n BLOCK -f *=0:464:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "IKE" -n BLOCK -f *=0:500:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "RealStream" -n BLOCK -f *=0:554:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "HTTP_RPC" -n BLOCK -f *=0:593:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "LDAP_SSL" -n BLOCK -f *=0:636:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_resol_udp" -n BLOCK -f *=0:1512:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "NFS-orIIS" -n BLOCK -f *=0:1025:TCP

20 Server
    ipsecpol -x -w REG -p "FireWallPolicy" -r "iad2" -n BLOCK -f *=0:1031:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "pptp" -n BLOCK -f *=0:1723:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "mysql" -n BLOCK -f *=0:3306:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "msdtc" -n BLOCK -f *=0:3372:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "WINS_resol_tcp" -n BLOCK -f *=0:1512:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "SQL_Server" -n BLOCK -f *=0:1433:TCP

21 Server
    ipsecpol -x -w REG -p "FireWallPolicy" -r "AD_Global_Catalog" -n BLOCK -f *=0:3268:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "AD_Global_Catalog_ssl" -n BLOCK -f *=0:3269:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "ssh" -n BLOCK -f *=0:22:TCP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "ssh_udp" -n BLOCK -f *=0:22:UDP
    ipsecpol -x -w REG -p "FireWallPolicy" -r "Windows_Terminal_Service" -n BLOCK -f *=0:3389:TCP

22 References
Good overview of IPSec setup:
    http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
List of ports:
    http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_simw.asp
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ittasks/tasks/adrepfir.asp
Current scanning activity:
    http://www.cert.org/current/scanning.html

23 References continued
Nmap (good for testing your configuration):
    http://www.insecure.org/nmap/nmap_download.html
More on the IPSec IETF standard:
    http://rr.sans.org/win2000/ipsec_w2k.php
Security sites:
    http://www.ntsecurity.net/
    http://project.honeynet.org
    http://www.cert.org/nav/index_main.html
    http://www.ciac.org/ciac/

