Windows IP Security Filters
  • October 23, 2002

Joe Klemencic (jklemenc_at_fnal.gov), Fermilab Business Services
What are IP Security Filters?
  • New feature in Windows 2000, XP and .NET Server (the IPsec implementation)
  • Initially created to authenticate and encrypt host-to-host communications
  • Use as a packet filtering method was adopted by Microsoft during Windows 2000 beta testing

Intended Usage
  • Authenticate host connections
  • Negotiate encryption schemes
  • Filter access to services by host/subnet

It is important to note that the authentication schemes authenticate machines, not users: a policy can prove which host a connection came from, never which user.
Default Defined Policies
  • Client (Respond Only)
  • Request Security (Server)
  • Require Security (Server)

Clients attempting to connect to resources that
require Authentication and/or Encryption must
have an appropriately configured response policy.
IP Security Policy Creation
  • IP Security Policy Management MMC snap-in, reached through the Group Policy Editor (gpedit.msc) on the local machine
  • Group Policy Editor within an Active Directory OU's properties (domain-wide policy)
  • IPSECPOL.EXE command line utility from the W2K Resource Kit (Windows 2000)
  • IPSECCMD.EXE command line utility from the Support Tools on the media CD (XP and .NET Server)
  • Proper planning and testing are the key to successful policy creation and implementation

Anatomy of an IP Security Policy
  • An IP Security Policy consists of
    • IP Filters, which define who, what and where
      • Source IP/network address
      • Destination IP/network address
      • Protocol/port/service
    • IP Filter Actions, which define how
      • Permit
      • Block
      • Negotiate Security (authenticate/encrypt), using one of
        • Kerberos (requires a W2K domain)
        • PKI (certificates)
        • Shared key

IP Security Filter Modes
  • Dynamic Mode (the default for IPSECPOL/IPSECCMD)
    • Adds anonymous rules directly to the policy agent; they are not stored and are lost when the IPSEC Policy Agent service restarts
    • Can co-exist with a DS (Active Directory) based policy
  • Static Mode
    • Creates or modifies the stored policy
    • Overwrites the current named policy or activates a new named policy

IP Filter Evaluation Order
  • Rule evaluation is from most specific to least specific
    • Addresses
      1. My IP Address
      2. Specific IP address
      3. Specific IP subnet
      4. Any IP address
    • Protocol/port
      A. Specific protocol/port combination
      B. Specific protocol/any port
      C. Any protocol

IP Filter Evaluation Order (cont)
  • Visualize filter rule processing by applying weights
    • Source/Destination addresses
      • My IP Address: 3
      • Specific IP address: 2
      • Specific network: 1
      • Any address: 0
    • Protocol used
      • Specified (TCP/UDP/ICMP/RAW): 1
      • Any protocol: 0
    • Source/Destination service ports
      • Specified (e.g. 23/80/135/137/139/443/445): 1
      • Any port: 0

IP Filter Evaluation Order (cont)

  Source    Src Port  Dest  Dest Port  Protocol  Action  Weight
  Any       Any       MyIP  Any        Any       Block   0+0+3+0+0 = 3
  Any       Any       MyIP  80         TCP       Permit  0+0+3+1+1 = 5
  10.1.1.0  Any       MyIP  Any        Any       Permit  1+0+3+0+0 = 4
  10.1.1.0  Any       MyIP  139        TCP       Block   1+0+3+1+1 = 6

  • The heaviest matching rule wins. In this example all traffic from the 10.1.1.0 network except TCP/139 is allowed, TCP/80 traffic is allowed from anywhere, and all other traffic is blocked.

Mirroring vs. Reverse Rules
  • The Mirror Rule option is only activated when defining Authentication or Encryption filter actions
  • When creating simple Permit/Block packet filters, always create the reverse rule at the same time, so that the return traffic of legitimate connections is not inadvertently denied
  • BUT: the reverse rule is stateless, so it may inadvertently allow unsolicited connectivity

Reverse Rule
  • Consider the following ruleset

  Src   Src-Port  Dst   Dst-Port  Prot  Action
  MyIP  Any       Any   80        TCP   Permit
  Any   80        MyIP  Any       TCP   Permit
  Any   Any       MyIP  Any       Any   Block

  • In this ruleset the local machine may surf the Internet while all other communication is prohibited. Because the reverse rule matches on source port alone, an attacker could use a port redirector and still connect to the local machine's NetBIOS service (TCP/139), as long as the connection is sourced from TCP/80: such a packet matches the second rule (weight 0+1+3+0+1 = 5) rather than the catch-all Block (weight 3).
Sample Implementation Scenarios
Simple Packet Filtering
  • Allow web service from everywhere, but allow FTP only from certain hosts (MyNet)

  Src    Src-Port  Dst    Dst-Port  Prot  Action
  Any    Any       MyIP   80        TCP   Permit
  MyIP   80        Any    Any       TCP   Permit
  MyNet  Any       MyIP   21        TCP   Permit
  MyNet  Any       MyIP   20        TCP   Permit
  MyIP   21        MyNet  Any       TCP   Permit
  MyIP   20        MyNet  Any       TCP   Permit
  Any    Any       MyIP   21        TCP   Block
  Any    Any       MyIP   20        TCP   Block

  • The MyNet permits (weight 6) outweigh the Any-source blocks (weight 5). There is no catch-all Block rule here, so traffic that matches no filter is left untouched by IPsec and passes.
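The weighted most-specific-match rule from the evaluation-order table, the Reverse Rule ruleset and the Simple Packet Filtering ruleset above can all be checked before a policy is deployed. What follows is an added example, not code from the presentation: it implements the slide's weighting model in Python and evaluates the three rulesets against constructed packets. The addresses 10.1.1.5 (MyIP), 10.1.1.0/24 (MyNet), 10.1.1.20 (a MyNet host) and 192.0.2.7 (an outside host), and the extra Block rule in REVERSE_RULE_HARDENED, are assumptions for illustration. It exercises the two behaviours the slides warn about: a connection sourced from TCP/80 reaching TCP/139 through the stateless reverse rule, and traffic that matches no filter passing untouched.

```python
"""Most-specific-match simulator for the IPsec filter weighting on the slides.
Added example, not code from the presentation. The weights are the slide's own
(address: MyIP 3, specific host 2, network 1, Any 0; protocol and ports:
specified 1, Any 0). All addresses below are constructed for illustration."""
import ipaddress

# Constructed addressing for the symbolic names used in the slide tables.
NAMES = {
    "MyIP": ipaddress.ip_network("10.1.1.5/32"),
    "MyNet": ipaddress.ip_network("10.1.1.0/24"),
    "10.1.1.0": ipaddress.ip_network("10.1.1.0/24"),
}
ME, PEER, ATTACKER = "10.1.1.5", "10.1.1.20", "192.0.2.7"


def _net(spec):
    return NAMES.get(spec) or ipaddress.ip_network(spec, strict=False)


def addr_weight(spec):
    if spec == "Any":
        return 0
    if spec == "MyIP":
        return 3
    return 2 if _net(spec).num_addresses == 1 else 1


def addr_match(spec, addr):
    return spec == "Any" or ipaddress.ip_address(addr) in _net(spec)


def field_match(spec, value):
    """Ports and protocols: 'Any' or an exact match, no ranges."""
    return spec == "Any" or str(spec) == str(value)


def weight(rule):
    """Sum of the per-column weights, as in the slide's worked table."""
    src, sport, dst, dport, proto, _action = rule
    return (addr_weight(src) + addr_weight(dst)
            + sum(0 if f == "Any" else 1 for f in (sport, dport, proto)))


def decide(rules, pkt):
    """Action of the heaviest (most specific) matching rule.

    A packet that matches no filter is not touched by IPsec, so it passes:
    the default is not deny. Equal-weight ties are not ordered here; do not
    write rulesets that depend on them.
    """
    src, sport, dst, dport, proto = pkt
    best = None
    for rule in rules:
        rs, rsp, rd, rdp, rp, _action = rule
        if (addr_match(rs, src) and addr_match(rd, dst)
                and field_match(rsp, sport) and field_match(rdp, dport)
                and field_match(rp, proto)):
            if best is None or weight(rule) > weight(best):
                best = rule
    return best[5] if best else "Permit"


# Rule tuples: (src, src port, dst, dst port, protocol, action)
WEIGHTED_EXAMPLE = [
    ("Any", "Any", "MyIP", "Any", "Any", "Block"),
    ("Any", "Any", "MyIP", 80, "TCP", "Permit"),
    ("10.1.1.0", "Any", "MyIP", "Any", "Any", "Permit"),
    ("10.1.1.0", "Any", "MyIP", 139, "TCP", "Block"),
]
REVERSE_RULE = [
    ("MyIP", "Any", "Any", 80, "TCP", "Permit"),
    ("Any", 80, "MyIP", "Any", "TCP", "Permit"),   # the stateless reverse rule
    ("Any", "Any", "MyIP", "Any", "Any", "Block"),
]
# Not on the slides: under the same weighting, a Block that names both the
# attacker's source port and the protected service outweighs the reverse rule.
REVERSE_RULE_HARDENED = REVERSE_RULE + [("Any", 80, "MyIP", 139, "TCP", "Block")]
SIMPLE_FILTERING = [
    ("Any", "Any", "MyIP", 80, "TCP", "Permit"),
    ("MyIP", 80, "Any", "Any", "TCP", "Permit"),
    ("MyNet", "Any", "MyIP", 21, "TCP", "Permit"),
    ("MyNet", "Any", "MyIP", 20, "TCP", "Permit"),
    ("MyIP", 21, "MyNet", "Any", "TCP", "Permit"),
    ("MyIP", 20, "MyNet", "Any", "TCP", "Permit"),
    ("Any", "Any", "MyIP", 21, "TCP", "Block"),
    ("Any", "Any", "MyIP", 20, "TCP", "Block"),
]

if __name__ == "__main__":
    cases = [
        ("weighted example, 10.1.1.0 host to TCP/139", WEIGHTED_EXAMPLE, (PEER, 3000, ME, 139, "TCP")),
        ("weighted example, outside host to TCP/80", WEIGHTED_EXAMPLE, (ATTACKER, 3000, ME, 80, "TCP")),
        ("reverse rule, attacker sourced from TCP/80 to TCP/139", REVERSE_RULE, (ATTACKER, 80, ME, 139, "TCP")),
        ("reverse rule hardened, same packet", REVERSE_RULE_HARDENED, (ATTACKER, 80, ME, 139, "TCP")),
        ("simple filtering, outside host to TCP/22 (no filter)", SIMPLE_FILTERING, (ATTACKER, 3000, ME, 22, "TCP")),
    ]
    for label, rules, pkt in cases:
        print(f"{label}: {decide(rules, pkt)}")
```

Running the script prints one decision per case. The simulator follows the weighting the slides use to explain ordering, not the IPsec driver's actual filter ordering, so use it to reason about a draft ruleset and still test the real policy on a lab host; the hardened reverse-rule variant only closes the TCP/139 hole, which is the general limitation of stateless Permit/Block filters.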
Sample Implementation Scenarios
Service Authentication
  • Allow normal traffic from the wired network, but request hosts on the wireless network (WLAN) to Kerberos-authenticate to MyIP

  Src   Src-Port  Dst   Dst-Port  Prot  Action
  WLAN  Any       MyIP  Any       Any   Kerberos Auth (auto-mirror)

  • This authentication is separate from the application's own authentication mechanism; it proves the machine, not the user
Sample Implementation Scenarios
Service Encryption
  • Encrypt communications between servers (here MyIP and the peer DC1) while allowing unencrypted traffic from local workstations. Also block communications from non-local workstations

  Src    Src-Port  Dst    Dst-Port  Prot  Action
  DC1    Any       MyIP   Any       Any   Kerberos Auth + Encrypt (auto-mirror)
  MyIP   Any       DC1    Any       Any   Kerberos Auth + Encrypt (auto-mirror)
  MyNet  Any       MyIP   Any       Any   Permit
  MyIP   Any       MyNet  Any       Any   Permit
  Any    Any       MyIP   Any       Any   Block

Usage Caveats
  • Certain traffic is exempt from IP Security policy by default and is never inspected
    • Anything with a source port of 88 (Kerberos)
    • IKE (UDP/500)
    • Multicast traffic
    • Broadcast traffic
    • RSVP/Quality of Service
  • This behavior may be changed by setting the following value in the Registry:
    HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt (DWORD) = 1
  • See Microsoft Q253169 for more information. Note that on Windows 2000 and XP a value of 1 removes only the Kerberos and RSVP exemptions; IKE, multicast and broadcast traffic remain exempt. Until the value is set, an attacker can bypass Permit/Block filters simply by sourcing traffic from port 88.

Usage Caveats (cont)
  • No logging is available when IPsec is used as a packet filter, so blocked traffic leaves no trace
  • Because of the rule evaluation order, an ill-defined rule may allow traffic that was intended to be blocked
  • Packet filtering is difficult to implement on general-use workstations, but well suited to kiosks and servers

Further Reading
  • Securing W2K with IP Filters Part 1 (Step-by-Step How-To Guide)
    http://online.securityfocus.com/infocus/1559
  • Securing W2K with IP Filters Part 2 (Implementing Encryption)
    http://online.securityfocus.com/infocus/1566
  • Using IPSEC to Lock Down a Server
    http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
  • Active Directory Replication Over Firewalls
    http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
  • Microsoft Q254949: Domain Controller IPSEC Support
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949
  • How to Enable IPSEC Through a Firewall
    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q233256