
Packet Filtering with IPSec

 

Packet Filtering with Windows XP/2003 Computers Using IP Security

By: Randy R. Rouch <rrouch@csusb.edu>
Information Technology Consultant, Undergraduate Studies
CSU, San Bernardino

 

Table of Contents:

  1. Introduction
  2. Installing the IP Security Policy Management Snap-In
  3. Example: Isolating a Domain Controller

 

1. Introduction

The key to understanding IP packet filtering in Windows XP and Server 2003 is the structure of a policy. Each IPSec policy consists of a list of rules. Each rule is made up of a Filter List, which for our purposes consists of a list of mirrored origins and destinations for incoming packets. Each rule also has an Action associated with it, which tells the computer what to do with each packet that matches a description in the Filter List.

  •  IP Security Policy
    • Rule 1
      • Filter List
        • Mirrored Packet Origin and Destination 1
        • Mirrored Packet Origin and Destination 2
      • Action
    • Rule 2
      • Filter List
        • Mirrored Packet Origin and Destination 3
      • Action

 

When matching traffic against the rules of an active policy, the most specific rule is applied. So, for example, suppose an IPSec policy contained two rules:

  1. A generic “Block From All” rule that blocks traffic from any address (0.0.0.0/0) and
  2. A “Permit Local” rule permitting traffic from 192.168.1.0/24.

A packet from 192.168.1.0/24 will match both the “Block From All” and the “Permit Local” rules. However, since the packet matches the “Permit Local” rule more specifically, it will be permitted.

 

 

2. Installing the IP Security Policy Management Snap-In

  1. At a Command Prompt or in the Run command, type MMC and hit Enter. This will open the Microsoft Management Console (MMC).
  2. Inside the MMC, under the File menu, click “Add/Remove Snap-in…”
  3. In the Add/Remove Snap-in window, click the “Add…” button.
  4. In the Add Standalone Snap-in window, scroll down and select the IP Security Policy Management snap-in and click Add.
  5. In the Select Computer or Domain window, you can choose whether you are managing the local computer IPSec policy, the IPSec policies of the current domain, another domain or another computer. Local Computer is selected by default. Click Finish.
  6. In the Add Standalone Snap-in window, click Close.
  7. In the Add/Remove Snap-in window, click OK.

 

3. Example: Isolating a Domain Controller

In the Microsoft TechNet web pages, there are articles describing which ports to open in the Windows Firewall for specific server roles (like FTP Server, Web Server, DNS Server, etc.). When you look under the role of Domain Controller, Microsoft says “You must turn off Windows Firewall to use this server role.” This is likely because the Windows Firewall does not have an interface to allow or deny specific IP address ranges.

In the following example, we have

  • 192.168.1.x - subnet
  • 192.168.1.3 - Windows Server 2003 Domain Controller
  • 192.168.5.30 - DNS Server
  • www.update.com - update server

Once we have loaded the IP Security Policy Management snap-in, we can craft an IP Security Policy to isolate our Domain Controller from all other computers besides the ones it needs to contact.

 

Step 1: Block All Traffic

  1. Select the IP Security Policies object.
    Right click on it and select Create IP Security Policy...
  2. In the IP Security Policy Wizard window, click Next.
  3. Create a new name for your IP Security Policy and add a description (Optional). For our purposes, type in the name Lockdown Policy and click Next.
  4. Click Next to accept the default.
  5. Click Next to accept the default.
  6. Click Finish to complete the policy creation.
    Leave the Edit Properties checkbox checked (default) to continue defining the new policy.
  7. In the Policy Properties window, click “Add…”
  8. In the Security Rule Wizard window, click Next.
  9. In the Tunnel Endpoint window, accept the defaults by clicking Next.
  10. In the Network Type window, accept the defaults (All Network Connections) and click Next.
  11. In the IP Filter List selection window, click Add...
  12. In the IP Filter List addition window, for Name type in All Traffic and then click Add...
  13. In the IP Filter Wizard window, click Next.
  14. In the IP Filter Description and Mirrored property window, you can add a description (Optional) as well as decide whether the filter list should be mirrored. (Mirroring means that when you set an Origin and Destination in the list, it will also catch packets going in the opposite direction.) Click Next.
  15. In the IP Traffic Source window, you can select the source for the IP Packets being filtered. For our example, select the default, My IP Address, and click Next.
  16. In the IP Traffic Destination window, you can select the destination of the IP Packets being filtered. For our example, select the default, Any IP Address, and click Next.
  17. In the IP Protocol Type window, for our example select the default Any and click Next.
  18. Click Finish to complete the IP Filter Wizard.
  19. Click OK to accept the new IP Filter List.
  20. Click the radio button next to the new filter list to select it and click Next.
  21. In the Filter Action window, click Add...
  22. In the Filter Action Wizard window, click Next.
  23. Add a name and description (optional) for the new filter action, in this case name it Block and click Next.
  24. In the Filter Action General Options window, select Block and click Next.
  25. Click Finish to complete the creation of the new action.
  26. Click the Radio button to select the new action and click Next.
  27. De-select the Edit Properties checkbox and click Finish to complete the security rule.

Step 2: Allow Specific Traffic Through

  1. In the Policy Properties window, click Add...
  2. In the Security Rule Wizard window, click Next.
  3. In the Tunnel Endpoint window, accept the defaults by clicking Next.
  4. In the Network Type window, accept the defaults (All Network Connections) and click Next.
  5. In the IP Filter List selection window, click Add...
  6. In the IP Filter List addition window, type in the name Allowed Traffic and then click Add...
  7. In the IP Filter Wizard window, click Next.
  8. In the IP Filter Description and Mirrored property window, click Next.
  9. In the IP Traffic Source window, you can select the source for the IP Packets being filtered. For our example, select the default, My IP Address, and click Next.
  10. In the IP Traffic Destination window, select A specific IP Subnet. In IP address, type out the subnet in question, in this case 192.168.1.0, add the Subnet Mask (in this case 255.255.255.0) and click Next.
  11. In the IP Protocol Type window, for our example select the default Any and click Next.
  12. Click Finish to complete the IP Filter Wizard.
  13. In the IP Filter List addition window, click Add...
  14. In the IP Filter Wizard window, click Next.
  15. In the IP Filter Description and Mirrored property window, click Next.
  16. In the IP Traffic Source window, you can select the source for the IP Packets being filtered. For our example, select the default, My IP Address, and click Next.
  17. In the IP Traffic Destination window, select A specific IP Address. In IP address, type out the IP address of the DNS server (in this case 192.168.5.30) and click Next.
  18. In the IP Protocol Type window, for our example select the default Any and click Next.
  19. Click Finish to complete the IP Filter Wizard.
  20. In the IP Filter List addition window, click Add...
  21. In the IP Filter Wizard window, click Next.
  22. In the IP Filter Description and Mirrored property window, click Next.
  23. In the IP Traffic Source window, you can select the source for the IP Packets being filtered. For our example, select the default, My IP Address, and click Next.
  24. In the IP Traffic Destination window, select A specific DNS Name. In Host name, type out the DNS name for the update server, www.update.com, and click Next.
  25. In the Security Warning window, click Yes.
  26. In the IP Protocol Type window, for our example select the default Any and click Next.
  27. Click Finish to complete the IP Filter Wizard.
  28. Click OK to accept the new IP Filter List.
  29. Click the radio button next to the new filter list (Allowed Traffic) to select it and click Next.
  30. In the Filter Action window, click the radio button next to Permit and click Next.
  31. De-select the Edit Properties checkbox and click Finish to complete the security rule.

Step 3: Completing and Activating the IP Security Policy

  1. Click OK to accept the Security Policy properties.
  2. Right-click on the new Lockdown Policy and click Assign.
  3. The new policy is now in effect, blocking all traffic except that from 192.168.5.30, 192.168.1.x and www.update.com.

NOTE: You can lock down a machine even to only a few specific addresses alone! However, if you do so and want to access those machines via NetBIOS and/or Microsoft File Sharing, you must also add the Broadcast Address for your subnet (in our case 192.168.1.255) to the Allowed Traffic list. Usually it’s the highest address in your subnet, meaning the last octet is usually 255.
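To make the "most specific rule wins" matching from the Introduction and the Lockdown Policy built above concrete, the following Python model is an added illustration; it is not part of the original article and not Microsoft's implementation. It assumes 192.168.1.3 is "My IP Address", uses a constructed 203.0.113.10 as the address www.update.com resolved to when its filter was created (the wizard resolves the name once, hence the Security Warning), includes the broadcast address from the NOTE, and ranks specificity by the filters' prefix lengths, which is a simplification of the weighting Windows actually applies.

```python
"""Model of Windows XP/2003 IPSec packet filtering as the article describes it:
a policy is a list of rules, each rule a filter list plus an action, and the
most specific matching filter decides. Added illustration, not Microsoft's code."""
import ipaddress
from dataclasses import dataclass

# "My IP Address" for the example: the domain controller 192.168.1.3 (from the article)
MY_IP = ipaddress.ip_address("192.168.1.3")
ME = ipaddress.ip_network(f"{MY_IP}/32")       # wizard choice "My IP Address"
ANY = ipaddress.ip_network("0.0.0.0/0")         # wizard choice "Any IP Address"
# Constructed stand-in for what www.update.com resolved to (assumption, not from the page)
UPDATE_SERVER = ipaddress.ip_network("203.0.113.10/32")


@dataclass(frozen=True)
class Filter:
    """One origin/destination entry of a Filter List."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: str = "any"
    mirrored: bool = True   # the wizard default: also catch the reverse direction

    def matches(self, src, dst, proto):
        forward = src in self.src and dst in self.dst
        backward = self.mirrored and src in self.dst and dst in self.src
        proto_ok = self.protocol == "any" or self.protocol == proto
        return proto_ok and (forward or backward)

    def specificity(self):
        # Modelling assumption: longer prefixes and a named protocol rank higher.
        return self.src.prefixlen + self.dst.prefixlen + (0 if self.protocol == "any" else 1)


@dataclass
class Rule:
    name: str
    filters: list
    action: str   # "block" or "permit"


def evaluate(policy, src, dst, proto="any"):
    """Return (action, rule_name) for the most specific matching filter.
    Traffic matched by no filter is not handled by IPSec at all ("pass")."""
    best = None
    for rule in policy:
        for f in rule.filters:
            if f.matches(src, dst, proto):
                key = f.specificity()
                if best is None or key > best[0]:   # ties: first rule listed wins
                    best = (key, rule.action, rule.name)
    return (best[1], best[2]) if best else ("pass", None)


# The two-rule policy from the Introduction
INTRO_POLICY = [
    Rule("Block From All", [Filter(ANY, ME)], "block"),
    Rule("Permit Local", [Filter(ipaddress.ip_network("192.168.1.0/24"), ME)], "permit"),
]

# The Lockdown Policy from Steps 1 and 2, plus the broadcast address from the NOTE
LOCKDOWN_POLICY = [
    Rule("Block All Traffic", [Filter(ME, ANY)], "block"),
    Rule("Allow Specific Traffic", [
        Filter(ME, ipaddress.ip_network("192.168.1.0/24")),    # local subnet
        Filter(ME, ipaddress.ip_network("192.168.5.30/32")),   # DNS server
        Filter(ME, UPDATE_SERVER),                              # www.update.com (resolved once)
        Filter(ME, ipaddress.ip_network("192.168.1.255/32")),  # subnet broadcast (NOTE)
    ], "permit"),
]


def intro_check(src, dst, proto="any"):
    return evaluate(INTRO_POLICY, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto)


def check(src, dst, proto="any"):
    return evaluate(LOCKDOWN_POLICY, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto)


if __name__ == "__main__":
    # Constructed sample packets (src -> dst) run against the Lockdown Policy
    for src, dst in [("192.168.1.3", "192.168.1.50"), ("10.0.0.7", "192.168.1.3"),
                     ("192.168.5.30", "192.168.1.3"), ("192.168.1.3", "8.8.8.8"),
                     ("192.168.1.3", "192.168.1.255"), ("10.0.0.1", "10.0.0.2")]:
        print(f"{src:>14} -> {dst:<14} {check(src, dst)}")
```

Because every filter is mirrored, a reply from the DNS server to the domain controller is permitted by the same entry that permits the outbound query, while a packet from an unlisted host such as 10.0.0.7 only matches the mirrored "Block All Traffic" filter and is dropped. A packet that does not involve 192.168.1.3 at all matches nothing and is left alone, which is why a host-level IPSec policy only protects the machine it is assigned on.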
