OSEC

From: Scott Mulcahy (scottcm_at_usa.net)
Date: Tue Nov 05 2002 - 09:08:39 CST

    I've used IPSec extensively as a second layer of defense. Using *My IP
    Address* is a convenient way to allow reuse of a policy, however there's one
    caveat: on systems that have virtual IP addresses, such as MS clustering
    (MSCS), the policy doesn't pick up the VIPs. The result is that VIPs are
    excluded from IPSec protection.

    The way I've typically gotten around this issue is to replace *My IP Address*
    with the subnet address the server sits on. This effectively does the same
    thing, although it's not as flexible since you can only reuse the policy with
    systems on the same segment. You could probably script the deployment and
    have the script retrieve all IP addresses to build the policy, as well.

    Scott
    ----------------------------------------
    IPSec policies do not do port ranges very well, but Microsoft knows that.

    I brought this up a few months ago on this forum in the "Port Ranges in
    IPSec" thread (March 2002). That got me an email from Chris Black, IPSec
    Program Manager at Microsoft. My response to him was this:

    IPSec is often used as a poor-man's personal firewall on Windows
    2000. Administrators can add a new "Filter Action" called "Deny" (just a
    Block) to their IPSec configuration and easily gain the ability to
    allow/deny traffic on the port level. (IPSec policies are often used for
    this rather than the built-in IP Filtering feature because IPSec policies
    are more readily exported and applied to lots of computers at once.)

    A typical policy for an ecommerce server might look like this:
       Permit (Any IP) on (Any Port) to (My IP) on TCP 443        // Internet access
       Permit (My IP) on (Any Port) to 10.0.01 on TCP 20035       // Backend access
       Deny (Any IP) (All Traffic) to (My IP)
       Deny (My IP) (All Traffic) to (Any IP)

    Ranges of ports would be incredibly useful to specify...
    - Only "high ports" (>1023) i.e. (TCP 20 to TCP 1023-65535) for Active FTP
    - Only "low ports" (<1024)
    - A specific range of "RPC ports" i.e. (TCP 20001-20025)
    - A specific range of "Data ports" for use with passive FTP i.e. (TCP 3000-3003)
    - "NETBIOS" (135, 137, 138, 139, 445)

    The usual syntax for ranges in the Microsoft world appears to be something
    like "213-215," so that's what I'd probably suggest.

    However, I haven't heard anything back, so I can only guess they are mulling
    it over.

    -jgl
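As an added illustration that is not part of either message above: a small Python model of the ecommerce filter list, showing Scott's point that *My IP Address* leaves a cluster VIP with no filter at all, and that substituting the server's subnet address covers it. The host addresses, the backend address 10.0.0.1 and the first-match evaluation are assumptions of the model, not details from the thread.

```python
import ipaddress

# Added example, not from the original messages. Rules are modelled as
# (action, src, sport, dst, dport); "any", "myip" and "subnet" stand in for
# (Any IP), (My IP Address) and the subnet-address workaround. Matching is
# simplified to first-match (Windows prefers the most specific filter, but
# the rule order in the post gives the same answers). Addresses are constructed.

def _addr_match(spec, addr, ctx):
    """True if `addr` satisfies an address spec on the host described by ctx."""
    if spec == "any":
        return True
    if spec == "myip":      # what *My IP Address* resolves to: bound IPs, no VIPs
        return addr in ctx["my_ips"]
    if spec == "subnet":    # the workaround: the subnet the server sits on
        return ipaddress.ip_address(addr) in ipaddress.ip_network(ctx["subnet"])
    return addr == spec     # a literal address, e.g. the backend server

def _port_match(spec, port):
    return spec == "any" or spec == port

def evaluate(rules, pkt, ctx):
    """Action of the first matching rule; 'nofilter' if nothing matches,
    which on Windows means the packet is passed with no IPSec handling."""
    for action, src, sport, dst, dport in rules:
        if (_addr_match(src, pkt["src"], ctx) and _port_match(sport, pkt["sport"])
                and _addr_match(dst, pkt["dst"], ctx) and _port_match(dport, pkt["dport"])):
            return action
    return "nofilter"

# The ecommerce policy from the thread; 10.0.0.1 is a constructed backend address.
ECOMMERCE_POLICY = [
    ("permit", "any",  "any", "myip",     443),    # Internet access
    ("permit", "myip", "any", "10.0.0.1", 20035),  # backend access
    ("deny",   "any",  "any", "myip",     "any"),
    ("deny",   "myip", "any", "any",      "any"),
]

def with_subnet_workaround(rules):
    """Scott's fix: replace *My IP Address* with the server's subnet address."""
    return [tuple("subnet" if f == "myip" else f for f in r) for r in rules]

def unprotected(rules, local_addrs, ctx, probe_port=3389):
    """Local addresses an unsolicited inbound packet reaches with no filter at all."""
    probe = {"src": "198.51.100.7", "sport": 40000, "dport": probe_port}
    return [a for a in local_addrs
            if evaluate(rules, dict(probe, dst=a), ctx) == "nofilter"]
```

With a host whose bound address is 192.0.2.10 and whose cluster VIP 192.0.2.20 is not among the bound addresses, `unprotected()` returns the VIP for the original policy and an empty list once `with_subnet_workaround()` has been applied.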