Block a single computer from surfing on the Internet

Post on 23-Sep-2020

Block Web Browsing but Allow Intranet Traffic with IPSec

http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm#

As written in the previous article - Block Web Browsing with IPSec, Windows 2000/XP/2003 machines have a built-in IP security mechanism called IPSec (IP Security). IPSec is a suite of protocols that protects individual IP packets in transit by authenticating and, optionally, encrypting them; the session keys are negotiated with IKE, which authenticates the two computers with certificates, Kerberos or a pre-shared key, and the packets themselves are protected with symmetric ciphers. Besides that, the Windows IPSec policy engine lets you permit or block traffic by address, protocol and port, which turns it into a basic stateless packet filter for your server or workstation. This article uses only that filtering capability; nothing described here is encrypted.

How can you block specific users from surfing the Internet but still allow them to use a web browser to surf to internal (Intranet) sites? Right! With IPSec.

You can do so by creating an IP filter list that matches outbound TCP traffic whose destination port is 80 (HTTP) or 443 (HTTPS), and a filter action that blocks whatever the list matches. Applying that pair stops the computer from browsing the Internet. Note what it does not do: it catches only the two standard ports, so a web server listening on another port, or a proxy reached on a port other than 80 or 443, is not affected, and nothing here blocks DNS or other outbound protocols. If you need a more complete block, add filters for those ports as well.

But wait! Blocking all HTTP and HTTPS traffic will also prevent the user from surfing to internal sites.

The solution is to add a second filter list that matches HTTP and HTTPS traffic only to internal hosts, either a specific computer's IP address, a specific computer's DNS name, or an entire subnet of computers, and pair it with a Permit filter action. Windows IPSec applies the most specific filter that matches a packet, so the permit for a named host or subnet takes precedence over the block that covers any address.

You can configure this policy specifically for one computer by manipulating that computer's local IPSec policy, or, even better, you can configure the policy as a Group Policy Object (GPO) on a specific Site, Domain or Organizational Unit (OU). In order to configure a GPO you must have Active Directory in place.

Block a single computer from surfing on the Internet

To configure a single computer follow these steps:

Configuring IP Filter Lists and Filter actions

1. Open an MMC window (Start > Run > MMC).

2. Add the IP Security Policy Management snap-in.

3. In the Select which computer or domain this snap-in will manage window, select Local computer (or another computer or the domain policy, depending upon your needs). Click Finish, then click Close and OK.

4. Right-click IP Security Policies in the left pane of the MMC console. Select Manage IP Filter Lists and Filter Actions.

5. In the Manage IP Filter Lists and Filter actions click Add.

6. In the IP Filter List window type a descriptive name (such as HTTP, HTTPS) and click Add to add the new filters.

7. In the Welcome window click Next.

8. In the description box type a description if you want and click Next.

9. In the IP Traffic Source window leave My IP Address selected and click Next.

10. In the IP Traffic Destination window leave Any IP Address selected and click Next.

11. In the IP Protocol Type window scroll to TCP and click Next.

12. In the IP Protocol Port window leave From Any Port selected, type 80 (for HTTP) in the To This Port box, and click Next.

13. In the IP Filter List window notice how a new IP Filter has been added. Now add a second filter for HTTPS (My IP Address to Any IP Address, protocol TCP, destination port 443) in the same manner.

14. Now that you have both filters set up, click Ok.

15. Back in the Manage IP Filter Lists and Filter actions review your filters (you can add or remove more filters later). Now we'd like to add a new filter that will define the INTRANET web traffic. Again, click Add.

16. Again, give the new filter an appropriate name - for example - Intranet, and then proceed to configuring the filter by clicking Add.

17. In the IP Traffic Source window leave My IP Address selected and click Next.

18. In the IP Traffic Destination window click the drop-down list and select the type of destination. For example, if you only want to allow web traffic to one specific Intranet web server called SERVER200, choose A Specific DNS Name. Then, in the Host Name box type SERVER200 and click Next. The snap-in resolves the name to its IP address(es) at the moment you create the filter and stores those addresses, not the name; if the server's address changes later, re-create the filter.

If you want to allow web traffic to an entire internal subnet such as 192.168.0.0/24, select A Specific IP Subnet, and type the Network ID (192.168.0.0) and Subnet Mask (255.255.255.0) for the required subnet. Click Next.

Complete the remaining wizard pages (protocol and port) as you did for the first filter list; restricting the permit to TCP ports 80 and 443 keeps it to web traffic only.

19. Back in the IP Filter list add any other filter you want, and finally click Ok.

20. Back in the Manage IP Filter Lists and Filter actions review your filters and if all are set, click on the Manage Filter Actions tab. Now we need to add a filter action that will block our designated traffic, so click Add.

21. In the Welcome screen click Next.

22. In the Filter Action Name type Block and click Next.

23. In the Filter Action General Options click Block then click on Next.

24. Back in the Manage IP Filter Lists and Filter actions review your filters and if all are set, click on the Close button. You can add Filters and Filter Actions at any time.

The next step is to configure the IPSec Policy and to assign it.

Configuring the IPSec Policy

1. In the same MMC console right-click IP Security Policies on Local Computer and select Create IP Security Policy.

2. In the Welcome screen click Next.

3. In the IP Security Policy Name enter a descriptive name, such as "Block HTTP, HTTPS, allow Intranet". Click Next.

4. In the Request for Secure Communication window click to clear the Activate the default response rule check box. Click Next.

5. In the Completing IP Security Policy Wizard window, click Finish.

6. We now need to add the various IP Filters and Filter Actions to the new IPSec Policy. In the new IPSec Policy window click Add to begin adding the IP Filters and Filter Actions.

7. In the Welcome window click Next.

8. In the Tunnel Endpoint window make sure the default setting (This rule does not specify a tunnel) is selected and click Next.

9. In the Network Type window select All Network Connections and click Next.

10. In the IP Filter List window select one of the previously configured IP Filters, for example "HTTP, HTTPS" (configured in step #6 at the beginning of this article). If, for some reason, you did not previously configure the right IP Filter, then you can press Add and begin adding it now. When done, click Next.

11. In the Filter Action window select one of the previously configured Filter Actions, for example "Block" (configured in step #20 at the beginning of this article). Again, if you did not previously configure the right Filter Action, you can now press Add and begin adding it now. When done, click Next.

12. Back in the new IPSec Policy window, make sure the new IP Filter is selected. Click Add to add more IP Filters and Filter Actions just like you did before. In this example we will add the "Intranet" IP Filter.

13. Repeat steps 7 through 11, this time selecting the "Intranet" IP Filter.

14. Configure it to use the Permit Filter Action.

15. Notice how the two IP Filters have been added.

Also notice that you cannot change their order as you can in a full-featured firewall. That does not matter here: Windows IPSec does not evaluate rules top to bottom but applies the most specific filter that matches a packet, and a filter naming a specific host or subnet is more specific than one covering any address, so the Intranet permit wins over the general block. As you will soon discover, the configuration works exactly as intended.

The next phase is to assign the IPSec Policy.

Assigning the IPSec Policy

1. In the same MMC console, right-click the new IPSec Policy and select Assign. Only one IPSec policy can be assigned on a computer at a time, and a policy assigned through a domain GPO overrides the local one, so if a domain policy is already in place put these rules in that policy instead. Keep in mind that a local administrator can simply unassign the policy, so this is a control for non-administrative users only.

Done. You can now test the configuration by browsing to an external website (the request should fail) and to the Intranet server or subnet you permitted (the page should load).
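The whole procedure above (filter lists, filter actions, policy, rules, assignment and a check) can also be built from the command line. The following is an added example, not code from the original article, written for the netsh ipsec static context that ships with Windows Server 2003 (Windows XP uses the Support Tools utility ipseccmd.exe and Windows 2000 the Resource Kit ipsecpol.exe, whose syntax differs). The host name SERVER200 and the subnet 192.168.0.0/24 are the article's placeholders; the policy, list and rule names are assumptions that mirror the GUI steps.

```batch
@echo off
rem Added example, not part of the original article: builds the same policy
rem the MMC steps create, using "netsh ipsec static" (Windows Server 2003).
rem Assumptions: SERVER200 and 192.168.0.0/24 are placeholders for your
rem intranet server and subnet. Run from an administrator command prompt.

set POLICY=Block HTTP, HTTPS, allow Intranet

rem --- Filter lists and filters ("Configuring IP Filter Lists and Filter actions")
rem "My IP Address" is srcaddr=me, "Any IP Address" is dstaddr=any,
rem srcport=0 means "from any port", mirrored=yes matches the replies too.
netsh ipsec static add filterlist name="HTTP, HTTPS" description="Web traffic to any host"
netsh ipsec static add filter filterlist="HTTP, HTTPS" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes description="HTTP"
netsh ipsec static add filter filterlist="HTTP, HTTPS" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes description="HTTPS"

netsh ipsec static add filterlist name="Intranet" description="Web traffic to internal hosts"
rem "A specific DNS name": netsh resolves SERVER200 to its address(es) now,
rem so the filter stores addresses, not the name.
netsh ipsec static add filter filterlist="Intranet" srcaddr=me dstaddr=SERVER200 protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Intranet" srcaddr=me dstaddr=SERVER200 protocol=TCP srcport=0 dstport=443 mirrored=yes
rem "A specific IP subnet": network ID plus subnet mask.
netsh ipsec static add filter filterlist="Intranet" srcaddr=me dstaddr=192.168.0.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Intranet" srcaddr=me dstaddr=192.168.0.0 dstmask=255.255.255.0 protocol=TCP srcport=0 dstport=443 mirrored=yes

rem --- Filter actions (the "Block" action from step 20; Permit for the intranet)
netsh ipsec static add filteraction name=Block action=block
netsh ipsec static add filteraction name=Permit action=permit

rem --- Policy and rules ("Configuring the IPSec Policy")
rem activatedefaultrule=no is the "Activate the default response rule" box left clear.
netsh ipsec static add policy name="%POLICY%" description="Block Internet web browsing, allow intranet" activatedefaultrule=no assign=no
netsh ipsec static add rule name="Block web" policy="%POLICY%" filterlist="HTTP, HTTPS" filteraction=Block conntype=all
netsh ipsec static add rule name="Allow intranet web" policy="%POLICY%" filterlist="Intranet" filteraction=Permit conntype=all

rem --- Assign ("Assigning the IPSec Policy")
netsh ipsec static set policy name="%POLICY%" assign=yes

rem --- Check: the static store shows the policy with its rules, the dynamic
rem store shows the quick-mode filters the IPSec driver is actually enforcing.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show qmfilter all
```

Rule order is irrelevant here for the reason given above: the driver picks the most specific matching filter, so the Intranet entries (specific host or subnet) take precedence over the "HTTP, HTTPS" entries (any address). If the dynamic filter listing does not show your filters, the IPSEC Services service is not running or another policy (for example one assigned by a domain GPO) is in effect.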

Blocking more than one computer

Blocking of more than one computer can be done in 2 ways:

Exporting and Importing IPSec Policies
Configuring IPSec Policies through GPO

Either way, both methods can be used to prevent a number of computers from surfing the Internet (or for any other IPSec Policy).
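The first of the two methods, exporting the policy store from one computer and importing it on the others, as an added example that is not from the original article. It uses the netsh ipsec static exportpolicy and importpolicy commands of Windows Server 2003; the policy name is the one used in the steps above, and the file share path is an assumption.

```batch
@echo off
rem Added example, not part of the original article: copy the policy built
rem above to other computers. The share path is an assumption; the policy
rem name is the one from the steps above.

set POLICY=Block HTTP, HTTPS, allow Intranet
set FILE=\\FILESRV\ipsec$\blockweb.ipsec

rem On the reference computer: export the entire local IPSec policy store
rem (policies, rules, filter lists and filter actions) to a single file.
netsh ipsec static exportpolicy file="%FILE%"

rem On each target computer (administrator prompt): import the store, make
rem sure the policy is the assigned one, and display it to confirm.
netsh ipsec static importpolicy file="%FILE%"
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Importing replaces nothing that is already assigned until you assign the imported policy yourself, and because only one policy can be assigned per computer, assigning this one unassigns whatever was active before; check the show output on each target rather than assuming the import took effect.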

Related articles

You may find these related articles of interest to you:

Block Ping Traffic with IPSec
Block Web Browsing but Allow Intranet Traffic with IPSec
Block Web Browsing with IPSec
Configuring IPSec Policies through GPO
Exporting and Importing IPSec Policies
Secure IPSec Policy Agent