Windows IP Security Filters
October 23, 2002
Joe Klemencic, jklemenc@fnal.gov
Fermilab Business Services
What are IP Security Filters?
- New feature in Windows 2000, XP & .NET
- Initially created to authenticate and encrypt communications
- Packet Filtering method adopted by Microsoft during Windows 2000 beta testing
Intended Usage
- Authenticate host connections
- Negotiate encryption schemes
- Filter access to services by host/subnet
It is important to note that the Authentication schemes are not User based authentication, but Machine based authentication.
Default Defined Policies
- Client (Respond Only)
- Request Security (Server)
- Require Security (Server)
Clients attempting to connect to resources that require Authentication and/or Encryption must have an appropriately configured response policy.
IP Security Policy Creation
- Group Policy Editor (gpedit.msc) MMC Snap-In GUI manager
- Group Policy Editor within an Active Directory OU Properties
- IPSECPOL.EXE command line utility from the W2K Resource Kit (Windows 2000)
- IPSECCMD.EXE command line utility from the Support Tools on the media CD (XP & .NET)
Proper planning and testing are the key to a successful policy creation and implementation
Anatomy of an IP Security Policy
An IP Security Policy consists of:
- IP Filters: define who, what, where
  - Source IP/Network Address
  - Destination IP/Network Address
  - Protocol/Port/Service
- IP Filter Actions: define how
  - Permit
  - Block
  - Negotiate Security (Authenticate/Encrypt)
    - Kerberos (requires W2K Domain)
    - PKI
    - Shared Key
IP Security Filter Modes
- Dynamic Mode
  - Adds anonymous rules to the policy agent
  - Can co-exist with a DS based policy
- Static Mode
  - Creates or modifies the stored policy
  - Overwrites current named policy or activates new named policy
IP Filter Evaluation Order
Rule Evaluation is from Most Granular to Least Specific
1. My IP Address
2. Specific IP Address Defined
3. Specific IP Subnet
4. Any IP Address
A. Specific Protocol/Port combination
B. Specific Protocol/Any Port
C. Any Protocol
IP Filter Evaluation Order (cont)
Visualize filter rule processing by applying weights:
Source/Destination Addresses:
- My IP Address: 3
- Specific IP Address: 2
- Specific Network: 1
- Any Address: 0
Protocol Used:
- Specified (TCP/UDP/ICMP/RAW/…): 1
- Any Protocol: 0
Source/Destination Service Ports:
- Specified (23/80/135/137/139/443/445…): 1
- Any Port: 0
IP Filter Evaluation Order (cont)

Source    Src Port  Dest  Dest Port  Protocol  Action  Weight
Any       Any       MyIP  Any        Any       Block   0+0+3+0+0 = 3
Any       Any       MyIP  80         TCP       Permit  0+0+3+1+1 = 5
10.1.1.0  Any       MyIP  Any        Any       Permit  1+0+3+0+0 = 4
10.1.1.0  Any       MyIP  139        TCP       Block   1+0+3+1+1 = 6

For each packet, the highest-weighted matching filter decides the action. In this example, all traffic from the 10.1.1.0 network except TCP/139 is allowed (TCP/139 from that network matches both the weight-4 Permit and the weight-6 Block, so it is blocked), and TCP/80 traffic from anywhere is allowed. All other traffic is blocked.
Mirroring vs. Reverse Rules
The Mirror Rule option is only activated when defining Authentication or Encryption Filter Actions
When creating simple Permit/Block Packet Filters, always create the reverse rule at the same time to prevent inadvertent denial of legitimate traffic
BUT… the reverse rule may inadvertently allow unsolicited connectivity
Reverse Rule
Consider the following:
Src   Src-Port  Dst   Dst-Port  Prot  Action
MyIP  Any       Any   80        TCP   Permit
Any   80        MyIP  Any       TCP   Permit
Any   Any       MyIP  Any       Any   Block

In this ruleset, we are allowing the local machine to surf the Internet while prohibiting all other communication. An attacker could use a port-redirector and still connect to the local machine's NetBIOS service as long as they source their connection from TCP/80.
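The weight-based "most granular wins" evaluation described on the preceding slides, implemented as an added example (not code from the deck) and run over the deck's own two filter tables, so a ruleset can be audited for the reverse-rule hole before it is deployed. The local address MY_IP and writing the 10.1.1.0 network in CIDR form are assumptions of this example.

```python
from ipaddress import ip_address, ip_network
MY_IP = "192.0.2.10"  # constructed address standing in for "My IP Address"

def addr_weight(spec):
    # Slide weights: My IP Address 3, specific host 2, network ("a.b.c.0/24") 1, Any 0
    if spec == "MyIP":
        return 3
    return 0 if spec == "Any" else (1 if "/" in spec else 2)
def addr_matches(spec, addr):
    if spec == "Any":
        return True
    if spec == "MyIP":
        return addr == MY_IP
    return ip_address(addr) in ip_network(spec) if "/" in spec else addr == spec
def field_weight(spec):
    return 0 if spec == "Any" else 1  # port or protocol: specified 1, Any 0
def field_matches(spec, value):
    return spec == "Any" or spec == value
def rule_weight(rule):
    src, sport, dst, dport, proto = rule[:5]
    return addr_weight(src) + addr_weight(dst) + sum(map(field_weight, (sport, dport, proto)))

def evaluate(rules, src, sport, dst, dport, proto):
    """Action of the most granular (highest-weight) matching filter; None if none match."""
    best = None
    for rule in rules:
        r_src, r_sport, r_dst, r_dport, r_proto, action = rule
        if (addr_matches(r_src, src) and field_matches(r_sport, sport)
                and addr_matches(r_dst, dst) and field_matches(r_dport, dport)
                and field_matches(r_proto, proto)):
            w = rule_weight(rule)
            if best is None or w > best[0]:
                best = (w, action)
    return best[1] if best else None

# Filter table from the evaluation-order slide (network written in CIDR form).
EVAL_ORDER_RULES = [
    ("Any", "Any", "MyIP", "Any", "Any", "Block"),
    ("Any", "Any", "MyIP", 80, "TCP", "Permit"),
    ("10.1.1.0/24", "Any", "MyIP", "Any", "Any", "Permit"),
    ("10.1.1.0/24", "Any", "MyIP", 139, "TCP", "Block"),
]
# Reverse-rule table from the "surf the Internet" slide.
REVERSE_RULES = [
    ("MyIP", "Any", "Any", 80, "TCP", "Permit"),
    ("Any", 80, "MyIP", "Any", "TCP", "Permit"),
    ("Any", "Any", "MyIP", "Any", "Any", "Block"),
]
```

Running evaluate over REVERSE_RULES with a source port of 80 and a destination port of 139 returns Permit (weight 5 beats the weight-3 Block), which is exactly the unsolicited connectivity the slide warns about.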
Sample Implementation Scenarios
Internet
Allow Web services from everywhere, but allow FTP only from certain hosts
Simple Packet Filtering

Src    Src-Port  Dst    Dst-Port  Prot  Action
Any    Any       MyIP   80        TCP   Permit
MyIP   80        Any    Any       TCP   Permit
MyNet  Any       MyIP   21        TCP   Permit
MyNet  Any       MyIP   20        TCP   Permit
MyIP   21        MyNet  Any       TCP   Permit
MyIP   20        MyNet  Any       TCP   Permit
Any    Any       MyIP   21        TCP   Block
Any    Any       MyIP   20        TCP   Block
Sample Implementation Scenarios
Wireless
Service Authentication
Allow normal traffic from the network, but request Kerberos authentication from hosts on the Wireless network
This authentication is separate from the Application Authentication Mechanism

Src   Src-Port  Dst   Dst-Port  Prot  Action
WLAN  Any       MyIP  Any       Any   Kerberos Auth (auto-mirror)
Sample Implementation Scenarios
Service Encryption
Encrypt communications between servers while allowing for unencrypted traffic from workstations. Also, block communications from non-local workstations.

Src    Src-Port  Dst    Dst-Port  Prot  Action
DC1    Any       MyIP   Any       Any   Kerberos Auth & Encrypt (auto-mirror)
MyIP   Any       DC1    Any       Any   Kerberos Auth & Encrypt (auto-mirror)
MyNet  Any       MyIP   Any       Any   Permit
MyIP   Any       MyNet  Any       Any   Permit
Any    Any       MyIP   Any       Any   Block
Usage Caveats
Certain traffic is not inspected by an IP Policy:
- Anything with a source port of 88 (Kerberos)*
- IKE
- Multicast Traffic
- Broadcast Traffic
- RSVP/Quality of Service
*This behavior may be changed by setting the following value in the Registry:
HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt DWORD=1
See Microsoft Q253169 article for more information
Usage Caveats (cont)
No logging available when using as a Packet Filter
Because of Rule Evaluation Order, an ill-defined rule may allow traffic intended to be blocked
Difficult to implement Packet Filtering on General Use Workstations, but optimal for Kiosks and Servers
Further Reading
Securing W2K with IP Filters: Part 1 (Step-by-Step How-To Guide)
http://online.securityfocus.com/infocus/1559
Securing W2K with IP Filters: Part 2 (Implementing Encryption)
http://online.securityfocus.com/infocus/1566
Using IPSEC to Lock Down a Server
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
Active Directory Replication Over Firewalls
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
Microsoft Q254949 Article: Domain Controller IPSEC Support
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949
How to Enable IPSEC Through a Firewall
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q233256