I've used IPSec extensively as a second layer of defense. Using *My IP
Address* is a convenient way to allow reuse of a policy, however there's one
caveat: on systems that have virtual IP addresses, such as MS clustering
(MSCS), the policy doesn't pick up the VIPs. The result is that VIPs are
excluded from IPSec protection.
The way I've typically gotten around this issue is to replace *My IP Address*
with the subnet address the server sits on. This effectively does the same
thing, although it's not as flexible since you can only reuse the policy with
systems on the same segment. You could probably script the deployment and
have the script retrieve all IP addresses to build the policy, as well.
Scott
----------------------------------------
IPSec policies do not do port ranges very well, but Microsoft knows that.
I brought this up a few months ago on this forum in the "Port Ranges in
IPSec" thread (March 2002). That got me an email from Chris Black, IPSec
Program Manager at Microsoft. My response to him was this:
IPSec is often used as a poor-man's personal firewall on Windows
2000. Administrators can add a new "Filter Action" called "Deny" (just a
Block) to their IPSec configuration and easily gain the ability to
allow/deny traffic on the port level. (IPSec policies are often used for
this rather than the built-in IP Filtering feature because IPSec policies
are more readily exported and applied to lots of computers at once.)
A typical policy for an ecommerce server might look like this:
Permit (Any IP) on (Any Port) to (My IP) on TCP 443 //
Internet access
Permit (My IP) on (Any Port) to 10.0.01 on TCP 20035 // Backend
access
Deny (Any IP) (All Traffic) to (My IP)
Deny (My IP) (All Traffic) to (Any IP)
Ranges of ports would be incredibly useful to specify...
- Only "high ports" (>1023) i.e. (TCP 20 to TCP 1023-65535) for Active FTP
- Only "low ports" (<1024)
- A specific range of "RPC ports" i.e. (TCP 20001-20025)
- A specific range of "Data ports" for use with passive FTP i.e. (TCP
3000-3003)
- "NETBIOS" (135, 137, 138, 139, 445)
The usual syntax for ranges in the Microsoft world appears to be something
like "213-215," so that's what I'd probably suggest.
However, I haven't heard anything back, so can only guess they are mulling
it over.
Address* is a convenient way to allow reuse of a policy, however there's one
caveat: on systems that have virtual IP addresses, such as MS clustering
(MSCS), the policy doesn't pick up the VIPs. The result is that VIPs are
excluded from IPSec protection.
The way I've typically gotten around this issue is to replace *My IP Address*
with the subnet address the server sits on. This effectively does the same
thing, although it's not as flexible since you can only reuse the policy with
systems on the same segment. You could probably script the deployment and
have the script retrieve all IP addresses to build the policy, as well.
Scott
----------------------------------------
IPSec policies do not do port ranges very well, but Microsoft knows that.
I brought this up a few months ago on this forum in the "Port Ranges in
IPSec" thread (March 2002). That got me an email from Chris Black, IPSec
Program Manager at Microsoft. My response to him was this:
IPSec is often used as a poor-man's personal firewall on Windows
2000. Administrators can add a new "Filter Action" called "Deny" (just a
Block) to their IPSec configuration and easily gain the ability to
allow/deny traffic on the port level. (IPSec policies are often used for
this rather than the built-in IP Filtering feature because IPSec policies
are more readily exported and applied to lots of computers at once.)
A typical policy for an ecommerce server might look like this:
Permit (Any IP) on (Any Port) to (My IP) on TCP 443 //
Internet access
Permit (My IP) on (Any Port) to 10.0.01 on TCP 20035 // Backend
access
Deny (Any IP) (All Traffic) to (My IP)
Deny (My IP) (All Traffic) to (Any IP)
Ranges of ports would be incredibly useful to specify...
- Only "high ports" (>1023) i.e. (TCP 20 to TCP 1023-65535) for Active FTP
- Only "low ports" (<1024)
- A specific range of "RPC ports" i.e. (TCP 20001-20025)
- A specific range of "Data ports" for use with passive FTP i.e. (TCP
3000-3003)
- "NETBIOS" (135, 137, 138, 139, 445)
The usual syntax for ranges in the Microsoft world appears to be something
like "213-215," so that's what I'd probably suggest.
However, I haven't heard anything back, so can only guess they are mulling
it over.
-jgl
[ reply ]