Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


May 2005

IPsec for Network Protection

Three scenarios to improve the security of the hosts in your network
From the May 2005 Edition
of Windows IT Pro
Steve Riley
Solutions +
InstantDoc #45903
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Although typically used for VPNs, IP Security (IPsec) can do so much more to help you keep your network secure. You can use IPsec to solve three common problems—to stop worms, to protect servers, and to isolate a domain—and none of these techniques involves performance-sapping encryption. Let's look at the steps involved in each technique.

Using IPsec to Stop Worms
The best way to stop worms is to not get them in the first place. Alas, because some people don't understand or even care about the threats and risks associated with email and Web surfing, worms and other kinds of malicious code are a fact of life right now. Given this unfortunate situation, how can you reduce the damage that such code inflicts? You can thwart malicious code in three ways: prevent it from being installed, prevent the code from being executed, or prevent it from communicating.

In some instances, your only option might be to prevent malicious code from communicating. IPsec policies can help by limiting the kinds of traffic a computer accepts and generates. Rules with filter actions that specify simply to block or allow traffic (without building any IPsec security associations—i.e., authenticating or encrypting traffic) can act as effective basic packet filters on individual computers. Use Group Policy to assign these rules to computers, and you can reduce the amount of malicious traffic propagating throughout your network.

Your choice of IPsec policies depends on which OS you're running. Windows Server 2003 and Windows XP include Windows Firewall, which is more effective than IPsec for blocking inbound traffic, so if you run these OSs and are using Windows Firewall, your IPsec policies need to block only outbound traffic. Windows 2000 doesn't include a host-based firewall, so you should consider IPsec policies that block both inbound and outbound traffic for systems running Win2K.

Consider the Slammer worm. Slammer finds computers running Microsoft SQL Server or Microsoft SQL Server Desktop Engine (MSDE) by blasting the network with messages to UDP port 1434. Microsoft released a patch for this worm, but patching all computers can take some time; an excellent interim mitigation is to use Group Policy to quickly assign an IPsec policy that blocks inbound traffic to the vulnerable port. Of course, because the policy blocks inbound traffic to your SQL Server systems, don't leave this policy enabled on these systems after you've patched them.

To prevent a computer from getting infected by Slammer, assign a policy that blocks all inbound traffic from anywhere to the computer's own IP address with destination port UDP 1434:

  • Filter list with one filter: from any-address:any-port to my-address:1434/udp
  • Filter action: block
  • Rule: link the list with the action; all interfaces; no tunnel; any authentication method (the method doesn't matter because a block filter doesn't have any IPsec security associations)

To create the policy, first open the IPsec management console on the computer you want to protect (the process is the same for Windows 2003, XP or Win2K):

  1. Double-click Local Security Policy in the Administrative Tools folder.
  2. Click IP Security Policies on Local Computer.

Now create the filter list:

  1. Right-click in the right-hand pane of the Local Security Settings window, and select the Manage IP filter lists and filter actions menu option.
  2. On the Manage IP Filter Lists tab, click Add.
  3. Enter Slammer filter list for the name.
  4. Click Add, then click Next at the first IP filter wizard screen.
  5. Select Any IP Address for the source.
  6. Select My IP Address for the destination.
  7. Select UDP for the protocol.
  8. Click the To this port option, and enter 1434.
  9. Click Finish to end the wizard.
  10. Click OK.

Now create the filter action (if you already have an action called Block, skip this part):

  1. On the Manage IP filter lists and filter actions dialog box's Manage Filter Actions tab, click Add, then click Next at the first IP Security filter action wizard screen.
  2. Enter Block for the name.
  3. Select Block for the behavior.
  4. Click Finish to end the wizard.
  5. Click Close to finish setting up the filter list and action.

Now create the IPsec policy:

  1. Right-click in the right-hand pane of the Local Security Settings window, select Create IP Security Policy, and click Next at the first screen of the IP Security policy wizard.
  2. Enter Slammer filter for the name.
  3. Clear the Activate the default response rule option, and click Next.
  4. Leave the Edit properties option selected, and click Finish to end the wizard.

Now add the rule to the policy:

  1. The policy's properties dialog box appears. Click Add, then click Next.
  2. Leave the next three wizard screens at their defaults.
  3. From the list of filter lists, select the Slammer filter list.
  4. From the list of filter actions, select Block.
  5. Click Finish to end the wizard, and click OK to close the rule properties dialog box.
  6. Click Close to close the policy properties dialog box.

Now assign the policy:

Right-click the Slammer filter policy and select Assign.

Scripting IPsec Policy Creation
You can also use a command-line tool to create IPsec policies—this capability is useful for scripting. For Win2K, the tool is ipsecpol.exe from the Microsoft Windows 2000 Resource Kits; for XP, it's ipseccmd.exe from the Windows Support Tools for Microsoft Windows XP; for Windows 2003, it's the Netsh Ipsec tool included with the OS. To apply the Slammer filter in XP, use the following command:

ipseccmd -w REG -p "Block UDP 1434 Filter"
 -r "Block Inbound UDP 1434 Rule"
 -f *=0:1434:UDP -n BLOCK -x

Be sure to use uppercase and lowercase letters as shown; Ipsecpol and Ipseccmd are picky about case. Also note that this command is a single command that should be typed on one line—it's wrapped here to fit the article's column format.

This command creates and assigns a static policy called Block UDP 1434 Filter with a single rule called Block Inbound UDP 1434 Rule that contains the same filter list as above linked to a block filter action. Static policies are stored in the registry and persist between reboots. The policy won't apply until the next boot or restart of the IPsec policy agent, so if you want the policy to be applied immediately, your script should also stop and restart the policyagent service. When you build the policy with the GUI, it's applied immediately.

If a computer does get infected with Slammer, you can use a different IPsec rule to prevent the computer from infecting other computers by blocking outbound communications to destination port UDP 1434:

  • Filter list with one filter: from my-address:any-port to any-address:1434/udp
  • Filter action: block
  • Rule: link the list with the action; all interfaces; no tunnel; any authentication method

Note the subtle difference here: In the earlier (inbound) rule, the filter checks traffic from any-address:any-port to my-address:1434/udp, whereas in the outbound rule, the filter checks traffic from my-address:any-port to any-address:1434/udp. The outbound rule blocks any traffic to UDP port 1434 on any computer. Use the following command to script the rule and add it to the same policy as the first rule:

ipseccmd -w REG -p "Block UDP 1434 Filter"
 -r "Block Outbound UDP 1434  Rule"
 -f 0=*:1434:UDP -n BLOCK

In the first command above, the -x switch indicates a new policy. In this second command, you omit the -x switch because this command is adding another rule to the existing policy. Note also that in the filter list portion of the second command, the asterisk (*) and the 0 are reversed from the first command; this is because the "direction" of the filter is reversed.

   Previous  [1]  2  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path IPsec Command-line Tools:
"Windows 2000 Resource Kits"

"Windows XP Service Pack 2 Support Tools"


Microsoft Resources:
"Overviews, Deployment Guides, and Additional Resources"

"Domain Isolation at Microsoft"

"Isolation Guide"
Top Viewed ArticlesView all articles
Microsoft: Save Money ... By Paying for Software

Microsoft this week adopted an interesting tactic in its long-running battle with open source software: Businesses looking to save money over the long haul should simply pay for software instead of moving to free, open source solutions. The rationale? ...

PsExec

This freeware utility lets you execute processes on a remote system and redirect output to the local system. ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events How IE7 & The New Extended Validation SSL Certificates Impact Your Site

Top 10 Email Security Challenges and Solutions

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.

Implement a Successful Archiving Solution
View this web seminar to learn the best practices for creating an email archive that is secure, compliant, and searchable.
Protect Your Company’s Digital Assets
Do you know the risks of sending important files over email or FTP? Read this white paper to learn what you can do to safeguard your company’s data.

Prepare Yourself for Exchange Catastrophe
Read this white paper to learn how you can keep Exchange server healthy, as well as predict and respond to server failure.

Boost Customer Confidence and Satisfaction
Read this eBook to learn how faxing can ease communication with less computer-savvy customers while reducing your security, compliance and support woes.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing