Solved

IPSec Policy Not Working Properly

Posted on 2006-11-29
Last Modified: 2013-12-04
I have a small business workgroup with seven systems all running XP Pro.  I've created an IPSec policy on one system that's supposed to block any traffic from four other systems based on IP address.  The policy blocks traffic for all but one of the systems.  Enabling/Disabling the Default Response Rule has no effect.  The renegade system has only one LAN connection and all systems are plugged into the same switch.  Is there a setting that overrides IPSec and allows traffic despite the rule?  Thank you.
Question by: ottodoc

5 Comments
Expert Comment

by: LanBuddha
ID: 18042022
Can you list your rules out in order that they appear?

If you have a rule that has a permit before the deny then that rule will take precedence.

IPSec on Windows does not have an explicit deny at the end of the rules so if no rule matches then the traffic is permitted.

Are we just talking about pings, or what other traffic is getting through? There are some standard rules for ICMP.
Author Comment

by: ottodoc
ID: 18042687
There is only one rule in effect for the policy in question (Default Response is not enabled). The rule is comprised of an IP Filter List that contains the source IP addresses of the systems that should not have access (all filters have Protocol set to "Any") and a Filter Action of Block. The Connection Type is All Network Connections. Tunnel Settings and Authentication Methods do not apply. My main concern is that the system that should be blocked can access the secure system (and all its shared files) through "My Network Places". Thanks in advance for your help.
 
Accepted Solution

by: Rich Rumble (earned 250 total points)
ID: 18042692
Have a look at this to see if it applies to that workstation: (but I think your issue is opposite)
http://technet2.microsoft.com/WindowsServer/en/library/0e79765c-beb2-4e5e-8a74-ea7d07598f821033.mspx?mfr=true

There are limitations to IPSec: port 500 and port 88 are allowed by default even if explicitly denied. In XP SP2 and 2003 you can change this behavior with some registry changes, but by default dst/src port 88 and 500 are exempt from IPSec rules. You can use a tool like Nmap to bind to a src port, and when it scans an IPSec filter, it gets right through.
nmap -sT -P0 -T5 -g 88 server_name    or  nmap -sT -P0 -T5 -g 500 ip.ip.ip.ip
http://support.microsoft.com/kb/810207
http://support.microsoft.com/kb/811832
http://support.microsoft.com/kb/253169/EN-US/
Broadcasts are also exempt from IPSec filters, so DHCP can function; other broadcasts like NetBIOS still work too, so you can still use "net send" to send little pop-ups.

Also, IPSec doesn't have an order of operation like most firewalls. It does have a "deny any any" and looks for matches before applying it, but the order of deny vs. allow in your own rules doesn't come into play; please read here: http://www.microsoft.com/technet/community/columns/cableguy/cg0205.mspx
However, there are "weights" based on how specific a rule is: http://www.microsoft.com/technet/community/columns/cableguy/cg0205.mspx#EVG

I don't like IPSec filters anymore; they are far harder to configure than any firewall I've ever used, and they do have confusing and strange restraints. I'd use a personal firewall such as XP/2003, ZoneAlarm, etc. instead.
-rich
Assisted Solution

by: LanBuddha (earned 250 total points)
ID: 18042932
I don't want to hijack this question, but I cannot find anywhere that it is stated that there is a default "deny any any" on IPsec; I just want to clarify my statement. I think this article explains how I was trying to state it:

http://support.microsoft.com/default.aspx/kb/313190

How to Create an IPSec Policy That Is Based on the Filter List
To create an IPSec policy that is based on the filter list:
1. Right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
2. In the Welcome to the IP Security Policy Wizard, click Next.
3. In the IP Security Policy Name dialog box, type Permit Inbound TCP 80 and 25 in the Name box, and then click Next.
4. Click to clear the Activate the default response rule check box, and then click Next.
5. In the Completing the IP Security Policy Wizard dialog box, click to select the Edit properties check box if it is not already selected, and then click Finish.
6. Click the Rules tab.
7. Click to clear the Use Add Wizard check box, and then click Add.
8. Click the IP Filter List tab.
9. Click Option that is to the left of Inbound TCP 80 and 25 IP Filter List.
10. Click the Filter Action tab.
11. Click Option that is to the left of Permit.
12. Click Apply, and then click OK.
13. The Inbound TCP 80 and 25 Filter List check box is selected. Click Close.
The IPSec policy checks for packets that are destined for TCP port 80 and TCP port 25 on the local interface, and then matches those packets to the Permit filter action, which allows the packets through the interface.

NOTE: If you assign this policy, all traffic is allowed because there is no Deny rule that prevents other traffic. If you want to only allow traffic that you specified in the above policy, you must create a Deny rule that denies all traffic.

(bowing gracefully to Master Rich)
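
The thirteen GUI steps quoted above, together with the Deny rule the NOTE says is required, expressed as `netsh ipsec static` commands (available on XP SP2 and Server 2003). This is an added example, not part of the KB article or of LanBuddha's post; the policy, filter-list and filter-action names come from the steps above, while the "All Traffic" list, the rule names and the description strings are my own.

```batch
@echo off
REM Added example (not from KB 313190): build the "Permit Inbound TCP 80 and 25"
REM policy from the steps above, then add the Deny rule the NOTE requires.
REM Without that rule a policy made only of Permit filters lets everything else through.

REM Steps 1-5: create the policy with the default response rule cleared; leave it unassigned for now.
netsh ipsec static add policy name="Permit Inbound TCP 80 and 25" description="Allow only inbound HTTP and SMTP (constructed example)" activatedefaultrule=no assign=no

REM Steps 8-9 assume the filter list already exists; create it here.
REM dstaddr=me is the local host, srcport=0 means any source port.
netsh ipsec static add filterlist name="Inbound TCP 80 and 25"
netsh ipsec static add filter filterlist="Inbound TCP 80 and 25" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Inbound TCP 80 and 25" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=25 mirrored=yes

REM Steps 10-11: the Permit filter action, plus a Block action for the Deny rule.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM Steps 6-12: the rule that ties the filter list to Permit.
netsh ipsec static add rule name="Allow HTTP and SMTP" policy="Permit Inbound TCP 80 and 25" filterlist="Inbound TCP 80 and 25" filteraction="Permit" conntype=all

REM The NOTE's Deny rule: a catch-all filter list ("All Traffic", my name) blocked for this host.
REM IPSec evaluates the most specific matching filter first, so the two TCP-port filters
REM still win over this any/any filter and HTTP/SMTP keep flowing.
netsh ipsec static add filterlist name="All Traffic"
netsh ipsec static add filter filterlist="All Traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name="Block everything else" policy="Permit Inbound TCP 80 and 25" filterlist="All Traffic" filteraction="Block" conntype=all

REM Assign the finished policy and print it back for review.
netsh ipsec static set policy name="Permit Inbound TCP 80 and 25" assign=yes
netsh ipsec static show policy name="Permit Inbound TCP 80 and 25" level=verbose

REM Caveat from Rich's answer above: the Block rule does not cover the default exemptions
REM (IKE on UDP 500, Kerberos on port 88, broadcast and multicast). On XP SP2 those are
REM controlled by the NoDefaultExempt value described in the KB 810207 / 811832 articles he linked,
REM so verify exempt traffic separately before relying on this policy as a firewall.
```

Run it from an elevated cmd prompt on the host being protected; `netsh ipsec static show policy ... level=verbose` lists the filters with the specificity order in which they are matched.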
 
Expert Comment

by: Rich Rumble
ID: 18044519
You're correct, there is no deny any any by default; that is my mistake.
-rich
