Configuring Port range in IPsec

Archived from groups: microsoft.public.win2000.security (More info?)

We would like to add a rule to the IPsec config with the following
specification
Ports from 10000-20000 are open for all connections from segment 10.4.90.*
Ports from 0-10000 are closed for all connections from segment 10.4.90.*

I don`t see anything in the configuration possibilities indicating that we
can specify a port range and a specify a segment.

How can I configure this roule in IPsec or some whereelse on windows 2000
advanced server ?

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uCITVjO9EHA.3416@TK2MSFTNGP09.phx.gbl...
> You can not configure a port range in a single filter entry for an ipsec
> policy. You can either use an IP address or subnet when creating a filter
> entry for an ipsec rule. --- Steve
>


It's one of the serious weaknesses of the IPSec
filter rules.

I wrote a "generator" in Perl which builds the
IPSec rules from a table (sort of) because at
least one of my machines runs close to a 1000
rules/filter sets.

Even this is not a full solution because at a 1000
rules it can significantly impact the machines
performance for up to an hour when the rules are
re-applied.

Better would be for the filters to accept such
information and handle it efficiently.

--
Herb Martin

Archived from groups: microsoft.public.win2000.security (More info?)

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:#nzGTLb9EHA.2196@TK2MSFTNGP11.phx.gbl...
> That is interesting. Do you know how many filters can fit into a rule and
> how many rules can fit into a policy?? Some user a while back said he had
so
> many filters in a rule that it would not accept any more. I suggested he
add
> a new rule with the same filter action but never heard back from him to
know
> whether that worked or not. I personally never plan to add that may to
find
> out. --- Steve
>

I have reached no limits -- unless you are thinking
of my complaint where at about 1000 rules it was
eating up my CPU to invoke the thing -- once it was
running it was fine.

This may have been (quietly) fixed in some service
pack/hotfix.

--
Herb Martin


>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> newsiZekUW9EHA.1084@TK2MSFTNGP15.phx.gbl...
> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > news:uCITVjO9EHA.3416@TK2MSFTNGP09.phx.gbl...
> >> You can not configure a port range in a single filter entry for an
ipsec
> >> policy. You can either use an IP address or subnet when creating a
filter
> >> entry for an ipsec rule. --- Steve
> >>
> >
> >
> > It's one of the serious weaknesses of the IPSec
> > filter rules.
> >
> > I wrote a "generator" in Perl which builds the
> > IPSec rules from a table (sort of) because at
> > least one of my machines runs close to a 1000
> > rules/filter sets.
> >
> > Even this is not a full solution because at a 1000
> > rules it can significantly impact the machines
> > performance for up to an hour when the rules are
> > re-applied.
> >
> > Better would be for the filters to accept such
> > information and handle it efficiently.
> >
> > --
> > Herb Martin
> >
> >
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

It sounds like you want a firewall and not really looking to use IP
security. IPSec is intended to validate traffic between two trusted peers,
either for all traffic, or maybe for select traffic used by a client/server
application. The Windows implementation does not support ranges (yet?) and
it is near impossible to create/apply a policy with individual filters for
each port (what did you want for ports 20k-64k?) both tcp and udp.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


"Andras" <Andras@discussions.microsoft.com> wrote in message
news:95B7BAC4-C854-47F9-B8C0-399E3D021168@microsoft.com...
> We would like to add a rule to the IPsec config with the following
> specification
> Ports from 10000-20000 are open for all connections from segment 10.4.90.*
> Ports from 0-10000 are closed for all connections from segment 10.4.90.*
>
> I don`t see anything in the configuration possibilities indicating that we
> can specify a port range and a specify a segment.
>
> How can I configure this roule in IPsec or some whereelse on windows 2000
> advanced server ?

Archived from groups: microsoft.public.win2000.security (More info?)

I was responding to the original poster of this thread and asking Herb if he
ever topped out the list being curious. I personally have no need to built
larger filter lists. However it could be handy to be able to do such. For
instance there could be several secured servers in a domain that have an
ipsec require policy and static IP addresses and you have a group of
computers in an OU that you only want those computers to be able to access
the servers using ipsec in the 192.168.1.40 - 192.168.1.60 range. So you
want to create an ipsec policy with negotiate filter action and destination
address of 192.168.1.40 - 192.168.1.60. You of course would have to create
21 entries in the filter list for the rule for the ipsec policy. Maybe not
a big deal but would take some time and could be more prone to error. ---
Steve


"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:41300632408220999452032@news.microsoft.com...
> Remember that IPsec is really about creating authenticated and
> (optionally) encrypted security associations between a pair of computers.
> Given that primary design goal, it appears that port ranges aren't
> something that's required.
>
> I'm guessing that you'd like port ranges for simple block/allow rules --
> using the IPsec engine as a packet filter. Is that right? Or do you have a
> need for security associations with port ranges?
>
> Steve Riley
> steriley@microsoft.com
>
>
>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:#nzGTLb9EHA.2196@TK2MSFTNGP11.phx.gbl...
>>
>>> That is interesting. Do you know how many filters can fit into a rule
>>> and how many rules can fit into a policy?? Some user a while back
>>> said he had
>>>
>> so
>>
>>> many filters in a rule that it would not accept any more. I suggested
>>> he
>>>
>> add
>>
>>> a new rule with the same filter action but never heard back from him
>>> to
>>>
>> know
>>
>>> whether that worked or not. I personally never plan to add that may
>>> to
>>>
>> find
>>
>>> out. --- Steve
>>>
>> I have reached no limits -- unless you are thinking of my complaint
>> where at about 1000 rules it was eating up my CPU to invoke the thing
>> -- once it was running it was fine.
>>
>> This may have been (quietly) fixed in some service pack/hotfix.
>>
>>> "Herb Martin" <news@LearnQuick.com> wrote in message
>>> newsiZekUW9EHA.1084@TK2MSFTNGP15.phx.gbl...
>>>
>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>> news:uCITVjO9EHA.3416@TK2MSFTNGP09.phx.gbl...
>>>>
>>>>> You can not configure a port range in a single filter entry for an
>>>>>
>> ipsec
>>
>>>>> policy. You can either use an IP address or subnet when creating a
>>>>>
>> filter
>>
>>>>> entry for an ipsec rule. --- Steve
>>>>>
>>>> It's one of the serious weaknesses of the IPSec
>>>> filter rules.
>>>> I wrote a "generator" in Perl which builds the
>>>> IPSec rules from a table (sort of) because at
>>>> least one of my machines runs close to a 1000
>>>> rules/filter sets.
>>>> Even this is not a full solution because at a 1000 rules it can
>>>> significantly impact the machines performance for up to an hour when
>>>> the rules are re-applied.
>>>>
>>>> Better would be for the filters to accept such
>>>> information and handle it efficiently.
>>>> -- Herb Martin
>>>>
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

It's our implementation that allows for three actions, not all do. We still
prefer that people use real host firewalls for block/allow; but there are
some instances where slamming an IPsec block policy on a machine might be
more effective (like to slow down the spread of a worm).

People have been requesting port ranges in the IPsec engine for a while,
but it's almost always in the context of simple block/allow rules, not in
the context of rules that negotiate security associations. Steve Umbach makes
a good point in his post about the 21 servers, but that's an IP address range,
not a port range.

We'd really be curious in hearing from people who can describe security association
scenarios where port ranges are useful.

Steve Riley
steriley@microsoft.com



> "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> news:41300632408220999452032@news.microsoft.com...
>
>> Remember that IPsec is really about creating authenticated and
>>
> (optionally)
>
>> encrypted security associations between a pair of computers. Given
>> that
>>
> primary
>
>> design goal, it appears that port ranges aren't something that's
>> required.
>>
> I disagree -- that may have been the original intention, but it allows
> for three actions: Pass, Block, or negotiate actual IPSec services.
>
> The BLOCK and PASS are not only useful without
> the IPSec they are better than any other built-in (and
> ubiquitous) Windows blocking mechanism.
>> I'm guessing that you'd like port ranges for simple block/allow rules
>> --
>>
> For me you are largely correct.
>
>> using the IPsec engine as a packet filter. Is that right? Or do you
>> have a need for security associations with port ranges?
>>
> Someone might -- IPSec is vastly underutilized
> by the majority of admistrators.

Archived from groups: microsoft.public.win2000.security (More info?)

The purpose of this filtering is to setup a secured network for backups.
So batch programs has to pass this filter without authentifications in order
to backup their data. Server has 3 network cards and one of them needs to be
secured.

Would it be better to use certificate based authentification ?


"Andras" wrote:

> We would like to add a rule to the IPsec config with the following
> specification
> Ports from 10000-20000 are open for all connections from segment 10.4.90.*
> Ports from 0-10000 are closed for all connections from segment 10.4.90.*
>
> I don`t see anything in the configuration possibilities indicating that we
> can specify a port range and a specify a segment.
>
> How can I configure this roule in IPsec or some whereelse on windows 2000
> advanced server ?

Archived from groups: microsoft.public.win2000.security (More info?)

"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:42640632409481686790992@news.microsoft.com...
> > third party doodad
>
> Herb, have you been drinking too much MS koolaid? Save some for me, my
> inventory is getting low and they've cut back on the distribution here...
> hehehehehe

No, I am just cheap (and honest) so I don't like
buying stuff that I get (e.g., already paid for,) for
free.

<grin>

I am OS and Language agnostic, but I make most
of my money from Microsoft systems and by helping
their customers and employees.

--
Herb Martin


>
> Steve Riley
> steriley@microsoft.com
>
>
>
> > "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> > news:42091632409066343697360@news.microsoft.com...
> >
> >> It's our implementation that allows for three actions, not all do. We
> >>
> > still
> >
> >> prefer that people use real host firewalls for block/allow; but there
> >> are some instances where slamming an IPsec block policy on a machine
> >> might be more effective (like to slow down the spread of a worm).
> >>
> > Also because it is free and built-in, supported by Microsoft rather
> > than another third party doodad to add on.
> >
> >> People have been requesting port ranges in the IPsec engine for a
> >> while, but it's almost always in the context of simple block/allow
> >> rules, not in the context of rules that negotiate security
> >> associations. Steve Umbach
> >>
> > makes
> >
> >> a good point in his post about the 21 servers, but that's an IP
> >> address
> >>
> > range,
> >
> >> not a port range.
> >>
> > Address ranges would be nice too but
> > most of time the classical masks(*) work out.
> >> We'd really be curious in hearing from people who can describe
> >> security
> >>
> > association
> >
> >> scenarios where port ranges are useful.
> >>
>
>