Karena situs aslinya malah sudah tutup, saya share lagi, sayang ilmunya:

Windows 2000 as well as Windows XP Professional both allow the end user to construct a IPSec Firewall without having to rely on canned or “for purchase” third-party solutions. I myself am amazed when paging through industry journals that spend most of their time painting most Firewall systems as half-baked because those systems only prevent ingress packets and not egress packets. I must admit that after witnessing Windows XP’s sorry excuse for Firewalling (this indeed is half-baked), I was heartened to see that Microsoft left the IPSec functionality alone while upgrading Windows. The only sin Microsoft is guilty of in this regard is burying the IPSec system so very deep in the system, where in Windows 2000 it’s nearly at the surface. Windows 9x is completely helpless in this regard and Linux uses a different system altogether so this is primarily going to just concentrate on Windows IPSEC Firewall security.

IPSec Firewalling begins at a blank MMC console:

From here, we will click these items in order:

1. Console
   
2. Add/Remove Snap-in
   
3. Add
   
4. Select “IP Security Policy Management”
   
5. Add
   
6. Finish
   
7. Close
   
8. Ok
   

To get to our starting screen:

Alternately, there is a faster way within Windows XP (maybe also 2000) and that is: Start, Run, secpol.msc. Thanks for the comments, sorry that the MMC intro is a little labyrinthine, Win2k (when I wrote this page initially) didn’t have a lot in the way of guides.

Windows 2000 initially ships with all these nifty MMC extensions and snap-ins to make your life easier, and it’s one of the most overlooked “cool features” that Microsoft never really hyped enough when they initially released Windows 2000. IPSec lacks some defaults, but this lack of attention on Microsofts part is easily patched over. IPSec lacks the ability to block any ports, even though blocking is something that you can eventually establish for rules and such, I’ve found adding to the IPSec Filter Actions an entry called “Block” makes life much easier later on. To establish a “Block” Filter Action, follow these steps:

1. Click on the “plus symbol” next to “IP Security Policies…” under the Console Root folder in the left-hand pane
   
2. Right-click on “IP Security Policies…” in the left-hand pane
   
3. Click “Manage IP Filter Lists and Filter Actions”
   
4. Click on the tab “Manage Filter Actions”
   
5. Click Add
   
6. Click Next
   
7. Set Name field to “Block” and set the description to “Block Access”
   
8. Click Next
   
9. Click the radio-button next to “Block” in the “Filter Action” dialog box
   
10. Click Next
    
11. Click Finish
    

This will be how it looks when you are done with establishing a Blocking rule:

Microsoft has never explained why they included “Permit”, “Request Security (Optional)”, and “Require Security” in this by default but never even gave a thought to including “Block” when it seems to be an obvious default to include, but, that’s Redmond Logic for ya. In the beginning we start with this screen:

We start our firewall off by these steps:

1. Right-clicking on the “IP Security Policies on…” item in the left-hand pane
   
2. Click on “Create IP Security Policy”
   
3. Click Next
   
4. In the Name field, type in “Firewall”, and in Description type in “Firewall”
   
5. Click Next
   
6. Click Next (the default will do fine)
   
7. Click Next (the default will do fine)
   
8. If you are not part of a domain, like me, a Warning will pop up, ignore it, if it doesn’t, then ignore this line. Click Yes if you get it.
   
9. Click Finish
   

This screen is now were we concentrate our activities, you’ll have to uncheck “Use Add Wizard” because I found it tacky and slow, and you might too! Anyhow, the screenshot:

1. Click Add
   
2. Two Filter Lists come predefined, All IP Traffic and All ICMP Traffic
   
3. Click the round circle to the left of “All IP Traffic” and then click on the tab named “Filter Action” and click the circle to the left of “Blocked”
   
4. Click OK.
   
5. Click Add
   
6. Click on the tab named “IP Filter List”
   
7. Click the round circle to the left of “All ICMP Traffic” and then click on the tab named “Filter Action” and click the circle to the left of “Blocked”
   
8. Click on the tab named “IP Filter List”
   
9. Click OK.
   

These steps effectively block all IP and ICMP traffic from both egress and ingress to your system once the “Firewall” package has been assigned. At this point in the game, your computer is almost as good as unconnected to the network, no port scanning on your IP address will reveal any ports open and as an added bonus, since you’ve also cut off ICMP traffic as well, all port scanning to your IP Address will behave as if it is a TCP/IP black hole, packets get sent out but they never get accepted or refused right out, so the scanner will have to wait for timeouts to pass for each scanned port, that seriously slows any scanning program right down, good for you and the WH, bad for the BH.

However, in this state it does suck for the user. Since no traffic can enter or leave based on IP or ICMP protocols it’s just as if we had unplugged the poor person from the network. This basic firewall is a great way to deny a user a path to the Internet while still allowing them the benefit of knowing the Ehternet cable is plugged into their NIC. At this point we have to start poking holes in our firewall to let the ports we know pass through in the ways we wish.

The general form that I follow depends on what filter definition you use, these shots coming up will show how to limit a popular port, like 80/tcp by ingress, or egress, or just from a particular subnet. Then at the end I’ll discuss what ports I do let through and why.

To Allow Port 80/tcp ingress (Opening your Webserver)

Starting from the top:

I’ve already created an “Example Firewall” and stocked it with all the options in order to achieve the objective, wihch is to provide 80/tcp ingress. The definition on the “Example Firewall” on the left, and when you double-click on “Example”, you see the screen on the right:

Essentially that is all there is to it, beyond being particular about subnetting and deciding ports and protocols the rest of the firewalling is up to you, the administrator. If you prepare a system like I have then you eventually find yourself developing a firewall that protects people while still allowing them to use the services they have come to depend on without risking ingress or egress on any other port that might eventually become useful to a BH agent. I simply leave ICMP totally alone except for opening it up to the local LAN, this provides ICMP messages (ping and tracer) information to flow across my LAN with ease but prevents any other ICMP packets from actually being processed by any of the Windows 2000 systems on my LAN. More of course, is coming up as I describe the ports and the why’s behind my selections.

Firewall Port Selection

Previously I stated that having the basic no-traffic-allowed firewall was the simplest to implement, it was also the most impossible to use. Because no packets can egress or ingress at all, no services that use network components ultimately fail. Items such as Netscape Navigator, Internet Explorer, DNS, NetBIOS, and even the Novell Client32 cannot work properly under these conditions. I faced this exact question when I first started working on this firewalling project. Initially I wanted only to provide firewall holes for services I knew about and I knew my users would absolutely need for core business processes. Because Windows 2000 IPSec firewalling prevents egress as well as ingress, I realized an unforseen benefit from employing these firewalls, unauthorized software that is internet enabled and uses unique TCP/IP ports are rendered useless without the user requesting help, and with slightly educated users, help with turning on ports, which leads to questions and a very useful way to protect people from their own shortsightedness. Anyhow, on with the Parade of Ports:

All other TCP/IP and ICMP ports are left closed, and all NetBIOS ports (nee, read SMB) are specifically closed to all network locations except for 192.168.1.0 and 192.168.2.0 class subnets. I spend extra time defining SMB protections because after analyzing the Windows 2000 logs I detected an inordinate amount of browsing going on thru Network Neighborhood in relationship to a popular subnetwork of ours called ResNet. While I cannot estimate how many of these browsers were bent for some BH purpose, my task was very clear, block everyone except those that must have SMB abilities from engaging in any activities related to SMB. The most sensitive ingress points are likewise protected by the extra definition of the subnet filter, no machine on our LAN outside of our two common subnets may engage these ingress points. The proof comes in the logs, the amount of detected browsing has sharply fallen off and those that do are local users for which I have implicit trust. The only technically unprotected ingress points are those surrounding NetMeeting, however Microsoft provides certificate and username/password controls on NetMeeting so I am not as greatly concerned about protecting those ingress points with so many rules – that and I prefer to leave those particular ingress points free so that I may have the convenience of connecting from remote locations off of our 192.168.0.0 home network.

Download Example Firewall IPSEC file here. (Hint: Use “Save Link As…” or “Save Target As…” to download this file) 

Download Basic Example Firewall IPSEC file here.

How to Install *.IPSEC files:

The file isn’t meant for MMC console, instead it’s meant for the IP Security Policy snap-in. Follow these steps:

1. Open MMC
   
2. Click on File
   
3. Click on Add/Remove Snap-In, add the IP Security Policy snap-in, click ok.
   
4. When back to the MMC console, click the plus to the left of “IP Security Policies on Local Computer” in the left-hand pane, then click on “IP Security Policies on Local Computer” itself, in the left-hand pane.
   
5. Right click on the IP Security Policy icon and click “All Tasks” then click on “Import Policies”, then find the firewall.ipsec file and click ok.
   

Updated: 6/15/2007