Friday, 18 November 2011

Using IPsec to filter by IP address or packet

Windows has a built-in IPSEC service. One of the things ipsec can do is act as the host's firewall: it protects the host from infection or attack and, if the host is already infected, keeps it from attacking others.

This time the requirement is:
1. Block every IP range from connecting to destination protocol UDP, ports 137 and 139 (Network Neighborhood / file sharing);
2. Allow only the 10.10.x.x range to connect to destination protocol UDP, ports 137 and 139.

IPsec configuration is convenient: since everything has a GUI it is easy to use and the settings are intuitive. Rules are created as follows:

Create IPSec Policy
Typically, a Windows Server 2003 gateway is not a member of a domain, so a local IPSec policy is created. If the Windows Server 2003 gateway is a member of a domain that has IPSec policy applied to all members of the domain by default, this prevents the Windows Server 2003 gateway from having a local IPSec policy. In this case, you can create an organizational unit in Active Directory, make the Windows Server 2003 gateway a member of this organizational unit, and assign the IPSec policy to the Group Policy object (GPO) of the organizational unit. For more information, see the "Creating, modifying, and assigning IPSec policies" section of Windows Server 2003 online Help.
1. Click Start, click Run, and then type secpol.msc to start the IP Security Policy Management snap-in.
2. Right-click IP Security Policies on Local Computer, and then click Create IP Security Policy.
3. Click Next, and then type a name for your policy (for example, IPSec Tunnel with non-Microsoft Gateway). Click Next.
   Note You can also type information in the Description box.
4. Click to clear the Activate the default response rule check box, and then click Next.
5. Click Finish (leave the Edit check box selected).
Note The IPSec policy is created with default settings for the IKE main mode. The IPSec tunnel is made up of two rules. Each rule specifies a tunnel endpoint. Because there are two tunnel endpoints, there are two rules. The filters in each rule must represent the source and destination IP addresses in IP packets that are sent to that rule's tunnel endpoint.



Build a Filter List from NetA to NetB
1. In the new policy properties, click to clear the Use Add Wizard check box, and then click Add to create a new rule.
2. Click the IP Filter List tab, and then click Add.
3. Type an appropriate name for the filter list, click to clear the Use Add Wizard check box, and then click Add.
4. In the Source address box, click A specific IP Subnet, and then type the IP Address and Subnet mask for NetA.
5. In the Destination address box, click A specific IP Subnet, and then type the IP Address and Subnet mask for NetB.
6. Click to clear the Mirrored check box.
7. Click the Protocol tab. Make sure that the protocol type is set to Any, because IPSec tunnels do not support protocol-specific or port-specific filters.
8. If you want to type a description for your filter, click the Description tab. It is generally a good idea to give the filter the same name that you used for the filter list. The filter name appears in the IPSec monitor when the tunnel is active.
9. Click OK.


Build a Filter List from NetB to NetA
1. Click the IP Filter List tab, and then click Add.
2. Type an appropriate name for the filter list, click to clear the Use Add Wizard check box, and then click Add.
3. In the Source address box, click A specific IP Subnet, and then type the IP Address and Subnet mask for NetB.
4. In the Destination address box, click A specific IP Subnet, and then type the IP Address and Subnet mask for NetA.
5. Click to clear the Mirrored check box.
6. If you want to type a description for your filter, click the Description tab.
7. Click OK.


Configure a Rule for a NetA-to-NetB Tunnel
1. Click the IP Filter List tab, and then click to select the filter list that you created.
2. Click the Tunnel Setting tab, click The tunnel endpoint is specified by this IP Address box, and then type 3rdextip (where 3rdextip is the IP address that is assigned to the non-Microsoft gateway external network adapter).
3. Click the Connection Type tab, click All network connections (or click Local area network (LAN) if WIN2003extIP is not an ISDN, PPP, or direct-connect serial connection).
4. Click the Filter Action tab, click to clear the Use Add Wizard check box, and then click Add to create a new filter action, because the default actions allow incoming traffic in clear text.
5. Keep the Negotiate security option enabled, and then click to clear the Accept unsecured communication, but always respond using IPSec check box. You must do this for secure operation.
   Note None of the check boxes at the bottom of the Filter Action dialog box are selected as an initial configuration for a filter action that applies to tunnel rules. Only the Use session key perfect forward secrecy (PFS) check box is a valid setting for tunnels if the other end of the tunnel is also configured to use PFS.
6. Click Add, and keep the Integrity and encryption option selected (or you can select the Custom (for expert users) option if you want to define specific algorithms and session key lifetimes). Encapsulating Security Payload (ESP) is one of the two IPSec protocols.
7. Click OK. Click the General tab, type a name for the new filter action (for example, IPSec tunnel: ESP DES/MD5), and then click OK.
8. Click to select the filter action that you just created.
9. Click the Authentication Methods tab, and configure the authentication method that you want (use a preshared key for testing, and otherwise use certificates). Kerberos is technically possible if both ends of the tunnel are in trusted domains, and each trusted domain's IP address (the IP address of a domain controller) is reachable on the network by both ends of the tunnel during IKE negotiation of the tunnel (before it is established). But this is rare.
10. Click Close.


Configure a Rule for a NetB-to-NetA Tunnel
1. In IPSec policy properties, click Add to create a new rule.
2. Click the IP Filter List tab, and click to select the filter list that you created (from NetB to NetA).
3. Click the Tunnel Setting tab, click The tunnel endpoint is specified by this IP Address box, and then type WIN2003extIP (where WIN2003extIP is the IP address that is assigned to the Windows Server 2003 gateway external network adapter).
4. Click the Connection Type tab, click All network connections (or click Local area network (LAN) if WIN2003extIP is not an ISDN, PPP, or direct-connect serial connection). Any outbound traffic on the interface type that matches the filters tries to be tunneled to the tunnel endpoint that is specified in the rule. Inbound traffic that matches the filters is discarded because it must be received secured by an IPSec tunnel.
5. Click the Filter Action tab, and then click to select the filter action that you created.
6. Click the Authentication Methods tab, and then configure the same method that you used in the first rule (the same method must be used in both rules).
7. Click OK, make sure both rules that you created are enabled in your policy, and then click OK again.
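The Microsoft text above describes tunnel-mode rules between two gateways. The requirement at the top of the post (block UDP 137 and 139 from everywhere, permit them only from 10.10.x.x) needs transport-mode permit/block filters instead: the same snap-in builds them with the Block and Permit filter actions in place of Negotiate security, and no tunnel endpoint. The following is an added example, not from the original post or the Microsoft article, showing the equivalent built from the command line with netsh ipsec static on Windows Server 2003 / XP. The policy, filter-list, filter-action and rule names are invented here; 10.10.0.0/16 is the trusted range named in the post.

```batch
@echo off
REM Added example (not from the original post or the Microsoft KB):
REM the netsh equivalent of building the policy in secpol.msc.
REM Names below are made up; 10.10.0.0/16 is the trusted range from the post.
REM Run in an elevated command prompt on the host being protected.

set POLICY=Block-NetBIOS-Except-Trusted

REM 1. Create the policy, unassigned for now. The default response rule
REM    stays off, matching the GUI step that clears that check box.
netsh ipsec static add policy name="%POLICY%" description="Block UDP 137/139 from all but 10.10.0.0/16" activatedefaultrule=no

REM 2. Filter list A: UDP 137 and 139 to this host from any address.
REM    dstaddr=me expands to every address of the local host; mirrored=yes
REM    also matches the reverse direction (this host's own replies and
REM    queries from port 137/139), as the GUI's Mirrored check box does.
netsh ipsec static add filterlist name="NetBIOS-UDP-Any" description="UDP 137/139 from anywhere"
netsh ipsec static add filter filterlist="NetBIOS-UDP-Any" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=137 mirrored=yes
netsh ipsec static add filter filterlist="NetBIOS-UDP-Any" srcaddr=any dstaddr=me protocol=udp srcport=0 dstport=139 mirrored=yes

REM 3. Filter list B: the same ports, but only from the trusted 10.10.x.x range.
netsh ipsec static add filterlist name="NetBIOS-UDP-Trusted" description="UDP 137/139 from 10.10.0.0/16"
netsh ipsec static add filter filterlist="NetBIOS-UDP-Trusted" srcaddr=10.10.0.0 srcmask=255.255.0.0 dstaddr=me protocol=udp srcport=0 dstport=137 mirrored=yes
netsh ipsec static add filter filterlist="NetBIOS-UDP-Trusted" srcaddr=10.10.0.0 srcmask=255.255.0.0 dstaddr=me protocol=udp srcport=0 dstport=139 mirrored=yes

REM 4. Two plain filter actions. Nothing is negotiated: IPsec is used here
REM    purely as a packet filter, not as a tunnel.
netsh ipsec static add filteraction name="Drop" action=block
netsh ipsec static add filteraction name="Allow" action=permit

REM 5. Bind each list to its action. The IPsec driver applies the most
REM    specific matching filter, so the /16 permit wins over the any-address
REM    block regardless of the order the rules were added in.
netsh ipsec static add rule name="Block-NetBIOS-All" policy="%POLICY%" filterlist="NetBIOS-UDP-Any" filteraction="Drop"
netsh ipsec static add rule name="Permit-NetBIOS-Trusted" policy="%POLICY%" filterlist="NetBIOS-UDP-Trusted" filteraction="Allow"

REM 6. Assign the policy. Only one local policy can be assigned at a time,
REM    so this replaces whatever was assigned before.
netsh ipsec static set policy name="%POLICY%" assign=y

REM 7. Check the result: the static view shows the stored policy, the
REM    dynamic view shows the filters the driver is actually enforcing.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show all
```

Two checks are worth making after the policy is assigned. First, NetBIOS name queries on UDP 137 are usually sent to the subnet broadcast address, and whether the IPsec driver filters broadcast traffic depends on its default exemptions: Windows 2000 and XP exempt broadcast and multicast by default, while Windows Server 2003 narrowed the default exemption to IKE traffic, so the dynamic view above is the authoritative answer for a given host. Second, confirm the intended split from both sides: a host outside 10.10.0.0/16 should get no answer on UDP 137/139, and a host inside it should still reach the shares. To undo the whole thing, `netsh ipsec static set policy name="%POLICY%" assign=n` followed by `netsh ipsec static delete policy name="%POLICY%"` removes it.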


Source:
http://support.microsoft.com/kb/816514/en-us#21
