I have two subnets, 1 Domain, in a school environment: Student side and
Administration side. They currently share an Internet connection through an ISA
2000 server.
The admin side is currently running on Novell for file serving. We want to
replace Novell with a secure Windows 2003 solution. The new server will have 2
NICs. I was trying to figure out if I could enable IPSEC on just the external
NIC. The main goal
is to let the admin side get to the student network for Internet only and not let
any other device on the student network communicate with the new admin server?

Thanks for your time

Re: Enable IPSEC on a Specific NIC only? by Roger

Roger
Sat Feb 05 11:38:57 CST 2005

The IPsec policy agent is on for all interfaces; but whether it does
something is controlled by the ruleset. Each rule can specify
the from and the to IP address. Since your different NICs have
different IPs, you have the ability to have the IPsec ruleset treat
each NIC differently by using the to and from IP addresses.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"exchangerookie1994" <exchangerookie1994@discussions.microsoft.com> wrote in
message news:7816AA7F-9D00-46B8-A896-F9452F33C1DC@microsoft.com...
> I have two subnets, 1 Domain, in a school environment: Student side and
> Administration side. They currently share an Internet connection through an
> ISA 2000 server.
> The admin side is currently running on Novell for file serving. We want to
> replace Novell with a secure Windows 2003 solution. The new server will have 2
> NICs. I was trying to figure out if I could enable IPSEC on just the external
> NIC. The main goal
> is to let the admin side get to the student network for Internet only and not
> let any other device on the student network communicate with the new admin
> server?
>
> Thanks for your time
>



Re: Enable IPSEC on a Specific NIC only? by William

William
Sat Feb 05 11:33:59 CST 2005

Thanks Roger. So can the rules on the internal NIC say I can also use IPv4
or do all clients now need to use IPSec to talk to the server? TIA

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:ex1Ykk6CFHA.4020@TK2MSFTNGP14.phx.gbl...
> The IPsec policy agent is on for all interfaces; but whether it does
> something is controlled by the ruleset. Each rule can specify
> the from and the to IP address. Since your different NICs have
> different IPs, you have the ability to have the IPsec ruleset treat
> each NIC differently by using the to and from IP addresses.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA


Re: Enable IPSEC on a Specific NIC only? by Roger

Roger
Sat Feb 05 14:35:19 CST 2005

It depends on what you define.
If you use IPsec as it is intended, then all involved machines
will be using IPsec. If you use only the IP/protocol/port
filtering, then only the one machine is involved. You can
also use both if you want hard or soft sa bindings in IPsec
with some machines or for some IP/protocol/port combinations,
but you could leave other things open as long as it is an allowed
IP/protocol/port combination.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"William Stacey [MVP]" <staceywREMOVE@mvps.org> wrote in message
news:%23CAkon6CFHA.2600@TK2MSFTNGP09.phx.gbl...
> Thanks Roger. So can the rules on the internal NIC say I can also use IPv4
> or do all clients now need to use IPSec to talk to the server? TIA
>
> --
> William Stacey, MVP
> http://mvp.support.microsoft.com



Re: Enable IPSEC on a Specific NIC only? by exchangerookie1994

exchangerookie1994
Sat Feb 05 16:57:02 CST 2005

Thanks for the info.
So I could create a rule for the internal subnet to allow all IP traffic to
and from the server, a rule to block everything from the external subnet, and
another rule to allow Internet traffic to the ISA 2000 server IP
address - on the external subnet?
Thanks

"Roger Abell" wrote:

> It depends on what you define.
> If you use IPsec as it is intended, then all involved machines
> will be using IPsec. If you use only the IP/protocol/port
> filtering, then only the one machine is involved. You can
> also use both if you want hard or soft sa bindings in IPsec
> with some machines or for some IP/protocol/port combinations,
> but you could leave other things open as long as it is an allowed
> IP/protocol/port combination.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA

Re: Enable IPSEC on a Specific NIC only? by Roger

Roger
Sat Feb 05 20:28:45 CST 2005

Yep, probably. What was in your initial post is purely yep, where
you could restrict one interface to speak any tcp/udp/ip, perhaps
icmp, with some subnet and drop all packets from others.
Where the probably comes in is that I am not sure which network
has ISA and if this is the ISA or just routes to it if ISA is on the
other, etc., and there is the issue of ephemeral response ports
that may get opened. Simple IPsec filtering is not a firewall, is
not stateful inspection, etc. It is simply stating from ip/protocol
(and ports if applicable) and same for to ip/protocol; and one
can say mirrored to avoid manual definition of the complement
rule, one can use subnets for the IP statement, and can null out any
part for allow all.

For a single machine and small ruleset the GUI is probably the
way to go. If this needs to be done on many machines, and the
IPsec policy cannot be done through group policy, then there
is a cmdline interface (which has changed with each release
of Windows; with W2k3 it is a context in netsh).

You would just define a new policy (it is at this level that one
assigns, or makes active, a group of rule sets), probably using
the preshared key choice (but not both to share it), and then spend
some time experimenting to get a feel for defining rules and
IP filter lists. This leaves the predefined policies unchanged.
Just assign the new policy and then all changes you make to
the rules in it are immediately (assuming this is in local policy
and not AD delivered) effective. For the actions to use just
IP filtering you would specify either allow or block - if you
do not have request/require security actions then you are not
defining any "real" use of IPsec for forming security associations,
but just "hijacking" its ability to do basic network packet
filtering.

--
Roger
"exchangerookie1994" <exchangerookie1994@discussions.microsoft.com> wrote in
message news:C6DF6620-7701-4610-8D5B-1D6B1A58EE8C@microsoft.com...
> Thanks for the info.
> So I could create a rule for the internal subnet to allow all IP traffic to
> and from the server, a rule to block everything from the external subnet, and
> another rule to allow Internet traffic to the ISA 2000 server IP
> address - on the external subnet?
> Thanks
>
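The three rules proposed in the thread (permit the admin subnet, block the student subnet, but still permit the ISA 2000 server's address) written out as a Windows Server 2003 "netsh ipsec static" script, using only permit/block filter actions so no security associations are negotiated, as Roger describes. This is an added example and not code from any poster; the subnets 10.10.0.0/16 (admin side, internal NIC), 10.20.0.0/16 (student side, external NIC), the ISA address 10.20.0.1 and all policy, list and action names are made-up placeholders to replace with your own.

```batch
@echo off
rem Added example (not from the thread): IP-filter-only IPsec policy for the new admin server.
rem All addresses below are constructed placeholders.
set ADMIN_NET=10.10.0.0
set ADMIN_MASK=255.255.0.0
set STUDENT_NET=10.20.0.0
set STUDENT_MASK=255.255.0.0
set ISA_IP=10.20.0.1
set POL=AdminServerFilter

rem 1. Create the policy unassigned; assignment is the last step so a half-built
rem    ruleset never becomes active. The default response rule is not needed here.
netsh ipsec static add policy name="%POL%" description="Packet filtering only, no negotiation" activatedefaultrule=no assign=no

rem 2. Filter actions: permit and block only. Without a negotiate action no SAs are
rem    formed, so clients on the admin side keep talking plain IP to the server.
netsh ipsec static add filteraction name="FA-Permit" description="Pass traffic untouched" action=permit
netsh ipsec static add filteraction name="FA-Block" description="Drop traffic" action=block

rem 3. Filter lists. "Me" means any address of this server, so the same list works
rem    whichever NIC the packet arrives on. mirrored=yes adds the reverse direction
rem    automatically, which is how replies on ephemeral ports get through, since
rem    IPsec filtering keeps no connection state.
netsh ipsec static add filterlist name="FL-AdminSubnet" description="Admin side, internal NIC"
netsh ipsec static add filter filterlist="FL-AdminSubnet" srcaddr=%ADMIN_NET% srcmask=%ADMIN_MASK% dstaddr=Me protocol=ANY mirrored=yes

netsh ipsec static add filterlist name="FL-StudentSubnet" description="Student side, external NIC"
netsh ipsec static add filter filterlist="FL-StudentSubnet" srcaddr=%STUDENT_NET% srcmask=%STUDENT_MASK% dstaddr=Me protocol=ANY mirrored=yes

netsh ipsec static add filterlist name="FL-ISA" description="Single host exception for the ISA 2000 server"
netsh ipsec static add filter filterlist="FL-ISA" srcaddr=Me dstaddr=%ISA_IP% protocol=ANY mirrored=yes

rem 4. Rules bind a filter list to an action inside the policy.
netsh ipsec static add rule name="Permit admin subnet" policy="%POL%" filterlist="FL-AdminSubnet" filteraction="FA-Permit"
netsh ipsec static add rule name="Block student subnet" policy="%POL%" filterlist="FL-StudentSubnet" filteraction="FA-Block"
netsh ipsec static add rule name="Permit ISA server" policy="%POL%" filterlist="FL-ISA" filteraction="FA-Permit"

rem 5. Review what was built, then assign. Only one policy is assigned at a time,
rem    and changes to an assigned local policy take effect immediately.
netsh ipsec static show policy name="%POL%" level=verbose
netsh ipsec static set policy name="%POL%" assign=yes
```

Two properties of Windows IPsec filtering decide whether this does what the thread wants. First, filters are not evaluated in the order the rules were added: the most specific match wins, so the single-host ISA filter takes precedence over the /16 block filter covering the same address. Second, traffic that matches no filter at all is passed untouched, so it is the block rule, not the absence of a permit, that closes the student side; anything the server itself must reach on that side has to be listed as a more specific permit, and a forgotten one shows up as a silent drop. Run the script from the console rather than over the network, because the moment the policy is assigned a mistake in the subnet or mask can cut off the session that created it.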