史萊姆論壇

返回   史萊姆論壇 > 教學文件資料庫 > 網路軟硬體架設技術文件
忘記密碼?
註冊帳號 論壇說明 標記討論區已讀

歡迎您來到『史萊姆論壇』 ^___^

您目前正以訪客的身份瀏覽本論壇,訪客所擁有的權限將受到限制,您可以瀏覽本論壇大部份的版區與文章,但您將無法參與任何討論或是使用私人訊息與其他會員交流。若您希望擁有完整的使用權限,請註冊成為我們的一份子,註冊的程序十分簡單、快速,而且最重要的是--註冊是完全免費的!

請點擊這裡:『註冊成為我們的一份子!』

Google 提供的廣告


 
 
主題工具 顯示模式
舊 2003-12-28, 11:37 PM   #1
psac
榮譽會員
 
psac 的頭像
榮譽勳章
UID - 3662
在線等級: 級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時級別:30 | 在線時長:1048小時 | 升級還需:37小時
註冊日期: 2002-12-07
住址: 木柵市立動物園
文章: 17381
現金: 5253 金幣
資產: 33853 金幣
預設 教你如何利用Windows自身的IPsec和Firewall功能。功能比網路內容中的TCP/IP Filter強

summary: Installing Windows 2000/XP IPsec Firewall Filters
last updated: Thursday, January 22, 2003
prepared by: rev, jtk
test hardware: Gateway E3200, Gateway MD-200STM
test OS: XP professional version 2002, Windows 2000

--------
Overview
--------
Operating systems, and in particular recent versions of Microsoft
operating systems, have been compromised due to vulernabilities in
remotely accessible services that are enabled by the default install.
Many operating systems today come with host-based firewalls that can
be used to help limit accessibility of services from untrusted or
unwanted remote systems. In recent versions of Microsoft operating
systems, including Windows 2000 and Windows XP, bundled with the
system is a implementation of the IP Security Protocol (IPsec).
IPsec is used to provide authentication and privacy of IP datagrams
between communicating hosts through the use of payload encryption
and digital signatures. Microsoft's IPsec implementation includes
rudimentary packet level filtering capabilities that can be used to
provide some minimal host-based firewall protection. While not as
flexible as other available firewall toolkits, Microsoft's IPsec
toolkit does provide enough functionality that it can significantly
increase the security of a host by prohibiting potentially dangerous
services from being accessible to untrusted or unwanted remote hosts.
This document details a practical implementation for a set of IPsec
filters appropriate for an internal DePaul Windows client.

------------
Requirements
------------
Windows XP systems require the IPSECCMD.EXE command line utility.
This can be installed from a Windows XP installation CD. Run
SETUP.EXE from the SUPPORT\TOOLS directory to install.

Windows 2000 systems must install the IPSECPOL.EXE command line
utility. This tool may be downloaded from Microsoft's web site:

<http://www.microsoft.com/windows2000...ipsecpol-o.asp>

Local copies of these tools are located on the NTG R&D software page:

<http://ntg.depaul.edu/rd/software/>

The IPSECCMD.EXE or IPSECPOL.EXE utilities must be run from their
installation directory or located in the system path. We recommend
placing the appropriate utility in the WINNT\SYSTEM32 directory.

The IPsec policy service must be running on the system.

Administrator privileges will be required to install IPsec policies.

-------------
Configuration
-------------
The XP and 2000 utilities while different, use the same syntax. The
XP tool IPSECCMD.EXE is used in the examples below. All commands
start with the following syntax in these examples:

ipseccmd -w REG -p "DPU Local Filter"

Be sure to replace <command> below with the syntax above.

1. Clear existing IPsec policies:

<command> -o

2. Block TCP port 20 (FTP-DATA):

<command> -r "Block TCP/20" -f *+0:20:TCP -n BLOCK

3. Block TCP port 21 (FTP):

<command> -r "Block TCP/21" -f *+0:21:TCP -n BLOCK

4. Block TCP port 25 (SMTP):

<command> -r "Block TCP/25" -f *+0:25:TCP -n BLOCK

5. Block TCP port 80 (HTTP):

<command> -r "Block TCP/80" -f *+0:80:TCP -n BLOCK

6. Limit TCP port 135 (EPMAP):

<command> -r "Limit TCP/135" -f 140.192.0.0/255.255.0.0+0:135:TCP -n PASS
<command> -r "Block TCP/135" -f *+0:135:TCP -n BLOCK

7. Limit TCP port 137 (NETBIOS-NS):

<command> -r "Limit TCP/137" -f 140.192.0.0/255.255.0.0+0:137:TCP -n PASS
<command> -r "Block TCP/137" -f *+0:137:TCP -n BLOCK

8. Limit TCP port 138 (NETBIOS-DGM):

<command> -r "Limit TCP/138" -f 140.192.0.0/255.255.0.0+0:138:TCP -n PASS
<command> -r "Block TCP/138" -f *+0:138:TCP -n BLOCK

9. Limit TCP port 139 (NETBIOS-SSN):

<command> -r "Limit TCP/139" -f 140.192.0.0/255.255.0.0+0:139:TCP -n PASS
<command> -r "Block TCP/139" -f *+0:139:TCP -n BLOCK

10. Limit TCP port 427 (SVRLOC):

<command> -r "Limit TCP/427" -f 140.192.0.0/255.255.0.0+0:427:TCP -n PASS
<command> -r "Block TCP/427" -f *+0:427:TCP -n BLOCK

11. Block TCP port 443 (HTTPS):

<command> -r "Block TCP/443" -f *+0:443:TCP -n BLOCK

12. Limit TCP port 445 (MICROSOFT-DS):

<command> -r "Limit TCP/445" -f 140.192.0.0/255.255.0.0+0:445:TCP -n PASS
<command> -r "Block TCP/445" -f *+0:445:TCP -n BLOCK

13. Limit UDP port 68 (BOOTPC):

<command> -r "Limit UDP/68" -f 140.192.0.0/255.255.0.0+0:68:UDP -n PASS
<command> -r "Block UDP/68" -f *+0:68:UDP -n BLOCK

14. Block UDP port 69 (TFTP):

<command> -r "Block UDP/69" -f *+0:69:UDP -n BLOCK

15. Block UDP port 111 (RPC):

<command> -r "Block UDP/111" -f *+0:111:UDP -n BLOCK

16. Limit UDP port 135 (EPMAP):

<command> -r "Limit UDP/135" -f 140.192.0.0/255.255.0.0+0:135:UDP -n PASS
<command> -r "Block UDP/135" -f *+0:135:UDP -n BLOCK

17. Limit UDP port 137 (NETBIOS-NS):

<command> -r "Limit UDP/137" -f 140.192.0.0/255.255.0.0+0:137:UDP -n PASS
<command> -r "Block UDP/137" -f *+0:137:UDP -n BLOCK

18. Limit UDP port 138 (NETBIOS-DGM):

<command> -r "Limit UDP/138" -f 140.192.0.0/255.255.0.0+0:138:UDP -n PASS
<command> -r "Block UDP/138" -f *+0:138:UDP -n BLOCK

19. Limit UDP port 139 (NETBIOS-SSN):

<command> -r "Limit UDP/139" -f 140.192.0.0/255.255.0.0+0:139:UDP -n PASS
<command> -r "Block UDP/139" -f *+0:139:UDP -n BLOCK

20. Block UDP port 161 (SNMP):

<command> -r "Block UDP/161" -f *+0:161:UDP -n BLOCK

21. Limit UDP port 427 (SRVLOC):

<command> -r "Limit UDP/427" -f 140.192.0.0/255.255.0.0+0:427:UDP -n PASS
<command> -r "Block UDP/427" -f *+0:427:UDP -n BLOCK

22. Limit UDP port 445 (MICROSOFT-DS):

<command> -r "Limit UDP/445" -f 140.192.0.0/255.255.0.0+0:445:UDP -n PASS
<command> -r "Block UDP/445" -f *+0:445:UDP -n BLOCK

23. Apply the new IPsec policy:

<command> -x

---------------
Troubleshooting
---------------
There is limited ability to troubleshoot IPsec policies within Windows
2000 and XP. IPsec filters do not log blocked or passed packets, so
it is difficult to determine exactly what the IPsec filter rules are
doing. We recommend exhausting all other areas of troubleshooting
before changing the IPsec filters, but as a last resort, IPsec filters
can be temporarily disabled by running the following command:

ipseccmd -w REG -p "DPU Local Filter" -o

NOTE: you will need to reapply the entire configuration over again if
you disable IPsec filters this way.

The IPsec rules should be flexible enough that they will work for most
typical user configurations. However, in some instances, it may be
required to have some services remotely accessible that are blocked by
the filters above. In the majority of cases, it is recommended that
standard filters remain intact, and alternative, more secure means of
communication be used . Many of the filter rules above are there
to protect against very common problems with Windows vulnerabilities
and disabling any of them may put a system at greater risk.

-----
Notes
-----
The filter rules above are designed for locally connected DePaul
University client Windows hosts. If for example the host being
protected is a laptop, BOOTP/DHCP (UDP port 68) may need to be open
to other networks (probably by not even configuring the the BOOTPC
rule at all). Hosts used primarily as servers or those requiring
access to services blocked or limited above may need significantly
different IPsec rules than those presented here.

IPsec policies can be centrally managed if Windows hosts are part of
a Windows Domain. Managing IPsec policies are beyond the scope of
this document. For further details on managing IPsec policies in
this way, see the following Microsoft page:

<http://www.microsoft.com/technet/pro...c_tcp_vouk.asp>

Windows IPsec policies do not have a user-defined ordering for the
filter rules. Instead, filters are evaluated from the most specific
to the least specific rule. So for example, if two rules both block
TCP port 80, but one specifies a source subnet and the other does not,
the more specific filter with the source subnet specified will be
evaluated first. This allows you to build filter rules that allow
a select group of trusted hosts, but blocks all other IP sources as
shown in the rules above.

A packet is not explicitly denied should it pass all the filter rules.
A default deny can achieved by using a rule such as the following:

ipseccmd -w REG -p "policy-name" -r "deny all" -f 0+* -n BLOCK

There are some types of packets that the IPsec filters will not
act upon. A Windows registry key defines additional types of traffic
that may or may not be filtered by default. The registry key is:

HKEY_LOCAL_MACHINE\SYTEM\CurrentControlSet\Services\IPSEC\NoDefaultExemmpt

The possible values for this key are:

0 - Exempt Kerberos, RSVP and multicast/broadcast packets
1 - Exempt multicast/broadcast (not Kerberos or RSVP)
2 - Exempt Kerberos and RSVP (not multicast/broadcast) - XP/.NET server only
3 - No exemptions (only XP/.NET server)

Default values for Windows systems are:

0 - Windows 2000 (Service Pack 3 and earlier)
0 - Windows XP (and Service Pack 1)
1 - Windows 2000 (Service Pack 4)
1 - Windows XP (Service Pack 2)
3 - .NET Server

類型s greater than 1 on Windows 2000 will be ignored and a value of 1
will be used.

In addition to the packet types above, Windows IPsec filters also cannot
act on IPsec packets nor IPv6 packets.

It should be noted from the configuration section above, a trade-off
in security for usability with regards to local DePaul University hosts.
This stance does not prevent one internal DePaul host from gaining
access through a vulnerable service on another DePaul host. While this
risk exists, it is a necessary trade-off in order to allow many users
the ability to use the popular Microsoft networking protocols within
the campus environment. This stance requires continued activity in
maintaining up-to-date end systems by applying patches regularly. The
default configuration shown above is meant to limit a great deal of the
external threat, but not entirely eliminate it. Further enhancements
from Microsoft are desired as are increasingly better management and
support practices from DePaul staff.

In Windows XP, the Internet Connection Firewall (ICF) toolkit is a very
good defense mechanism. See the R&D team's technote on the Internet
Connection Firewall (ICF) configuration for Windows XP (tn-winxp-icf.txt)
for further information. Note, that in some cases, the ICF toolkit
cannot be used due to design limitations.

----------
References
----------
Microsoft IPSECCMD tool
http://www.microsoft.com/technet/pro...cs/ipsecmd.asp

Windows ipsecpol.exe: Internet Protocol Security Policies Tool
http://www.microsoft.com/windows2000...ipsecpol-o.asp

RFC 2401 Security Architecture for the Internet Protocol
http://www.ietf.org/rfc/rfc2401.txt

-------
Changes
-------
2003-01-06,jtk: re-done from rev's original document
2003-01-07,jtk: minor edits
2003-01-10,jtk: IPsec limitations, registry setting, management, minor edits
2003-01-22,jtk: minor edits
2003-01-31,jtk: typo
要安裝ipseccmd.exe指令,可以在xp的安裝碟裡SUPPORT\TOOLS 目錄執行setup.exe安裝,win2k要從ms網站上download,http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp

上面那篇文章就是解釋執行ipseccmd.exe後的一些指令和用法,感覺和圖形界面的ipsec設定差不多吧?
psac 目前離線  
送花文章: 3, 收花文章: 1630 篇, 收花: 3204 次
 


主題工具
顯示模式

發表規則
不可以發文
不可以回覆主題
不可以上傳附加檔案
不可以編輯您的文章

論壇啟用 BB 語法
論壇啟用 表情符號
論壇啟用 [IMG] 語法
論壇禁用 HTML 語法
Trackbacks are 禁用
Pingbacks are 禁用
Refbacks are 禁用


所有時間均為台北時間。現在的時間是 12:18 AM


Powered by vBulletin® 版本 3.6.8
版權所有 ©2000 - 2020, Jelsoft Enterprises Ltd.


SEO by vBSEO 3.6.1