  1. #1

    IP Security Policies

    I want to setup a Windows 2003 security policy to filter traffic.

    I want to let most of the world through to port 80, so maybe just ban a few nuisance IPs.

    But then I have a POP / IMAP server, VPN, SMTP, etc that I want to block all but UK IP addresses.

    I know I can do this through the MMC snap-in, but this is thousands of IPs.

    Is there a way I can import a list/range of IPs that I want to block from a country IP database?

  2. #2
    Join Date
    Aug 2006
    Location
    London
    Posts
    549
    Should be possible with GhostWall, last time I checked - it did have an import function.
    Ekin Ersoy
    Stagnom Servers | Europe Dedicated Servers with Redefined Support
    Follow us on Twitter: @StagnomUK | Like us on Facebook: facebook.com/Stagnom

  3. #3
    Is that a software firewall? I was thinking about doing it through the Windows IP policies rather than another bit of software.

    I already have RRAS running so don't want to over complicate things.

    If I had a VPN firewall software solution that integrated with Windows security, that would be OK.

  4. #4
    Why not try to block the IP segments using subnets?

    If you have a specific activity reason for blocking IPs, there is add-on firewall software which blocks automatically according to the activity performed.
    Live Your DreamZ
    ~Besty

  5. #5
    @daninmanchester,

    I have no idea how to do it with the internal IP policy tools, sorry. GhostWall is a software firewall, very much like iptables in Linux: very lightweight and easy to use.

  6. #6
    Would it be easy to edit these IP tables programmatically?
    e.g. add 1000 IP ranges to allow or deny?

  7. #7
    I've decided IP policies are the way to go.

    So what I need to know is how I would do the following on a Windows 2003 box using IPSECCMD:

    Block all traffic (IP, port, protocol)
    Allow any IP to access port 80 TCP
    But block specific IP range

  8. #8
    I worked that part out but there is another problem now ....

    If I add too many filters to a command it says the command line is too long.
    But I need to add in the order of 3000 or even more.

    Is there a way I can append filters to a previously created rule?
    What kind of impact will this have on performance?

    Maybe this isn't the best way to be blocking large numbers of subnets?
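    An added example to go with posts #7 and #8; this is my script, not something any poster supplied, and it only generates the commands (nothing here talks to the IPsec service, so it can be run and inspected offline). It assumes the static-mode ipseccmd syntax from the Windows Server 2003 Support Tools as I remember it: `ipseccmd -w REG -p <policy> -r <rule> -f <filter> [<filter> ...] -n BLOCK|PASS [-x]`, with each filter written `src/mask:port=dst/mask:port:proto`, where `+` instead of `=` makes the filter mirrored, `*` means any address and `0` means this machine. Verify that against `ipseccmd /?` on the box before relying on it. Two further assumptions do the real work: Windows IPsec applies the most specific matching filter regardless of the order rules were created in, which is why "block all, permit TCP/80 from anywhere, block a named range on TCP/80" works as a layered set; and each `-r` rule name is replaced when reused, so the "next batch overwrites the previous filters" problem goes away if every batch gets its own rule name inside the same policy. The policy name `GeoFilter`, the limit of 8000 characters (cmd.exe stops at 8191), and the UK and nuisance ranges are all constructed for illustration, and the UK list is a stand-in for a real country export, not real allocation data.

```python
"""Generate batched ipseccmd commands for a Windows Server 2003 geo-filter.

Added example, not from the thread.  Assumed ipseccmd static-mode syntax:
  ipseccmd -w REG -p <policy> -r <rule> -f <filter>... -n BLOCK|PASS [-x]
  filter = src/mask:port=dst/mask:port:proto  ('+' mirrored, '*' any, '0' me)
Check `ipseccmd /?` on the target before use.
"""
import ipaddress

POLICY = "GeoFilter"      # hypothetical policy name
MAX_CMDLINE = 8000        # cmd.exe caps a command line at 8191 chars; keep margin

# Constructed sample data (NOT real allocation data).
UK_BLOCKS = ["81.2.64.0/20", "81.2.80.0/20", "86.0.0.0/11", "86.32.0.0/11"]
NUISANCE = ["203.0.113.7/32", "198.51.100.0/24"]   # RFC 5737 documentation ranges


def collapse(cidrs):
    """Merge adjacent or overlapping networks so fewer filters are needed.
    81.2.64.0/20 + 81.2.80.0/20 -> 81.2.64.0/19, 86.0.0.0/11 + 86.32.0.0/11 -> 86.0.0.0/10."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def mask(cidr):
    """ipseccmd wants a dotted netmask, not a prefix length."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address}/{n.netmask}"


def inbound_filter(cidr, port=None, proto="TCP"):
    """Mirrored filter from a remote network to this host ('0'); port-less = all traffic."""
    if port is None:
        return f"{mask(cidr)}+0"
    return f"{mask(cidr)}+0:{port}:{proto}"


def batch_commands(rule_prefix, cidrs, action, port=None, proto="TCP", limit=MAX_CMDLINE):
    """Split a long filter list across several rules, each with a distinct name
    (rule_prefix-1, rule_prefix-2, ...) so batches add to the policy instead of
    replacing one another.  Every emitted command stays under `limit` characters
    unless a single filter alone exceeds it."""
    cmds, current, n = [], [], 1
    head = f'ipseccmd -w REG -p "{POLICY}" -r "{rule_prefix}-{{}}" -f'
    tail = f" -n {action}"
    for cidr in cidrs:
        flt = inbound_filter(cidr, port, proto)
        trial = head.format(n) + " " + " ".join(current + [flt]) + tail
        if current and len(trial) > limit:
            cmds.append(head.format(n) + " " + " ".join(current) + tail)
            n += 1
            current = []
        current.append(flt)
    if current:
        cmds.append(head.format(n) + " " + " ".join(current) + tail)
    return cmds


def build_policy():
    """Layered rule set: least specific first, most specific last (IPsec picks the
    most specific matching filter, so creation order is only for readability)."""
    cmds = []
    # 1. Block everything inbound to this host.
    cmds.append(f'ipseccmd -w REG -p "{POLICY}" -r "BlockAll" -f *+0 -n BLOCK')
    # 2. Permit TCP/80 from anywhere.
    cmds.append(f'ipseccmd -w REG -p "{POLICY}" -r "AllowHTTP" -f *+0:80:TCP -n PASS')
    # 3. Re-block named nuisance ranges on TCP/80 (more specific than rule 2).
    cmds += batch_commands("NuisanceHTTP", collapse(NUISANCE), "BLOCK", port=80)
    # 4. UK-only services: POP3 and RDP permitted only from the UK ranges.
    uk = collapse(UK_BLOCKS)
    cmds += batch_commands("UK-POP3", uk, "PASS", port=110)
    cmds += batch_commands("UK-RDP", uk, "PASS", port=3389)
    # 5. Assign the policy with the final command; earlier ones only create rules.
    cmds[-1] += " -x"
    return cmds


if __name__ == "__main__":
    # Write to a .cmd file and run it on the server; review it first.
    print("\n".join(build_policy()))
```

    Before assigning this on a box you reach over RDP, test it from an address outside the permitted ranges (and one inside), because a wrong filter on port 3389 locks you out; mugo's point in #13 also applies, changes only take effect once the policy is unassigned and reassigned.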

  9. #9
    Join Date
    Aug 2006
    Posts
    850
    I recommend using a firewall; blocking 1000 IPs in IPsec is complicated.

    Use VisNetic.
    WebSitePanel / Hosting Controller / Smartermail / Installation / Configuration / Troubleshooting / Migrations
    Windows Server Management / Security / Hardening
    I speak English and Spanish

  10. #10
    VisNetic looks like it will do what I want.
    Much like IPsec it allows me to create a rule based on a set of IPs. The import feature worked with thousands of IPs too. But it's not free, and that's what my client needs! Economic downturn and all that.

    IPsec isn't that hard with the scripting. I automated creating the scripts but can't append filters to a rule.

  11. #11
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    I have pre-fab IPsec policies for 2003 / XP that are just imported, and block certain countries.
    They can be edited. Since it's on my personal site, I don't feel like having a DDoS against it, so if you would like a DL link, just holler. It's not complicated.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  12. #12
    Hi mugo, that would be really useful. I'm keen to learn how they were constructed as well, though.

    As I said, I think there are about 3000 subnets for the UK and scripting can't handle all those at once. But when I run a batch of scripts the next one overwrites the previous filters.

    I have a list of IP subnets for other countries such as China and Russia etc. that I want to block too. I also want to allow certain ports to some countries but not others.

    e.g.

    port 80 everyone (until an IP is naughty)
    port 25 (everyone except blacklisted IPs)
    port 3389 (just UK)
    port 110 (just UK)
    etc

  13. #13
    Quote Originally Posted by daninmanchester View Post
    Hi mugo, that would be really useful. I'm keen to learn how they were constructed as well, though.

    As I said, I think there are about 3000 subnets for the UK and scripting can't handle all those at once. But when I run a batch of scripts the next one overwrites the previous filters.

    I have a list of IP subnets for other countries such as China and Russia etc. that I want to block too. I also want to allow certain ports to some countries but not others.

    e.g.

    port 80 everyone (until an IP is naughty)
    port 25 (everyone except blacklisted IPs)
    port 3389 (just UK)
    port 110 (just UK)
    etc
    If you want to learn how it's done, that's a good thing.

    First of all, here are all the IPv4 address spaces from IANA:

    http://www.iana.org/assignments/ipv4-address-space/

    And a how-to of IPsec for

    2003
    http://www.enterprisenetworkingplane...le.php/3489911

    XP
    http://www.securityfocus.com/infocus/1519

    They are similar, but the policies created are different enough that they are not interchangeable.

    Just remember to unassign / reassign when adding or removing a new policy / IP block, otherwise it's not active for that particular change.

  14. #14
    Thanks mugo, but I'm not sure how that helps me... I know how to create the rules using the policy snap-in and ipseccmd, just not en masse like I *think* I need to?!

    What does the iana give me?

    I've been looking at http://www.countryipblocks.net/country-blocks/19/
    which gives me the huge list of subnets for countries. Is there a simpler way through that iana info?

  15. #15
    Quote Originally Posted by daninmanchester View Post
    Thanks mugo, but I'm not sure how that helps me... I know how to create the rules using the policy snap-in and ipseccmd, just not en masse like I *think* I need to?!

    What does the iana give me?

    I've been looking at http://www.countryipblocks.net/country-blocks/19/
    which gives me the huge list of subnets for countries. Is there a simpler way through that iana info?
    Exactly, the tutorials will show you how to do just that. You can save as an MMC template when you finish, and have it at the ready when you want to modify.

    IANA gives you the net blocks and the registries associated with them. I, for instance, to block the APNIC assignment
    058/8 APNIC

    would block traffic from 58.0.0.0/8

    Pick and choose which countries / IPs you want to block from certain countries.

    For instance, I block all traffic except for N. America / UK on some mail servers.
    This cuts down brute force / SPAM by around 80% out of the gate.

    The real thought comes in specific machines vs. what you want to block or allow.
    For international ordering systems, this would cause problems. But for a US based "Johnnie's Roto-rooter service",
    you really don't care if all foreign traffic is blocked.
    I suggest using this IANA document as your base on what to block; it's about as straightforward as you can get, it's the official, up-to-date current IPv4 assignments.
    http://www.iana.org/assignments/ipv4-address-space/

    If you get stuck, let me know and I'll give you the policies to import. You can look at those and get a good idea of what's happening, as well as dump or add anything you need.

  16. #16
    So this may be a really dumb question; forgive my ignorance.
    Why on this list is there a huge multitude of subnets? http://www.countryipblocks.net/country-blocks/19/

    How do the IANA address blocks relate to countries?

  17. #17
    The IANA IPv4 sheet is based on the assigned entity designation (RIPE / APNIC / LACNIC, etc.), on the base /8 designations.
    What you have is a more granular DB of the allocations, and associated netblocks.
    Using either is fine; it just depends on how granular you need to be. I prefer to keep it on the /8s.
    Just make sure you aren't blocking a larger network, then specifying another smaller block that is covered by the larger network.

  18. #18
    OK, so I guess my problem is getting the granular detail into a rule, as it has so many subnets. Have you achieved this? Could I see your mappings?

  19. #19
    I've had a brain wave (of sorts). I'm going to put all the subnets into one giant database, then look at the top-level IANA IP blocks and see what countries they cover and, if they are sensible, block accordingly. Unless you have a better idea?

  20. #20
    Quote Originally Posted by daninmanchester View Post
    OK, so I guess my problem is getting the granular detail into a rule, as it has so many subnets. Have you achieved this? Could I see your mappings?
    You just add the IP network you want to block. Instead of blocking, say,
    210.0.0.0/8
    (/8 = NM 255.0.0.0)

    if you don't want to be that general, you can name specific networks, such as
    210.80.0.0/19
    210.80.32.0/19 (/19 = NM 255.255.224.0)

    The only difference is the IP block size you are naming. I find the /8s are a good general starting place, but if you run into trouble, you can remove or replace the entry with smaller blocks.

    There is some legwork in going through and figuring out what you need to block...no easy way around that.

    If you need the slash notation to get the right netmasks -
    http://www.akadia.com/services/ip_ro...n_subnets.html

  21. #21
    Quote Originally Posted by daninmanchester View Post
    I've had a brain wave (of sorts). I'm going to put all the subnets into one giant database, then look at the top-level IANA IP blocks and see what countries they cover and, if they are sensible, block accordingly. Unless you have a better idea?
    That actually sounds like a very good, and reusable, idea.

  22. #22
    OK, well if it works I could perhaps put a search form online somewhere so people can look at different IP blocks and filter them, get the IPSECCMD command, etc.

    But better see if it works first!

  23. #23
    I haven't checked this yet; it's hot off the press.
    Basically I split the top level into countries and the number of subnets within that level for that country.

    It's based on information taken from www.countryipblocks.net

    It can be broken down further to the second octet, but I haven't done this yet.

  24. #24
    Some further analysis shows that if I block IPs using the first and second octet it still isn't that specific. Let's take China for example. To block China would also block one or more subnets from the following:

    LAO PEOPLE'S DEMOCRATIC REPUBLIC
    KOREA, REPUBLIC OF
    BRAZIL
    HONG KONG
    MALAYSIA
    NEW ZEALAND
    MARSHALL ISLANDS
    PUERTO RICO
    ASIAN PACIFIC
    SRI LANKA
    NORTHERN MARIANA ISLANDS
    PHILIPPINES
    INDONESIA
    MYANMAR
    VIET NAM
    BRUNEI DARUSSALAM
    AUSTRALIA
    SOLOMON ISLANDS
    AMERICAN SAMOA
    SAMOA
    MACAO
    MONGOLIA
    UNITED STATES
    MAURITIUS
    EUROPEAN UNION
    ECUADOR
    FIJI
    CANADA
    AFGHANISTAN
    THAILAND
    GABON
    KIRIBATI
    NEW CALEDONIA
    MALDIVES
    BRITISH INDIAN OCEAN TERRITORY
    TONGA
    INDIA
    VANUATU
    CAMBODIA
    FRENCH POLYNESIA
    PAPUA NEW GUINEA
    PAKISTAN
    GUAM
    BANGLADESH
    NEPAL
    JAPAN

    and that's a whopping 1110 subnets! which again can't be scripted.

    If you go up a level to the first octet it comes out at a manageable 40, but you then risk blocking...

    LAO PEOPLE'S DEMOCRATIC REPUBLIC
    KOREA, REPUBLIC OF
    EGYPT
    FINLAND
    BRAZIL
    BERMUDA
    NAURU
    PALAU
    HONG KONG
    MALAYSIA
    GUATEMALA
    NEW ZEALAND
    ITALY
    MARSHALL ISLANDS
    PUERTO RICO
    ASIAN PACIFIC
    BOLIVIA
    SRI LANKA
    NORTHERN MARIANA ISLANDS
    NETHERLANDS
    PHILIPPINES
    MEXICO
    INDONESIA
    JAMAICA
    EL SALVADOR
    MYANMAR
    VIET NAM
    NICARAGUA
    BRUNEI DARUSSALAM
    GERMANY
    BARBADOS
    ALGERIA
    AUSTRALIA
    ARGENTINA
    SOLOMON ISLANDS
    CUBA
    AMERICAN SAMOA
    SAMOA
    MACAO
    SWITZERLAND
    MONGOLIA
    UNITED KINGDOM
    UNITED STATES
    MAURITIUS
    EUROPEAN UNION
    ECUADOR
    SWEDEN
    CHINA
    FIJI
    AUSTRIA
    WALLIS AND FUTUNA ISLANDS
    CANADA
    AFGHANISTAN
    THAILAND
    BOTSWANA
    GABON
    KIRIBATI
    NEW CALEDONIA
    NIUE
    PERU
    CROATIA
    MALDIVES
    TUVALU
    UNITED ARAB EMIRATES
    TUNISIA
    MICRONESIA, FEDERATED STATES OF
    BRITISH INDIAN OCEAN TERRITORY
    TONGA
    FRANCE
    INDIA
    BURKINA FASO
    URUGUAY
    VANUATU
    COLOMBIA
    CAMBODIA
    SOUTH AFRICA
    FRENCH POLYNESIA
    PAPUA NEW GUINEA
    CHILE
    PAKISTAN
    GUAM
    VENEZUELA
    BANGLADESH
    NEPAL
    JAPAN
    COOK ISLANDS
    TAIWAN, PROVINCE OF CHINA
    SINGAPORE
    COSTA RICA
    BELGIUM
    BHUTAN
    NORFOLK ISLAND
    GHANA
    PANAMA

    So it presents some practical problems!! As this less specific approach includes UK, FR, US, etc., some target customers and ISPs, Google etc. that we risk blocking.
