moszi.net
Implementing a firewall using IPSEC in Windows Server 2003
Recently my list of purchased software was extended with Microsoft Windows Server 2003 Web Edition - which is the low price version of Windows Server 2003 Standard. Until SP2 was released the Web Edition was capable of handling 2 GB of memory, but with SP2 Microsoft decided that a web server might need to use 4 GB of memory :) so with the low price they've included support for 4 GB... Unfortunately what they did NOT include is the Windows Firewall. I'm not really sure why Microsoft would consider that a web server needs less security - probably the low price means lower security at Microsoft :S ...
So I had to make a decision whether to install the free firewall from Comodo or to use IPSec. While IPSec was not designed specifically for this task, it does the job very well, and it reminds me of iptables or ipchains on Linux, where I had absolute control over how my IP traffic was filtered.
So the first step was to launch Start->Administrative Tools->Local Security Policy where we can find IP Security Policies.
My advice is to play with these settings ONLY ON THE CONSOLE as there is a really good chance that we are going to lock ourselves out if we are logged in remotely through terminal services :) ... so just carefully :).
Now what we have to understand is that IPSec can match types of IP traffic - based on protocol, traffic direction and traffic source/destination. For instance, let's say that an administrator would like to allow outsiders to use the locally installed SMTP server. This means that we have to identify the INCOMING traffic on port 25 and ALLOW this traffic. This is achieved by creating a rule that permits the traffic matched by a filter on TCP destination port 25, where the source IP address is anything and the destination is 'my ip address' :)
Basically this is what you have to do for each type of traffic you want to allow. Here are some screenshots, check them out, but what you should really do is download my exported IPSec policies from the bottom of this article, import them on your computer and take a closer look at the filters.
One last word on IPSec policies: they are enabled on the machine only after right clicking the policy and choosing "Assign" from the context menu, and they can be modified from the command line as well using the "netsh ipsec static ..." commands.
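The SMTP rule described above, built with the netsh ipsec static commands, as an added example that is not taken from the author's exported policy. All policy, filter list and rule names are made up, and the block-everything baseline rule is an assumption about how such a policy is completed.

```bat
@echo off
rem Added example: an IPSec policy used as a packet filter (Windows Server 2003).
rem All names below are hypothetical. Run this from the local console only.
set POLICY=Example-Firewall

rem 1. Create the policy unassigned, so nothing is enforced while it is built.
netsh ipsec static add policy name="%POLICY%" description="IPSec packet filter" activatedefaultrule=no assign=no

rem 2. The two filter actions a filtering policy needs.
netsh ipsec static add filteraction name="Example-Permit" action=permit
netsh ipsec static add filteraction name="Example-Block" action=block

rem 3. Assumed baseline: block all IP traffic between any address and this machine.
netsh ipsec static add filterlist name="Example-All-Traffic"
netsh ipsec static add filter filterlist="Example-All-Traffic" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="all traffic"
netsh ipsec static add rule name="Example-Block-All" policy="%POLICY%" filterlist="Example-All-Traffic" filteraction="Example-Block"

rem 4. Incoming SMTP: any source address and port, to TCP port 25 on this machine.
rem    mirrored=yes also matches the replies sent back to the client.
rem    This filter is more specific than the one in step 3, so it takes precedence.
netsh ipsec static add filterlist name="Example-SMTP-In"
netsh ipsec static add filter filterlist="Example-SMTP-In" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=25 mirrored=yes description="incoming SMTP"
netsh ipsec static add rule name="Example-Allow-SMTP" policy="%POLICY%" filterlist="Example-SMTP-In" filteraction="Example-Permit"

rem 5. Review the complete policy before it is enforced.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 6. Enforcing is left commented out: assign from the console after the review.
rem netsh ipsec static set policy name="%POLICY%" assign=yes
rem To stop enforcing it again:
rem netsh ipsec static set policy name="%POLICY%" assign=no
```

With only these two rules assigned, every service other than SMTP is unreachable, terminal services included, so each additional service needs its own filter list and permit rule before step 6.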
And finally here are my IPSec policies, hope they save you hours of googling ;) ...
Download: FirewallWithIPSec.zip
Update {10/25/2007}: in the Enhanced version of Web Edition there IS a firewall. I've just installed the bits received from my MS reseller - and Web Edition does have the Windows Firewall. However I still consider that IPSec is better than Windows Firewall as there is no possibility to filter outgoing traffic with WF.