Unicast IP Routing
This section illustrates filter configurations for commonly implemented filtering scenarios.
Caution
If you combine any of the sample sets of filters, make sure that the desired subset of traffic is allowed and the desired level of security is maintained. For example, if you combine the local host filtering and Web traffic filtering, due to the way that the filters are applied (AND is used within a filter; OR is used between filters), all traffic destined for the host is allowed. The Web traffic input filter is essentially ignored.
Use local host filtering to ensure that only traffic destined for the host is allowed to be processed. This disables the forwarding of packets on the interface on which local host filtering is enabled. Local host filtering is used when an intranet is connected to the Internet and direct routing of packets between the intranet and the Internet is not desired. In this scenario, local host filtering is configured on the Internet interface.
Configure the following filters on the Internet interface. With these filters configured, the only traffic allowed on the interface is traffic destined for this host, broadcast traffic destined for all hosts on the host's network, or multicast traffic.
Using the Drop all packets except those that meet the criteria below filter action, create a series of input filters with the following attributes:
The all-subnets-directed broadcast is the class-based broadcast address in which the host bits (as they were before subnetting) are all set to 1. For the example host, this filter would match on the destination IP address 172.16.255.255. The filter for the all-subnets-directed broadcast is only necessary when subnetting is in use.
The Limited Broadcast is the destination IP address of 255.255.255.255.
Note
Local host filtering on an interface effectively disables unicast routing on that interface because the only unicast traffic allowed through the interface is destined for the host. Transit traffic is dropped.
Web traffic filtering is done on hosts that are Web servers so that only Web-based traffic to and from the Web server service on the host is allowed to be processed. This is done to secure the Web server from malicious attacks on other services running on the Web server. For a Web server connected to the Internet, Web traffic filtering is configured on the Internet interface.
Using the Drop all packets except those that meet the criteria below filter action, configure the following filters to confine the allowed traffic to packets to and from the Web server service:
If these filters are the only filters configured, the only traffic allowed through the interface is TCP traffic to and from the Web server service on the Windows 2000 Server–based computer.
Note
The preceding example assumes the default port of the Web server is port 80. If you are using a port other than 80, substitute the appropriate port for port 80 in these filters.
FTP traffic filtering is done on hosts that are FTP servers so that only FTP-based traffic to and from the FTP server service on the host is allowed to be processed. This is done to secure the FTP server from malicious attacks on other services running on the FTP server. For an FTP server connected to the Internet, FTP traffic filtering is configured on the Internet interface.
Using the Drop all packets except those that meet the criteria below filter action, configure the following filters to confine the allowed traffic to packets to and from the FTP server service:
If these filters are the only filters configured, the only traffic allowed through the interface is TCP traffic to and from the FTP server service on the Windows 2000 Server–based computer.
Note
The preceding example assumes the default ports, 20 and 21, of the FTP server. If you are using ports other than 20 and 21, substitute the appropriate ports for ports 20 and 21 in these filters.
Point-to-Point Tunneling Protocol (PPTP) traffic filtering is done on hosts that are PPTP servers so that only PPTP-based traffic to and from the PPTP server service on the host is allowed to be processed. This is done to secure the PPTP server from malicious attacks on other services running on the PPTP server. For a PPTP server connected to the Internet, PPTP traffic filtering is configured on the Internet interface.
Using the Drop all packets except those that meet the criteria below filter action, configure the following filters to confine the allowed traffic to packets to and from the PPTP service running on the server:
If the PPTP server is also to be used as a PPTP client to initiate tunneled connections to branch offices in a virtual private network (VPN) scenario, configure the following additional filters:
The TCP (established) filter is used to allow only traffic on the TCP connection that was established by the PPTP client. If TCP (established) is not used, a malicious Internet user can reach other services on the PPTP server simply by sending packets whose source port is TCP port 1723, because those packets match the client filter.
If these filters are the only filters configured, the only traffic allowed through the interface is TCP traffic and tunneled data (GRE traffic) to and from the PPTP server and PPTP client on the Windows 2000 Server–based computer.
For more information about PPTP, see "Virtual Private Networking" in this book.
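The two filter behaviours this section relies on, the AND-within/OR-between evaluation behind the caution at the top of the section and the TCP (established) condition in the PPTP client filters, are modelled in the following added example. It is not code from the Resource Kit or from the Routing and Remote Access service; it assumes the evaluation semantics exactly as the text states them, models TCP (established) as "ACK flag set" (so a bare SYN does not match), and uses a constructed host address 172.16.1.10 on the 172.16.0.0/16 network. The filter sets are built from the section's own descriptions (host address, all-subnets-directed broadcast, limited broadcast, multicast; TCP port 80; TCP port 1723, GRE, and TCP (established) from source port 1723).

```python
"""Evaluation model for Routing and Remote Access IP packet filters.

Added example, not text or code from the Resource Kit. Assumed
semantics, as the section states them: every condition inside one
filter must match (AND), a packet passes when any filter matches (OR),
and with "Drop all packets except those that meet the criteria below"
a packet matching no filter is dropped. TCP [established] is modelled
as "ACK flag set", so a bare SYN does not match it (assumption).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "gre", ...
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; False for a bare SYN


@dataclass
class Filter:
    """One RRAS filter: every field that is set must match (AND)."""
    dst_net: Optional[str] = None
    src_net: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.dst_net and IPv4Address(p.dst) not in IPv4Network(self.dst_net):
            return False
        if self.src_net and IPv4Address(p.src) not in IPv4Network(self.src_net):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def allowed(filters: list, p: Packet) -> bool:
    """'Drop all except' action: the packet passes if any filter matches (OR)."""
    return any(f.matches(p) for f in filters)


HOST = "172.16.1.10"  # constructed example host on the 172.16.0.0/16 network

# Local host input filters: the host itself, the all-subnets-directed
# broadcast, the limited broadcast, and multicast (224.0.0.0/4).
LOCAL_HOST_INPUT = [
    Filter(dst_net=HOST + "/32"),
    Filter(dst_net="172.16.255.255/32"),
    Filter(dst_net="255.255.255.255/32"),
    Filter(dst_net="224.0.0.0/4"),
]

# Web traffic input filter: TCP to port 80 on the host.
WEB_INPUT = [Filter(dst_net=HOST + "/32", proto="tcp", dport=80)]

# PPTP server input filters (TCP 1723, GRE) plus the PPTP-client filter:
# TCP [established] from source port 1723.
PPTP_INPUT = [
    Filter(dst_net=HOST + "/32", proto="tcp", dport=1723),
    Filter(dst_net=HOST + "/32", proto="gre"),
    Filter(dst_net=HOST + "/32", proto="tcp", sport=1723, established=True),
]

# Constructed packets arriving on the Internet interface.
WEB = Packet("198.51.100.7", HOST, "tcp", 40000, 80)
TELNET = Packet("198.51.100.7", HOST, "tcp", 40001, 23)
TRANSIT = Packet("198.51.100.7", "172.16.1.50", "tcp", 40002, 80)


def web_only():
    """Web filter alone: only TCP/80 to the host passes."""
    return tuple(allowed(WEB_INPUT, p) for p in (WEB, TELNET, TRANSIT))


def local_host_plus_web():
    """The caution: combined, any traffic to the host passes, telnet included."""
    return tuple(allowed(LOCAL_HOST_INPUT + WEB_INPUT, p) for p in (WEB, TELNET, TRANSIT))


def pptp_established():
    """SYN to 1723 passes; a SYN *from* source port 1723 to another service
    is dropped; an ACK-bearing reply from port 1723 passes."""
    syn_to_pptp = Packet("198.51.100.7", HOST, "tcp", 40003, 1723)
    syn_from_1723 = Packet("198.51.100.7", HOST, "tcp", 1723, 23)
    reply_from_1723 = Packet("198.51.100.7", HOST, "tcp", 1723, 40004, ack=True)
    return tuple(allowed(PPTP_INPUT, p) for p in (syn_to_pptp, syn_from_1723, reply_from_1723))
```

Calling `web_only()` returns `(True, False, False)`, while `local_host_plus_web()` returns `(True, True, False)`: once the local host filters are present, the telnet packet is admitted by the "destination is this host" filter and the Web filter no longer restricts anything, which is exactly the combination the caution warns about. `pptp_established()` returns `(True, False, True)`: without the established condition the middle packet, a new connection attempt whose source port merely happens to be 1723, would also pass.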
Layer Two Tunneling Protocol (L2TP) over IPSec traffic filtering is done on hosts that are L2TP servers so that only L2TP-based traffic to and from the L2TP server service on the host is allowed to be processed. This is done to secure the L2TP server from malicious attacks on other services running on the L2TP server. For an L2TP server connected to the Internet, L2TP traffic filtering is configured on the Internet interface.
Using the Drop all packets except those that meet the criteria below filter action, configure the following filters to confine the allowed traffic to packets to and from the server running L2TP:
The filters for UDP port 1701 are for the L2TP protocol. The filters for UDP port 500 are for the Internet Key Exchange (IKE) used to create the IPSec security association. Packet filters for the IPSec Encapsulating Security Payload (ESP) header using IP protocol 50 are not needed because the inbound and outbound packets are first processed by IPSec, which adds or removes the ESP header before the Routing and Remote Access service IP packet filters are applied.
If these filters are the only filters configured, the only traffic allowed through the interface is UDP traffic to and from the L2TP server and client on the Windows 2000 Server–based computer.
For more information about L2TP over IPSec, see "Virtual Private Networking" in this book.
Another method of performing denial of service attacks is to flood servers with packets, such as TCP connection request packets, from addresses to which there can be no reply. In these cases, the malicious users spoof, or substitute, the source IP address of the packets with something other than the IP address of the interface on which the packets originated. An easy address to spoof is a private address because a response sent to a private address on the Internet results in an ICMP Destination Unreachable message.
To drop Internet traffic from spoofed private IP addresses, configure input filters on the Internet interface to accept all packets except the following:
The Routing and Remote Access service also supports the filtering of fragmented IP datagrams. A fragmented IP datagram is an IP datagram that contains a fragment of an IP payload. Source hosts or routers fragment IP payloads so that the resulting IP datagram is small enough to be sent on the network segment of the next hop. Routing and Remote Access service fragmentation filtering only applies to incoming traffic.
To enable fragmentation filtering
To prevent the router from forwarding fragmented IP packets for transit traffic on any interface, select this setting on all interfaces of the router. This does not prevent the forwarding of fragmented packets sent from the router.
Fragmentation filtering can be employed to prevent the Ping of Death, a denial of service attack where malicious users send one or multiple 64-KB ICMP Echo Request messages. The 64-KB messages are fragmented and must be reassembled at the destination host. For each separate 64-KB message, the TCP/IP protocol must allocate memory, tables, timers, and other resources. With enough fragmented messages, a Windows 2000 Server–based computer can become bogged down so that the servicing of valid information requests is impaired. By using fragmentation filtering, incoming fragmented IP datagrams are immediately discarded.
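The two input checks described in the last two subsections, dropping packets with spoofed private source addresses and dropping fragmented datagrams, are shown below as an added example that works directly on a raw IPv4 header. It is not code from the Resource Kit or from the Routing and Remote Access service. The section's own list of private address ranges is not reproduced on this page, so the example assumes the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); a datagram is treated as a fragment when the More Fragments flag is set or the fragment offset is non-zero, which is how the Ping of Death's 64-KB ICMP Echo Requests arrive on the wire. Header values and addresses are constructed.

```python
"""Input checks for an Internet interface: drop packets from private
(RFC 1918) source addresses and drop fragmented IP datagrams.

Added example, not Resource Kit code. The private ranges are an
assumption (the page's own list is not reproduced here).
"""
import struct
from ipaddress import IPv4Address, IPv4Network

# Assumed: RFC 1918 private ranges to treat as spoofed on the Internet side.
PRIVATE_NETS = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
FLAG_MF = 0x2000             # More Fragments flag within the flags/offset field
OFFSET_MASK = 0x1FFF


def parse_ipv4_header(raw: bytes) -> dict:
    """Pull out the fields the two filters need from a raw IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    more_fragments = bool(flags_frag & FLAG_MF)
    frag_offset = flags_frag & OFFSET_MASK
    return {
        "src": IPv4Address(src),
        "dst": IPv4Address(dst),
        "proto": proto,
        "total_len": total_len,
        # Both the first fragment (MF set, offset 0) and later fragments
        # (offset > 0) count as fragmented datagrams.
        "is_fragment": more_fragments or frag_offset != 0,
    }


def build_header(src: str, dst: str, proto: int,
                 more_fragments: bool = False, frag_offset: int = 0,
                 total_len: int = 84) -> bytes:
    """Construct a sample 20-byte IPv4 header (checksum left at zero)."""
    flags_frag = (FLAG_MF if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def internet_input_decision(raw: bytes, fragmentation_filtering: bool = True) -> str:
    """Decide an incoming packet's fate on the Internet interface.

    Returns "accept" or a "drop: ..." string naming the reason.
    """
    h = parse_ipv4_header(raw)
    if any(h["src"] in net for net in PRIVATE_NETS):
        return "drop: spoofed private source"
    if fragmentation_filtering and h["is_fragment"]:
        return "drop: fragment"
    return "accept"


# Constructed sample packets: a spoofed 10/8 source, the first and a later
# fragment of an oversized ICMP Echo Request, and an ordinary TCP packet.
SPOOFED = build_header("10.1.2.3", "203.0.113.5", 6)
PING_FRAG_FIRST = build_header("198.51.100.9", "203.0.113.5", 1, more_fragments=True, total_len=1500)
PING_FRAG_LATER = build_header("198.51.100.9", "203.0.113.5", 1, frag_offset=185, total_len=1500)
PLAIN_TCP = build_header("198.51.100.9", "203.0.113.5", 6)
```

The decision function returns `"drop: spoofed private source"` for `SPOOFED`, `"drop: fragment"` for both fragment samples, and `"accept"` for `PLAIN_TCP`; with `fragmentation_filtering=False` the fragments are accepted, which is the state the section describes before the setting is enabled. The source check is evaluated first because, as the text notes, the spoof filters are input filters on the same interface and apply to every incoming packet.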