Restricting Web Server Communication

Previous page
Table of content
Next page

The following example shows you how to use IPSec to limit communication with a Web server to port 80 (for HTTP traffic) and port 443 (for HTTPS traffic that uses SSL.) This is a common requirement for Internet- facing Web servers.

Note  

After applying the steps below, communication will be limited to port 80 and 443. In a real world environment, you will require additional communication such as that required for remote administration, database access and authentication. A complete IPSec policy, in a production environment, will include all authorized communication.

 Task   Create filter actions

  1. Start the Local Security Policy Microsoft Management Console (MMC) snap-in.

  2. Right-click IPSec Security Policies on Local Machine , and then click Manage IP filter lists and filter actions .

  3. Click the Manage Filter Actions tab.

  4. Click Add to create a new filter action, and then click Next to move past the introductory Wizard dialog box.

  5. Type MyPermit as the name for the new filter action. This filter action is used to permit traffic.

  6. Click Next .

  7. Select Permit , click Next , and then click Finish .

  8. Create a second filter action called "MyBlock" by repeating steps 4 to 8. This time, select Block when you are prompted by the Filter Action dialog box.

  9. Click Close to close the Manage IP filter lists and filter actions dialog box.

 Task   Create IP filters and filter lists

  1. Right-click IPSec Security Policies on Local Machine , and then click Manage IP filter lists and filter actions .

  2. Click Add to add a new IP filter list., and then type MatchAllTraffic for the filter list name.

  3. Click Add to create a new filter and proceed through the IP Filter Wizard dialogs boxes by selecting the default options.

    This creates a filter that matches all traffic.

  4. Click Close to close the IP Filter List dialog box.

  5. Click Add to create a new IP filter list, and then type MatchHTTPAndHTTPS for the filter list name.

  6. Click Add , and then click Next to move past the introductory Wizard dialog box.

  7. Select Any IP Address from the Source address drop-down list, and then click Next .

  8. Select My IP Address from the Destination address drop-down list, and then click Next .

  9. Select TCP from the Select a protocol type drop-down list, and then click Next .

  10. Select To this port and then specify port 80 .

  11. Click Next and then Finish .

  12. Click Add , and then repeat steps 9 to 14 to create another filter that allows traffic through port 443.

    Use the following values to create a filter that allows TCP over port 443:

    • Source Address: Any IP address

    • Destination Address: My IP Address

    • Protocol: TCP

    • From Port: Any

    • To Port: 443

After finishing these steps, your IP Filter List should look like the one that Figure 5 shows.

click to expand
Figure 5: IP Filter List dialog box

After creating the filter actions and filter lists, you need to create a policy and two rules to associate the filters with the filter actions.

 Task   Create and apply IPSec policy

  1. In the main window of the Local Security Policy snap-in, right-click IPSec Security policies on Local Machine , and then click Create IPSecurity Policy .

  2. Click Next to move past the initial Wizard dialog box.

  3. Type MyPolicy for the IPSec policy name and IPSec policy for a Web server that accepts traffic to TCP/80 and TCP/443 from anyone for the description, and then click Next .

  4. Clear the Activate the default response rule check box, click Next , and then click Finish .

    The MyPolicy Properties dialog box is displayed so that you can edit the policy properties.

  5. Click Add to start the Security Rule Wizard, and then click Next to move past the introductory dialog box.

  6. Select This rule does not specify a tunnel , and then click Next .

  7. Select All network connections , and then click Next .

  8. Select Windows 2000 default (Kerberos V5 protocol) , and then click Next .

  9. Select the MatchHTTPAndHTTPS filter list, and then click Next .

  10. Select the MyPermit filter action, click Next , and then click Finish .

  11. Create a second rule by repeating steps 5 to 10. Instead of selecting MatchHTTPAndHTTPS and MyPermit , select MatchAllTraffic and MyBlock .

After creating the second rule, the MyPolicy Properties dialog box should look like the one in Figure 6.

click to expand
Figure 6: MyPolicy Properties dialog box

Your IPSec policy is now ready to use. To activate the policy, right-click MyPolicy and then click Assign .

Summary of What You Just Did

In the previous three procedures, you performed these actions:

  • You started by creating two filter actions: one to allow traffic and one to block traffic.

  • Next, you created two IP filter lists. The one called MatchAllTraffic matches on all traffic, regardless of port. The one called MatchHTTPAndHTTPS contains two filters that match TCP traffic from any source address to TCP ports 80 and 443.

  • Then you created an IPSec policy by creating a rule that associated the MyBlock filter action with the MatchAllTraffic filter list and the MyPermit filter action with the MatchHTTPAndHTTPS filter list. The result of this is that the Web server only allows TCP traffic destined for port 80 or 443. All other traffic is rejected.



Previous page
Table of content
Next page
Improving Web Application Security. Threats and Countermeasures
Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
Authors: Microsoft Corporation
BUY ON AMAZON
Agile Project Management: Creating Innovative Products (2nd Edition)
SQL Tips & Techniques (Miscellaneous)
WebLogic: The Definitive Guide
PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
Introducing Microsoft ASP.NET AJAX (Pro - Developer)
Java Concurrency in Practice
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy