Does a BLOCK action in IPsec act like a No Access in NTFS where it overrides all other actions?
I'm testing out IPsec policies to secure traffic between servers. I have created a set of policies (on a SQL server) to restrict traffic from a particular IIS server to the database server. When I added a filter to DENY all traffic and added an exception for telnet on port 23, the telnet connection cannot be established. If I remove the Deny all filter, telnet works fine.
Here are the filters and actions:
FilterList Details
------------------
FilterList Name : DENY ALL IIS
Description : Denies ALL traffic from IIS server
Store : Local Store <DATABASE-02>
Last Modified : 11/9/2003 8:51:05 PM
GUID : {514473BE-FDF6-4CA7-9BE0-3D170FB0A62B}
No. of Filters : 1
Filter(s)
---------
Description : NONE
Mirrored : NO
Source IP Address : 192.168.1.55
Source Mask : 255.255.255.255
Source DNS Name : <A Specific IP Address>
Destination IP Address : <My IP Address>
Destination Mask : 255.255.255.255
Destination DNS Name : <My IP Address>
Protocol : ANY
Source Port : ANY
Destination Port : ANY
FilterAction Details
---------------------
FilterAction Name : BLOCK
Description : Deny traffic
Store : Local Store <DATABASE-02>
Action : BLOCK
AllowUnsecure(Fallback): NO
Inbound Passthrough : NO
Last Modified : 11/9/2003 5:56:05 PM
GUID : {5804249E-F24E-439A-BC28-F1C8FCEC0912}
Rule ID : 2, GUID = {7C697A10-7746-443D-85B8-96FDBE48B215}
Rule Name : NONE
Description : NONE
Last Modified : 11/9/2003 7:27:35 PM
Activated : YES
Connection Type : ALL
Authentication Methods(1)
KERBEROS
FilterList Details
------------------
FilterList Name : Allow Telnet from IIS
Description : NONE
Store : Local Store <DATABASE-02>
Last Modified : 11/9/2003 7:27:24 PM
GUID : {0242DBBA-EE7A-4F76-8911-9498BE36B16A}
No. of Filters : 1
Filter(s)
---------
Description : Allow Telnet to port (23).
Mirrored : NO
Source IP Address : 192.168.1.55
Source Mask : 255.255.255.255
Source DNS Name : <A Specific IP Address>
Destination IP Address : 192.168.1.57
Destination Mask : 255.255.255.255
Destination DNS Name : <A Specific IP Address>
Protocol : TCP
Source Port : 23
Destination Port : 23
FilterAction Details
---------------------
FilterAction Name : Permit
Description : Permit unsecured IP packets to pass through.
Store : Local Store <DATABASE-02>
Action : PERMIT
AllowUnsecure(Fallback): NO
Inbound Passthrough : NO
Last Modified : 11/3/2003 9:11:08 PM
GUID : {7238523B-70FA-11D1-864C-14A300000000}
Rule ID : 3, GUID = {5841C36A-1E7E-4289-BC94-073F30E687CD}
Rule Name : NONE
Description : NONE
Last Modified : 11/9/2003 7:27:36 PM
Activated : YES
Connection Type : ALL
Authentication Methods(1)
KERBEROS
FilterList Details
------------------
FilterList Name : All TCP Traffic
Description : Restrict (incoming) traffic from IIS server to TCP ...
Store : Local Store <DATABASE-02>
Last Modified : 11/9/2003 8:42:04 PM
GUID : {07D2E420-457C-41A6-ADC3-C5EF3E014AF9}
No. of Filters : 2
Filter(s)
---------
Description : Restrict non-secure incoming TCP traffic to HTTP (80)
Mirrored : NO
Source IP Address : 192.168.1.55
Source Mask : 255.255.255.255
Source DNS Name : <A Specific IP Address>
Destination IP Address : <My IP Address>
Destination Mask : 255.255.255.255
Destination DNS Name : <My IP Address>
Protocol : TCP
Source Port : 80
Destination Port : 80
Description : Restrict secure incoming TCP traffic to HTTPS (443)
Mirrored : NO
Source IP Address : 192.168.1.55
Source Mask : 255.255.255.255
Source DNS Name : <A Specific IP Address>
Destination IP Address : <My IP Address>
Destination Mask : 255.255.255.255
Destination DNS Name : <My IP Address>
Protocol : TCP
Source Port : 443
Destination Port : 443
FilterAction Details
---------------------
FilterAction Name : Require Security
Description : Accepts unsecured communication, but always require...
Store : Local Store <DATABASE-02>
Action : NEGOTIATE SECURITY
AllowUnsecure(Fallback): NO
Inbound Passthrough : YES
QMPFS : NO
Last Modified : 11/3/2003 9:11:08 PM
GUID : {7238523F-70FA-11D1-864C-14A300000000}
Security Methods
AH ESP Seconds kBytes
-- --- ------- ------
[NONE] [SHA1 , 3DES] 900 100000
[NONE] [MD5 , 3DES] 900 100000
[NONE] [SHA1 , DES ] 900 100000
[NONE] [MD5 , DES ] 900 100000
Rule ID : 4, GUID = {4EB24EBF-83BD-4903-AEBB-3FFD0374F89C}
Rule Name : NONE
Description : NONE
Last Modified : 11/9/2003 9:36:40 AM
Activated : NO
Connection Type : ALL
Authentication Methods(1)
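Added example, not part of the original post: a small Python model of how Windows 2000/2003 IPsec chooses the filter that governs a packet. The assumption it encodes is the documented one for that IPsec implementation, that the most specific matching filter wins and the action (BLOCK, PERMIT, NEGOTIATE SECURITY) is simply the action of the winning filter, so BLOCK is not a No Access style override. Filters are taken from the output above, with `<My IP Address>` assumed to be 192.168.1.57 (the destination the telnet filter names) and the telnet client's source port assumed to be an ephemeral one, 1234; the "corrected" filter is a hypothetical variant with Source Port ANY, added to show what a practitioner would check: the posted telnet filter requires source port 23, which a telnet client never uses, so only the DENY ALL filter matches.

```python
"""Model of Windows IPsec filter selection: most specific match wins.

Constructed example; addresses and ports follow the filter output in the
post, the packet values are made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # the "ANY" wildcard shown in the filter listing

FIELDS = ("src_ip", "dst_ip", "protocol", "src_port", "dst_port")


@dataclass(frozen=True)
class Filter:
    name: str
    action: str                       # "BLOCK", "PERMIT", "NEGOTIATE SECURITY"
    src_ip: Optional[str] = ANY
    dst_ip: Optional[str] = ANY
    protocol: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY

    def matches(self, pkt: dict) -> bool:
        """True if every concretely specified field equals the packet's."""
        return all(getattr(self, f) is ANY or getattr(self, f) == pkt[f]
                   for f in FIELDS)

    def specificity(self) -> int:
        """Count of non-ANY fields; Windows weights filters the same way."""
        return sum(getattr(self, f) is not ANY for f in FIELDS)


def decide(filters, pkt: dict) -> Tuple[str, str]:
    """Return (winning filter name, its action) for the packet.

    With no matching filter IPsec leaves the packet alone, modelled here
    as an implicit PERMIT.
    """
    candidates = [f for f in filters if f.matches(pkt)]
    if not candidates:
        return ("<no filter>", "PERMIT")
    best = max(candidates, key=Filter.specificity)
    return (best.name, best.action)


IIS, DB = "192.168.1.55", "192.168.1.57"  # DB assumed to be <My IP Address>

DENY_ALL = Filter("DENY ALL IIS", "BLOCK", src_ip=IIS, dst_ip=DB)
TELNET_AS_POSTED = Filter("Allow Telnet from IIS", "PERMIT", src_ip=IIS,
                          dst_ip=DB, protocol="TCP", src_port=23, dst_port=23)
# Hypothetical corrected filter: source port left as ANY.
TELNET_CORRECTED = Filter("Allow Telnet from IIS (corrected)", "PERMIT",
                          src_ip=IIS, dst_ip=DB, protocol="TCP", dst_port=23)

POSTED_FILTERS = [DENY_ALL, TELNET_AS_POSTED]
CORRECTED_FILTERS = [DENY_ALL, TELNET_CORRECTED]

# A real telnet SYN: ephemeral client port (constructed value) to port 23.
TELNET_CLIENT_PKT = {"src_ip": IIS, "dst_ip": DB, "protocol": "TCP",
                     "src_port": 1234, "dst_port": 23}
# The only packet the posted filter would ever match: port 23 on both ends.
PORT23_BOTH_ENDS_PKT = dict(TELNET_CLIENT_PKT, src_port=23)


if __name__ == "__main__":
    for label, fl in (("as posted", POSTED_FILTERS),
                      ("corrected", CORRECTED_FILTERS)):
        print(label, "telnet client packet ->", decide(fl, TELNET_CLIENT_PKT))
    print("as posted, src and dst port 23 ->",
          decide(POSTED_FILTERS, PORT23_BOTH_ENDS_PKT))
```

Run as written, the posted filter set blocks the realistic telnet packet because only DENY ALL IIS matches it, while the corrected set permits it because the four-field telnet filter outranks the two-field block filter. That is the property to verify on the host: BLOCK wins only when it is the most specific match, so an exception that is specific enough, and actually matches the traffic, overrides it.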