Internet file share with IPSec? - Network


Thread: Internet file share with IPSec?

  1. Internet file share with IPSec?

    I'm new to IPSec.

    I'm trying to find out if it is feasible to put a normal Windows file share
    (SMB/CIFS) on the Internet and have it reasonably secure with IPSec
    (transport mode?). I would like traffic between client and server to be
    encrypted and the share to be password protected. I want to be able to
    access it from any machine that I happen to be on (work, home, friend's,
    hotel, whatever).

    Is this just wishful thinking or is this possible?

    Thanks,

    Brandon

  2. Re: Internet file share with IPSec?

    That is not possible with ipsec transport mode. What you could do is to
    create a VPN connection into your network or use SSL for the web server
    connection, which would require that the web server have a certificate that
    the users trust or the end user will receive a warning message that the
    certificate is not trusted. There are also implementations of ftp that use a
    secure connection. Try searching Google for "secure ftp". If you are trying
    to set up access for just yourself you also could use Remote Desktop if you
    are using XP Pro or try a third party remote access program. Windows XP Pro
    Remote Desktop connection uses strong encryption. You would want to make
    sure that any accounts able to logon via Remote Desktop use a very strong
    password to prevent other internet users from trying to logon to your
    computer. Windows 2000 Pro/XP will allow a single incoming PPTP VPN
    connection. --- Steve

    http://support.microsoft.com/default...b;en-us;257333 -- Windows
    2000 Pro as a VPN server.





  3. Re: Internet file share with IPSec?

    Hey Steven, do you know the reasons for this inability to do
    IPSec for SMB directly?

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]





  4. Re: Internet file share with IPSec?

    Hi Herb.

    Ipsec transport will not work the way he wants for remote access from the
    internet. For remote access "tunnel mode" could possibly work for client to
    gateway/server but MS states that is "unsupported" though I have done it
    myself. I am not sure if that was exactly what you were asking
    about? --- Steve






  5. Re: Internet file share with IPSec?

    After thinking some more about it maybe it could work in some cases though I
    am sure transport mode [without L2TP] is not supported by MS for use for
    remote access. It might work if there are no NAT devices in the path between
    the client and server. Transport mode does not add a new IP header like
    tunnel mode does. I don't have any way to test it out right now. If you do
    try giving it a shot to see what happens. --- Steve






  6. Re: Internet file share with IPSec?



    [I am not arguing, just curious...]

    What if we don't call it "remote access" and just say that we wish to
    use transport mode across a routed environment -- is there some reason
    that SMB would not be IPSec negotiable etc.?

    I thought when he first asked that the biggest deal would be setting up
    the authentication (not impossible just tedious and error prone.)

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]









  8. Re: Internet file share with IPSec?




    I don't have the ability to test it right now but I believe it would work if
    there is not any NAT/PAT involved in the path. Authentication would have to
    be computer certificates or pre-shared key of course. The link below is to a
    MS article that indicates that it would work because they give a warning not
    to try it [using ipsec transport to access a server from the internet] and
    the reason why. So I may have been hasty in saying that it would not work
    though I hesitate to recommend trying it unless all other options are not
    viable, the user knows how to configure the needed ipsec require policies
    for client and server, knows how to configure firewalls for ipsec, is not
    using NAT in the path, and understands the associated risks. --- Steve

    http://www.microsoft.com/windows2000...ipsecsteps.asp

    Secure Servers
    IPSec security for all unicast IP traffic is either requested but optional,
    or requested and required, as established by the administrator's
    configuration of the server. Using this model, clients need only a default
    policy for how to respond to security requests from servers. Once IPSec
    security associations (one in each direction) are established between the
    client and server, they remain in effect for 1 hour after the last packet
    was sent between them. After that hour, the client cleans up the security
    associations and returns to the initial "respond only" state. If the client
    sends unsecured packets to the same server again, the server will
    re-establish IPSec security. This is the easiest approach to take, and can
    be done safely as long as the first packets sent to the server by the
    application do not contain sensitive data, and as long as the server is
    permitted to receive unsecured, clear text packets from clients.

    Caution: This server-side configuration is appropriate for internal network
    servers ONLY, because the server is configured by IPSec policy to allow
    incoming, clear text, unsecured packets. If the server is placed on the
    Internet, then it must NOT have this configuration because of the
    opportunity for denial of service attacks that take advantage of the server's
    ability to receive incoming unsecured packets.

    Lockdown Servers
    If the server is directly accessible from the Internet, or if the first
    client packets contain sensitive data, then the client must receive an IPSec
    policy so that it requests IPSec security for traffic when it attempts to
    send data to the server. This walkthrough will not demonstrate this
    configuration, but it can be easily enabled using the steps explained in the
    section Configure an IPSec Filter Action.

    Clients and servers can have specific rules for permitting, blocking, or
    securing only certain network packets (protocol or port specific). This
    approach is more difficult to configure and prone to error because it
    requires in-depth knowledge of the type of network traffic that an
    application sends and receives, and administrative coordination to be sure
    that all clients and servers have compatible policy





  9. Re: Internet file share with IPSec?

    Quick read: I think the article was mostly warning about "request"
    policy (on server) and respond policy (on client) -- if both had
    a specific policy that REQUIRED then everything would be secure
    once it was made to work.

    They muddled it by applying the warning following a paragraph
    that referred to both "require" and "request" server options.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
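    The "Secure Servers" versus "Lockdown Servers" distinction in the article Steve quoted, and Herb's point that both sides need a policy that REQUIRES security, come down to two settings of a Windows IPsec filter action. The block below is an added example, not from the thread or from Microsoft's article, written for the netsh ipsec static context of Windows XP SP2 / Server 2003; the policy, filter list and rule names, the 203.0.113.10 server address and the PSK placeholder are assumptions, and parameter names should be checked against netsh's /? help on the target host.

```powershell
# Added example (not from the thread or from Microsoft). Names, the server
# address 203.0.113.10 and the PSK value are placeholders chosen here.
# Verify parameters with: netsh ipsec static add filteraction /?

# --- Server side: require IPsec for anything arriving on the SMB port ------
netsh ipsec static add policy name=SMB-Lockdown
netsh ipsec static add filterlist name=SMB-Inbound
# TCP 445 from any source to this host; mirrored so the reply direction matches.
netsh ipsec static add filter filterlist=SMB-Inbound srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=445 mirrored=yes

# Weak variant ("Secure Servers" in the article), shown only for contrast:
# inpass=yes accepts the first clear-text packets and soft=yes falls back to
# clear if negotiation fails. The article says this must NOT face the Internet.
# netsh ipsec static add filteraction name=SMB-Request action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]"

# Corrected variant ("Lockdown Servers"): inpass=no drops unsecured inbound
# packets and soft=no forbids fallback, so only IPsec-protected SMB reaches 445.
# ESP rather than AH: AH integrity covers the IP header and fails behind NAT,
# whereas ESP can be UDP-encapsulated (NAT-T) on Windows versions that support it.
netsh ipsec static add filteraction name=SMB-Require action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# Bind filter list and action into a rule. A pre-shared key is used here only
# as a placeholder; rootca= (computer certificates) is the better choice for a
# host reachable from the Internet.
netsh ipsec static add rule name=SMB-Require-Rule policy=SMB-Lockdown filterlist=SMB-Inbound filteraction=SMB-Require kerberos=no psk="REPLACE-WITH-LONG-RANDOM-SECRET"
netsh ipsec static set policy name=SMB-Lockdown assign=yes

# --- Client side: the roaming machine must itself require security ---------
# The default "respond only" behaviour would send the first packets in clear,
# so the client gets a matching require rule toward the server address.
netsh ipsec static add policy name=SMB-Client-Require
netsh ipsec static add filterlist name=SMB-To-Server
netsh ipsec static add filter filterlist=SMB-To-Server srcaddr=Me dstaddr=203.0.113.10 protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filteraction name=SMB-Client-Require-Action action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add rule name=SMB-Client-Rule policy=SMB-Client-Require filterlist=SMB-To-Server filteraction=SMB-Client-Require-Action kerberos=no psk="REPLACE-WITH-LONG-RANDOM-SECRET"
netsh ipsec static set policy name=SMB-Client-Require assign=yes

# Check: the assigned policy, and after a share is opened, the live quick-mode
# SAs (one per direction, as the article describes).
netsh ipsec static show policy name=SMB-Lockdown level=verbose
netsh ipsec dynamic show qmsas
```

    Any perimeter firewall in the path still has to pass IKE (UDP 500), ESP (IP protocol 50) and, when NAT-T is in play, UDP 4500 for the negotiation to complete.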





  10. Re: Internet file share with IPSec?

    NAT won't hurt it provided the proper version of windows is used *and* the
    protocol configured is ESP.

    NAT-T = teh r0x0r



    > requires in-depth knowledge of the type of network traffic that an
    > application sends and receives, and administrative coordination to be sure
    > that all clients and servers have compatible policy


  11. Re: Internet file share with IPSec?

    Possibly. But even a computer with an ipsec "require" policy could [by default
    setting] accept unsecured communications from any computer, though respond
    with ipsec-secured communication only, unless the option for "accept
    unsecured communications, but always respond using ipsec" is unchecked, in
    which case non-ipsec communications would be dropped by the server. I agree
    that for anyone to attempt such, only a "require" ipsec policy should be used on
    both the server and client, with "accept unsecured communications, but always
    respond using ipsec" disabled. --- Steve


    "Herb Martin" wrote in message
    news:%231vZ7KxhFHA.4028@TK2MSFTNGP10.phx.gbl...
    > Quick read: I think the article was mostly warning about "request"
    > policy (on server) and respond policy (on client) -- if both had
    > a specific policy that REQUIRED then everything would be secure
    > once it was made to work.
    >
    > They muddled it by applying the warning following a paragraph
    > that referred to both "require" and "request" server options.
    >
    > --
    > Herb Martin, MCSE, MVP
    > Accelerated MCSE
    > http://www.LearnQuick.Com
    > [phone number on web site]


  12. Re: Internet file share with IPSec?

    Thanks for that Steve. For some reason I thought that would not work for bare
    transport mode ipsec that was not used with L2TP. --- Steve


    "Steve Clark [MSFT]" wrote in message
    news:%23dS6VixhFHA.4048@TK2MSFTNGP10.phx.gbl...
    > NAT won't hurt it provided the proper version of windows is used *and* the
    > protocol configured is ESP.
    >
    > NAT-T = teh r0x0r


  13. Re: Internet file share with IPSec?

    NP at all.

    Things to look out for, as you've mentioned in previous postings, have to do
    with allowing inbound unauthenticated traffic (inbound passthrough) or
    allowing fall back to clear, since each of these behaviors introduces certain
    risk elements. For example, inbound passthrough still subjects those hosts
    to single-packet attacks, like SQL Slammer (unless IPsec filtering stops the
    inbound request first).

    Also, fall back to clear will still establish a "soft" SA to the destination
    host, and that host can then turn around and use that SA to send packets
    back to that initiator.

    We cover all of this in the "Server and Domain Isolation Using IPsec and
    Group Policy" guide. Specifically, look at the section where we discuss the
    Boundary Isolation Group and the rationale behind policy design for that
    group.



    "Steven L Umbach" wrote in message
    news:uABzEyxhFHA.2424@TK2MSFTNGP09.phx.gbl...
    > Thanks for that Steve. For some reason I thought that would not work for
    > bare transport mode ipsec that was not used with L2TP. --- Steve
    >
    >
    > "Steve Clark [MSFT]" wrote in message
    > news:%23dS6VixhFHA.4048@TK2MSFTNGP10.phx.gbl...
    >> NAT won't hurt it provided the proper version of windows is used *and*
    >> the protocol configured is ESP.
    >>
    >> NAT-T = teh r0x0r


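    The two policy options discussed in posts 11 and 13 ("accept unsecured
    communication, but always respond using IPsec" and fall back to clear) map
    directly onto the inpass= and soft= switches of the netsh ipsec static
    filteraction command on Windows XP SP2 / Server 2003. The script below is an
    added example, not from the thread or from Microsoft's guide: it builds the
    same "require" policy with the weak filter action beside the locked-down one,
    and binds only the locked-down one to the rule. The policy, filter list and
    action names, the CA distinguished name and the ESP/3DES/SHA1 quick-mode
    method are assumptions chosen for the example (3DES/SHA1 being what the
    platform of that era offered), not values from the page.

```batch
@echo off
rem Added example (not from the thread): the same "require IPsec" policy built
rem with "netsh ipsec static" (Windows XP SP2 / Server 2003), showing the weak
rem filter action next to the locked-down one. Names, CA DN and the quick-mode
rem method below are placeholders chosen for illustration.

rem 1. Policy container and a mirrored "all IP to/from this host" filter list.
netsh ipsec static add policy name="FileServer-Require" description="Require IPsec for all unicast IP traffic"
netsh ipsec static add filterlist name="All-IP-From-Me"
netsh ipsec static add filter filterlist="All-IP-From-Me" srcaddr=me dstaddr=any protocol=any mirrored=yes description="All IP traffic to and from this host"

rem 2a. WEAK action (the "Secure Servers" caution in the MS article):
rem     inpass=yes -> "Accept unsecured communication, but always respond using IPsec"
rem                   a single clear-text inbound packet is still delivered
rem                   before any SA exists (post 13's single-packet attack point)
rem     soft=yes   -> "Allow unsecured communication with non-IPsec-aware computers"
rem                   a failed negotiation leaves a soft SA the peer can reuse
rem     Created here only for comparison; it is never bound to a rule.
netsh ipsec static add filteraction name="Require-Weak" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem 2b. LOCKED-DOWN action for an Internet-facing host ("Lockdown Servers"):
rem     no inbound pass-through, no fall back to clear; ESP only, so the
rem     traffic also survives NAT-T as Steve Clark notes.
netsh ipsec static add filteraction name="Require-Locked" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem 3. Rule: require the locked-down action for all traffic, authenticating
rem    with computer certificates from your CA (placeholder DN below).
rem    Use the same policy on the client, as post 11 recommends.
netsh ipsec static add rule name="Require-All" policy="FileServer-Require" filterlist="All-IP-From-Me" filteraction="Require-Locked" rootca="C=XX, O=Placeholder CA, CN=Placeholder Root" description="Require ESP with certificate authentication"

rem 4. Assign the policy and confirm both risky options read "No" on the
rem    action that is actually in use.
netsh ipsec static set policy name="FileServer-Require" assign=yes
netsh ipsec static show filteraction name="Require-Locked"
```

    Run it from an elevated command prompt on the server, then the equivalent
    policy on the client; the last line is the check worth keeping in a
    build script, since a policy created through the MMC wizard may carry the
    inbound pass-through option by default, as post 11 describes.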