2005-11-30

IPSec, Windows, and You

OK, try to keep up with this. Microsoft has one of the better IPSec implementations out there, and IPSec is a Good Thing. Basically, IPSec is an optional authorization mechanism for IP traffic that can control precisely what types of packets your machine can send and receive.

Problem is, using IPSec is hard, even when it's easy. Let me explain. No one has yet come up with an easy tool that lets you graphically configure IPSec on your machine to say "I want all traffic between Jim's computer and mine to be encrypted, but I want all traffic from the home office in Toledo to be authenticated." Click, whir, done.

So even implementing a basic IPSec policy is work, whereas if you simplify it ridiculously, it's empty rote devoid of any comprehension of what you're doing.

Say, for instance, you have a Windows XP machine and someone was surfing some naughty, naughty web sites. You can slap the wrists of the employee and tell him to never do that again, but he probably will. (I'm on the fence in regards to the "porn is addictive" argument. I don't think that porn is the addiction. I think it's the pleasure derived from it. If somebody gets hot and bothered thinking about vinyl siding all the time, what's the addiction there? Can one really get hooked on thinking about vinyl siding? And if so, is it the siding's fault?)

Another thing you can do is install some complicated rulesets in your firewall that block TCP traffic. That's certainly an option, but one must consider that most firewalls deal strictly with an IP/port relationship. If the PC in question ever gets a new network card, or is using DHCP, you cannot guarantee that the firewall will still correctly associate the rule with the system.

No, it's better to modify the system itself. And instead of installing some third-party firewall tool, you can just use IPSec and be done with it. Here's how:

First, you need the Windows XP Service Pack 2 Support Tools. These are, inexplicably, not installed when you install SP2. Instead, one must download them from Microsoft. They'll only install on an XP system, but after doing so the one file you need can be copied from "C:\Program Files\Support Tools" to any sort of USB thumb drive or network share. It's called ipseccmd.exe.

ipseccmd.exe is a fairly terse command-line tool for creating, destroying, and modifying IPSec policies on your XP system. Note that it will not work on Windows 2000, but Microsoft has another tool called "ipsecpol" that is essentially the same thing. With ipseccmd.exe, you can explicitly restrict both incoming and outgoing traffic on TCP and UDP ports (among other things).

Once you have ipseccmd.exe handy on your XP system, either because you have the support tools installed locally or you took them from a different XP machine that did, you can create a new IPSec policy to block TCP port 80 with a single command. This will effectively cripple the use of Internet Explorer (and Netscape, and Firefox, and Opera) on the machine and make it unusable for your casual porn hound.

From the directory where ipseccmd.exe is installed, type this all on one line:

  G:\ipseccmd -w REG -p "Block 80/tcp Filter" -r "Block Outbound 80/tcp Rule" -f 0=*:80:TCP -n BLOCK -x

I'll skip the significance of some of these flags, since their meaning should be clear from their context. If you want to know more, read the ipseccmd.exe documentation or the Microsoft Knowledge Base article titled How to block specific network protocols and ports by using IPSec. Instead, I want to elaborate on the interesting flags:

"-w REG" defines where the policy is to be stored. "REG" means "the local Windows registry".

"-n BLOCK" states the action to be taken when IP traffic matches this rule. You may "BLOCK" the traffic, let it "PASS" through, or specify "INPASS", which permits the initial inbound connection to be unsecured but requires responses from your machine to be encrypted or authenticated with an existing IPSec mechanism.

"-x" simply demands that the policy be put into place immediately. None of this rebooting crap.

"-f 0=*:80:TCP" is the interesting one. -f defines the source and destination addresses, ports, and protocol you intend to filter. The format is "SrcAddr/SrcMask:SrcPort=DstAddr/DstMask:DstPort:Protocol".

So if you want to filter all incoming traffic to port 123/udp (which is the SNTP time synchronization protocol), your line would contain "-f *=0:123:UDP". It's important to understand why: "*" means "any source machine on the Internet coming from anywhere" and "0:123:UDP" means "coming to any address used by this local system, on port 123, using UDP". Since clients talk to servers using the server's port of choice, you will seldom find a connection where the source and destination ports are the same (123 to 123, or 80 to 80, for example). So in order to block outgoing TCP traffic, you have to put the correct addresses on the source and destination sides of the "=". Let's parse this one more time:

"-f 0=*:80:TCP": source address "0" means any interface on the local system. Destination "*:80:TCP" means any IP address anywhere, port 80/tcp. In other words, most HTTP servers in the world, which operate on port 80/tcp, are going to have traffic to them blocked by this rule.

And that's precisely what you want. As a note, HTTP servers are also often found on other ports, such as 8000, 8080, 81, 82, and 443. Just so you know. There is no hard and fast list of HTTP server ports. You could run one on port 12345 if you chose to do so. This IPSec policy is meant to restrict nearly all HTTP traffic and prevent porn surfing by a casual user. James Bond and Kevin Mitnick could both circumvent your IPSec policy easily. Caveat emptor.
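As an added illustration (not from the original post and not Microsoft's code), here is a small Python parser and matcher for the one-way "src=dst" filter specs discussed above. It reads "0=*:80:TCP" and "*=0:123:UDP" with the conventions the post describes ("0" = this host, "*" = anywhere, port 0 or omitted = any port), also accepts an address/mask endpoint, and checks constructed sample flows to show which direction each filter selects and that a connection to port 8080 slips past the port-80 rule. The local address set and the sample IPs are made up for the example.

```python
# Added example (not from the post, not Microsoft's ipseccmd.exe): parse the
# one-way "src=dst" filter text and test sample packets against it. Assumed
# conventions from the post: "0" = any address of this host, "*" = anywhere,
# port 0 or omitted = any port, trailing protocol tag optional.
import ipaddress

def parse_endpoint(spec):
    """Parse 'Addr[/Mask][:Port]' where Addr is '0', '*' or dotted IPv4."""
    addr, _, port = spec.partition(":")
    port = 0 if port in ("", "*") else int(port)        # 0 means any port
    if addr not in ("0", "*"):
        addr = ipaddress.ip_network(addr, strict=False)  # no mask -> /32
    return {"addr": addr, "port": port}

def parse_filter(spec):
    """Parse 'SrcAddr/SrcMask:SrcPort=DstAddr/DstMask:DstPort:Protocol'."""
    src, sep, dst = spec.partition("=")
    if not sep:
        raise ValueError("expected one-way 'src=dst' filter: %r" % spec)
    proto, parts = "ANY", dst.split(":")
    if parts[-1].upper() in ("TCP", "UDP", "ICMP"):    # trailing protocol
        proto = parts.pop().upper()
    return {"src": parse_endpoint(src),
            "dst": parse_endpoint(":".join(parts)),
            "proto": proto}

def _addr_selected(pattern, ip, local_addrs):
    if pattern == "*":
        return True
    if pattern == "0":
        return ip in local_addrs                         # this host only
    return ipaddress.ip_address(ip) in pattern           # address/mask

def selects(flt, src_ip, src_port, dst_ip, dst_port, proto, local_addrs):
    """True if a packet src->dst is selected by the filter text. One direction
    only: this models the filter spec, not the XP IPSec driver itself."""
    if flt["proto"] not in ("ANY", proto.upper()):
        return False
    return (_addr_selected(flt["src"]["addr"], src_ip, local_addrs)
            and flt["src"]["port"] in (0, src_port)
            and _addr_selected(flt["dst"]["addr"], dst_ip, local_addrs)
            and flt["dst"]["port"] in (0, dst_port))

if __name__ == "__main__":
    # Constructed sample: this host is 192.168.1.50, web server 198.51.100.80.
    local = {"192.168.1.50"}
    block80 = parse_filter("0=*:80:TCP")
    print(selects(block80, "192.168.1.50", 3001, "198.51.100.80", 80, "TCP", local))
    print(selects(block80, "192.168.1.50", 3001, "198.51.100.80", 8080, "TCP", local))
```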
