> Thanks very much to both Dave and Jochem,
>
> I'm reading the link Jochem sent over, and googled this old but still
> apparently useful resource link list:
>
> http://labmice.techtarget.com/networking/ipsec.htm
>
> I also tracked down svrnetcn.exe in the msde file set and removed
> tcp/ip. The app (LiveStats.xsp) still seems to be working fine so
> that alone may do the trick, whether or not I can get past the hurdle
> of figuring out/implementing ipsec... I'll practice on a local
> workstation first :-)
I would indeed not recommend practicing on a production system :)
Usually the UDP rules are easy: allow remote port 53 from your
DNS servers, allow remote port 123 from your NTP servers (which
you can configure using "net time") and block all other UDP that
is not from the loopback interface.
TCP can be trickier: because it is not stateful, you can't block
ephemeral ports. That means I pretty much block everything below
1027 except ports that need to be open (80, 443) and only put
rules on higher ports if I have a service running on them (5631
for pcAnywhere and port 5432 for PostgreSQL). That is about as
good as it gets in combination with the TCP/IP filter (this might
kill active or passive FTP):
http://support.microsoft.com/default.aspx?scid=kb;en-us;816792
Use "netstat -an" to find any open ports ("netstat -ano" on
Windows XP) you haven't covered with this. And if you want to go
all the way with what your OS provides, which is IP security, check out
the TCP/IP whitepaper and implement fast timeouts and
SYN-throttling:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810731
The firewall tools that come with the OS might not be stellar
(not stateful for instance), but as of Windows 2000 there is
actually quite a bit you can do.
Jochem
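The rule set Jochem sketches (permit UDP only as replies from your own DNS and NTP servers, blanket-block TCP below 1027 except the public ports, put rules only on the higher ports that carry a service, then use "netstat -an" to find anything you missed) can be modelled and checked before it is pushed to a box. The following is an added example and not code from the original thread or from Microsoft's IPsec tooling; the server addresses, the management network used to restrict the service ports, and the netstat sample are constructed assumptions.

```python
"""Model of the host-based filter policy sketched in the message above.

Added example: the addresses, rule table and netstat sample are constructed
assumptions for illustration, not the list author's real configuration.
"""
from ipaddress import ip_address, ip_network

# Assumed (placeholder) addresses of the DNS and NTP servers the host uses.
DNS_SERVERS = {ip_address("192.0.2.53")}
NTP_SERVERS = {ip_address("192.0.2.123")}
# Assumed management network allowed to reach the service ports.
ADMIN_NET = ip_network("192.0.2.0/24")
LOOPBACK = ip_network("127.0.0.0/8")

# From the message: TCP ports that stay open to everyone, and the boundary
# below which everything else is blocked.
PUBLIC_TCP = {80, 443}
LOW_PORT_LIMIT = 1027
# From the message: higher ports that carry a service and therefore get a rule.
SERVICE_TCP = {5631: "pcAnywhere", 5432: "PostgreSQL"}


def decide(proto: str, src: str, src_port: int, dst_port: int) -> str:
    """Classify one inbound datagram/segment as 'permit' or 'block'.

    The filter is stateless (as the message notes), so the decision can only
    look at addresses and ports, never at whether a connection already exists.
    """
    src_ip = ip_address(src)
    if src_ip in LOOPBACK:
        return "permit"  # local traffic is always allowed

    if proto == "udp":
        # Only replies from our own DNS (remote port 53) and NTP (remote port 123).
        if src_ip in DNS_SERVERS and src_port == 53:
            return "permit"
        if src_ip in NTP_SERVERS and src_port == 123:
            return "permit"
        return "block"

    if proto == "tcp":
        if dst_port < LOW_PORT_LIMIT:
            # Blanket block below 1027, with holes only for the public services.
            return "permit" if dst_port in PUBLIC_TCP else "block"
        if dst_port in SERVICE_TCP:
            # Assumption: service ports are restricted to the management network.
            return "permit" if src_ip in ADMIN_NET else "block"
        # Ephemeral range: replies to our own outbound connections land here,
        # and a stateless filter cannot tell them from new inbound connections.
        return "permit"

    raise ValueError(f"unsupported protocol {proto!r}")


def parse_netstat(text: str):
    """Yield (proto, local_ip, local_port) for each listening TCP socket and
    each UDP socket in 'netstat -an' output (Windows column layout)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        if proto == "tcp" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue  # skip established/time-wait sockets
        ip, port = parts[1].rsplit(":", 1)
        yield proto, ip, int(port)


def uncovered_listeners(netstat_text: str):
    """Return listening sockets that an arbitrary remote host could reach and
    for which no explicit rule exists: the ports the message tells you to
    hunt for with 'netstat -an'."""
    found = []
    for proto, ip, port in parse_netstat(netstat_text):
        if ip_address(ip) in LOOPBACK:
            continue  # loopback-only listeners are not exposed
        explicit = port in PUBLIC_TCP or port in SERVICE_TCP
        # Probe with a source outside every trusted set (constructed address).
        if decide(proto, "198.51.100.7", 40000, port) == "permit" and not explicit:
            found.append((proto, port))
    return found


# Constructed sample of 'netstat -an' output from a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5432           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:2311      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    for hit in uncovered_listeners(SAMPLE_NETSTAT):
        print("no rule covers", hit)
```

In the sample, TCP 135 and UDP 161 are listening but already fall under the blanket blocks, 80/443/5432 have explicit rules, and the 1433 listener is bound to loopback only; the one socket the audit reports is TCP 3389, which sits above 1027 and therefore stays reachable until a rule is written for it.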