Reading IPSec policies

  • Question

  • Are there any Windows APIs which I could use to read/interpret the active IPSec policy?
    Actually I need to programmatically know which ports are blocked at the network level by this policy, so that I am not worried about these ports for any kind of vulnerability threats.
    How can I get the list of ports blocked by the IPSec policy programmatically?
    Does anyone know or have any suggestions?
    (I wonder what the netdiag command uses underneath...)
    Monday, September 10, 2007 6:16 AM

Answers

  • To list out the ports that are protected by IPSec, you can either use a static approach by using the filter management functions or write a kernel mode callout driver.

    1. User Mode.

    IPSec policies added using netsh or the Advanced Windows Firewall will plumb an inbound filter at the transport layer to verify that the packets that were supposed to arrive over a security association did indeed arrive securely. The filters are associated with the following well-known callouts, with callout IDs:

    FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4

    FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6

    Use the FwpmFilterCreateEnumHandle0 function to create a handle to enumerate the filter objects.

    One of the parameters to this function is the enumTemplate (FWPM_FILTER_ENUM_TEMPLATE0) that restricts the enumeration.

    Set the callout key member of the enumTemplate to the IPSec callout ID (FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4).

    Use the FwpmFilterEnum0 function with the enum handle returned by FwpmFilterCreateEnumHandle0 to list all filters that match the enum template.

    For more on the filter management functions refer to

    http://msdn2.microsoft.com/en-us/library/ms758486.aspx

    2. Kernel Mode.

    Write a callout driver; this would be a more dynamic approach, as you can inspect every connection to verify that it is secure.

    This driver will reside at the ALE_AUTH_CONNECT (TCP) and at the ALE_AUTH_RECV_ACCEPT layer. This will make sure that the classify function gets invoked for every new connection.

    FWPS_INCOMING_VALUES0 is a structure that defines data values that are passed by the filter engine to a callout driver's classify function.

    /* #LAYER# stands for the layer-specific index of the flags field,
       e.g. FWPS_FIELD_ALE_AUTH_CONNECT_V4_FLAGS at the ALE_AUTH_CONNECT_V4 layer */
    UINT32 flags = inFixedValues->incomingValue[#LAYER#].value.uint32;

    if (flags & FWP_CONDITION_FLAG_IS_IPSEC_SECURED) implies that the connection is protected by IPSec.

    For more on callout drivers refer to

    http://msdn2.microsoft.com/en-us/library/aa504873.aspx

    Thursday, September 13, 2007 2:08 AM
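The user-mode procedure from the answer above, written out as an added example; this is not code from the thread or from Microsoft. It opens the filter engine, enumerates inbound transport filters whose callout key is FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 (the enum-template restriction the answer describes), and decodes each filter's FWPM_CONDITION_IP_LOCAL_PORT conditions into the set of local ports the policy covers. Assumptions: on Windows it builds against fwpmu.h, links fwpuclnt.lib and must run elevated; outside Windows, the stand-in type definitions, their enum values and the FWPM_CONDITION_IP_LOCAL_PORT GUID are constructed placeholders so that only the decoder is compiled and run, on a constructed pair of conditions. The function names collect_ipsec_ports, mark_local_ports, count_marked and demo_decode are this example's own.

```c
/* Added example (not code from the thread). Windows: real WFP API (fwpmu.h,
 * fwpuclnt.lib). Elsewhere: constructed stand-in types so the decoder below
 * builds and runs on constructed input. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <fwpmu.h>
#pragma comment(lib, "fwpuclnt.lib")
#define GUID_EQ(a, b) IsEqualGUID(&(a), &(b))
#else  /* stand-in subset of the WFP types; enum values are placeholders */
#include <stdint.h>
typedef uint16_t UINT16; typedef uint32_t UINT32;
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
typedef enum { FWP_MATCH_EQUAL, FWP_MATCH_RANGE } FWP_MATCH_TYPE;
typedef enum { FWP_UINT16, FWP_RANGE_TYPE } FWP_DATA_TYPE;
typedef struct { FWP_DATA_TYPE type; union { UINT16 uint16; }; } FWP_VALUE0;
typedef struct { FWP_VALUE0 valueLow, valueHigh; } FWP_RANGE0;
typedef struct { FWP_DATA_TYPE type; union { UINT16 uint16; FWP_RANGE0 *rangeValue; }; } FWP_CONDITION_VALUE0;
typedef struct { GUID fieldKey; FWP_MATCH_TYPE matchType; FWP_CONDITION_VALUE0 conditionValue; } FWPM_FILTER_CONDITION0;
static const GUID FWPM_CONDITION_IP_LOCAL_PORT = { 0x11111111, 0x2222, 0x3333, { 0, 1, 2, 3, 4, 5, 6, 7 } }; /* constructed placeholder */
#define GUID_EQ(a, b) (memcmp(&(a), &(b), sizeof(GUID)) == 0)
#endif
#define MAX_PORTS 65536

/* Marks each local port a filter's conditions name (WFP ORs conditions on the
 * same field); handles a single value and a range.  Returns the number of
 * local-port conditions seen: zero means the filter covers every port. */
static int mark_local_ports(const FWPM_FILTER_CONDITION0 *cond, UINT32 n, unsigned char ports[MAX_PORTS])
{
    int seen = 0;
    for (UINT32 i = 0; i < n; i++) {
        const FWP_CONDITION_VALUE0 *v = &cond[i].conditionValue;
        unsigned lo, hi;
        if (!GUID_EQ(cond[i].fieldKey, FWPM_CONDITION_IP_LOCAL_PORT)) continue;
        if (cond[i].matchType == FWP_MATCH_EQUAL && v->type == FWP_UINT16) {
            lo = hi = v->uint16;
        } else if (cond[i].matchType == FWP_MATCH_RANGE && v->type == FWP_RANGE_TYPE &&
                   v->rangeValue->valueLow.type == FWP_UINT16 && v->rangeValue->valueHigh.type == FWP_UINT16) {
            lo = v->rangeValue->valueLow.uint16; hi = v->rangeValue->valueHigh.uint16;
        } else continue;  /* other match or data types are not port lists */
        seen++;
        for (unsigned p = lo; p <= hi && p < MAX_PORTS; p++) ports[p] = 1;
    }
    return seen;
}

static int count_marked(const unsigned char ports[MAX_PORTS])
{ int c = 0; for (unsigned p = 0; p < MAX_PORTS; p++) c += ports[p]; return c; }

#ifdef _WIN32
/* Enumerates inbound transport filters bound to the IPsec callout, using the
 * enum template restriction the answer describes, and decodes each one. */
static DWORD collect_ipsec_ports(unsigned char ports[MAX_PORTS], int *unrestricted)
{
    HANDLE engine = NULL, enumHandle = NULL; FWPM_FILTER_ENUM_TEMPLATE0 tmpl;
    GUID callout = FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4;
    FWPM_FILTER0 **entries = NULL; UINT32 n = 0;
    DWORD rc = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &engine);
    *unrestricted = 0;
    if (rc != ERROR_SUCCESS) return rc;
    memset(&tmpl, 0, sizeof tmpl);
    tmpl.layerKey = FWPM_LAYER_INBOUND_TRANSPORT_V4;
    tmpl.enumType = FWP_FILTER_ENUM_OVERLAPPING; tmpl.actionMask = 0xFFFFFFFF;  /* any action */
    tmpl.calloutKey = &callout;  /* only filters that use the IPsec callout */
    rc = FwpmFilterCreateEnumHandle0(engine, &tmpl, &enumHandle);
    while (rc == ERROR_SUCCESS && (rc = FwpmFilterEnum0(engine, enumHandle, 64, &entries, &n)) == ERROR_SUCCESS) {
        for (UINT32 i = 0; i < n; i++)
            if (mark_local_ports(entries[i]->filterCondition, entries[i]->numFilterConditions, ports) == 0)
                *unrestricted = 1;  /* a filter with no port condition covers all ports */
        if (entries) FwpmFreeMemory0((void **)&entries);
        if (n == 0) break;          /* end of enumeration */
    }
    if (enumHandle) FwpmFilterDestroyEnumHandle0(engine, enumHandle);
    FwpmEngineClose0(engine);
    return rc;
}
#endif

/* Constructed sample: one filter with "port == 445" and "port in 135..139";
 * returns the number of distinct ports it covers (6). */
static int demo_decode(void)
{
    static unsigned char ports[MAX_PORTS];
    FWP_RANGE0 range; FWPM_FILTER_CONDITION0 cond[2];
    memset(ports, 0, sizeof ports); memset(cond, 0, sizeof cond);
    range.valueLow.type = range.valueHigh.type = FWP_UINT16;
    range.valueLow.uint16 = 135; range.valueHigh.uint16 = 139;
    cond[0].fieldKey = cond[1].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
    cond[0].matchType = FWP_MATCH_EQUAL; cond[0].conditionValue.type = FWP_UINT16;
    cond[0].conditionValue.uint16 = 445;
    cond[1].matchType = FWP_MATCH_RANGE; cond[1].conditionValue.type = FWP_RANGE_TYPE;
    cond[1].conditionValue.rangeValue = &range;
    return mark_local_ports(cond, 2, ports) == 2 ? count_marked(ports) : -1;
}

/* A filter with no local-port condition: the decoder reports zero conditions. */
static int demo_unrestricted(void) { static unsigned char p[MAX_PORTS]; return mark_local_ports(NULL, 0, p); }

int main(void)
{
#ifdef _WIN32
    static unsigned char ports[MAX_PORTS]; int all = 0;
    if (collect_ipsec_ports(ports, &all) != ERROR_SUCCESS) return 1;  /* needs elevation */
    printf("%d IPsec-covered local ports%s\n", count_marked(ports), all ? " (plus an unrestricted filter)" : "");
#endif
    printf("constructed sample covers %d ports\n", demo_decode());
    return 0;
}
```

What the enumeration returns is the set of ports the policy requires to be secured, which is a different question from which ports are blocked; a filter that carries no local-port condition applies to every port, so the code reports that case separately instead of silently returning an empty set. The V6 variant (FWPM_LAYER_INBOUND_TRANSPORT_V6 with FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6) is enumerated the same way.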

All replies

  • Filter management functions - Don't they run only on Windows Vista and above?
    Isn't there any simpler thing to interpret IPSec statistics?
    Thursday, October 18, 2007 4:59 AM
  • sainjure wrote:
    Filter management functions - Don't they run only on Windows Vista and above?

    Yes

    sainjure wrote:
    Isn't there any simpler thing to interpret IPSec statistics?

    I don't know, but posting the question on the Filtering Platform forum certainly predisposes you to getting answers which utilize that API...
    Thursday, October 18, 2007 9:44 PM