Tag Archive for firewall

Using Windows Firewall to block Ports


What is Windows Firewall with Advanced Security in Windows?

Windows Firewall with Advanced Security in Windows® 7, Windows Vista®, Windows Server® 2008 R2, and Windows Server® 2008 is a stateful, host-based firewall that filters incoming and outgoing connections based on its configuration. While typical end-user configuration of Windows Firewall still takes place through the Windows Firewall Control Panel, advanced configuration now takes place in a Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security. The inclusion of this snap-in not only provides an interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and by using Group Policy. Firewall settings are now integrated with Internet Protocol security (IPsec) settings, allowing for some synergy: Windows Firewall can allow or block traffic based on some IPsec negotiation outcomes.

Windows Firewall with Advanced Security supports separate profiles (sets of firewall and connection security rules) for when computers are members of a domain, or connected to a private or public network. It also supports the creation of rules for enforcing server and domain isolation policies. Windows Firewall with Advanced Security supports more detailed rules than previous versions of Windows Firewall, including filtering based on users and groups in Active Directory, source and destination Internet Protocol (IP) addresses, IP port number, ICMP settings, IPsec settings, specific types of interfaces, services, and more.

Windows Firewall with Advanced Security can be part of your defense in depth security policy. Defense in depth is the implementation of a security policy that uses multiple methods to protect computers and all components of the network from malicious attacks.

Protection must extend from the network perimeter to:

  • Internal networks
  • Computers in the internal network
  • Applications running on both servers and clients
  • Data stored on both servers and clients

Windows Firewall with Advanced Security provides a number of ways to implement settings on both local and remote computers. You can configure Windows Firewall with Advanced Security in the following ways:

  • Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in or the Netsh advfirewall command.
  • Configure Windows Firewall with Advanced Security Group Policy settings by using the Group Policy Management Console (GPMC) or by using the Netsh advfirewall command.

Rules

Firewall rules from different sources are first merged together. Rules can be stored on the local computer, or in a variety of Group Policy objects (GPOs).

Windows Firewall with Advanced Security uses a specific order in which firewall rule evaluation takes place.

This order is as follows:

[Figure FirewallRules: rule evaluation order]

Example Firewall Tasks

One task we were asked to do was to block our TEST Terminal Servers from being able to connect to DFS Shares on a DEV DFS Server. Below is a list of points to bear in mind.

  • It is best to control Server Firewall Rules by Group Policy
  • The GPO needs to apply to a Computer OU containing the DEV Server
  • The DEV Server can be put in the scope of the GPO
  • We could have an option to turn the Firewall on and then block servers
  • We could have an option to turn the Firewall off and then allow servers
  • We could use inbound rules blocking the DFS ports: TCP 445 (SMB), TCP 135 (RPC), TCP 139 (NetBIOS Session Service), UDP 137 (NetBIOS Name Resolution) and UDP 138 (NetBIOS Datagram Service)
  • If you set up Inbound Rules, you then need to set the scope which includes setting the Local Server IP Address (The DEV DFS Server) and the Remote Servers IP Addresses (The servers you want to block)

Useful Link for showing what ports applications use

http://technet.microsoft.com/en-us/library/cc875824.aspx

Example 1 (Turn Firewall On and Allow connections but block TEST Servers)

  • Open Group Policy Management
  • Right click on the DEV DFS Server OU and select Create a GPO in this domain, and Link it here
  • Put in a name
  • Right click on the new GPO and select Edit
  • Navigate to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile and Enable Windows Firewall: Protect all network connections


  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
  • Click on Windows Firewall Properties


  • Go through Domain Profile, Private Profile and Public Profile and set the following options for each one

[Screenshots firewallblock2, firewallblock3 and firewallblock4: the profile settings to apply]

  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
  • Right click on Inbound Rules > Select New inbound rule > Select Custom


  • Choose All Programs


  • Choose Any for Protocol Type


  • In Scope, leave the Local IP Addresses as Any IP Address and then for the Remote IP Addresses, put in the IP Addresses of the servers you want to block


  • Choose Block as your Action


  • Apply the rule to all Profiles


  • Put in a Rule Name and Description


  • Click Finish
  • Test accessing a DFS Share from a blocked server. It should be blocked


The second way of doing this

The second way is a kind of reverse approach: turn the Windows Firewall on through Group Policy, which by default (once the GPO is applied to a DFS Server) blocks incoming connections, as shown below, and then modify the Group Policy so that only certain networks are allowed to use File and Printer Sharing.

[Screenshot: default firewall state on a DFS Server after the GPO is applied]

  • Next log into Group Policy Management Console
  • Create a new GPO and attach it to your DFS Servers
  • Put the DFS Servers in the scope of the GPO
  • Now adjust the following settings
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Domain Profile > Firewall State (Turn On)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Domain Profile > Inbound Connections (Block Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Domain Profile > Outbound Connections (Allow Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Private Profile > Firewall State (Turn On)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Private Profile > Inbound Connections (Block Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Private Profile > Outbound Connections (Allow Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Public Profile > Firewall State (Turn On)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Public Profile > Inbound Connections (Block Default)
  • Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Public Profile > Outbound Connections (Allow Default)
  • Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections (Enable)
  • Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow inbound file and printer sharing (you will need to enable this and then put in the network which is allowed to access it)


  • Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Allow inbound Remote Desktop Connections
  • And then test this from a network you want to block from your DFS Servers etc
  • Voila 🙂

Configure and Maintain the ESXi Firewall


The ESXi Firewall

Supported services and management agents that are required to operate the host are described in a rule set configuration file in the ESXi firewall directory /etc/vmware/firewall/. The file contains firewall rules and lists each rule’s relationship with ports and protocols.

By default, when ESXi is installed, the firewall is enabled. The default configuration is to permit only the required operational traffic and to deny all other traffic.


Identify esxcli firewall configuration commands


Example Commands of esxcli network firewall

List Firewall Rules

  • esxcli network firewall ruleset list


Enable and Disable the FTP Client Ruleset

  • esxcli network firewall ruleset set --ruleset-id ftpClient --enabled true
  • esxcli network firewall ruleset set --ruleset-id ftpClient --enabled false


Explain the three Firewall Security Levels


Enable/Disable pre-configured services


Configure service behavior automation

Select a host > Configuration > Software > Security Profile > Services > Properties > Options

  • Start automatically if any ports are open, and stop when all ports are closed: The default setting for these services that VMware recommends. If any port is open, the client attempts to contact the network resources pertinent to the service in question. If some ports are open, but the port for a particular service is closed, the attempt fails, but there is little drawback to such a case. If and when the applicable outgoing port is opened, the service begins completing its tasks.
  • Start and stop with host: The service starts shortly after the host starts and closes shortly before the host shuts down. Much like Start automatically if any ports are open, and stop when all ports are closed, this option means that the service regularly attempts to complete its tasks, such as contacting the specified NTP server. If the port was closed but is subsequently opened, the client begins completing its tasks shortly thereafter.
  • Start and stop manually: The host preserves the user-determined service settings, regardless of whether ports are open or not. When a user starts the NTP service, that service is kept running as long as the host is powered on. If the service is started and the host is powered off, the service is stopped as part of the shutdown process.


Open/Close ports in the firewall
  1. Log in to the vSphere client
  2. Enter the Hosts and Clusters View
  3. Select a host
  4. Click the Configuration tab
  5. Under the Software view, select Security Profile
  6. Under Security Profile > Firewall, click Properties
  7. Highlight a service
  8. To enable a firewall rule, check the check box next to the traffic label


Allowing connections from an IP Address or a network

  1. Connections may be allowed from all addresses, or restricted to individual IPv4 or IPv6 addresses and/or IPv4 or IPv6 networks.


Example esxcli network firewall commands

List the Firewall rules and their ports

  • esxcli network firewall ruleset rule list


Disable and Enable the All IPs allowed rule for the ftpClient Rule

  • esxcli network firewall ruleset set --allowed-all false --ruleset-id=ftpClient
  • esxcli network firewall ruleset set --allowed-all true --ruleset-id=ftpClient


Specify an allowed network range 10.1.1.0/24 for the ftpClient Firewall Rule

  • esxcli network firewall ruleset allowedip add --ip-address=10.1.1.0/25 --ruleset-id ftpClient


Create a custom service

Rule set configuration files are located in the /etc/vmware/firewall directory and you will see there are 2 files there already

  • fdm.xml
  • service.xml


Create a custom service file for a service

  • Log into WinSCP and navigate to /etc/vmware/firewall/
  • Copy the service.xml file to your machine
  • I copied the format for an individual service within the service.xml file and created a new WordPad file initially, where I adjusted the service id to a unique ID, the id to my service name (RhianService) and chose a new port number, 800

[Screenshot XMLFormat: the service entry copied from service.xml]

  • I then saved the file as RhianService.xml
  • Next copy this file to the /etc/vmware/firewall directory


  • Next PuTTY into your host and run the following commands, as seen in the screenprint below
  • esxcli network firewall refresh
  • esxcli network firewall ruleset list, and you should see your new service

[Screenshot CustomFirewallRule: the refresh and ruleset list commands with the new service listed]

  • In vCenter look at Configuration > Software > Security Profile. You should see your custom profile


Adding a Custom Service

To add a service to the host security profile, VMware partners can create a VIB that contains the port rules for the service in a configuration file. VIB authoring tools are available to VMware partners only. Each set of rules for a service in the rule set configuration file contains the following information:

  • A numeric identifier for the service, if the configuration file contains more than one service.
  • A unique identifier for the rule set, usually the name of the service.
  • For each rule, the file contains one or more port rules, each with a definition for direction, protocol, port type, and port number or range of port numbers.
  • An indication of whether the service is enabled or disabled when the rule set is applied.
  • An indication of whether the rule set is required and cannot be disabled.
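The walkthrough above (RhianService on TCP port 800) and the field list it follows can be checked before a hand-edited file is copied to the host. The Python below is an added example, not code from this post or from VMware: it writes a rule-set file with the fields listed above and reads one back to list each rule's direction, protocol and port. The element names (ConfigRoot, service, rule, direction, protocol, porttype, port, enabled, required) are assumed from the layout of the stock service.xml, and the rejection of bad directions, protocols and port numbers is this example's own check.

```python
import xml.etree.ElementTree as ET

# Accepted values, assumed from the stock service.xml layout (not stated on the page).
DIRECTIONS, PROTOCOLS, PORT_TYPES = {"inbound", "outbound"}, {"tcp", "udp"}, {"src", "dst"}


def build_ruleset(service_num, ruleset_id, rules, enabled=True, required=False):
    """Return the XML text of one rule set, in the layout of /etc/vmware/firewall/*.xml.

    rules: list of (direction, protocol, porttype, port); port is an int or a
    (begin, end) tuple for a port range. Invalid values raise ValueError so a
    bad file is caught before it is copied to the host.
    """
    root = ET.Element("ConfigRoot")
    svc = ET.SubElement(root, "service", id=f"{service_num:04d}")  # numeric service id
    ET.SubElement(svc, "id").text = ruleset_id                       # unique rule-set id
    for n, (direction, proto, ptype, port) in enumerate(rules):
        if direction not in DIRECTIONS or proto not in PROTOCOLS or ptype not in PORT_TYPES:
            raise ValueError(f"invalid rule {direction}/{proto}/{ptype}")
        rule = ET.SubElement(svc, "rule", id=f"{n:04d}")
        ET.SubElement(rule, "direction").text = direction
        ET.SubElement(rule, "protocol").text = proto
        ET.SubElement(rule, "porttype").text = ptype
        port_el = ET.SubElement(rule, "port")
        lo, hi = port if isinstance(port, tuple) else (port, port)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port {port}")
        if lo == hi:
            port_el.text = str(lo)
        else:  # a range is written as nested begin/end elements
            ET.SubElement(port_el, "begin").text = str(lo)
            ET.SubElement(port_el, "end").text = str(hi)
    ET.SubElement(svc, "enabled").text = "true" if enabled else "false"
    ET.SubElement(svc, "required").text = "true" if required else "false"
    return ET.tostring(root, encoding="unicode")


def list_rules(xml_text):
    """Parse rule-set XML and return (ruleset id, direction, protocol, port or range)."""
    found = []
    for svc in ET.fromstring(xml_text).iter("service"):
        name = svc.findtext("id")
        for rule in svc.iter("rule"):
            port = rule.find("port")
            begin = port.findtext("begin")
            span = f"{begin}-{port.findtext('end')}" if begin else port.text.strip()
            found.append((name, rule.findtext("direction"), rule.findtext("protocol"), span))
    return found
```

Calling build_ruleset(0, "RhianService", [("inbound", "tcp", "dst", 800)]) produces the file for the walkthrough above; running list_rules over a copy of service.xml gives the same port view as esxcli network firewall ruleset rule list.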

Set Firewall Security Level


  • High Security (Default) – Firewall is configured to block all incoming and outgoing traffic, except for ports 22, 123, 427, 443, 902, 5989 and 5988. These are the ports used for basic ESXi communication
  • Medium Security – All incoming traffic is blocked, except on the default ports and any ports you specifically open. Outgoing traffic is not blocked
  • Low Security – No ports are blocked on either incoming or outgoing traffic. This setting is equivalent to removing the firewall

Set High

  • esxcli network firewall set --default-action false


Set Low

  • esxcli network firewall set --default-action true


Restart hostd at the command line following Security Level changes by typing service mgmt-vmware restart

Troubleshoot the ESXi firewall


ESXi Firewall Log Location

Firewall changes are logged in /var/log/vobd.log

ESXCLI Command Set


  • esxcli network firewall


  • esxcli network firewall ruleset list


  • esxcli network firewall get


  • esxcli network firewall set --enabled true


Firewall Ports to check

The following ports are enabled by default. If your port is not listed, you may need to enable a pre-defined rule or set up a custom firewall rule.


Identify Firewall Access Rules for Update Manager


Firewall Access Rules

If you access ESXi hosts through vCenter Server, you typically protect vCenter Server using a firewall. This firewall provides basic protection for your network.
A firewall might lie between the clients and vCenter Server. Alternatively, vCenter Server and the clients can be behind the firewall, depending on your deployment. The main point is to ensure that a firewall is present at what you consider to be an entry point for the system.


ESXi Security Guide

Please see Pages 23-25 for extra Port Information

ESXi Security Guide