Windows Server 2003 Configuring Packet Filters


Configuring Packet Filters: As you may recall, you can configure TCP/IP filters at the host level with Windows Server 2003, but with RRAS you can also configure filters at the packet level on a per-interface basis. Packet filtering is used to control traffic through a router. By using packet filtering, you can prevent attacks on your internal network by blocking the protocols and ports that are vulnerable.

Packet filtering affects all traffic through an interface, so before you implement filters make sure that the protocol and port are not needed by a service. In addition to preventing attacks, you can also improve network performance by only allowing necessary traffic.

There are two settings you can choose when implementing packet filtering. You can either allow all traffic except that specified, or you can prevent all except that specified. In either case, when you implement packet filtering, the router will drop any traffic that does not meet the conditions you specify.

You can also configure packet filtering as either inbound or outbound. Inbound filters are useful when, for example, you have a Web server that is only serving FTP and HTTP, but not accepting inbound FTP transfers or allowing inbound SMTP/POP3 traffic. Outbound filters are similarly useful when you want to restrict your users to certain kinds of Internet access, such as only HTTP and not FTP.

You can also configure multiple conditions within a filter, or you can configure multiple filters for an interface. When you configure multiple conditions within a filter, a logical AND is performed, whereby all conditions must be met for the packet to be allowed. On the other hand, if you configure multiple inbound or outbound filters, then a logical OR operation is performed, whereby the packet must meet at least one of the allow conditions on one of the filters in order to pass. It is possible, however, to configure inbound and outbound filters where all packets will be dropped because the filters are contradictory.

To configure packet filters, you start with the RRAS Management console. You need to expand the IP Routing section, click on General, and then click on the interface that you wish to configure packet filters on. From there, you can either right-click and choose Properties or click on the Action menu and choose Properties.

On the General tab, you choose either inbound or outbound filters. The configuration method is the same for each. When you click on New, you will see the Add IP Filter dialog box. There you can configure the source and destination networks, and the protocol to filter. After you choose the protocol, you will then be able to configure a source and destination port, or a type and code in the case of ICMP traffic.

Filtering ICMP traffic is useful, for example, when you do not want an ICMP Echo Request (ping or tracert) to pass through your router. This is useful both when a demand-dial interface is configured and you only want actual data streams to initiate the demand-dial connection, and when you want to limit the exposure of your internal computers to probes from the public Internet.

After you have configured the protocol or protocols for the filter, you then need to define whether this will be an allow or an exclusion. Remember that you can either block all except, or allow all except. For this reason, packet filters are often referred to as using an exception list.

When you have finished configuring filters, click on OK to return to the properties page for the interface, and OK again to apply the changes and close the properties page.
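The evaluation rules described above (AND within a filter, OR across filters, and the allow-all-except / drop-all-except setting) can be checked on paper before touching the interface. The following is an added example, not RRAS code or part of the original article: a small Python model in which the class names, the mode strings and the 192.0.2.10 web server address are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: Optional[int] = None       # TCP/UDP only
    dport: Optional[int] = None
    icmp_type: Optional[int] = None   # ICMP only
    icmp_code: Optional[int] = None

@dataclass(frozen=True)
class Filter:                         # None / "any" means "do not test this field"
    proto: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Conditions inside one filter are ANDed: every configured field must match.
        same = lambda want, got: want is None or want == got
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and same(self.sport, p.sport) and same(self.dport, p.dport)
                and same(self.icmp_type, p.icmp_type)
                and same(self.icmp_code, p.icmp_code))

def forwards(packet: Packet, filters: list, mode: str) -> bool:
    """mode is 'drop_all_except' or 'allow_all_except' (the exception list)."""
    if mode not in ("drop_all_except", "allow_all_except"):
        raise ValueError(mode)
    hit = any(f.matches(packet) for f in filters)   # separate filters are ORed
    return hit if mode == "drop_all_except" else not hit

# Constructed sample: inbound list for a web server at 192.0.2.10 (HTTP and FTP control).
WEB = "192.0.2.10/32"
INBOUND = [Filter(proto="tcp", dst_net=WEB, dport=80),
           Filter(proto="tcp", dst_net=WEB, dport=21)]
# Constructed sample: allow everything except ICMP Echo Request (type 8, code 0).
NO_PING = [Filter(proto="icmp", icmp_type=8, icmp_code=0)]

if __name__ == "__main__":
    probe = Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 25)   # SMTP
    print("SMTP to web server forwarded:", forwards(probe, INBOUND, "drop_all_except"))
```

Note that an empty filter list combined with the drop-all-except setting forwards nothing, which is one way an interface ends up dropping all packets.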

Pop Quiz Questions:
1. You know that RRAS is installed on your Windows Server 2003 but you cannot use the service. What do you need to do to troubleshoot this?
2. What can you do to stop Ping traffic across your router?
3. What is the first step to configuring a Routing Protocol?
4. What is the second step to configuring a Routing Protocol?
5. What is the third and final step to configuring a Routing Protocol?

Pop Quiz Answers:
1. Enable the service from the RRAS Management Console. Right-click and choose Action, then enable the service.
2. Use Packet Filtering.
3. Add the protocol to RRAS.
4. Add a minimum of one interface for the protocol in the RRAS console.
5. Configure the interfaces for use in the RRAS console.

Deborah Timmons is a Microsoft Certified Trainer and Microsoft Certified Systems Engineer. She came into the Microsoft technical field after six years in the adaptive technology field, providing technology and training for persons with disabilities. She is the President and co-owner of Integrator Systems Inc.
