TCP/IP and ICMP filtering

 
 
George Valkov
Guest
Posts: n/a

 
      04-04-2004, 04:49 PM
Hello!

I want to use a Windows 2003 Enterprise Server for FTP only.
The server will be available on two networks:
1. NIC 1 (local area network)
2. VPN established via NIC 1 (
Device Name = WAN Miniport (PPTP)
Server Port = TCP 1723
Server Type = PPP
Authentication = MS CHAP V2
Transports = TCP/IP
)

I have stopped on three ways for protection and I want to minimize the system
resources used for filtering the network traffic. I also want to block the
ICMP traffic.
1. TCP/IP filtering on the Advanced TCP/IP Settings for the NIC 1 (
TCP Ports: Permit Only (20, 21, 1723)
UDP Ports: Permit Only (none)
IP Protocols: Permit Only (which protocols should I enable here? Where can
I find more information about the mapping between names and numbers of IP
protocols?)
Are there missing ports that I need to enable?
Can I block ICMP from this dialog?
)

2. IP Security Policies (
Block all ICMP traffic
Block all UDP traffic
Dynamic: Default Response: Kerberos
)

3. Internet Connection Firewall (ICF) Service (
ICMP - any requests are blocked.
Open TCP 20 = FTP Data
Open TCP 21 = FTP Control
)


Which protection method or group of methods is the optimal solution for
performance and security in this scenario?



Thank You for any support!

George Valkov




 
 
 
 
 
Jeff Cochran
Guest
Posts: n/a

 
      04-04-2004, 08:47 PM
On Sun, 4 Apr 2004 19:49:59 +0300, "George Valkov"
<(E-Mail Removed)> wrote:

>Hello!
>
>I want to use a Windows 2003 Enterprise Server for FTP only.
>The server will be available on two networks:
>1. NIC 1 (local area network)
>2. VPN established via NIC 1 (
> Device Name = WAN Miniport (PPTP)
> Server Port = TCP 1723
> Server Type = PPP
> Authentication = MS CHAP V2
> Transports = TCP/IP
>)
>
>I have stopped on three ways for protection and I want to minimize the system
>resources used for filtering the network traffic. I also want to block the
>ICMP traffic.
>1. TCP/IP filtering on the Advanced TCP/IP Settings for the NIC 1 (
> TCP Ports: Permit Only (20, 21, 1723)
> UDP Ports: Permit Only (none)
> IP Protocols: Permit Only (which protocols should I enable here? Where can
>I find more information about the mapping between names and numbers of IP
>protocols?)
> Are there missing ports that I need to enable?
> Can I block ICMP from this dialog?
>)
>
>2. IP Security Policies (
> Block all ICMP traffic
> Block all UDP traffic
> Dynamic: Default Response: Kerberos
>)
>
>3. Internet Connection Firewall (ICF) Service (
> ICMP - any requests are blocked.
> Open TCP 20 = FTP Data
> Open TCP 21 = FTP Control
>)
>
>
>Which protection method or group of methods is the optimal solution for
>performance and security in this scenario?


4) Hardware firewall, properly configured and monitored.

Jeff
 
 
George Valkov
Guest
Posts: n/a

 
      04-05-2004, 07:39 PM
I understand that in a high-end server environment I should use a hardware
firewall.
I want to compare the performance between
TCP/IP filtering
IP Security policy
Internet Connection Firewall
and optimize the performance of my home PC.
I also want to know if I need to enable any protocols for the TCP/IP filtering
so that I can connect to the VPN server.


George Valkov




"Jeff Cochran" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 4 Apr 2004 19:49:59 +0300, "George Valkov"
> <(E-Mail Removed)> wrote:
>
> >Hello!
> >
> >I want to use a Windows 2003 Enterprise Server for FTP only.
> >The server will be available on two networks:
> >1. NIC 1 (local area network)
> >2. VPN established via NIC 1 (
> > Device Name = WAN Miniport (PPTP)
> > Server Port = TCP 1723
> > Server Type = PPP
> > Authentication = MS CHAP V2
> > Transports = TCP/IP
> >)
> >
> >I have stopped on three ways for protection and I want to minimize the system
> >resources used for filtering the network traffic. I also want to block the
> >ICMP traffic.
> >1. TCP/IP filtering on the Advanced TCP/IP Settings for the NIC 1 (
> > TCP Ports: Permit Only (20, 21, 1723)
> > UDP Ports: Permit Only (none)
> > IP Protocols: Permit Only (which protocols should I enable here? Where can
> >I find more information about the mapping between names and numbers of IP
> >protocols?)
> > Are there missing ports that I need to enable?
> > Can I block ICMP from this dialog?
> >)
> >
> >2. IP Security Policies (
> > Block all ICMP traffic
> > Block all UDP traffic
> > Dynamic: Default Response: Kerberos
> >)
> >
> >3. Internet Connection Firewall (ICF) Service (
> > ICMP - any requests are blocked.
> > Open TCP 20 = FTP Data
> > Open TCP 21 = FTP Control
> >)
> >
> >
> >Which protection method or group of methods is the optimal solution for
> >performance and security in this scenario?

>
> 4) Hardware firewall, properly configured and monitored.
>
> Jeff
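
An added example, not part of the thread: a check of which inbound flows the posted Permit Only lists would admit, covering the questions about the protocol name/number mapping and what the VPN needs. The filter model and the function names are assumptions made for illustration; the protocol numbers are the IANA assignments, and PPTP carries its tunnelled data in GRE (IP protocol 47) alongside the TCP 1723 control connection.

```python
# IANA-assigned IP protocol numbers relevant to this thread.
IP_PROTOCOLS = {"ICMP": 1, "TCP": 6, "UDP": 17, "GRE": 47}

# Inbound flows the server must accept. Ports are the ones listed in the post;
# GRE (IP protocol 47) is the encapsulation PPTP uses for tunnelled data.
REQUIRED_FLOWS = [
    ("FTP data", "TCP", 20),
    ("FTP control", "TCP", 21),
    ("PPTP control", "TCP", 1723),
    ("PPTP tunnel data", "GRE", None),
]


def protocol_number(value):
    """Resolve a protocol name ('gre') or number ('47', 47) to its number."""
    text = str(value).strip().upper()
    if text.isdigit():
        number = int(text)
        if number > 255:
            raise ValueError(f"IP protocol numbers are 0-255, got {number}")
        return number
    if text not in IP_PROTOCOLS:
        raise ValueError(f"unknown IP protocol name: {value!r}")
    return IP_PROTOCOLS[text]


def uncovered_flows(tcp_ports, udp_ports, ip_protocols, flows=REQUIRED_FLOWS):
    """Return the names of required flows the permit-only lists do not admit.

    Assumed model: TCP and UDP flows are matched against their port lists;
    any other protocol is matched against the IP protocol list.
    """
    allowed = {protocol_number(p) for p in ip_protocols}
    port_lists = {"TCP": set(tcp_ports), "UDP": set(udp_ports)}
    missing = []
    for name, proto, port in flows:
        if proto in port_lists:
            admitted = port in port_lists[proto]
        else:
            admitted = protocol_number(proto) in allowed
        if not admitted:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # The lists as posted, with the IP Protocols list left empty.
    print(uncovered_flows([20, 21, 1723], [], []))
    print(uncovered_flows([20, 21, 1723], [], ["GRE"]))
```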



 