none
Windows 7, IPsec and my ignorance

    Question

  • I am an Industrial Automation engineer. I am faced with a situation where I have multiple Windows 7 enterprise boxes on the plant floor that are using the enterprise network. These boxes are not apart of the enterprise domain, have an assigned subnet, and fixed IPs. These boxes must be protected from the genereal enterprise network traffic and allowed to communicate with specific boxes (some are Windows 7 VM's, some are Windows 7 real machines and some are not computers but PLC and the like) in and out of the specific subnet. The needed traffic needs to be integrity protected and in some cases encrypted even though it is all within the Intranet. I must do this within the Windows 7 machines only as I have no active directory/server capabilities. I am cmd/vba/vbs/wsh/netsh/powershell 1/2/3 fluent.

    I have set up an isolated  virtual network with two Windows 7 enterprise VM's in VMware workstation 9 on my lab machine (aka sandbox). I have been experimenting with the firewall settings at group policy level (via gpedit.msc). As an added verification I am using a third linux VM with Backtrack to sniff the traffic and pen test.

    Here are the steps I have completed so far:
    1. All firewall capability disabled and verified connection between the two Windows 7 machines and ease of penetration. 
    2. Enabled the firewalls and set them to block ALL traffic to verify no communication between the two machines and impossibility of penetration.
    3. Firewalls enabled but allowing connection between the two boxes by IP. I verified comms and lack of datastream encryption and vulnerability to man in the middle.
    4. Firewalls enabled but allowing connection between the two boxes by preshared key. I verified comms and datastream encryption and hardening to man in the middle.
    5. SSL certs: I cannot get this to work. I am at a loss.

    Can anyone point me in the direction of documentation on how to employ certificates and more advanced cryptographic/integrity methods (as compared against the unsafe preshared key option) using Windows 7 firewall? I have perused "Windows Firewall with Advanced Security Learning Roadmap" but am still having no luck. I am admittedly short on knowledge when it comes to this application of certificates.

    With the recent security events related to destruction of real world equipment in industrial environments by the bad guys, the situation I find this system in has me very nervous. Not to mention the automated computer maintenance and port scans employed by the well meaning enterprise IT contractor that have shutdown some systems and behaved like a malevolent DDoS.

    Regards,

    Thomas Scharmann

    Tuesday, February 05, 2013 10:57 PM

Answers

  • Hi Thomas,

    After reading what you are trying to accomplish, I thought of an idea which may or may not work.  I have not tested it and this point not even sure if it can be configured this way but I wanted to put it out there for consideration.  If there are others out there who have experience with this, please chime in if this can or cannot work.

    We have a several remote offices within US and some outside of US.  In order to setup secure communications between remote offices and the main office, we employed the use of IPSEC/GRE tunnels.

    So what I was thinking is that if we can treat each of your Windows 7 machines as a remote office and build a secure tunnel for each machine, all the communication between them can be secure.  Also with ACL (Access Control List) on a router, we can control which machines can talk to each other.

    Like I said, it something that may or may not work.  The diagram below gives bit more details on the idea but it is a very high level description.

    Regards,

    Shahid Chaudhary

    Thursday, February 07, 2013 2:13 PM