IP filtering

Guest

I have an Internet-VPN setup using IPsec and company owned PCs will be using a combination of non-company LAN, broadband and dialup Internet access. I am happy that while the IPsec-VPN client is running that the PC is isolated from the Internet, but the system will likely be "online" without the VPN-Client running :(

We wish to deny all direct Internet access and only permit access to company service through the VPN-tunnel.
Is the IP filtering (IPsecurity ?) facility in Windows capable of limiting IP connections to only IPsec, preferably to a single destination? I have looked at Personal Firewalls but not found one that can be restrictive.

To complicate matters, we want the same XP system to have full IP connectivity to company LAN and WAN while directly connected to a company LAN.

So, if Windows TCP/IP filtering can do it, can this be invoked only when a condition fails e.g. when a repetitive DNS query to company internal DNS fails - invoke the filters. A reboot would be okay.

Any help and suggestions welcome.

John Hamilton
Edinburgh (UK)
 
Roger Abell

HammY said:
I have an Internet-VPN setup using IPsec and company owned PCs will be
using a combination of non-company LAN, broadband and dialup Internet
access. I am happy that while the IPsec-VPN client is running that the PC
is isolated from the Internet, but the system will likely be "online" without
the VPN-Client running :(
We wish to deny all direct Internet access and only permit access to
company service through the VPN-tunnel.
Is the IP filtering (IPsecurity ?) facility in Windows capable of limiting
IP connections to only IPsec, preferably to a single destination? I have
looked at Personal Firewalls but not found one that can be restrictive.
To complicate matters, we want the same XP system to have full IP
connectivity to company LAN and WAN while directly connected to a company LAN.
So, if Windows TCP/IP filtering can do it, can this be invoked only
when a condition fails e.g. when a repetitive DNS query to company internal
DNS fails - invoke the filters. A reboot would be okay.
Any help and suggestions welcome.

John Hamilton
Edinburgh (UK)

I am not aware of an off-the-shelf setting that does the kinds of
things that you indicate in your last paragraph - basically tweaking
the network settings when some triggers are detected. It could be
set to happen without too much coding . . .

However, IPsec can be used to allow full communications within
your LAN and not otherwise. This seems to make the detect and
tweak of your last paragraph unneeded.

The problems that I see in what you have outlined are
- whether MS IPsec will get along well with this IPsec/VPN
that you are using
- how you will allow people to get their network connection
from an ISP and tunnel over those IPs within your VPN if you
also are going to use IPsec to refuse use of the internet. It would
seem that they will have to use not just any provider as an ISP
but only ones that offer VPN services for you.
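
The filter set discussed in this thread, as an added example that is not from either poster: a small Python model of a block-all policy with permits only for IKE (UDP 500) and ESP to a single VPN gateway. The gateway and other addresses are constructed documentation-range values, and the rule that the most specific matching filter wins is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values (documentation address ranges), not taken from the thread.
VPN_GATEWAY = "203.0.113.10"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Filter:
    dst: str               # destination network in CIDR form
    proto: str             # "udp", "tcp", "esp" or "any"
    dport: Optional[int]   # None matches any port (or a portless protocol)
    action: str            # "permit" or "block"

    def matches(self, dst_ip, proto, dport):
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        return (in_net and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def specificity(self):
        # Longer prefix, then named protocol, then named port => more specific.
        return (ipaddress.ip_network(self.dst).prefixlen,
                self.proto != "any", self.dport is not None)

# Deny everything outbound except what the tunnel itself needs.
POLICY = [
    Filter(ANY, "any", None, "block"),
    Filter(f"{VPN_GATEWAY}/32", "udp", 500, "permit"),   # IKE negotiation
    Filter(f"{VPN_GATEWAY}/32", "esp", None, "permit"),  # ESP (IP protocol 50)
]

def decide(policy, dst_ip, proto, dport=None):
    """Return the action of the most specific filter matching the packet."""
    hits = [f for f in policy if f.matches(dst_ip, proto, dport)]
    # Assumption of this model: traffic matching no filter is permitted.
    return max(hits, key=Filter.specificity).action if hits else "permit"

# Constructed sample traffic: (destination, protocol, destination port).
SAMPLES = [
    (VPN_GATEWAY, "udp", 500),        # tunnel setup
    (VPN_GATEWAY, "esp", None),       # tunnel payload
    (VPN_GATEWAY, "tcp", 443),        # gateway, but not an IPsec protocol
    ("198.51.100.7", "tcp", 80),      # direct web access
    ("255.255.255.255", "udp", 67),   # DHCP request to obtain an ISP address
]

if __name__ == "__main__":
    for dst, proto, port in SAMPLES:
        print(f"{dst:>15} {proto:<3} {port!s:<5} -> {decide(POLICY, dst, proto, port)}")
```

In this model the DHCP request is blocked along with everything else, which is the kind of ISP-side traffic the second point in the reply is concerned with.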
 
