TEE14 Scripted Demo 6 – Extended Port ACLs

My sixth TechEd Europe 2014 demo was a fun one: Extended Port ACLs, the Hyper-V feature that lets you apply network security rules at the virtual switch port, on the host, where an administrator inside the guest OS cannot see or override them.

There is a demo VM that is running IIS with a default site. The Windows Firewall is turned off in the guest OS, so the only thing filtering traffic is the port ACL. The script will:

  1. Clean up the demo lab by removing any leftover extended ACLs
  2. Open a window with a continuous ping to the VM, showing the open network status
  3. Start IE and browse to the VM's site
  4. Kill IE and apply an extended port ACL that denies all inbound traffic
  5. Re-open IE (with a flushed cache), which fails to load the site, while the continuous ping starts timing out
  6. Kill IE and create a second, higher-weight extended port ACL that allows inbound TCP 80
  7. Re-open IE to show the site is accessible again, while the pings continue to fail

There's plenty of process management and IE automation in this script, but the two cmdlets that matter are Add-VMNetworkAdapterExtendedAcl and Remove-VMNetworkAdapterExtendedAcl. Note the weights: the deny-all rule gets weight 1 and the HTTP allow gets weight 10. A higher weight takes precedence, so the narrow allow wins over the broad deny for inbound TCP 80 only, and everything else (including ICMP) stays blocked.

cls
$DemoVM   = "PortACLs"
$DemoHost = "portacls.demo.internal"
$DemoUrl  = "http://$DemoHost"

function Start-DemoIE {
    #Clear the IE cache first (8 = temporary internet files) so every page load is a real request to the VM
    RunDll32.exe "InetCpl.cpl,ClearMyTracksByProcess" 8
    $ie = New-Object -ComObject InternetExplorer.Application
    $ie.Visible = $true
    $ie.Top = 200; $ie.Width = 900; $ie.Height = 600; $ie.Left = 100
    $ie.Navigate($DemoUrl)
}

function Stop-DemoIE {
    Get-Process -Name IEXPLORE -ErrorAction SilentlyContinue | Stop-Process
}

#Clean up the demo to start with: remove any ACLs left over from a previous run
Get-VMNetworkAdapterExtendedAcl -VMName $DemoVM | Remove-VMNetworkAdapterExtendedAcl

Write-Host "Extended Port ACLs Demo"

#Continuous ping to the VM in its own window, showing the open network status
Start-Process Ping -ArgumentList "-t",$DemoHost

#Browse to the site while nothing is filtered
Start-DemoIE

#Block all traffic script block
Read-Host "Block all traffic to the VM"
Stop-DemoIE
Write-Host "`nAdd-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action Deny -Direction Inbound -Weight 1"
Start-Sleep 3
Write-Host "`nAll inbound traffic to the virtual machine is blocked" -ForegroundColor Red -BackgroundColor Yellow
Add-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action Deny -Direction Inbound -Weight 1
#Start IE to show the site is offline; the continuous ping starts timing out too
Start-DemoIE

#Put in web traffic exception script block
Read-Host "`n`n`nAllow HTTP traffic to the VM"
Stop-DemoIE
Write-Host "`nAdd-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action Allow -Direction Inbound -LocalPort 80 -Protocol TCP -Weight 10"
Start-Sleep 3
Write-Host "`nAll inbound traffic to the virtual machine is blocked EXCEPT for HTTP" -ForegroundColor Red -BackgroundColor Yellow
#Weight 10 beats the weight 1 deny, but only for inbound TCP 80; ping keeps failing
Add-VMNetworkAdapterExtendedAcl -VMName $DemoVM -Action Allow -Direction Inbound -LocalPort 80 -Protocol TCP -Weight 10
#Start IE to show that the website is now back online, despite all other traffic being blocked
Start-DemoIE

Read-Host "`n`n`nEnd the demo"

#Clean up after the demo
Get-Process -Name Ping -ErrorAction SilentlyContinue | Stop-Process
Stop-DemoIE
Get-VMNetworkAdapterExtendedAcl -VMName $DemoVM | Remove-VMNetworkAdapterExtendedAcl
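The demo only filters inbound traffic, so the VM can still open any outbound connection it likes. The block below is an added example, not part of the original demo script, showing how the same cmdlets lock a VM down in both directions and how to verify from the host what the switch port actually enforces. It goes further than the demo: a default deny in each direction, a stateful allow for inbound HTTP so the replies get out past the outbound deny, and a stateful outbound allow for DNS to a named resolver. The VM name PortACLs, the host name portacls.demo.internal and the resolver address 10.0.0.10 are assumptions for the example; a VM with more than one NIC would need -VMNetworkAdapterName on every call to scope the rules to the right adapter.

```powershell
# Added example (not from the original post): restrict a Hyper-V VM to inbound HTTP
# plus outbound DNS, then verify the result from the host.
# Assumptions: VM "PortACLs", reachable as portacls.demo.internal, one NIC,
# and a DNS resolver at 10.0.0.10 (all constructed for this example).

$VMName    = "PortACLs"
$VMHost    = "portacls.demo.internal"
$DnsServer = "10.0.0.10"

function Set-HttpOnlyAcl {
    param([string]$Name, [string]$Dns)

    # Start from a clean slate so rules from an earlier run cannot interfere with the weights below.
    Get-VMNetworkAdapterExtendedAcl -VMName $Name | Remove-VMNetworkAdapterExtendedAcl

    # Lowest weights are evaluated last: default deny in BOTH directions.
    # The TechEd demo only denies inbound and leaves outbound open.
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Action Deny -Direction Inbound  -Weight 1
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Action Deny -Direction Outbound -Weight 2

    # Higher weight wins. -Stateful $true lets the reply packets of an allowed flow pass
    # without a matching rule in the other direction; without it the outbound deny above
    # would drop the web server's responses.
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Action Allow -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Weight 10 -Stateful $true

    # The web server still needs name resolution: allow UDP 53 only to the known resolver.
    Add-VMNetworkAdapterExtendedAcl -VMName $Name -Action Allow -Direction Outbound `
        -Protocol UDP -RemotePort 53 -RemoteIPAddress $Dns -Weight 11 -Stateful $true
}

function Test-HttpOnlyAcl {
    param([string]$Name, [string]$TargetHost)

    # Read back what is enforced on the switch port rather than trusting what was set,
    # highest weight first within each direction (the order the rules win in).
    Get-VMNetworkAdapterExtendedAcl -VMName $Name |
        Sort-Object Direction, @{ Expression = "Weight"; Descending = $true } |
        Format-Table Direction, Action, Protocol, LocalPort, RemotePort, RemoteIPAddress, Weight, Stateful -AutoSize

    # Expected: TCP 80 reachable, ICMP blocked. Both cmdlets return $true/$false in quiet mode.
    $http = Test-NetConnection -ComputerName $TargetHost -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
    $icmp = Test-Connection -ComputerName $TargetHost -Count 2 -Quiet

    [pscustomobject]@{
        HttpReachable = $http
        PingReplies   = $icmp
        PolicyHolds   = ($http -and -not $icmp)
    }
}

Set-HttpOnlyAcl  -Name $VMName -Dns $DnsServer
Test-HttpOnlyAcl -Name $VMName -TargetHost $VMHost
```

Run it from the Hyper-V host (the VM cmdlets need the Hyper-V module and local administrator rights there). The guest administrator can disable the Windows Firewall as in the demo and it changes nothing; the only place these rules can be altered is the host, which is the point of the feature and also the reason host access needs to be guarded as tightly as the VMs it protects.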
