Re: Microsoft Strategic Technology Protection Program
From: Tony Chow (tchow@BLUETENTACLE.COM)
Date: 10/11/01
- Previous message: David LeBlanc: "Re: New IIS Lockdown tool from Microsoft"
- Maybe in reply to: Russ: "Microsoft Strategic Technology Protection Program"
- Next in thread: Kurt Seifried: "Re: Microsoft Strategic Technology Protection Program"
- Reply: Kurt Seifried: "Re: Microsoft Strategic Technology Protection Program"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <50B30C640EC48648ABAA34F00D737A96CDAA@leto.bluetentacle.local>
Date: Thu, 11 Oct 2001 11:04:54 -0700
From: Tony Chow <tchow@BLUETENTACLE.COM>
Subject: Re: Microsoft Strategic Technology Protection Program
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> AFAIK, IPsec filters can distinguish incoming and outgoing traffic.
> However, the default setting when specifying a filter in the 'IP
> Security Policies' plugin in the MMC is 'Mirrored'
> (equivalent to a '+'
> instead of '=' when specifying rule via ipsecpol), whose immediate
> effect is to effectively produce two rules, for incoming and outgoing
> traffic. You can uncheck this option and specify different rules for
> inbound and outbound traffic.
Perhaps I should have been more clear. I'm talking about inbound and
outbound TCP *sessions*. In a firewall you can configure, say, port 80
on a local web server address to only accept client-initiated *sessions*
(inbound sessions). This would mean that the web server cannot use port
80 on its end to initiate sessions and request service from the client
side. Conversely, you can specify on a firewall to allow clients
inside the firewall to initiate sessions with port 80 of outside
web servers, so that they may browse the web (outbound sessions). The
outside web server cannot initiate a session on its 80 with ports on the
client side.
This is known as stateful packet inspection, and most modern firewalls
provide it. Such firewalls treat inbound and outbound TCP sessions
differently, even though they are both bidirectional in the raw IP
sense.
IPSec, on the other hand, does not provide stateful inspection of
packets, and consequently does not distinguish between inbound and
outbound sessions. It only notes port numbers on the end points. So,
if you set up a mirrored filter in IPSec, specifying that any random
port on the local computer can communicate with the port 80 of any
outside computer, just like you would do in a true firewall, remote
hackers can then scan and attack all of your open local ports as long as
they are working from port 80.
It is worth keeping in mind this limitation of IPSec while implementing
filtering solutions with it.
> On the other hand, if you need to filter on ICMP messages (type and
> code), you can use the packet filtering possibilities of the RRAS
> service.
That is an option.
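The distinction drawn above, as an added example that is not from the original post or the list: a small Python model of a stateless, mirrored port filter (IPsec-style, matching only addresses and ports) beside a stateful rule that tracks which side opened the session. The addresses, ports and packets are constructed; the classes and functions are hypothetical and not part of any Windows tool.

```python
# Added example (not part of the original post): a toy model contrasting a
# stateless "mirrored" IPsec-style port filter with a stateful firewall rule.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set

LOCAL = "10.0.0.5"  # constructed address of the local host

def mirrored_filter_allows(p: Packet) -> bool:
    """Stateless rule 'local any <-> remote 80', mirrored.

    Like an IPsec filter it looks only at addresses and ports, never at
    which side established the session or at TCP flags."""
    outbound = p.src == LOCAL and p.dport == 80
    mirrored = p.dst == LOCAL and p.sport == 80
    return outbound or mirrored

class StatefulFirewall:
    """Allows only sessions the local host initiates to remote port 80."""
    def __init__(self):
        self.sessions = set()  # (local_port, remote_addr, remote_port)

    def allows(self, p: Packet) -> bool:
        if p.src == LOCAL and p.dport == 80 and p.syn and not p.ack:
            self.sessions.add((p.sport, p.dst, p.dport))  # new outbound session
            return True
        if p.src == LOCAL and (p.sport, p.dst, p.dport) in self.sessions:
            return True  # further packets of a tracked session
        if p.dst == LOCAL and (p.dport, p.src, p.sport) in self.sessions:
            return True  # reply traffic belonging to a tracked session
        return False  # unsolicited inbound, even when sent from source port 80

def demo():
    fw = StatefulFirewall()
    # Constructed traffic: a legitimate outbound web session ...
    syn = Packet(LOCAL, 40000, "203.0.113.10", 80, syn=True)
    reply = Packet("203.0.113.10", 80, LOCAL, 40000, syn=True, ack=True)
    # ... and an unsolicited probe from a remote host using source port 80
    probe = Packet("203.0.113.99", 80, LOCAL, 445, syn=True)
    return {
        "mirrored": [mirrored_filter_allows(p) for p in (syn, reply, probe)],
        "stateful": [fw.allows(p) for p in (syn, reply, probe)],
    }
```

The mirrored filter passes all three packets, including the unsolicited probe; the stateful rule passes the session and its reply but drops the probe because no local-initiated session matches it.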