Re: Microsoft Strategic Technology Protection Program

From: Kurt Seifried (listuser@SEIFRIED.ORG)
Date: 10/11/01


Message-ID:  <016c01c15283$a8192c60$6400030a@seifried.org>
Date:         Thu, 11 Oct 2001 12:36:34 -0600
From: Kurt Seifried <listuser@SEIFRIED.ORG>
Subject:      Re: Microsoft Strategic Technology Protection Program
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


>IPSec, on the other hand, does not provide stateful inspection of
>packets, and consequently does not distinguish between inbound and
>outbound sessions. It only notes port numbers on the end points. So,
>if you set up a mirrored filter in IPSec, specifying that any random
>port on the local computer can communicate with the port 80 of any
>outside computer, just like you would do in a true firewall, remote
>hackers can then scan and attack all of your open local ports as long as
>they are working from port 80.
>
>It is worth keeping in mind this limitation of IPSec while implementing
>filtering solutions with it.

Uhhh. Only if you allow remote clients to establish sessions with your
IPSec-capable systems, i.e. IPSec without authentication or publicly posted
details or something (and we are nowhere near opportunistic IPSec yet). As
for something on the other end of a legitimate IPSec connection scanning you,
this is of course possible; IPSec is opaque to firewalls (sort of the whole
point). As for gateway/subnet clients to your subnet, simply place a firewall
behind the IPSec machine. These same problems of course apply to IDS. My
upcoming paper covers these issues and more.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
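
Added example (not part of the original thread, and not a model of the Windows IPSec policy engine itself): a simplified Python comparison of the mirrored port-80 permit filter described in the quoted message with a filter that tracks outbound sessions. The addresses, ports, and function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample traffic; addresses come from documentation ranges (RFC 5737).
Packet = namedtuple("Packet", "src sport dst dport")
LOCAL = "192.0.2.10"  # assumed address of the filtered host

def stateless_mirrored_permit(pkt):
    """Mirrored rule 'local:any <-> any:80': matches on endpoints only."""
    outbound = pkt.src == LOCAL and pkt.dport == 80
    inbound = pkt.dst == LOCAL and pkt.sport == 80  # the mirror half of the rule
    return outbound or inbound

class StatefulFilter:
    """Permit outbound to port 80; permit inbound only as a reply to a tracked flow."""
    def __init__(self):
        self.flows = set()

    def permit(self, pkt):
        if pkt.src == LOCAL and pkt.dport == 80:
            # Remember the session the local host opened.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: reverse the tuple and require a matching outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def evaluate(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_mirrored_permit(p), stateful.permit(p)) for p in packets]

SAMPLE = [
    Packet(LOCAL, 49152, "198.51.100.7", 80),   # local client opens a web session
    Packet("198.51.100.7", 80, LOCAL, 49152),   # server's reply to that session
    Packet("203.0.113.5", 80, LOCAL, 5000),     # unsolicited inbound, source port 80
    Packet("203.0.113.5", 4444, LOCAL, 5000),   # unsolicited inbound, other source port
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateless={stateless}  stateful={stateful}")
```

Only the third packet is judged differently: the endpoint-only rule passes it because its source port is 80, while the session-tracking filter drops it because no outbound flow matches.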
