Re: Microsoft Strategic Technology Protection Program

From: Tony Chow (tchow@BLUETENTACLE.COM)
Date: 10/12/01

Message-ID:  <50B30C640EC48648ABAA34F00D737A96CDAC@leto.bluetentacle.local>
Date:         Fri, 12 Oct 2001 11:47:24 -0700
From: Tony Chow <tchow@BLUETENTACLE.COM>
Subject:      Re: Microsoft Strategic Technology Protection Program

Delivery co-sponsored by GFI Software
LANguard Security Event Log Monitor offer!

Catch hackers red-handed with LANguard S.E.L.M.! Provides intrusion
detection through centralized NT/2000 security event log monitoring.
Extensive reporting identifies all machines being targeted & local users
trying to hack. Download your FREE starter pack today:;
List message follows...

> Uhhh. Only if you allow remote clients to establish sessions
> with your IPSec
> capable systems, i.e. IPSec without authentication or publicly posted
> details or something (and we are nowhere near opportunistic
> IPSec yet). As
> for something on the other end of a legitimate IPSec
> connection scanning you
> this is of course possible, IPSec is opaque to firewalls
> (sort of the whole
> point). As for gateway/subnet clients to your subnet simply
> place a firewall
> behind the IPSec machine. These same problems of course apply
> to IDS. My
> upcoming paper covers these issues and more.

I absolutely agree that IPSec used without encryption/authentication is
a suboptimal replacement for firewall. However, for environments that
cannot implement a firewall or NAT for one reason or another (like some
academic environments where network and systems administrations are
separate) and need to filter unencrypted, unauthenticated traffic to and
from external clients, IPSec can be a useful filter if implemented
properly. In a firewall-enabled environment, filter-only IPSec is a
legitimate, second line of defense working on the machine level rather
than the segment level, should the latter fail.

There is a ham-handed way to reduce the risk of IPSec's inability to
distinguish the direction of sessions. If you absolutely need to block
all traffic to and from a computer and allow only outbound traffic to a
common server port like port 80 (so that the computer can browse the web
and do nothing else), you can specify this rule:

my ip<-->any ip at port 80: permit

AND THEN, specify a bounch of additional rules prohibiting remote port
80 from communicating with all ports active on the local system:

my ip at CIFS<-->any ip at port 80: block
my ip at NetBIOS over TCP/IP<-->any ip at port 80: block
my ip at ident<-->any ip at port 80: block

etc, etc, etc. More specific rules override more general rules. Since
the second set of rules specify ports on both ends of the traffic, they
take precedence when conditions match.

Relevant Pages

  • Re: sysvol replication breaks when IPSec running between DCs & firewal
    ... Also have a look here about UDP port 500: ... open the firewall for ports required by IPSec, ... We have two root DCs and three child domain DCs. ...
  • Re: UDP Port 500 open
    ... I use a free software firewall ... >> I have recently installed a firewall and it says that UDP Port 500 is ... > ISAKMPD uses this port to negotiate IPSec. ... >> perhaps a registry key and/or disabling some service or other in ...
  • Re: To IPSec Packet Filter OR Not To IPSec Packet Filter - that is the question
    ... an IPSec policy that should be sufficiently restrictive for your purposes. ... Client's Source port is ANY ... then how can I create an IPSec filter that blocks all ...
  • Re: IPSEC
    ... IPSEC works differently than a firewall in that a firewall will allow ... IPSEC will not allow any inbound traffic regardless of the origin, ... A quick and easy way to assign an IPSEC policy is to search the Microsoft ... > I block ALL inbound traffic on ANY port, ...
  • Re: VPN client will not connect behind firewall
    ... My firewall does not have any special rules to forward port 4500. ... does have the option to allow IPSec pass through enabled. ... used the VPN wizard to make a client VPN, ...