RE: TCP/IP Filtering problem on W2KAS
From: garberoa@WellsFargo.COM Date: 02/05/02
- Previous message: Laura A. Robinson: "Re: Question regarding attack"
- Maybe in reply to: Turner, Keith: "TCP/IP Filtering problem on W2KAS"
- Next in thread: Jean-Baptiste Marchand: "Re: TCP/IP Filtering problem on W2KAS"
- Reply: Jean-Baptiste Marchand: "Re: TCP/IP Filtering problem on W2KAS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: garberoa@WellsFargo.COM To: KSkinner@sandstream.com, garberoa@WellsFargo.COM, TurnerL@tea-emh1.army.mil, focus-ms@securityfocus.com Date: Mon, 4 Feb 2002 16:20:01 -0800
These are definitely legitimate security concerns of the Win2K
implementation of IPSec. I have employed this technique to bypass IPSec port
filtering on Windows 2000 boxen.
Port filtering with IPSec leaves you vulnerable because only the source port
is examined. Try this experiment with a Windows 2000 box that has IPSec port
filtering applied (without the NoDefaultExempt setting applied):
1. Run a TCP port scan with your favorite scanner. You should see only
those ports that are not screened by the IPSec filter.
2. Run the same port scan, specifying TCP 88 as your source port.
3. Compare results.
For UDP scans use source port 500.
IPSec filtering on Windows 2000 doesn't care what service you are connecting
to. By using an exempt source port, you can pass right through. FWIW, based
on what I have heard from folks that work with MS, .NET server will ship
with an option to examine both source and destination ports.
Best Regards,
Andrew Garberoglio, MCSE, CISSP
Middleware Engineer/Architect
Wells Fargo Services, Internet Technology Services
"Let us prepare to grapple with the ineffable itself, and see if we may not
eff it after all"
-Douglas Adams
> -----Original Message-----
> From: Skinner, Kit [mailto:KSkinner@sandstream.com]
> Sent: Monday, February 04, 2002 3:32 PM
> To: 'garberoa@WellsFargo.COM'; TurnerL@tea-emh1.army.mil;
> focus-ms@securityfocus.com
> Subject: RE: TCP/IP Filtering problem on W2KAS
>
> Obviously, locking out NoDefaultExempt will allow you to filter Broadcast
> and Multi-Cast as well, but what are the concerns of IKE and Kerberos?
> Kerberos would only come into play if you had a domain controller you were
> authenticating against. However, IKE (UDP 500) is what would be used to
> negotiate the security during the communication.
>
> What are the vulnerabilities of leaving these open? The main concern
> would be IKE because all servers would use this. Wouldn't this traffic be
> encrypted as well? Perhaps if you were doing certificate encryption with
> IPSec, you could send bad security negotiations to this port to cause a
> DoS, but you would hope it would have a higher threshold than your
> Internet connection.
>
> Security is always a factor of usability vs. security, and I have to
> wonder if these are legitimate security concerns of IPSec or if these are
> simply an indication that multiple levels of security are always needed?
> As David Ellis points out, don't use IPSec filters as a replacement for a
> firewall, but rather a backup. But for an environment when you have
> internal servers and you can't afford a firewall at every port, this
> becomes a very useful tool.
>
> Thanks,
> -K
>
> -----Original Message-----
> From: garberoa@WellsFargo.COM [ <mailto:garberoa@WellsFargo.COM>]
> Sent: Monday, February 04, 2002 2:30 PM
> To: johnlmorello@hotmail.com; TurnerL@tea-emh1.army.mil;
> focus-ms@securityfocus.com
> Subject: RE: TCP/IP Filtering problem on W2KAS
>
>
> Gentlemen,
>
> Bypassing Windows 2000 IPSec port filtering is trivial. One can specify an
> exempt source port, and pass right through (see Traffic That Can--and
> Cannot--Be Secured by IPSec (Q253169)
> <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q253169> ).
> Even if NoDefaultExempt is enabled, IKE traffic is still exempt (See
> <http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/au091100.asp> ).
>
> Best Regards,
>
> Andrew Garberoglio, MCSE, CISSP
> Middleware Engineer/Architect
> Wells Fargo Services, Internet Technology Services
>
> "Let us prepare to grapple with the ineffable itself, and see if we may not
> eff it after all"
> -Douglas Adams
>
>
> -----Original Message-----
> From: John Morello [ <mailto:johnlmorello@hotmail.com>]
> Sent: Monday, February 04, 2002 8:52 AM
> To: 'Turner, Keith'; focus-ms@securityfocus.com
> Subject: RE: TCP/IP Filtering problem on W2KAS
>
>
> Keith-
> I've seen some strange behavior with the regular IP filtering on
> Win2000. I've found that using IPSec is a much more powerful and
> reliable mechanism for locking down your TCP and UDP ports. Check out
> this column on the MS website for detailed instructions:
>
> Using IPSec to Lock Down a Server
> <http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp>
>
> -----Original Message-----
> From: Turner, Keith [ <mailto:TurnerL@tea-emh1.army.mil>]
> Sent: Monday, February 04, 2002 8:15 AM
> To: focus-ms@securityfocus.com
> Subject: TCP/IP Filtering problem on W2KAS
>
>
> I've enabled TCP/IP filtering on a W2KAS IIS server. As a result, the
> server can no longer use DNS (as a client). According to MSKB Q309798,
> "TCP/IP Filtering can filter only inbound traffic. This feature does not
> affect outbound traffic or response ports that are created to accept
> responses from outbound requests." So, in theory, I should not have to add
> *any* ports to the "allowed" list for the IIS server to be able to start a
> conversation with a dns server and receive an answer. I started a capture
> with network monitor, opened nslookup and fired off a few dns queries. The
> query is making it to the dns server, which is responding with an answer.
> Network Monitor sees this answer, but nslookup never gets it.
> Does anyone have any suggestions on how to get dns queries working with
> TCP/IP filtering? If I remember correctly, this worked fine in NT4.
>
> Thanks,
> Keith
>
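As an added illustration (not code from this thread or any of its posters), the following Python models the source-port-only exemption that the thread describes for Windows 2000 IPSec filtering next to an assumed two-sided rule, and runs a simple check over constructed flow-log lines to flag traffic that rides an exempt source port (TCP 88 or UDP 500, as named above) into a screened service. The log format, the allowed-port set for the model host, the ephemeral-port threshold and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Exempt source ports named in the thread: Kerberos (TCP 88) and IKE (UDP 500).
EXEMPT_PORTS = {"TCP": {88}, "UDP": {500}}

# Assumption for the model host (an IIS server): the inbound services it
# intends to expose. Everything else is meant to be screened by the filter.
ALLOWED_INBOUND = {"TCP": {80, 443}, "UDP": set()}

# Assumption: replies to the host's own outbound requests land at or above here.
EPHEMERAL_START = 1024

# Constructed flow-log format: "<PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*$")


def parse_flow(line):
    """Parse one constructed flow-log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src_ip, sport, dst_ip, dport = m.groups()
    return {"proto": proto, "src_ip": src_ip, "src_port": int(sport),
            "dst_ip": dst_ip, "dst_port": int(dport)}


def legacy_permits(flow):
    """Source-port-only exemption, as the thread describes for Windows 2000:
    any packet whose source port is exempt passes, whatever the destination."""
    if flow["src_port"] in EXEMPT_PORTS[flow["proto"]]:
        return True
    return flow["dst_port"] in ALLOWED_INBOUND[flow["proto"]]


def two_sided_permits(flow):
    """Assumed hardened rule: the exemption applies only when the destination
    is also the exempt service (e.g. IKE 500 -> 500) or an ephemeral port,
    which is where a KDC's reply to this host's own Kerberos request lands."""
    proto = flow["proto"]
    if flow["src_port"] in EXEMPT_PORTS[proto]:
        return (flow["dst_port"] in EXEMPT_PORTS[proto]
                or flow["dst_port"] >= EPHEMERAL_START)
    return flow["dst_port"] in ALLOWED_INBOUND[proto]


def find_exempt_port_abuse(lines):
    """Return {src_ip: sorted [(proto, dst_port), ...]} for flows that the
    legacy rule lets through but the two-sided rule would block."""
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than abort the whole pass
        if legacy_permits(flow) and not two_sided_permits(flow):
            hits[flow["src_ip"]].add((flow["proto"], flow["dst_port"]))
    return {ip: sorted(ports) for ip, ports in hits.items()}


# Constructed sample flows (not real capture data).
SAMPLE_FLOWS = [
    "TCP 10.0.0.5:88 -> 10.0.0.20:135",
    "TCP 10.0.0.5:88 -> 10.0.0.20:139",
    "TCP 10.0.0.5:88 -> 10.0.0.20:445",
    "TCP 10.0.0.9:88 -> 10.0.0.20:1052",   # KDC reply to an ephemeral port: benign
    "UDP 10.0.0.5:500 -> 10.0.0.20:161",
    "UDP 10.0.0.7:500 -> 10.0.0.20:500",   # genuine IKE exchange
    "TCP 10.0.0.8:3377 -> 10.0.0.20:80",   # ordinary web request
    "TCP 10.0.0.8:3378 -> 10.0.0.20:445",  # screened by both rules
    "garbage line",
]

if __name__ == "__main__":
    for ip, ports in find_exempt_port_abuse(SAMPLE_FLOWS).items():
        print(ip, ports)
```

Run against the sample, only 10.0.0.5 is reported, for TCP 135, 139, 445 and UDP 161: those are flows the source-port-only rule would admit that a rule examining both ends would not. The ephemeral-port allowance is what keeps a legitimate KDC reply out of the report; a real policy would also need the host's own outbound state rather than a fixed threshold.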