Re: Port Ranges in IPSec
From: Rich Wilson (wk633@yahoo.com) Date: 03/23/02
- Previous message: Morten Andersen: "Re: Port Ranges in IPSec"
- Maybe in reply to: Morten Andersen: "Re: Port Ranges in IPSec"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 22 Mar 2002 17:06:15 -0800 (PST) From: Rich Wilson <wk633@yahoo.com> To: "Jonathan G. Lampe" <jonathan@stdnet.com>, focus-ms@securityfocus.com
Short answer, no.
A couple of things to watch out for. If you're scripting this, be sure you
specify UDP and/or TCP. If you fall back to ANY, then non-port protocols
(everything but UDP and TCP AFAIK) will be allowed in. That is, if you have an
ANY rule, you will allow in ICMP, and you may not want to.
If you have any client services, then you will be open to attacks sourced from
the destination port of that rule. Say what? ok, e.g. you want to allow SMTP
traffic out. So you have a rule that allows host IP any port to any IP port
25. That will also allow any IP sourced from port 25 to connect to any port on
the host IP. IPSec doesn't inspect the TCP packet to decide if it is part of
an existing connection (no SYN flag) or an initial connection attempt (SYN flag
set).
As far as I'm concerned, IPSec port filtering is useful for stopping casual
client use of a server, and that's about it.
Ok, it will block ping and traceroute/tracert, but that's just obscurity.
--- "Jonathan G. Lampe" <jonathan@stdnet.com> wrote:
> I was doing a little work for a customer the other day who made extensive
> use of the IPSec PERMIT and DENY rules and filters on Windows 2000 to keep
> machines from receiving or emitting traffic. After some playing around
> with Veritas's BackupExec product, we found that we needed to define more
> than 50 IPSec filters to get the product to work. (BackupExec consumes 1
> TCP port for its agent (6103), plus 25xTCP/UDP ports for RPC (24001-24025
> recommended - some tinkering required), plus NetBIOS ports and UDP port 88
> for Kerberos.)
>
> It took almost an hour just to bang all this in.
>
> My question is...is there any way at all to define RANGES of ports in
> Windows 2000 IPSec without specifying each port individually?
>
> - Jonathan Lampe
> - jonathan@stdnet.com
>
=====
| __o
| -\<,
| 0/ 0
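The two hazards Rich describes (an ANY-protocol filter letting ICMP through, and a mirrored "any port to port 25" filter admitting new inbound connections sourced from port 25) both follow from IPSec filters being stateless 5-tuple matches. The following Python is an added model of that behaviour, not Microsoft's code and not part of the original thread; the addresses, the `Filter`/`Packet` types and the assumption that the MMC only lets you fill in ports for TCP and UDP are constructed for the example. It also counts the per-port filters that the quoted BackupExec RPC range needs, and contrasts the stateless verdict with the stateful check that a connection-tracking firewall would apply:

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = None  # wildcard for an address, port or protocol field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "TCP", "UDP", "ICMP", ...
    sport: Optional[int]  # None for protocols without ports
    dport: Optional[int]
    syn: bool = False     # TCP SYN flag; the stateless filter never looks at it


@dataclass(frozen=True)
class Filter:
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]   # None == ANY protocol
    sport: Optional[int]
    dport: Optional[int]
    action: str            # "PERMIT" or "BLOCK"

    def __post_init__(self):
        # Assumption modelled on the Windows 2000 MMC: port fields are only
        # available for TCP and UDP, so an ANY-protocol filter is ANY-port too.
        if self.proto not in ("TCP", "UDP") and (self.sport, self.dport) != (ANY, ANY):
            raise ValueError("ports can only be specified for TCP or UDP")

    def mirrored(self) -> "Filter":
        """The 'Mirrored' option: the same filter with source and destination swapped."""
        return Filter(self.dst, self.src, self.proto, self.dport, self.sport, self.action)

    def matches(self, p: Packet) -> bool:
        # Every field is either a wildcard or an exact match; no connection state.
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
                 (self.sport, p.sport), (self.dport, p.dport))
        return all(f is ANY or f == v for f, v in pairs)


def evaluate(filters: List[Filter], p: Packet, default: str = "BLOCK") -> str:
    """Stateless verdict: first matching filter wins, BLOCK if none matches."""
    for f in filters:
        if f.matches(p):
            return f.action
    return default


def mirrored_set(filters: List[Filter]) -> List[Filter]:
    """Expand each filter into itself plus its mirror, as a mirrored rule does."""
    return [g for f in filters for g in (f, f.mirrored())]


def expand_range(src, dst, proto, lo: int, hi: int, action="PERMIT") -> List[Filter]:
    """No port ranges in Windows 2000 IPSec: a range becomes one filter per port."""
    return [Filter(src, dst, proto, ANY, port, action) for port in range(lo, hi + 1)]


HOST = "10.0.0.5"          # constructed: the filtered host
REMOTE = "198.51.100.9"    # constructed: some remote address


def reverse_direction_exposure() -> str:
    """Outbound-SMTP rule, mirrored: a fresh inbound SYN from source port 25
    to any port on the host matches the mirror and is permitted."""
    rules = mirrored_set([Filter(HOST, ANY, "TCP", ANY, 25, "PERMIT")])
    return evaluate(rules, Packet(REMOTE, HOST, "TCP", 25, 3389, syn=True))


def any_protocol_exposure() -> str:
    """An ANY-protocol filter cannot carry ports, so it admits ICMP as well."""
    rules = mirrored_set([Filter(HOST, ANY, ANY, ANY, ANY, "PERMIT")])
    return evaluate(rules, Packet(REMOTE, HOST, "ICMP", None, None))


def backupexec_rpc_filters() -> List[Filter]:
    """The RPC range from the quoted question, TCP and UDP: 25 ports x 2 protocols."""
    return (expand_range(ANY, HOST, "TCP", 24001, 24025)
            + expand_range(ANY, HOST, "UDP", 24001, 24025))


Flow = Tuple[str, str, str, Optional[int], Optional[int]]


def stateful_verdict(flows: Set[Flow], p: Packet) -> str:
    """What IPSec filtering does NOT do: permit inbound TCP only as the reply to
    a flow the host opened itself, so a new SYN from port 25 is blocked."""
    if p.proto == "TCP" and p.syn:
        return "BLOCK"
    reply_of = (p.dst, p.src, p.proto, p.dport, p.sport)
    return "PERMIT" if reply_of in flows else "BLOCK"
```

Running `reverse_direction_exposure()` and `any_protocol_exposure()` both return `"PERMIT"`, which is the exposure the message warns about; `backupexec_rpc_filters()` comes to 50 filters before the agent, NetBIOS and Kerberos entries are added, matching the "more than 50" in the question. The mitigation is not a different IPSec filter but a stateful firewall in front of, or alongside, the IPSec policy, as `stateful_verdict` sketches.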