Re: ipsecpol on Windows 2000
From: Rich Wilson (wk633@yahoo.com)
Date: 12/25/02
- In reply to: Eric: "Re: ipsecpol on Windows 2000"
- Next in thread: Hahn, Jacob: "RE: ipsecpol on Windows 2000"
Date: Tue, 24 Dec 2002 22:56:46 -0800 (PST)
From: Rich Wilson <wk633@yahoo.com>
To: Eric <ews@tellurian.net>, focus-ms@securityfocus.com
Using IPSec as a backup port filter seems to be so popular that I wonder why
nobody else seems to run into the same problem I did.
To use IPSec to port filter a server, you cannot allow any TCP client services
on the server. In particular, DNS, in order to do reverse lookups, would have
to be UDP only. DNS needs TCP for any responses that won't fit into UDP. Some
resolvers actually use TCP all the time, e.g. the SMTP service on IIS, I've been
told.
The problem is that IPsec doesn't inspect the TCP flags to determine the state
of the connection. It has no way of knowing if a packet from port 53 on the
outside to a random port on the inside is part of an existing connection, or an
attempt at a new connection. As long as you have a rule allowing TCP packets
between any port on the server, and port 53 on any IP, you will also be
allowing packets from port 53 on any IP to any port on the server.
--- Eric <ews@tellurian.net> wrote:
> to remove all dynamic IPSec policies, use -u
>
> ipsecpol -u
>
> I did a small writeup on using ipsecpol from both GUI and CL the other day
> - available here:
>
> http://hfnetchk.shavlik.com/support/ipsec/ipsec_scan.htm#Scanning_Secured_Machines_Using_IPSec_Port_Filters/Creating_IPSec_Port_Filters_from_the_command_line/Windows_2000.htm
>
> (url may be wrapped)
>
>
>
> At 11:51 PM 12/17/2002 +0000, Damon McMahon wrote:
>
>
> >Greetings,
> >
> >I've been experimenting with ipsecpol from the Windows
> >2000 Resource Kit to work as a backup firewall for my
> >Windows 2000 Professional gateway.
> >
> >On pages 223-4 of 'Hacking Exposed' (2nd ed) Scambray,
> >McClure & Kurtz outline using IPSec filters to filter
> >traffic on an internet-exposed Win 2000 host using
> >ipsecpol from the Resource Kit. For example (ONLY an
> >example!)
> >
> > ipsecpol -f [0+*::ICMP]
> >
> >creates a dynamic rule to drop all icmp packets.
> >
> >This dynamic rule is implemented successfully [tested]
> >but what I can't do is remove it! I've tried:
> >
> > ipsecpol -f (0+*::ICMP)
> >
> >which the documentation says should create a
> >pass-through filter for the filtering criteria - and I
> >would assume would override the previous block filter.
> >However, icmp traffic is still dropped, and the only
> >way to remove the rule I can determine is to restart
> >the IPSec Policy Agent service.
> >
> >What am I doing wrong?
> >
> >Note that (if possible) I want to create dynamic
> >filters rather than static filters.
>
>
=====
| __o
| -\<,
| 0/ 0
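The gap Rich describes (an IPsec port filter matches addresses and ports only, so a rule permitting TCP between the server and port 53 also admits inbound connection attempts whose source port happens to be 53) can be shown with a small stateless-versus-flag-aware comparison. This is an added example, not code from the thread; the server address, the sample packets and the flag-aware variant are constructed for illustration, and the flag-aware check only approximates what a real stateful filter tracks.

```python
from dataclasses import dataclass

SERVER = "10.0.0.5"  # constructed: the IPsec-filtered Windows 2000 host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def ipsec_rule_allows(pkt: Packet) -> bool:
    """Mirrored port filter as IPsec applies it: TCP between any port on the
    server and port 53 on any host, both directions. TCP flags are never read."""
    outbound = pkt.src == SERVER and pkt.dport == 53
    inbound = pkt.dst == SERVER and pkt.sport == 53
    return outbound or inbound


def flag_aware_allows(pkt: Packet) -> bool:
    """Hypothetical flag-aware variant of the same rule: an inbound packet
    carrying SYN without ACK is a new-connection attempt and is dropped."""
    if pkt.src == SERVER and pkt.dport == 53:
        return True
    if pkt.dst == SERVER and pkt.sport == 53:
        return not (pkt.syn and not pkt.ack)
    return False


# Constructed traffic: a legitimate TCP lookup, its reply, and an inbound
# connection attempt to another service that merely uses source port 53.
TRAFFIC = {
    "query": Packet(SERVER, 1030, "192.0.2.10", 53, syn=True),
    "reply": Packet("192.0.2.10", 53, SERVER, 1030, syn=True, ack=True),
    "sport53_syn": Packet("198.51.100.7", 53, SERVER, 445, syn=True),
}


def compare(traffic=TRAFFIC) -> dict:
    """Return {name: (ipsec filter verdict, flag-aware verdict)} per packet."""
    return {n: (ipsec_rule_allows(p), flag_aware_allows(p)) for n, p in traffic.items()}


if __name__ == "__main__":
    for name, (ipsec, aware) in compare().items():
        print(f"{name:12} ipsec: {'pass' if ipsec else 'drop'}  flag-aware: {'pass' if aware else 'drop'}")
```

The third packet passes the port filter but not the flag-aware check, which is exactly the exposure the post describes.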