Re: IPsec vs any personal software firewall
From: Tod Beardsley (todb_at_planb-security.net)
Date: 09/30/03
- Previous message: Marc Fossi: "Article Announcement: Lost in Translation"
- In reply to: Lee Evans: "RE: IPsec vs any personal software firewall"
- Next in thread: Patrick Morris: "Re: IPsec vs any personal software firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ms@securityfocus.com
Date: Mon, 29 Sep 2003 20:03:58 -0500
Lee Evans wrote:
> "By default in Windows 2000 and Windows XP, broadcast, multicast,
> Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"
>
> So simply by forging a source port of 88 on any malicious traffic
> they bypass the IPSec filters.
>
> I believe this is changed for Windows 2003
It is.
http://support.microsoft.com/?kbid=810207
It's also possible to turn off this behavior post-SP1 on Windows 2000,
since this behavior is silly.
Service Pack 1 included a Registry setting that allows you to disable
the Kerberos ports, by turning off the IPSec driver exempt rule. And as
of SP4, it's purportedly the default behavior. Surprise!
http://support.microsoft.com/?kbid=811832
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
Type: DWORD
Value: 0 or 1. 1 removes the silliness.
--
"It's okay to yell 'fire' in a crowded theater if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
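A way to audit, and if needed apply, the NoDefaultExempt setting from PowerShell, as an added example that is not part of the original post or of Microsoft's KB articles; the function names are mine, while the key path, value name, type and 0/1 meaning are the ones given above.

```powershell
# Added example (not from the original post): check whether the Windows 2000
# IPsec driver's Kerberos/RSVP exemption has been turned off via the registry.
# Key and value name are those from KB 811832 as quoted in the post.
$IpsecKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'

function Get-IpsecDefaultExemptStatus {
    # Returns an object describing the current NoDefaultExempt state.
    $item = Get-ItemProperty -Path $IpsecKey -Name NoDefaultExempt -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: whatever the installed service pack does by default applies,
        # so flag it for review rather than assuming it is safe.
        $value = $null
        $state = 'NotConfigured'
    } else {
        $value = [int]$item.NoDefaultExempt
        $state = if ($value -eq 1) { 'ExemptionDisabled' } else { 'ExemptionEnabled' }
    }
    [pscustomobject]@{ Key = $IpsecKey; NoDefaultExempt = $value; State = $state }
}

function Set-IpsecNoDefaultExempt {
    # Hardening step: set NoDefaultExempt = 1 (DWORD) so traffic using the
    # Kerberos ports is no longer exempt from IPsec filtering. Needs admin rights.
    if (-not (Test-Path $IpsecKey)) { throw "IPSEC service key not found: $IpsecKey" }
    Set-ItemProperty -Path $IpsecKey -Name NoDefaultExempt -Value 1 -Type DWord
    Get-IpsecDefaultExemptStatus
}

# Audit only; call Set-IpsecNoDefaultExempt to apply the hardening value.
Get-IpsecDefaultExemptStatus | Format-List
```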