RE: IPsec vs any personal software firewall

From: Sam Steinmeyer (SamSteinmeyer_at_winn-dixie.com)
Date: 09/30/03

  • Next message: Tod Beardsley: "Re: IPsec vs any personal software firewall"
    To: 'Lee Evans' <lee@vital.co.uk>, 'Kamran Muzaffer' <kmahmed@cyber.net.pk>, focus-ms@securityfocus.com
    Date: Tue, 30 Sep 2003 07:52:47 -0400
    
    

    All,

    Info: The quote that Lee referenced is contained in this Microsoft article.
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
    ol/windowsserver2003/proddocs/deployguide/dnsbj_ips_dbmy.asp
            
    Note: IPSEC for windows 2000 and XP can be set to deny Kerberos and RSVP by
    setting the registry key

    HKLM\SYSTEM \CurrentControlSet \Services \IPSEC: NoDefaultExempt, DWORD=1

    At this point Windows 2000 and XP will allow Broadcast, multicast, and IKE
    traffic.

    XP goes one step farther by allowing you set the registry key

    HKLM\SYSTEM \CurrentControlSet \Services \IPSEC: NoDefaultExempt, DWORD=2

    This will block all the aforementioned traffic.

    IPSEC is not a replacement for a good firewall. However, it's a good back
    up for DMZ's that have multiple servers. If one server gets compromised all
    other servers within the scope of the compromised server could be
    compromised. Thus, IPSEC and a good firewall is the best plan.

    The information I've provided in this e-mail can be found at
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/s
    ecurity/askus/auas0801.asp

    Thanks,
             ______
            /_____/\ Harry Steinmeyer
           /____ \\ \ Senior Programmer
          /_____\ \\ / Winn-Dixie, Inc.
         /_____/ \/ / / (904) 370 - 5949
        /_____/ / \//\ rm -r /bin/laden
        \_____\//\ / /
         \_____/ / /\ /
          \_____/ \\ \
           \_____\ \\
            \_____\/
    "Science without religion is lame, religion without science is blind."
    Einstein, Albert (1879-1955)

    REMEMBER: IF IT ISN'T DOCUMENTED IT ISN'T DONE

    -----Original Message-----
    From: Lee Evans [mailto:lee@vital.co.uk]
    Sent: Monday, September 29, 2003 12:43 PM
    To: 'Kamran Muzaffer'; focus-ms@securityfocus.com
    Subject: RE: IPsec vs any personal software firewall

    Hi,

    IPSec filters are not a replacement for a firewall. There are many
    reasons for this, but the most obvious is that potential attackers can
    easily bypass any filters under a default configuration. From MS
    technet:

    "By default in Windows 2000 and Windows XP, broadcast, multicast,
    Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"

    So simply by forging a source port of 88 on any malicious traffic they
    bypass the IPSec filters.

    I believe this is changed for Windows2003

    Regards
    Lee

    -- 
    Lee Evans
    > -----Original Message-----
    > From: Kamran Muzaffer [mailto:kmahmed@cyber.net.pk] 
    > Sent: 26 September 2003 01:35
    > To: focus-ms@securityfocus.com
    > Subject: IPsec vs any personal software firewall
    > 
    > 
    > 
    > 
    > Hi,
    >  
    > I just want to know what is preferred from the machine 
    > utilization point of view, filtering traffic through IPsec or 
    > using any software firewall like Tiny Personal, Zone Alarm 
    > etc. Microsoft's documentation states that IPsec rules do 
    > affect the performance of the machine on which they are 
    > applied. Is there any proper guideline or 'thinks to 
    > remember' for implementing a performance and security 
    > affective IPsec or any firewall structure.
    >  
    > Thanks in advance.
    >  
    > Regards,
    > Kamran Muzaffer 
    > 
    > --------------------------------------------------------------
    > -------------
    > --------------------------------------------------------------
    > -------------
    > 
    > 
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: Tod Beardsley: "Re: IPsec vs any personal software firewall"

    Relevant Pages

    • Re: can xp act as server for vpn connection
      ... IPSEC L2TP connections won't work behind a NAT firewall without ... included in Windows XP... ... >>you can set the security policy on the client connection. ...
      (microsoft.public.windowsxp.work_remotely)
    • Re: Win2K Security & Firewall - long post
      ... IPSec, and more so some reasons why it might be a bad idea for MS to ... realize that tailoring an IPSec policy for a specific home user, ... disabled their personal firewall. ... Won't work if the malware uses a "legitimate" means of disabling ...
      (comp.security.firewalls)
    • Re: Isolate systems
      ... some sort of port/protocol/Ip/mac"filtering" via switches, ipsec filtering, ... firewall yourself from outside the network, even if you use a self scan site ... If legitimate users are trying to attack your computers you may have to see ...
      (microsoft.public.win2000.security)
    • Re: port blocking on Windows 2000/2003 servers
      ... > lock down all unneeded ports on Windows 2000 Server and Windows Server ... The huge disadvantage with IPsec is that there is no logging, ... party firewall or the Windows Firewall in Windows 2003. ...
      (microsoft.public.windows.server.security)
    • Re: Apparent NetBIOS Attack - How Dangerous?
      ... Windows 2000 does not have a built in firewall like Windows 2003 does and ... can be very vulnerable when connected directly to the internet. ... > added some IPSec port filters in order to take care of the NetBIOS ... >> Are you using a firewall such as a personal firewall or a hardware ...
      (microsoft.public.win2000.security)