RE: IPsec vs any personal software firewall

From: Sam Steinmeyer (SamSteinmeyer_at_winn-dixie.com)
Date: 09/30/03

  • Next message: Tod Beardsley: "Re: IPsec vs any personal software firewall"
    To: 'Lee Evans' <lee@vital.co.uk>, 'Kamran Muzaffer' <kmahmed@cyber.net.pk>, focus-ms@securityfocus.com
    Date: Tue, 30 Sep 2003 07:52:47 -0400
    
    

    All,

    Info: The quote that Lee referenced is contained in this Microsoft article.
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dnsbj_ips_dbmy.asp
            
    Note: IPSEC for Windows 2000 and XP can be set to deny Kerberos and RSVP by
    setting the registry key

    HKLM\SYSTEM\CurrentControlSet\Services\IPSEC: NoDefaultExempt, DWORD=1

    At this point Windows 2000 and XP will allow Broadcast, multicast, and IKE
    traffic.

    XP goes one step farther by allowing you to set the registry key

    HKLM\SYSTEM\CurrentControlSet\Services\IPSEC: NoDefaultExempt, DWORD=2

    This will block all the aforementioned traffic.

    IPSEC is not a replacement for a good firewall. However, it's a good backup
    for DMZs that have multiple servers. If one server gets compromised, all
    other servers within the scope of the compromised server could be
    compromised. Thus, IPSEC and a good firewall are the best plan.

    The information I've provided in this e-mail can be found at
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/askus/auas0801.asp

    Thanks,
             ______
            /_____/\ Harry Steinmeyer
           /____ \\ \ Senior Programmer
          /_____\ \\ / Winn-Dixie, Inc.
         /_____/ \/ / / (904) 370 - 5949
        /_____/ / \//\ rm -r /bin/laden
        \_____\//\ / /
         \_____/ / /\ /
          \_____/ \\ \
           \_____\ \\
            \_____\/
    "Science without religion is lame, religion without science is blind."
    Einstein, Albert (1879-1955)

    REMEMBER: IF IT ISN'T DOCUMENTED IT ISN'T DONE
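    A quick audit script for the NoDefaultExempt setting Harry describes, added here as an example (it is not from the original post or from Microsoft). The value-to-exemption mapping is taken from this thread and applies to Windows 2000/XP only; later Windows versions give the value a different meaning, and the "XP only" guard for value 2 is based on Harry's note, not on a documented check.

    ```powershell
    # Added example: audit (and optionally set) the IPsec NoDefaultExempt value.
    # Value meanings follow the Windows 2000/XP behaviour described in the thread:
    #   absent/0 = broadcast, multicast, Kerberos, RSVP and IKE bypass IPsec filters
    #   1        = Kerberos and RSVP are filtered; broadcast, multicast, IKE bypass
    #   2 (XP)   = all of the above are filtered
    # Run from an elevated prompt; the registry write needs administrator rights.
    param(
        [switch]$Remediate,                   # write $Target instead of only reporting
        [ValidateSet(1, 2)][int]$Target = 1   # 2 is described for XP only
    )

    $KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
    $ValueName = 'NoDefaultExempt'

    function Get-ExemptTraffic {
        # Traffic classes that still bypass IPsec filtering for a given setting
        param([int]$Level)
        switch ($Level) {
            0       { 'broadcast', 'multicast', 'Kerberos', 'RSVP', 'IKE' }
            1       { 'broadcast', 'multicast', 'IKE' }
            2       { @() }
            default { "unrecognised value $Level" }
        }
    }

    # A missing value behaves like 0: every default exemption is in force.
    $current = 0
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = [int]$item.$ValueName }

    $ver  = [Environment]::OSVersion.Version
    $isXP = ($ver.Major -eq 5 -and $ver.Minor -eq 1)   # assumption: 5.1 = Windows XP
    Write-Output "Windows version $ver, NoDefaultExempt = $current"
    $exempt = @(Get-ExemptTraffic -Level $current)
    if ($exempt.Count -eq 0) {
        Write-Output 'No default exemptions: listed traffic is subject to the IPsec filters.'
    } else {
        Write-Output ('Still bypasses IPsec filtering: ' + ($exempt -join ', '))
    }

    if ($Remediate -and $current -ne $Target) {
        if ($Target -eq 2 -and -not $isXP) {
            Write-Warning 'Value 2 is described in the thread for XP only; not applying.'
        } else {
            # -Force creates the DWORD if absent or overwrites it if present
            New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                -Value $Target -Force | Out-Null
            Write-Output "Set NoDefaultExempt to $Target; restart the IPSEC service or reboot."
        }
    }
    ```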

    -----Original Message-----
    From: Lee Evans [mailto:lee@vital.co.uk]
    Sent: Monday, September 29, 2003 12:43 PM
    To: 'Kamran Muzaffer'; focus-ms@securityfocus.com
    Subject: RE: IPsec vs any personal software firewall

    Hi,

    IPSec filters are not a replacement for a firewall. There are many
    reasons for this, but the most obvious is that potential attackers can
    easily bypass any filters under a default configuration. From MS
    technet:

    "By default in Windows 2000 and Windows XP, broadcast, multicast,
    Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"

    So simply by forging a source port of 88 on any malicious traffic they
    bypass the IPSec filters.

    I believe this is changed for Windows 2003

    Regards
    Lee

    -- 
    Lee Evans
    > -----Original Message-----
    > From: Kamran Muzaffer [mailto:kmahmed@cyber.net.pk] 
    > Sent: 26 September 2003 01:35
    > To: focus-ms@securityfocus.com
    > Subject: IPsec vs any personal software firewall
    > 
    > 
    > 
    > 
    > Hi,
    >  
    > I just want to know what is preferred from the machine 
    > utilization point of view, filtering traffic through IPsec or 
    > using any software firewall like Tiny Personal, Zone Alarm 
    > etc. Microsoft's documentation states that IPsec rules do 
    > affect the performance of the machine on which they are 
    > applied. Is there any proper guideline or 'things to 
    > remember' for implementing a performance and security 
    > effective IPsec or any firewall structure?
    >  
    > Thanks in advance.
    >  
    > Regards,
    > Kamran Muzaffer 
    > 
    
