RE: IPsec vs any personal software firewall

From: Sergey V. Gordeychik (gordey_at_infosec.ru)
Date: 09/30/03

    Date: Tue, 30 Sep 2003 09:50:06 +0400
    To: "Lee Evans" <lee@vital.co.uk>, "Kamran  Muzaffer" <kmahmed@cyber.net.pk>, <focus-ms@securityfocus.com>
    
    

    I agree - "IPSec filters are not a replacement for a firewall", but they are a good
    _free_ tool for filtering.

    You can disable the default exemptions by playing with the registry (KB 811832):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

    In W2k SP 4 you can disable all traffic except ISAKMP.

    BUT BAD GUY can still bypass IPSec's SPD packet filters by using the source
    port number of any allowed service (for example 445 TCP - CIFS/SMB -
    typically open for communications with a file server, i.e. my_ip:any ->>
    any:445 - permit).
    And BAD GUY can connect from any:445 ->> to hacked:135, for example.

    -----Original Message-----
    From: Lee Evans [mailto:lee@vital.co.uk]
    Sent: Monday, September 29, 2003 8:43 PM
    To: 'Kamran Muzaffer'; focus-ms@securityfocus.com
    Subject: RE: IPsec vs any personal software firewall

    Hi,

    IPSec filters are not a replacement for a firewall. There are many
    reasons for this, but the most obvious is that potential attackers can
    easily bypass any filters under a default configuration. From MS
    technet:

    "By default in Windows 2000 and Windows XP, broadcast, multicast,
    Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"

    So simply by forging a source port of 88 on any malicious traffic they
    bypass the IPSec filters.

    I believe this is changed for Windows 2003.

    Regards
    Lee

    -- 
    Lee Evans
    > -----Original Message-----
    > From: Kamran Muzaffer [mailto:kmahmed@cyber.net.pk] 
    > Sent: 26 September 2003 01:35
    > To: focus-ms@securityfocus.com
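The source-port problem described in the post above, as an added example that is not code from the original thread: a toy stateless filter applying the mirrored rule "my_ip:any ->> any:445 permit" next to a stateful filter with the same policy, showing that only the latter rejects an inbound connection that merely comes from port 445. The addresses are assumptions and the packet trace is constructed; the model is a simplification, not the Windows IPsec implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = True      # SYN without ACK marks a new connection attempt
    ack: bool = False

MY_IP = "10.0.0.5"        # assumed address of the host running the filters
FILE_SERVER = "10.0.0.20" # assumed file server
BAD_GUY = "192.0.2.66"    # constructed attacker address (TEST-NET-2 range)

def stateless_allows(pkt: Packet) -> bool:
    """Rule 'my_ip:any ->> any:445 permit' plus its mirror, judged on the header alone."""
    outbound = pkt.src_ip == MY_IP and pkt.dst_port == 445
    inbound = pkt.dst_ip == MY_IP and pkt.src_port == 445   # mirror rule, no state
    return outbound or inbound

class StatefulFilter:
    """Same policy, but inbound packets must answer a connection this host opened."""
    def __init__(self) -> None:
        self.conns: set[tuple] = set()   # 4-tuples of connections we initiated

    def allows(self, pkt: Packet) -> bool:
        if pkt.src_ip == MY_IP and pkt.dst_port == 445:
            if pkt.syn and not pkt.ack:      # remember the outbound connection
                self.conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.dst_ip == MY_IP:              # reply direction: look up reversed tuple
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.conns
        return False

def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless, stateful) verdicts for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_allows(p), sf.allows(p)) for p in packets]

# Constructed trace: a legitimate CIFS session, then a SYN arriving from port 445.
TRACE = [
    Packet(MY_IP, 49152, FILE_SERVER, 445),                       # host -> server SYN
    Packet(FILE_SERVER, 445, MY_IP, 49152, syn=True, ack=True),   # server SYN/ACK back
    Packet(BAD_GUY, 445, MY_IP, 135),                             # unsolicited SYN to RPC
]

if __name__ == "__main__":
    for pkt, (sl, st) in zip(TRACE, compare(TRACE)):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} stateless={sl} stateful={st}")
```

The third packet is the case the post warns about: the stateless filter admits it because its source port matches the mirror rule, while the stateful filter drops it because no connection to that peer was ever opened.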
    
