RE: IPsec vs any personal software firewall
From: LordInfidel (LordInfidel_at_Directionweb.com)
Date: 09/30/03
- Previous message: Sergey V. Gordeychik: "RE: IPsec vs any personal software firewall"
- Maybe in reply to: Kamran Muzaffer: "IPsec vs any personal software firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'Lee Evans' <lee@vital.co.uk>, 'Kamran Muzaffer' <kmahmed@cyber.net.pk>, focus-ms@securityfocus.com
Date: Tue, 30 Sep 2003 08:39:46 -0400
> "By default in Windows 2000 and Windows XP, broadcast, multicast,
> Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"
In 2K, using IPSec (IP security) filters, you will *have* to create the
following in the registry:
hklm\system\currentcontrolset\services\ipsec
ADD DWORD NoDefaultExempt = 1
This prevents the source port 88 issue. (Not doing so, and you might as well
not even enable the filters.)
HOWEVER, by sending a specially crafted UDP packet to the broadcast address
of the network, it is possible to bypass the filters and contact a service
listening on UDP, even with the added entry. SNMP is such a service. (Yes, I
did paraphrase the above from Hacking Exposed Win2K.)
Does all this mean you should not use it? No, you should always use as many
tools as are available to you when securing a machine that is directly
connected to the net.
Should you use it if you have a firewall running externally of the machine?
No, probably not.
Should you use it if this machine is providing basic web services and does
not have a firewall device in front of it? It can't hurt.
The way I look at it, most of the things you do security-wise are keeping the
script-kiddies with their automated tools out, and making it undesirable
for a hacker. But if a hacker wants to get in, nothing you do is really
going to stop them, because they will find a way in. All you can do is put
up as many road blocks as possible that they have to work through.
LordInfidel
-----Original Message-----
From: Lee Evans [mailto:lee@vital.co.uk]
Sent: Monday, September 29, 2003 12:43 PM
To: 'Kamran Muzaffer'; focus-ms@securityfocus.com
Subject: RE: IPsec vs any personal software firewall
Hi,
IPSec filters are not a replacement for a firewall. There are many
reasons for this, but the most obvious is that potential attackers can
easily bypass any filters under a default configuration. From MS
TechNet:
"By default in Windows 2000 and Windows XP, broadcast, multicast,
Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"
So simply by forging a source port of 88 on any malicious traffic they
bypass the IPSec filters.
I believe this is changed for Windows 2003.
Regards
Lee
-- Lee Evans

> -----Original Message-----
> From: Kamran Muzaffer [mailto:kmahmed@cyber.net.pk]
> Sent: 26 September 2003 01:35
> To: focus-ms@securityfocus.com
> Subject: IPsec vs any personal software firewall
>
> Hi,
>
> I just want to know what is preferred from the machine
> utilization point of view, filtering traffic through IPsec or
> using any software firewall like Tiny Personal, Zone Alarm
> etc. Microsoft's documentation states that IPsec rules do
> affect the performance of the machine on which they are
> applied. Is there any proper guideline or 'things to
> remember' for implementing a performance and security
> effective IPsec or any firewall structure.
>
> Thanks in advance.
>
> Regards,
> Kamran Muzaffer
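The two bypasses discussed in this thread (Lee Evans' forged source port 88, and LordInfidel's broadcast UDP packet that still gets through after NoDefaultExempt = 1) can be reasoned about offline with a small model of the Windows 2000/XP default-exemption order. This is an added example, not code from either poster or from Microsoft, and it never touches the IPsec driver. It assumes a /24 subnet for the directed-broadcast check, a filter list that permits only inbound TCP/80 (the "basic web services" host), and that default exemptions are consulted before the filter list, which is what the quoted TechNet text implies. `send_probe` is a separate helper for actually sending a datagram from a chosen source port at a lab host; it is not called by the model.

```python
"""Model of Windows 2000/XP IPsec default exemptions vs. NoDefaultExempt.

Added example for this thread, not code from the original posts or from
Microsoft.  It does not talk to the IPsec driver: it reproduces the
documented decision order (default exemptions are checked before the
filter list) so the two bypasses in the thread can be checked offline.
The packets near the bottom are constructed sample data.
"""
import socket
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UDP, TCP, RSVP = 17, 6, 46
KERBEROS_PORT, ISAKMP_PORT, SNMP_PORT, HTTP_PORT = 88, 500, 161, 80
ASSUMED_PREFIX = 24   # assumption: a /24 subnet for the directed-broadcast check


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def is_broadcast(addr: str, prefix: int = ASSUMED_PREFIX) -> bool:
    """Limited broadcast, or the directed broadcast of the assumed subnet."""
    ip = ip_address(addr)
    net = ip_network(f"{addr}/{prefix}", strict=False)
    return ip == ip_address("255.255.255.255") or ip == net.broadcast_address


def is_default_exempt(pkt: Packet, no_default_exempt: int = 0) -> bool:
    """True if the packet bypasses the filter list entirely.

    Mirrors the KB text quoted in the thread: broadcast, multicast and
    ISAKMP stay exempt whatever the registry says; NoDefaultExempt = 1
    removes only the Kerberos and RSVP exemptions.
    """
    if is_broadcast(pkt.dst) or ip_address(pkt.dst).is_multicast:
        return True
    if pkt.proto == UDP and pkt.sport == ISAKMP_PORT and pkt.dport == ISAKMP_PORT:
        return True   # IKE; modelled narrowly (500->500), the thread does not detail it
    if no_default_exempt == 1:
        return False
    if pkt.proto == RSVP:
        return True
    if pkt.proto in (UDP, TCP) and KERBEROS_PORT in (pkt.sport, pkt.dport):
        return True   # *either* end on port 88: this is the forged-source-port hole
    return False


def filter_list_permits(pkt: Packet) -> bool:
    """Assumed filter list for the 'basic web services' host: inbound TCP/80 only."""
    return pkt.proto == TCP and pkt.dport == HTTP_PORT


def ipsec_allows(pkt: Packet, no_default_exempt: int = 0) -> bool:
    """Exemptions are evaluated first; only non-exempt traffic meets the filters."""
    return is_default_exempt(pkt, no_default_exempt) or filter_list_permits(pkt)


# Constructed probes against host 10.0.0.5 on the assumed 10.0.0.0/24.
FORGED_KRB_TO_SNMP = Packet(UDP, "10.0.0.99", "10.0.0.5", sport=88, dport=SNMP_PORT)
PLAIN_SNMP = Packet(UDP, "10.0.0.99", "10.0.0.5", sport=40000, dport=SNMP_PORT)
BROADCAST_SNMP = Packet(UDP, "10.0.0.99", "10.0.0.255", sport=40000, dport=SNMP_PORT)
WEB = Packet(TCP, "10.0.0.99", "10.0.0.5", sport=40001, dport=HTTP_PORT)


def evaluate() -> dict:
    """Outcome of each probe as (default registry, NoDefaultExempt = 1)."""
    probes = {"forged_src_88": FORGED_KRB_TO_SNMP, "plain_snmp": PLAIN_SNMP,
              "broadcast_snmp": BROADCAST_SNMP, "web": WEB}
    return {name: (ipsec_allows(p, 0), ipsec_allows(p, 1)) for name, p in probes.items()}


def send_probe(target: str, dport: int = SNMP_PORT, sport: int = KERBEROS_PORT,
               payload: bytes = b"probe") -> int:
    """Send one UDP datagram from a chosen source port to a lab host.

    Binding port 88 needs administrator/root rights on most systems.  The
    payload is a placeholder; to get SNMP to answer you would send a valid
    GetRequest with the right community string.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", sport))
        return s.sendto(payload, (target, dport))


if __name__ == "__main__":
    for name, (default, hardened) in evaluate().items():
        print(f"{name:15s} default={default!s:5s} NoDefaultExempt=1: {hardened}")
```

Running it shows the order of operations both posters are describing: the forged-source-port-88 datagram reaches SNMP under the defaults and is stopped once NoDefaultExempt = 1 is set, while the directed-broadcast datagram is exempt in both cases, so an external packet filter that drops inbound broadcasts is still needed in front of the host.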