Re: IPsec vs any personal software firewall
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 09/30/03
- Previous message: simonis: "Re: IPsec vs any personal software firewall"
- In reply to: Sam Steinmeyer: "RE: IPsec vs any personal software firewall"
- Next in thread: Sergey V. Gordeychik: "RE: IPsec vs any personal software firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Sep 2003 11:45:28 -0700
To: Sam Steinmeyer <SamSteinmeyer@winn-dixie.com>
Describes how to configure Microsoft® Windows® 2000 IPSec and Windows XP
IPSec to help secure an internal network server against network-based
attacks from untrusted computers. IPSec enhancements in Windows 2000
service packs and in the Microsoft® Windows Server™ 2003 family are also
described.
http://www.microsoft.com/downloads/details.aspx?familyid=a774012a-ac25-4a1d-8851-b7a09e3f1dc9
Sam Steinmeyer wrote:
>All,
>
>Info: The quote that Lee referenced is contained in this Microsoft article.
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dnsbj_ips_dbmy.asp
>
>Note: IPSEC for windows 2000 and XP can be set to deny Kerberos and RSVP by
>setting the registry key
>
>HKLM\SYSTEM\CurrentControlSet\Services\IPSEC: NoDefaultExempt, DWORD=1
>
>At this point Windows 2000 and XP will allow Broadcast, multicast, and IKE
>traffic.
>
>XP goes one step farther by allowing you set the registry key
>
>HKLM\SYSTEM\CurrentControlSet\Services\IPSEC: NoDefaultExempt, DWORD=2
>
>This will block all the aforementioned traffic.
>
>IPSEC is not a replacement for a good firewall. However, it's a good back
>up for DMZ's that have multiple servers. If one server gets compromised all
>other servers within the scope of the compromised server could be
>compromised. Thus, IPSEC and a good firewall is the best plan.
>
>The information I've provided in this e-mail can be found at
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/askus/auas0801.asp
>
>Thanks,
> ______
> /_____/\ Harry Steinmeyer
> /____ \\ \ Senior Programmer
> /_____\ \\ / Winn-Dixie, Inc.
> /_____/ \/ / / (904) 370 - 5949
> /_____/ / \//\ rm -r /bin/laden
> \_____\//\ / /
> \_____/ / /\ /
> \_____/ \\ \
> \_____\ \\
> \_____\/
>"Science without religion is lame, religion without science is blind."
>Einstein, Albert (1879-1955)
>
>REMEMBER: IF IT ISN'T DOCUMENTED IT ISN'T DONE
>
>
>-----Original Message-----
>From: Lee Evans [mailto:lee@vital.co.uk]
>Sent: Monday, September 29, 2003 12:43 PM
>To: 'Kamran Muzaffer'; focus-ms@securityfocus.com
>Subject: RE: IPsec vs any personal software firewall
>
>Hi,
>
>IPSec filters are not a replacement for a firewall. There are many
>reasons for this, but the most obvious is that potential attackers can
>easily bypass any filters under a default configuration. From MS
>technet:
>
>"By default in Windows 2000 and Windows XP, broadcast, multicast,
>Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"
>
>So simply by forging a source port of 88 on any malicious traffic they
>bypass the IPSec filters.
>
>I believe this is changed for Windows2003
>
>Regards
>Lee
>
>
--
"Don't lose sight of security. Security is a state of being, not a state of budget. He with the most firewalls still does not win. Put down that honeypot and keep up to date on your patches. Demand better security from vendors and hold them responsible. Use what you have, and make sure you know how to use it properly and effectively." ~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt
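Added example, not part of the thread and not Microsoft code: a small Python model of the IPsec default-exemption behaviour Lee and Sam describe, so a defender can see which constructed packets never reach a restrictive filter list under each NoDefaultExempt value the thread mentions. The Packet class, the port and protocol checks, the permit-by-destination-port policy and the probe set are assumptions made for this illustration; the exemption sets for values 0, 1 and 2 follow the thread's description of them, not Microsoft's own documentation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the Windows 2000/XP IPsec "default exempt" behaviour
# as described in the thread above. Not Microsoft code.

KERBEROS_PORT = 88    # Kerberos (TCP/UDP)
ISAKMP_PORT = 500     # IKE/ISAKMP (UDP)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    """Minimal packet description (hypothetical; just enough for the model)."""
    proto: str      # "tcp", "udp" or "rsvp"
    src_port: int   # 0 for protocols without ports
    dst_port: int
    dst_ip: str


def is_broadcast_or_multicast(pkt: Packet) -> bool:
    addr = ipaddress.ip_address(pkt.dst_ip)
    # Subnet-directed broadcasts need the local mask, so only the limited
    # broadcast address and the multicast range are recognised here.
    return addr.is_multicast or addr == LIMITED_BROADCAST


def is_kerberos(pkt: Packet) -> bool:
    # Either endpoint on port 88 counts, which is why a forged source port
    # of 88 slips past the filter list under the default setting.
    return pkt.proto in ("tcp", "udp") and KERBEROS_PORT in (pkt.src_port, pkt.dst_port)


def is_ike(pkt: Packet) -> bool:
    return pkt.proto == "udp" and ISAKMP_PORT in (pkt.src_port, pkt.dst_port)


def is_rsvp(pkt: Packet) -> bool:
    return pkt.proto == "rsvp"


def is_default_exempt(pkt: Packet, no_default_exempt: int) -> bool:
    """Exemption sets per NoDefaultExempt value, as the thread describes them."""
    if no_default_exempt == 0:   # Windows 2000/XP default
        return (is_broadcast_or_multicast(pkt) or is_kerberos(pkt)
                or is_rsvp(pkt) or is_ike(pkt))
    if no_default_exempt == 1:   # Kerberos and RSVP are now filtered
        return is_broadcast_or_multicast(pkt) or is_ike(pkt)
    if no_default_exempt == 2:   # XP only, per the thread: nothing is exempt
        return False
    raise ValueError(f"unmodelled NoDefaultExempt value {no_default_exempt}")


def filter_verdict(pkt: Packet, permit_dst_ports, no_default_exempt: int) -> str:
    """Evaluate a deny-all-except policy (assumption: permit by TCP/UDP dst port).

    Returns "exempt" when the packet never reaches the filter list,
    "permit" when a rule matches, and "block" otherwise.
    """
    if is_default_exempt(pkt, no_default_exempt):
        return "exempt"
    if pkt.proto in ("tcp", "udp") and pkt.dst_port in permit_dst_ports:
        return "permit"
    return "block"


# Constructed probes a defender might evaluate against each setting.
PROBES = {
    "https": Packet("tcp", 40000, 443, "10.0.0.5"),
    "smb_forged_src_88": Packet("tcp", 88, 445, "10.0.0.5"),
    "ike": Packet("udp", 500, 500, "10.0.0.5"),
    "rsvp": Packet("rsvp", 0, 0, "10.0.0.5"),
    "multicast": Packet("udp", 5353, 5353, "224.0.0.251"),
    "limited_broadcast": Packet("udp", 68, 67, "255.255.255.255"),
}


def exemption_report(no_default_exempt: int, permit_dst_ports=frozenset({443})) -> dict:
    """Map each probe name to its verdict under one NoDefaultExempt value."""
    return {name: filter_verdict(pkt, permit_dst_ports, no_default_exempt)
            for name, pkt in PROBES.items()}


def bypassing_probes(no_default_exempt: int) -> list:
    """Names of probes that never hit the filter list at all."""
    return sorted(name for name, verdict in exemption_report(no_default_exempt).items()
                  if verdict == "exempt")


if __name__ == "__main__":
    for value in (0, 1, 2):
        print(f"NoDefaultExempt={value}: bypasses filters -> {bypassing_probes(value)}")
```

Two things the model makes visible: under value 1 the forged-source-port-88 probe is blocked, but under value 2 the IKE probe is blocked as well, so in this model a host that still needs to negotiate IPsec would require an explicit rule permitting UDP 500 rather than relying on the exemption. The setting is a per-host registry value, so an audit of a multi-server DMZ should read NoDefaultExempt on every machine instead of assuming the platform default.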