Re: IPSec rules

• Previous message: Jannie Hanekom: "RE: Location Aware GPO question"
• In reply to: first last: "IPSec rules"
• Next in thread: Maxime Ducharme: "Re: IPSec rules"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "first last" <in5ecure24@hotmail.com>, <focus-ms@securityfocus.com>
Date: Tue, 20 Apr 2004 10:57:46 -0600

What you want done is best accomplished on a router or firewall through
access-lists:

access-list 101 permit ip any any eq http
interface ethernet 0 (the outbound to the Internet interface)
ip access-group 101 out

The access list above will allow all addresses from the inside to access
port 80 (http) on the outside. The implicit "deny any" will deny access
from port 80 (or any other port) from the outside into your network.

Noah

> Hello everyone,
>
> I have been using IPSec for a while now, i am a fan of it BUT theres 1
> weakness that id like to see if theres a way around.
>
> Basicaly It comes down to Source Port Scaning. Now the thing is if you
have
> a rule that allows trafic to go FROM you:any TO the internet:80 all some
one
> has to do is scan from port 80 on there pc. poof allowed traffic. So i
tryed
> to set up more rules ie FROM internet:21,53,80 TO me:21,53,80 and block
this
> hoping since theres a 2nd more specific rule that it will block all
> connections from any:80 TO me:80 since this traffic should never be
> happining anyway... but nope dont work...
>
> So my question for you is how can i do a work-around ? there a registery
> setting i can fix? set priortys for applying IPSec rules? anything at all
>
> The only thing that i can think that would work is to make tens of
thousands
> of allow rules like ...
>
> FROM any:1200 TO me:80 allow
> FROM any:1201 TO me:80 allow
> FROM any:1202 TO me:80 allow and onn and onnn id have to write a script to
> write a script to make the rules (unless i made 1 script w/ tens of
> thousands of MANUALY writen rules and thats not gunna happen...)
>
> Incase i wasnt to clear i want to prevent source port scaning from
reveiling
> every thing running on that box, blocking things like
>
> FROM any:80 TO me:80 block
> FROM any:80 TO me:135 block
> FROM any:80 TO me:445 block ect ect
>
> any ideas?
>
> _________________________________________________________________
> FREE pop-up blocking with the new MSN Toolbar - get it now!
> http://toolbar.msn.com/go/onm00200415ave/direct/01/
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
-
>

---------------------------------------------------------------------------
---------------------------------------------------------------------------

• Previous message: Jannie Hanekom: "RE: Location Aware GPO question"
• In reply to: first last: "IPSec rules"
• Next in thread: Maxime Ducharme: "Re: IPSec rules"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]