Re: IPSec rules

From: Noah (noah_at_ieee.org)
Date: 04/20/04

To: "first last" <in5ecure24@hotmail.com>, <focus-ms@securityfocus.com>
Date: Tue, 20 Apr 2004 10:57:46 -0600

    What you want done is best accomplished on a router or firewall through
    access-lists:

    access-list 101 permit tcp any any eq www
    interface ethernet 0 (the outbound to the Internet interface)
    ip access-group 101 out

    The access list above will allow all addresses from the inside to access
    port 80 (http) on the outside. The implicit "deny any" will deny access
    from port 80 (or any other port) from the outside into your network.

    Noah

    > Hello everyone,
    >
    > I have been using IPSec for a while now, I am a fan of it BUT there's one
    > weakness that I'd like to see if there's a way around.
    >
    > Basically it comes down to source port scanning. Now the thing is, if you
    > have a rule that allows traffic to go FROM you:any TO the internet:80, all
    > someone has to do is scan from port 80 on their PC. Poof, allowed traffic.
    > So I tried to set up more rules, i.e. FROM internet:21,53,80 TO me:21,53,80
    > and block this, hoping since there's a 2nd more specific rule that it will
    > block all connections from any:80 TO me:80 since this traffic should never
    > be happening anyway... but nope, doesn't work...
    >
    > So my question for you is how can I do a work-around? Is there a registry
    > setting I can fix? Set priorities for applying IPSec rules? Anything at all?
    >
    > The only thing that I can think of that would work is to make tens of
    > thousands of allow rules like...
    >
    > FROM any:1200 TO me:80 allow
    > FROM any:1201 TO me:80 allow
    > FROM any:1202 TO me:80 allow and on and on. I'd have to write a script to
    > write a script to make the rules (unless I made 1 script w/ tens of
    > thousands of MANUALLY written rules and that's not gonna happen...)
    >
    > In case I wasn't too clear, I want to prevent source port scanning from
    > revealing everything running on that box, blocking things like
    >
    > FROM any:80 TO me:80 block
    > FROM any:80 TO me:135 block
    > FROM any:80 TO me:445 block etc. etc.
    >
    > Any ideas?
    >

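As an added illustration (not code from either message in this thread): a small Python model of a stateless packet filter with first-match semantics and an implicit deny. It shows that the poster's single permit, once IPSec mirrors it into the inbound direction, lets a probe that sets source port 80 reach any local port, while the outbound-only access-list from the reply drops it. The port numbers and packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = host to Internet, "in" = Internet to host
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    src_port: Optional[int]   # None matches any port
    dst_port: Optional[int]
    action: str               # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls to the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The poster's single rule as a mirrored IPSec filter: the permit is also
# applied in reverse, so inbound it reads "from any:80 to me:any".
MIRRORED = [Rule("out", None, 80, "permit"), Rule("in", 80, None, "permit")]

# The outbound-only access-list from the reply: nothing inbound is listed,
# so every inbound packet hits the implicit deny.
OUTBOUND_ONLY = [Rule("out", None, 80, "permit")]

# Constructed sample traffic (hypothetical ports).
WEB_REQUEST = Packet("out", 1200, 80)   # browser to a web server
WEB_REPLY = Packet("in", 80, 1200)      # the server's answer
PROBE_135 = Packet("in", 80, 135)       # probe with source port 80 at RPC


def decisions(rules: List[Rule]) -> dict:
    return {"request": evaluate(rules, WEB_REQUEST),
            "reply": evaluate(rules, WEB_REPLY),
            "probe_135": evaluate(rules, PROBE_135)}


if __name__ == "__main__":
    print("mirrored     :", decisions(MIRRORED))
    print("outbound only:", decisions(OUTBOUND_ONLY))
```

Note that the outbound-only list also drops the web server's reply to an allowed request, so in practice it is paired with stateful (established-connection) inspection for return traffic rather than with a mirrored permit.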

