Re: IPSec rules

From: Brian Eckman (eckman_at_umn.edu)
Date: 04/21/04

    Date: Wed, 21 Apr 2004 09:27:38 -0500
    To: focus-ms@securityfocus.com, in5ecure24@hotmail.com

    first last wrote:
    > Hello everyone,
    >
    > I have been using IPSec for a while now, I am a fan of it BUT there's 1
    > weakness that I'd like to see if there's a way around.
    >
    > Basically it comes down to Source Port Scanning. Now the thing is if you
    > have a rule that allows traffic to go FROM you:any TO the internet:80 all
    > someone has to do is scan from port 80 on their PC. Poof, allowed
    > traffic. So I tried to set up more rules, i.e. FROM internet:21,53,80 TO
    > me:21,53,80 and block this, hoping since there's a 2nd more specific rule
    > that it will block all connections from any:80 TO me:80 since this
    > traffic should never be happening anyway... but nope, doesn't work...
    >
    > So my question for you is how can I do a work-around? Is there a registry
    > setting I can fix? Set priorities for applying IPSec rules? Anything at all.
    >
    > The only thing that I can think would work is to make tens of
    > thousands of allow rules like ...
    >
    > FROM any:1200 TO me:80 allow
    > FROM any:1201 TO me:80 allow
    > FROM any:1202 TO me:80 allow and on and on. I'd have to write a script
    > to write a script to make the rules (unless I made 1 script w/ tens of
    > thousands of MANUALLY written rules and that's not gonna happen...)
    >
    > In case I wasn't too clear, I want to prevent source port scanning from
    > revealing everything running on that box, blocking things like
    >
    > FROM any:80 TO me:80 block
    > FROM any:80 TO me:135 block
    > FROM any:80 TO me:445 block etc. etc.
    >
    > any ideas?
    >

    I was in the same boat, and installed a Web proxy called Privoxy on a
    Windows XP machine running ICF. The XP machine has a hole punched into
    ICF for the Privoxy port, and has an IPSec rule that allows access to
    that proxy port only to/from the one (locked down) Windows 2000 machine
    that needs to talk to it. Then the Windows 2000 box is allowed to
    communicate both ways with the proxy port on the XP box, and does not
    allow 80/tcp to/from anywhere at all.

    Get your copy of Privoxy at http://sourceforge.net/projects/ijbswa

    Brian

    -- 
    Brian Eckman
    Security Analyst
    OIT Security and Assurance
    University of Minnesota
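The weakness the thread discusses, modelled as an added example (not code from either poster): a mirrored, stateless "me:any <-> any:80" allow filter matches a probe sent from source port 80 to any local port, while a filter that only admits inbound packets answering a connection the host itself opened does not. Addresses, ports and the filter model are constructed assumptions, not Windows IPsec's actual precedence logic.

```python
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"         # constructed: the protected host
WEB = "198.51.100.7"      # constructed: a web server the host browses
SCANNER = "203.0.113.9"   # constructed: a remote host probing the protected host

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def mirrored_match(p: Packet, a: str, a_port: Optional[int],
                   b: str, b_port: Optional[int]) -> bool:
    """Match a packet in either direction, as a mirrored filter does.
    Only address/port tuples are checked; no connection state is kept."""
    def end(host, port, addr, prt):
        return host in ("any", addr) and port in (None, prt)
    fwd = end(a, a_port, p.src, p.sport) and end(b, b_port, p.dst, p.dport)
    rev = end(a, a_port, p.dst, p.dport) and end(b, b_port, p.src, p.sport)
    return fwd or rev

def stateless_allows(p: Packet) -> bool:
    # The poster's rule: FROM me:any TO internet:80, mirrored, allow.
    return mirrored_match(p, ME, None, "any", 80)

class StatefulFilter:
    """Admit inbound packets only if they answer a connection ME opened."""
    def __init__(self):
        self.open = set()  # (remote_addr, remote_port, local_port)

    def allows(self, p: Packet) -> bool:
        if p.src == ME and p.dport == 80:      # outbound request to a web server
            self.open.add((p.dst, p.dport, p.sport))
            return True
        if p.dst == ME:                        # inbound: must match an open flow
            return (p.src, p.sport, p.dport) in self.open
        return False

def demo() -> dict:
    request = Packet(ME, 1200, WEB, 80)
    reply = Packet(WEB, 80, ME, 1200)
    probe = Packet(SCANNER, 80, ME, 135)  # the source-port-80 probe from the thread
    sf = StatefulFilter()
    return {
        "stateless": [stateless_allows(x) for x in (request, reply, probe)],
        "stateful": [sf.allows(x) for x in (request, reply, probe)],
    }
```

The stateless result admits all three packets, including the probe at port 135; the stateful filter admits the request and its reply but drops the probe, which is the effect Brian obtains by moving port 80 traffic to a proxy on a separate host.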
