Re: Win2K Security & Firewall - long post

From: David (davidwnh_at_adelphia.net)
Date: 11/05/03


Date: Wed, 05 Nov 2003 12:09:49 GMT

Be careful with your conclusions. There is no way that adding a rule for
port 1025 alone would change your scan results from closed to stealth
for your other ports. You either did something else along with it or
logging off and back on again was needed to actually apply certain
policies.
>
>>I have been of late urging just about anyone who would listen, to look
>>at implementing an IPSec policy on Win2K for extra security.
>>Today I went a stage further and did a fresh installation of Win2K,
>>SP4 for test purposes. No security measures were taken except to
>>install an IPSec policy, - no firewall, no router, no
>>processes/services disabled, not even an antivirus prog. No servers
>>installed by me. I wanted the installation to be as basic as poss with
>>the one exception, IPSec. All my needs were allowed for in IPsec rules
>>= browsing, e-mail, programme updates, and downloads (FTP).
>>I then went to GRC ShieldsUp site to check the security of the
>>installation. Result:
>>A few ports were stealth, one was open (1025) and the rest were
>>closed.
>>I logged off and inserted a new rule into IPSec to block 1025 and went
>>back online again where I repeated the test.
>>
>>Result:
>>All ports tested as stealth (the first 1056). The Green Light!!!!!
>>

You have it in a nutshell. Other installations and, more important, usage
are different. Why would someone enable something like this by default
when they have no idea what servers, services, and client applications
the end user will or will not be using and who they wish to allow access
to. Put yourself at a time before you even heard of IPSec and imagine
the confusion you would have after installing your OS and not being able
to do something. Particularly with something that gives you no
indication why some type of communication is failing. So one may be able
to apply an IPSec policy with considerable ease but troubleshooting the
problems it can cause if you are an average user who doesn't know it is
enabled or even exists does not allow for considerably easy
troubleshooting. No doubt IPSec is a welcome addition to the OS, but it
is not something that eliminates the need for a firewall. Try blocking
the high ports from server connections with IPSec and then use a
download manager to do FTP transfers with port mode FTP. Try using any
number of programs that use secondary connections. How about browser
connections or content(multimedia) that is not coming from the standard
ports? At least some of the firewalls have ALGs and/or connection
tracking that deal with such things without having to keep full ranges
of ports open. IPSec is very limited in what it can do overall if you
are trying to use it as a border firewall.

Then add the fact that Win2k was intended for the enterprise, in which
you will generally need to implement a very customized set of policies
that include authentication and maybe even encryption.

>>While I accept that other installations will differ and indeed may
>>have different ports open at the first test (who knows?) the fact
>>remains that I was with considerable ease able to stealth my computer.
>>Why in the name of security is such a policy not activated as a
>>default at installation?
>
>
>>Why have MS not urged people to implement an IPSec policy as a defence
>>against the latest port probes?
>
>

You should take a better look at why the extra rule was needed. Certain
Windows services use dynamic port allocations within the range of high
ports. Difficult to deal with using IPSec since these allocations can
change from boot to boot and when you add or remove other programs and
services. And when you try to block all the high ports to server
connections to account for this you screw up some protocols which use
secondary connections as was mentioned above.
>
>>What the heck is going on? Who is benefiting from this silence?
>>It's not you and me (IMO). Maybe it would block reports to MS? I don't
>>know! For anyone interested, I used the AnalogX Server IPSec policy
>>and deselected all server rules and selected client rules for those
>>items that I use. Besides this I added one rule as mentioned above. I
>>have not figured out why this new rule was needed. It would be nice to
>>know why, but I am not going to spend any time finding out. If anyone
>>knows I would be glad to hear why. This is the link to AnalogX which
>>also has some very useful links
>>http://www.analogx.com/contents/articles/ipsec.htm
>
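The point David makes about active-mode FTP and secondary connections, shown as an added simulation (not code from this thread or from AnalogX): a stateless filter modelled on a Win2K IPSec rule that blocks new inbound connections to high ports, beside a firewall with connection tracking and an FTP ALG. The addresses, ports and packet sequence are constructed sample data, and "new connection" is simplified to a SYN flag.

```python
from collections import namedtuple

# Constructed sample addresses (RFC 5737 ranges), not taken from the post.
CLIENT = "192.0.2.10"       # the Win2K box running the filter
SERVER = "198.51.100.7"     # an FTP server it downloads from
Packet = namedtuple("Packet", "src sport dst dport syn payload", defaults=("",))


def ipsec_style_filter(pkt):
    """Stateless 5-tuple rule: drop every new inbound connection to a high port."""
    if pkt.dst == CLIENT and pkt.syn and pkt.dport >= 1024:
        return "drop"
    return "allow"


class StatefulFirewall:
    """Connection tracking plus an FTP ALG that reads the client's PORT command."""

    def __init__(self):
        self.flows = set()      # outbound 4-tuples already seen
        self.expected = set()   # inbound 4-tuples the ALG has pre-authorised

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src == CLIENT:                        # outbound: allowed, remembered
            self.flows.add(key)
            if pkt.dport == 21 and pkt.payload.startswith("PORT "):
                h = pkt.payload[5:].split(",")       # h1,h2,h3,h4,p1,p2
                self.expected.add((pkt.dst, 20, pkt.src, int(h[4]) * 256 + int(h[5])))
            return "allow"
        if pkt.syn:                                  # inbound connection attempt
            if key not in self.expected:
                return "drop"                        # unsolicited: a port probe
            self.expected.discard(key)               # related FTP data connection
            self.flows.add(key)
            return "allow"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.flows else "drop"


def active_ftp_session(data_port=1053):
    """Control connection, then the server connects back to the client's high port."""
    h = CLIENT.replace(".", ",")
    return [
        Packet(CLIENT, 3000, SERVER, 21, True),
        Packet(SERVER, 21, CLIENT, 3000, False, "220 ready"),
        Packet(CLIENT, 3000, SERVER, 21, False, f"PORT {h},{data_port // 256},{data_port % 256}"),
        Packet(SERVER, 20, CLIENT, data_port, True),
    ]


def verdicts(policy, packets):
    return [policy(p) for p in packets]
```

Both filters drop an unsolicited probe to port 1025, but only the stateful one lets the server's data connection through, which is why the static rule that stealths ShieldsUp also breaks port-mode FTP.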


