Re: Win2K Security & Firewall - long post

From: David (davidwnh_at_adelphia.net)
Date: 11/06/03


Date: Thu, 06 Nov 2003 11:41:33 GMT

I think my idea of the "average user" in this respect is not what they
are using the machine for but what they would be able to troubleshoot.
The average *Win2k* user is probably sitting behind a desk using their
computer in a corporate LAN and maybe using corporate applications which
often involve much more than web, email, ftp. And for the home user, many
who are not "advanced" users are using Windows Media Player, AOL, Real
Player, P2P apps, etc. None of which are covered in what you or maybe
Mark (AnalogX) deems to be suitable for the "average" user. Almost every
"average" user will have to modify his ruleset. You even deem yourself
an "average" user and have had to modify it. Take away the knowledge you
have gained from this or any other related newsgroup and see how much
grasping or maybe gasping you would be doing, because most home users I
know do not use Usenet and most of these folks don't even know what it
is.

When you deal with a default OS setup you don't cater to what some
people think is the average user, you cater to the largest percentage of
end users (within reason), trying to avoid as many problems and as much
confusion as possible. MS and the computer vendors obviously need a bit
of work with their default installations of Windows, but more so in the
regard of disabling insecure functionality within specific applications
and having unnecessary services disabled by default. They need a better
setup wizard for the neophytes. They do not need to enable a feature by
default that will cause a lot of users more grief. So it's not a question
of whether or not IPSec is a good thing; it is just one of those
things that people need to enable themselves so they would know it was
there and what it is, and thus would know it could be a possible source
of certain problems they may encounter.

>
>
> I think "average user" is the important term here. My computer, IMO, is
> useable by the average user (web, email, downloads) because I would consider
> my current usage average. If a similar policy was implemented by default
> then the advanced user would be capable of changing it to suit themselves
> while the "average" user would hardly know it was there.
>
>

No need for apologies, you did not give me that impression. I was just
trying to play the devil's advocate to show some of the limitations of
IPSec, and more so some reasons why it might be a bad idea for MS to
have it enabled by default. Take a good look at the extent of Mark's
rules and the extent of what else is possible with IPSec and you might
realize that tailoring an IPSec policy for a specific home user,
particularly if they have more than one machine in a home LAN, is not
something for the "non clued-in" user. As far as layering, if you are
using it behind a properly configured firewall, and not using its
authentication or encryption functionalities for a LAN, you might only be
adding overhead and no actual additional protection. On the other hand
it might give someone a crutch in case they got some malware that
disabled their personal firewall. There are ways of doing this however
that don't involve the overhead involved with an additional inspection
of every single packet with a potentially large list of rules. These
firewalls should include at least a feature in their design that takes
down the adapter when the firewall fails or is disabled. Most personal
firewalls don't do this, but if they run as a service keep in mind you
can configure any service to try to restart or maybe in this case, if
restarting fails, run a program or script that would disable the adapter.
Just take a look at the Recovery tab for services listed in the Services
applet. Won't work if the malware uses a "legitimate" means of disabling
the service, but most cases of this (viruses, browser installed malware)
can be avoided by not using an account that has elevated privileges to
fetch email, browse the web, etc. In any case you have to face the facts:
if the default Windows installation enabled an IPSec policy by default
the malware writers will (just as easily as they can do for personal
firewalls) add routines to disable IPSec. They always use default
configurations as a basis for what "has" to be done to make an exploit
widely effective.

I would agree though that for someone who is using only a router or
something like BlackICE, in which there is no effective means of packet
filtering outbound initiated traffic, a well implemented set of IPSec
rules is a very good idea. And I would also say using Mark's ruleset as
a starting point makes things a lot easier. Kudos to AnalogX :)
>
>
> I apologise if I gave the impression that it should be used on its own as a
> firewall. What I meant was that IMO it is a very valuable layer of security
> that sits behind a software firewall (average user who is somewhat clued in)
> and offers some fallback security in the event that the software firewall
> should fall over. For the non clued-in user it is at least something.
>

You shouldn't have to reboot for changes to take effect. "Shouldn't" is
the key word here since I have seen far too much "unexpected" behavior
with MS products. You shouldn't even have to restart the IPSec Policy
Agent service, but that may be the easiest way to be "doubly" sure that
changes get applied.
>>>
>>You should take a better look at why the extra rule was needed.
>>Certain windows services use dynamic port allocations within the
>>range of high ports. Difficult to deal with using IPSec since these
>>allocations can change from boot to boot and when you add or remove
>>other programs and services. And when you try to block all the high
>>ports to server connections to account for this you screw up some
>>protocols which use secondary connections as was mentioned above.
>
>
> given time I intend to do some more testing on this installation, and will
> try re-booting etc to see if there are differences.
>

Their current direction seems to be putting emphasis on AV software and
firewalls. A far better solution for most home users and easier to
implement and troubleshoot than IPSec. IPSec was designed to secure and
encrypt end to end communications, not to be implemented as a firewall
although its design allows it to perform some functions found in
firewalls.
> I would still be of the opinion that MS could have put some emphasis on this
> as a method of combatting the latest baddies.
> Seán
>
>

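The "Recovery tab" idea from David's post, worked through as a script. This is an added example, not code from the post, from AnalogX or from any firewall product: the Service Control Manager is told to restart the firewall service on its first two failures and, on the third, to run this file, which takes the network down so the machine ends up offline rather than unprotected. The service name MyFirewallSvc, the adapter name "Local Area Connection", the path C:\tools\failclosed.cmd and the presence of sc.exe and devcon.exe are all assumptions; check the names on the box before installing it.

```batch
@echo off
rem ---------------------------------------------------------------------------
rem failclosed.cmd  (added example, not from the original post or any product)
rem
rem Fail-closed fallback for a personal firewall that runs as a Windows service.
rem The SCM restarts the service after its first two crashes; on the third it
rem runs this script, which disables the adapter so the box is off the network
rem instead of running with no packet filter.
rem
rem Assumptions (none of these names come from the thread):
rem   - the firewall service is called MyFirewallSvc      (hypothetical name)
rem   - the NIC is the default "Local Area Connection"   (check: netsh interface show interface)
rem   - this file lives at C:\tools\failclosed.cmd
rem   - sc.exe is available (built in from XP; Resource Kit on Windows 2000)
rem   - devcon.exe (Windows DDK) is on the PATH, used only on Windows 2000
rem
rem Usage:  failclosed.cmd install    registers the recovery actions (run once, as admin)
rem         failclosed.cmd            what the SCM runs after the restarts have failed
rem
rem Limitation, exactly as the post says: recovery actions fire only when the
rem service process dies without reporting SERVICE_STOPPED (a crash or a kill).
rem A clean "net stop" issued by malware running with admin rights is not a
rem failure to the SCM, so this covers crashes and kills, not legitimate stops.
rem ---------------------------------------------------------------------------

if /i "%1"=="install" goto :install

rem ---- Recovery action: the firewall could not be brought back, drop the link.
set LOG=C:\tools\failclosed.log
echo %date% %time% firewall service down, disabling adapter >> "%LOG%"

rem XP/2003 and later: administratively disable the interface.
netsh interface set interface name="Local Area Connection" admin=disabled
if not errorlevel 1 goto :done

rem Windows 2000 netsh has no admin=disabled; fall back to devcon, which
rem disables every device in the Net class (all NICs, which is the point).
devcon disable =net
if not errorlevel 1 goto :done

rem Last resort if neither tool is present: at least give up the DHCP lease.
ipconfig /release

:done
echo %date% %time% adapter disable finished, errorlevel %errorlevel% >> "%LOG%"
goto :eof

:install
rem reset=   seconds of clean running after which the failure counter goes back to 0
rem actions= 1st and 2nd failure: restart after 60 s; 3rd failure: run the command after 1 s
sc failure MyFirewallSvc reset= 86400 actions= restart/60000/restart/60000/run/1000 command= "cmd.exe /c C:\tools\failclosed.cmd"
rem Echo back what the SCM stored so a typo in the command line is caught now.
sc qfailure MyFirewallSvc
goto :eof
```

Run it once with the install argument from an administrative prompt; the recovery branch is what the SCM runs, with no arguments, under the LocalSystem account. The log file is worth keeping, because an adapter that is mysteriously disabled after a reboot is exactly the kind of "unexpected behavior" a home user cannot diagnose without a trace of why it happened.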

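On the "dynamic port allocations within the range of high ports" that the thread says make IPSec filter rules hard to write: the bulk of those on Win2K come from RPC, where the endpoint mapper on TCP 135 hands each RPC server a port from the dynamic range that changes from boot to boot. Microsoft's documented way of making that filterable (KB 154596) is to pin RPC to a fixed range in the registry. The script below is an added example, not from the post or from AnalogX's ruleset; the range 5000-5100 and the use of the XP-and-later reg.exe syntax are assumptions (the Windows 2000 Resource Kit reg.exe takes a different command form).

```batch
@echo off
rem ---------------------------------------------------------------------------
rem pin-rpc-ports.cmd  (added example, not from the original post)
rem
rem Pin the RPC dynamic port range to a known block so a handful of static
rem IPSec (or firewall) rules can cover the RPC-based services instead of
rem opening or blocking every high port.  Documented in Microsoft KB 154596.
rem
rem Assumptions: reg.exe with the /v /t /d syntax (built in from XP; the Win2K
rem Resource Kit version differs); the range 5000-5100 is an example, pick at
rem least 100 ports that nothing else on the machine listens on.  A reboot is
rem required.  Only RPC honours this key: FTP data connections, P2P apps,
rem media players etc. still choose their own secondary ports and need their
rem own rules, which is the other half of the problem the thread describes.
rem ---------------------------------------------------------------------------

set KEY=HKLM\SOFTWARE\Microsoft\Rpc\Internet

rem Ports: one or more ranges (REG_MULTI_SZ, one range per string)
reg add "%KEY%" /v Ports /t REG_MULTI_SZ /d "5000-5100" /f

rem PortsInternalAvailable = Y  ->  the listed ports are the ones RPC may use
rem (N would mean "use everything except the listed ports")
reg add "%KEY%" /v PortsInternalAvailable /t REG_SZ /d Y /f

rem UseInternetPorts = Y  ->  default policy for RPC servers that do not ask
rem for a specific port set, which is what makes the Ports value take effect
reg add "%KEY%" /v UseInternetPorts /t REG_SZ /d Y /f

rem Show what was written before rebooting.
reg query "%KEY%"

rem After the reboot, confirm the RPC listeners actually landed in the range:
rem   netstat -an | find "LISTENING"
rem A rule set that permits inbound TCP 135 plus TCP 5000-5100 from the LAN,
rem and blocks the rest of the high ports, now covers the RPC services without
rem the rules changing from boot to boot.
echo Reboot for the new RPC port range to take effect.
```

Worth doing before tuning any IPSec ruleset on a Win2K box, because the complaint upthread (an extra rule being needed after a reboot) is the classic symptom of an RPC server having been handed a different port than the one the rules allowed the last time.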
