Re: IPSec Vs Firewall software

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/09/04


Date: Tue, 09 Mar 2004 22:09:28 GMT

I have used ipsec to work in a similar situation though I think you are better off
with a firewall. Start with a mirrored block all IP rule, add a mirrored permit all
rule for the subnet if you are on one, add a mirrored permit rule with a filter
containing the allowed outbound traffic such as 80 tcp, 443 tcp, 53 udp [dns], etc.
You might first want to check your filter so that it is allowing inbound traffic from
any IP and FROM port 80 tcp to any port on your computer. --- Steve

http://www.securityfocus.com/infocus/1559

"Calvin Lai" <clai[at]qdata[dot]com> wrote in message
news:%23vpgr7eBEHA.2628@TK2MSFTNGP11.phx.gbl...
> Hi all,
>
> At the beginning I thought I could implement a firewall using IPSec provided
> w/ Win2k Server. However, I have at least one scenario that can't be
> implemented using IPSec that could be achieved thru firewall software.
>
> Here is the problem:
> I want to block all inbound IP requests on every port except 80 and perhaps
> 21. On the other hand, I want my local network to access the internet freely. As
> a result, a very naive approach would be to set up:
> a. Create an IP filter to filter all TCP from ANY IP to MY IP, NO mirror,
> and set this to Block
> b. Create an IP filter to filter all TCP from ANY IP to MY IP, NO mirror,
> port 80/21, and set this to Permit
> to your per
> However, this leads to a very serious problem. Whenever a client within my
> network tries to fetch anything from outside, e.g. a web page, the IP
> request can pass thru the policy (since there is no restriction on
> outbound). But when the data comes back to the server, it is blocked
> because of the first rule.
>
> I couldn't think of any way this could be fixed using IPSec. Does anyone
> know if this is one of the constraints of using IPSec as a "firewall"? Thanks
> for all inputs here.
>
> Calvin
>
>

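To make the two rule sets above concrete, here is an added Python model of stateless IPsec packet filters (example code, not from either poster). It follows the behaviour the thread describes: filters are stateless, a mirrored filter also matches the reverse direction, and the most specific matching filter wins. The host address 192.168.1.10, the 192.168.1.0/24 subnet and the remote addresses are constructed for the example; the "specificity" ordering is a simplification of how Windows ranks filters.

```python
# Added example: stateless model of Windows 2000 IPsec packet filters.
from ipaddress import ip_address, ip_network

ME = "192.168.1.10"              # constructed stand-in for "MY IP"
LAN = ip_network("192.168.1.0/24")  # constructed local subnet
ANY = "any"

def _addr_match(pattern, addr):
    if pattern == ANY:
        return True
    if isinstance(pattern, type(LAN)):
        return ip_address(addr) in pattern
    return pattern == addr

def _match_one(rule, proto, sip, sport, dip, dport):
    r_proto, r_sip, r_sport, r_dip, r_dport = rule["filter"]
    return ((r_proto == ANY or r_proto == proto)
            and _addr_match(r_sip, sip) and (r_sport == ANY or r_sport == sport)
            and _addr_match(r_dip, dip) and (r_dport == ANY or r_dport == dport))

def matches(rule, pkt):
    proto, sip, sport, dip, dport = pkt
    if _match_one(rule, proto, sip, sport, dip, dport):
        return True
    # A mirrored filter also covers the same packet travelling the other way.
    return rule["mirrored"] and _match_one(rule, proto, dip, dport, sip, sport)

def specificity(rule):
    return sum(1 for f in rule["filter"] if f != ANY)  # simplified ranking

def decide(policy, pkt):
    hits = [r for r in policy if matches(r, pkt)]
    if not hits:
        return "permit"  # no filter matched: IPsec leaves the packet alone
    return max(hits, key=specificity)["action"]

def rule(action, mirrored, proto, sip, sport, dip, dport):
    return {"action": action, "mirrored": mirrored,
            "filter": (proto, sip, sport, dip, dport)}

# Calvin's policy: block all TCP to me, permit TCP to me:80, nothing mirrored.
CALVIN = [rule("block", False, "tcp", ANY, ANY, ME, ANY),
          rule("permit", False, "tcp", ANY, ANY, ME, 80)]

# Steve's policy: mirrored block-all, mirrored permit for the subnet, mirrored
# permits for the allowed outbound services (80/tcp, 443/tcp, 53/udp).
STEVE = [rule("block", True, ANY, ANY, ANY, ME, ANY),
         rule("permit", True, ANY, LAN, ANY, ME, ANY),
         rule("permit", True, "tcp", ME, ANY, ANY, 80),
         rule("permit", True, "tcp", ME, ANY, ANY, 443),
         rule("permit", True, "udp", ME, ANY, ANY, 53)]

# Constructed packets: an outbound web request and the reply it provokes.
REQUEST = ("tcp", ME, 49152, "203.0.113.5", 80)
REPLY = ("tcp", "203.0.113.5", 80, ME, 49152)
```

Running `decide(CALVIN, REPLY)` returns "block" (the problem Calvin describes) while `decide(STEVE, REPLY)` returns "permit"; because the filters have no connection state, Steve's mirrored permit also accepts any unsolicited inbound packet whose source port is 80, which is why he still recommends a real firewall.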