Re: IPSEC not blocking specific IP address per Ethereal
From: T. Sean Weintz (strap_at_hanh-ct.org)
Date: 04/19/05
- Previous message: Herb Martin: "Re: Security log is full"
- In reply to: Alfredo: "IPSEC not blocking specific IP address per Ethereal"
- Next in thread: Alfredo: "Re: IPSEC not blocking specific IP address per Ethereal"
- Reply: Alfredo: "Re: IPSEC not blocking specific IP address per Ethereal"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 18 Apr 2005 18:18:04 -0400
Alfredo wrote:
> Win2k advanced server, updated service packs, IP sec with a few pinholes
> for some daemons, port blocking working well per GRC's "Shields UP",
> etc.
>
> However, when I try to block a specific IP address by using IPSEC, the
> packets get through anyway according to my Ethereal sniffer which is
> running on the same machine. I have added a very specific filter
> against those IPs but Ethereal still shows their packets getting in past
> the front door.
>
> (At least that's what I think is happening, it could be that Ethereal is
> capturing the packets before IPSEC gets to block them, which would be
> worrisome because that would certainly be an exploitable
> vulnerability.)
>
Yup. That is what's happening. WinPcap, which allows the captures for
Ethereal, is snagging the packets before they get passed to the IP
stack. Think about it - WinPcap is non-layer-3-specific - it will
capture IPX, etc. -- not just IP. It HAS to work before things get
passed to the IP stack. The IPSEC settings in windoze are of course IP
specific, therefore are higher level than WinPcap.
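
Because a capture taken on the filtered host shows inbound packets whether or not the block filter drops them, a more useful check is whether the host ever answers the blocked peer. The script below is an added example, not part of the original post; the CSV layout, the addresses and the function name are constructed for illustration.

```python
import csv
from io import StringIO

# Constructed sample: a capture summary exported as CSV (time, src, dst, proto, info).
# 192.0.2.10 is the local server, 203.0.113.7 is covered by a block filter and
# 198.51.100.9 is not. All rows and addresses are made up for this example.
SAMPLE_CAPTURE = """\
0.001,203.0.113.7,192.0.2.10,TCP,SYN
1.002,203.0.113.7,192.0.2.10,TCP,SYN
2.004,203.0.113.7,192.0.2.10,ICMP,echo-request
2.500,198.51.100.9,192.0.2.10,TCP,SYN
2.501,192.0.2.10,198.51.100.9,TCP,SYN-ACK
2.530,198.51.100.9,192.0.2.10,TCP,ACK
"""

def classify_peers(capture_csv, local_ip, peers):
    """Count packets per direction for each peer and report whether the host answered."""
    stats = {p: {"inbound": 0, "outbound": 0} for p in peers}
    for row in csv.reader(StringIO(capture_csv)):
        if len(row) != 5:          # skip blank or malformed rows
            continue
        _time, src, dst, _proto, _info = row
        if dst == local_ip and src in stats:
            stats[src]["inbound"] += 1      # seen below the IP stack
        elif src == local_ip and dst in stats:
            stats[dst]["outbound"] += 1     # emitted by the host's IP stack
    verdicts = {}
    for peer, s in stats.items():
        if s["outbound"]:
            verdicts[peer] = "host replied: traffic reached the IP stack"
        elif s["inbound"]:
            verdicts[peer] = "seen on the wire only: no reply from the host"
        else:
            verdicts[peer] = "no traffic captured"
    return stats, verdicts

if __name__ == "__main__":
    _, result = classify_peers(SAMPLE_CAPTURE, "192.0.2.10",
                               ["203.0.113.7", "198.51.100.9"])
    for peer, verdict in result.items():
        print(peer, "->", verdict)
```

A reply from the host to a supposedly blocked address shows the filter is not dropping that traffic; the absence of any reply is consistent with the block working but does not prove it on its own.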