Implementing IPSec as Firewall.

Guest

Greetings. I had been trying to implement IPSec in Windows 2K Srvr as a
firewall. I had defined all the rules and tried a port scan, and realized
that all other ports were still open. So I put up another rule blocking
all other IP ports. When this is assigned, the rule actually blocks ALL other
ports, regardless of whether there's a rule permitting certain ports or
not.

How can I block the other ports efficiently?
 
IPSec really shouldn't be used as a firewall on current platforms. The
fundamental purpose of IPSec is to authenticate that traffic is coming from
a trusted peer. It happens to allow for firewall-like filtering, but doesn't
come close to the rich feature set available through commercial firewalls,
which you're likely to want.

That said, it sounds like your rules need to be adjusted to put the correct
"weights" on them. What are the rules you've put in place?
 
Thanks for the advice.

I had wanted to allow FTP, HTTP, SMTP, and Terminal Services to go through
the IPSec only. In the meantime, block ICMP and all other ports.

What do you think? Is it implementable?
 
I agree. Microsoft KB states that IPsec is not intended as a firewall. In
addition, the logging is terrible, which causes problems both for
troubleshooting setup as you are doing, and for investigating intrusions.
www.kerio.com, www.sygate.com and www.zonealarm.com are free firewalls.

For Windows 2000, unless you harden a particular registry value / group
policy setting, IPsec is trivially bypassed by attackers by forging a
particular source port. There is guidance at www.nsa.gov/snac on how to
properly implement and harden IPsec in W2K and also here:

http://securityadmin.info/faq.asp#ipsec
 
IPsec is not so "trivially" bypassed, because source port forging won't
automatically allow the main mode SA to be created.

If I have an IPsec host that requires all traffic to be secured, you forging
a source port won't buy you squat. In fact, this config would prevent
single-packet attacks (e.g., Slammer) from compromising a system.

It's all about defense in depth though, and using the Windows Firewall in XP
SP2 (or the upcoming 2003 SP1) in combination with IPsec filters and IPsec
transport is the way to harden a device at the layer 1-4 level.



Karl Levinson [x y] mvp said:
I agree. Microsoft KB states that IPsec is not intended as a firewall. In
addition, the logging is terrible, which causes problems both for
troubleshooting setup as you are doing, and for investigating intrusions.
www.kerio.com, www.sygate.com and www.zonealarm.com are free firewalls.

For Windows 2000, unless you harden a particular registry value / group
policy setting, IPsec is trivially bypassed by attackers by forging a
particular source port. There is guidance at www.nsa.gov/snac on how to
properly implement and harden IPsec in W2K and also here:

http://securityadmin.info/faq.asp#ipsec


Ken Lee said:
Thanks for the advice.

I had wanted to allow FTP, HTTP, SMTP, and Terminal Services to go
through
the IPSec only. In the meantime, block ICMP and all other ports.

What do you think? Is it implementable?
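The two technical points in this thread are (a) that Windows IPsec filters are not applied in the order they were created but by specificity, so a catch-all block filter only wins over permit filters when it is at least as specific as they are, and (b) that a filter action of "negotiate security" drops any packet that did not arrive inside an established SA, which is why an unauthenticated port scan sees nothing even though the service ports are "open" to trusted peers. The following is an added, simplified Python model of that behaviour written for this thread; it is not code from the original posts or from Microsoft, and the weighting function, the sample addresses and the mapping of the four services to TCP ports 21, 25, 80 and 3389 are assumptions made for illustration.

```python
"""
Simplified model of Windows IPsec filter precedence and filter actions.
Assumption (not Microsoft's exact algorithm): each concrete field in a
filter adds one unit of specificity, and the most specific matching
filter decides the packet. Traffic matching no filter is passed through,
which is what the original poster saw in the first port scan.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for address, protocol or port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int]        # destination port, None for ICMP
    secured: bool = False       # True if the packet arrived inside an IPsec SA


@dataclass(frozen=True)
class Filter:
    name: str
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    action: str                 # "permit", "block" or "require" (negotiate security)

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is ANY or self.src == pkt.src)
                and (self.dst is ANY or self.dst == pkt.dst)
                and (self.proto is ANY or self.proto == pkt.proto)
                and (self.dport is ANY or self.dport == pkt.dport))

    def weight(self) -> int:
        # Assumed weighting: more concrete fields -> more specific filter.
        return sum(v is not ANY for v in (self.src, self.dst, self.proto, self.dport))


def decide(filters: List[Filter], pkt: Packet) -> str:
    """Return 'permit', 'block' or 'drop' for one packet under the filter list."""
    matching = [f for f in filters if f.matches(pkt)]
    if not matching:
        return "permit"  # IPsec does nothing for unmatched traffic
    best = max(matching, key=Filter.weight)
    if best.action == "require":
        # Secured traffic from a negotiated peer passes; anything else is silently dropped.
        return "permit" if pkt.secured else "drop"
    return best.action


# Constructed sample policy matching the poster's intent: FTP, HTTP, SMTP and
# Terminal Services only over IPsec, ICMP blocked, everything else blocked.
HOST = "10.0.0.5"  # constructed sample server address
SERVER_POLICY = [
    Filter("require-ftp", ANY, HOST, "tcp", 21, "require"),
    Filter("require-smtp", ANY, HOST, "tcp", 25, "require"),
    Filter("require-http", ANY, HOST, "tcp", 80, "require"),
    Filter("require-rdp", ANY, HOST, "tcp", 3389, "require"),
    Filter("block-icmp", ANY, HOST, "icmp", ANY, "block"),
    Filter("block-all", ANY, HOST, ANY, ANY, "block"),   # least specific: weight 1
]


def scan(filters: List[Filter], src: str, dst: str, ports: List[int],
         secured: bool = False) -> List[int]:
    """Ports that would answer a TCP probe, i.e. whose decision is 'permit'."""
    return [p for p in ports
            if decide(filters, Packet(src, dst, "tcp", p, secured)) == "permit"]


if __name__ == "__main__":
    probes = [21, 25, 80, 443, 1234, 3389]
    print("unauthenticated scan sees:", scan(SERVER_POLICY, "192.0.2.10", HOST, probes))
    print("negotiated peer sees:     ", scan(SERVER_POLICY, "192.0.2.10", HOST, probes, secured=True))
    print("ICMP echo:", decide(SERVER_POLICY, Packet("192.0.2.10", HOST, "icmp", None)))
    print("UDP/53 without block-all:", decide(SERVER_POLICY[:-1], Packet("192.0.2.10", HOST, "udp", 53)))
```

The catch-all filter has the lowest weight, so it never overrides the per-port filters; if a block-all filter did win in a real policy, the per-port filters were no more specific than it (or were not in the assigned policy at all), which is what the "what are the rules?" question in the thread is getting at. Dropping the last filter shows the other failure mode from the first post: with no matching filter, IPsec simply lets the traffic through. The model does not cover the Windows 2000 default filter exemptions discussed above, which is exactly why the guidance linked in the thread should be followed before relying on IPsec for filtering.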
 