Archived from groups: microsoft.public.win2000.security
IPsec is not so "trivially" bypassed, because source port forging won't
automatically allow the main mode SA to be created.
If I have an IPsec host that requires all traffic to be secured, you forging
a source port won't buy you squat. In fact, this config would prevent
single-packet attacks (e.g., Slammer) from compromising a system.
It's all about defense in depth though, and using the Windows Firewall in XP
SP2 (or the upcoming 2003 SP1) in combination with IPsec filters and IPsec
transport is the way to harden a device at the layer 1-4 level.
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:etWR6ivxEHA.4004@tk2msftngp13.phx.gbl...
>I agree. Microsoft KB states that IPsec is not intended as a firewall. In
> addition, the logging is terrible, which causes problems both for
> troubleshooting setup as you are doing, and for investigating intrusions.
> www.kerio.com, www.sygate.com and www.zonealarm.com are free firewalls.
>
> For Windows 2000, unless you harden a particular registry value / group
> policy setting, IPsec is trivially bypassed by attackers by forging a
> particular source port. There is guidance at www.nsa.gov/snac on how to
> properly implement and harden IPsec in W2K and also here:
>
> http://securityadmin.info/faq.asp#ipsec
>
> "Ken Lee" <KenLee@discussions.microsoft.com> wrote in message
> news:FA57D9E9-89D1-4E90-8512-7E8500F84AB8@microsoft.com...
>> Thanks for the advice.
>>
>> I had wanted to allow FTP, HTTP, SMTP, and Terminal Services to go through
>> the IPSec only, and at the same time block ICMP and all other ports.
>>
>> What do you think? Is it implementable?
>>
>> --
>> Ken.
>>
>> "David Beder [MSFT]" wrote:
>>
>> > IPSec really shouldn't be used as a firewall on current platforms. The
>> > fundamental purpose of IPSec is to authenticate that traffic is coming from
>> > a trusted peer. It happens to allow for firewall-like filtering, but doesn't
>> > come close to the rich feature set available through commercial firewalls,
>> > which you're likely to want.
>> >
>> > That said, it sounds like your rules need to be adjusted to put the correct
>> > "weights" on them. What are the rules you've put in place?
>> >
>> > --
>> > David
>> > Microsoft Windows Networking
>> > This posting is provided "AS IS" with no warranties, and confers no rights.
>> >
>> >
>> > "Ken Lee" <Ken Lee@discussions.microsoft.com> wrote in message
>> > news:A6BAEFCC-8D8B-49D5-A70B-57C29EAD90C9@microsoft.com...
>> > > Greetings. I had been trying to implement IPSec in Windows 2K Srvr as a
>> > > firewall. I had defined all the rules and tried a port scan, and
>> > > realized that all other ports are still open. So, I put up another rule
>> > > blocking all other IP ports. When this is assigned, the rule actually
>> > > blocks ALL other ports, regardless of whether there's a rule permitting a
>> > > certain port or not.
>> > >
>> > > How can I block the other ports efficiently?
>> >
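An added example, not code from this thread or from Microsoft: a small Python model of the filter "weights" David Beder refers to. It assumes the most specific matching filter wins (the weighted evaluator) and contrasts that with a naive evaluation where any matching block filter wins, which reproduces the symptom Ken Lee describes: the catch-all block swallowing every permit. The rule set, port list and action names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a filter field


@dataclass(frozen=True)
class Filter:
    name: str
    protocol: Optional[str]  # "tcp", "udp", "icmp" or ANY
    dst_port: Optional[int]  # destination port or ANY (ICMP has none)
    action: str              # "secure" (require IPsec) or "block"

    def weight(self) -> int:
        # Specificity: each concrete field adds one, wildcards add nothing.
        # This is the assumed model of "weights", not Microsoft's code.
        return int(self.protocol is not ANY) + int(self.dst_port is not ANY)

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        return (self.protocol in (ANY, protocol)
                and self.dst_port in (ANY, dst_port))


# Constructed policy modelled on Ken Lee's goal: FTP, HTTP, SMTP and Terminal
# Services only via IPsec, ICMP and every other port blocked.
POLICY = [
    Filter("ftp", "tcp", 21, "secure"),
    Filter("smtp", "tcp", 25, "secure"),
    Filter("http", "tcp", 80, "secure"),
    Filter("rdp", "tcp", 3389, "secure"),
    Filter("icmp", "icmp", ANY, "block"),
    Filter("all-other-ip", ANY, ANY, "block"),
]


def decide_weighted(policy, protocol, dst_port=None):
    """Most specific matching filter wins; the catch-all only covers the rest."""
    hits = [f for f in policy if f.matches(protocol, dst_port)]
    return max(hits, key=Filter.weight).action if hits else "block"


def decide_unweighted(policy, protocol, dst_port=None):
    """Any matching block filter wins regardless of specificity: the symptom
    Ken Lee saw, where the block-all rule overrides every permit."""
    hits = [f for f in policy if f.matches(protocol, dst_port)]
    if any(f.action == "block" for f in hits):
        return "block"
    return hits[0].action if hits else "block"


def scan(policy, evaluator, ports=(21, 25, 80, 139, 445, 3389)):
    """Decision per TCP port for a sweep, plus an ICMP probe, keyed "icmp"."""
    out = {p: evaluator(policy, "tcp", p) for p in ports}
    out["icmp"] = evaluator(policy, "icmp")
    return out
```

Running `scan(POLICY, decide_weighted)` leaves only the four services reachable (and only with IPsec), while `scan(POLICY, decide_unweighted)` blocks everything, which is what the port scan in the original post showed.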