Re: IPSEC

From: Steve Clark [MSFT] (bogus_at_microsoft.com)
Date: 02/01/05


Date: Mon, 31 Jan 2005 16:37:56 -0800

No, that's why I said best practice. :)

That is pretty much for XP SP2 and 2003 SP1... You could also use a
personal firewall for 2000, it's just that not many of them are "enterprise"
class (as in, extensible, managed with AD/GPO, etc).

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:e$Rvr6ZBFHA.2568@TK2MSFTNGP11.phx.gbl...
> Except that there is no Windows Firewall in Windows 2000. :( --- Steve
>
> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
> news:ep37GzWBFHA.4008@tk2msftngp13.phx.gbl...
>> More specific filter actions will win....
>>
>> Best practice is to use the Windows Firewall to provide that statefulness
>> and use IPsec filters/IPsec transport to augment that and optionally
>> provide per-packet authentication/encryption.
>>
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:O5$nuuQBFHA.3472@TK2MSFTNGP14.phx.gbl...
>>> Ok. Well that is fine. Ipsec is a good way to learn how to setup basic
>>> firewall rules. It would not block traffic into your network with a
>>> source port of 80 TCP because you need to allow the return traffic back
>>> into your computer [via a mirrored filter entry] when you initiate an
>>> internet connection to a website. Since ipsec is not stateful it will
>>> allow any traffic in with a source port of 80 TCP. The block all IP rule
>>> would not stop that traffic because an ipsec specific rule will override
>>> an ipsec general rule such as block all IP [don't ask me the specific
>>> way in which that is calculated as I don't know]. Anyhow your computer
>>> is in no grave danger but ipsec filters act like old packet filter
>>> firewalls before stateful packet inspection came along. --- Steve
>>>
>>>
>>> "Kerodo" <loopback@localhost.com> wrote in message
>>> news:MPG.1c6334d1a52d583c989684@news.west.cox.net...
>>>> In article <aeOdnZ5mBY-6DmTcRVn-sw@comcast.com>, n9rou@n0-spam-for-me-
>>>> comcast.net says...
>>>>> There is no way to do general logging with ipsec in Windows 2000.
>>>>> W2003 does offer some logging such as for dropped packets. You would
>>>>> need to use a software firewall such as Sygate to have some logging.
>>>>> Sygate is free for personal use, is a stateful firewall [unlike
>>>>> ipsec], and has extensive logging capabilities. Ipsec is not meant to
>>>>> be a first line internet firewall. One weakness of a packet filtering
>>>>> firewall is that due to the rules it is possible for a user to scan
>>>>> your internal network by manipulating the source port of the scan. For
>>>>> instance you may be allowing all traffic from port 80 to your computer
>>>>> from the internet. I could use a program such as SuperScan 4 to scan
>>>>> your network by using port 80 as the source port for my scan. A
>>>>> stateful firewall would not allow that. I think ipsec is great for what
>>>>> it is good at, particularly on the lan, but I would not use it as a
>>>>> permanent primary internet firewall. --- Steve
>>>>
>>>> Thanks Steven, that's helpful. I'm very familiar with all the firewalls
>>>> out there today. I'm playing with ipsec mostly out of curiosity, to see
>>>> if I could find something to use as a packet filter that's ultra lite
>>>> on resources, mostly just for fun. Sounds like I'd be better off with
>>>> something like CHX-I, which also has stateful inspection.
>>>>
>>>> If my ipsec rules only allow outbound traffic on remote port 80 (source:
>>>> my address, destination: any address), then wouldn't ipsec block any
>>>> incoming traffic from remote 80 if I also have a block all incoming rule
>>>> in place? Or does ipsec not care about the direction of the traffic?
>>>>
>>>>
>>>> --
>>>> Kerodo
>>>
>>>
>>
>>
>
>
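The source-port-80 scan that the quoted replies describe can be reproduced in a few lines. The block below is an added example written for this page, not code posted by any participant in the thread and not Microsoft's policy-agent logic. It models the two rules Kerodo describes (a mirrored "my address to any address, TCP dst port 80" permit filter and a block-all filter) under a simplified IPsec-style evaluation, then runs the same rule list through a minimal stateful engine. Assumptions, all constructed: filters match on the 5-tuple with wildcards, a mirrored filter is re-evaluated with source and destination swapped, the matching filter with the most non-wildcard fields wins (ties go to block), unmatched traffic is permitted, and the addresses MY_IP, 203.0.113.5 and 198.51.100.7 are made up.

```python
"""Added example: why a Windows IPsec filter list is not a stateful firewall.

The filter semantics here are a simplification (constructed for this
illustration, not the exact Windows policy-agent algorithm): match on the
5-tuple with wildcards, mirrored filters also match with src/dst swapped,
the most specific matching filter wins, ties go to "block"."""

from dataclasses import dataclass
from typing import Optional

MY_IP = "192.168.1.10"   # the protected host (constructed address)
ANY = None                # wildcard for any filter field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class Filter:
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    proto: Optional[str]
    action: str            # "permit" or "block"
    mirrored: bool = False

    @staticmethod
    def _fits(pattern, value) -> bool:
        return pattern is ANY or pattern == value

    def matches_forward(self, p: Packet) -> bool:
        return (self._fits(self.src_ip, p.src_ip) and self._fits(self.src_port, p.src_port)
                and self._fits(self.dst_ip, p.dst_ip) and self._fits(self.dst_port, p.dst_port)
                and self._fits(self.proto, p.proto))

    def matches(self, p: Packet) -> bool:
        # A mirrored filter is evaluated again with src/dst swapped. That is
        # what lets the web server's reply back in, and also the scan.
        if self.matches_forward(p):
            return True
        if not self.mirrored:
            return False
        return self.matches_forward(Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto))

    def specificity(self) -> int:
        # Assumed scoring: number of non-wildcard fields (not the real Windows weighting).
        return sum(f is not ANY for f in
                   (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto))


def decide(filters, p: Packet, allow_mirror: bool = True) -> str:
    """Stateless, IPsec-style verdict: most specific matching filter wins."""
    hits = [f for f in filters if (f.matches(p) if allow_mirror else f.matches_forward(p))]
    if not hits:
        return "permit"   # traffic matching no filter is left alone
    best = max(f.specificity() for f in hits)
    return "block" if any(f.action == "block" and f.specificity() == best for f in hits) else "permit"


class StatefulFirewall:
    """Same filter list, but inbound packets are admitted only when they belong
    to a connection this host opened, or match an explicit non-mirrored permit."""

    def __init__(self, filters):
        self.filters = filters
        self.state = set()   # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, p: Packet) -> str:
        verdict = decide(self.filters, p)
        if verdict == "permit":
            self.state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return verdict

    def inbound(self, p: Packet) -> str:
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.state:
            return "permit"                      # reply to a connection we initiated
        return decide(self.filters, p, allow_mirror=False)   # new inbound: no mirroring


# Kerodo's two rules: allow me -> any:80 (mirrored), then block everything else.
PERMIT_WEB = Filter(MY_IP, ANY, ANY, 80, "TCP", "permit", mirrored=True)
BLOCK_ALL = Filter(ANY, ANY, ANY, ANY, ANY, "block")
POLICY = [PERMIT_WEB, BLOCK_ALL]


def scenario() -> dict:
    browse = Packet(MY_IP, 49152, "203.0.113.5", 80)   # we open a web page
    reply = Packet("203.0.113.5", 80, MY_IP, 49152)    # the web server answers
    scan = Packet("198.51.100.7", 80, MY_IP, 139)      # probe of port 139 using src port 80
    fw = StatefulFirewall(POLICY)
    return {
        "ipsec": {"browse": decide(POLICY, browse),
                  "reply": decide(POLICY, reply),
                  "scan": decide(POLICY, scan)},
        "stateful": {"browse": fw.outbound(browse),
                     "reply": fw.inbound(reply),
                     "scan": fw.inbound(scan)},
    }


if __name__ == "__main__":
    for engine, verdicts in scenario().items():
        print(engine, verdicts)
```

Under the IPsec-style evaluation the scan packet is permitted: the mirrored permit filter matches it on the swapped tuple (destination is my address, source port is 80) and, being more specific than the block-all filter, wins. The stateful engine permits the genuine reply because it sits in the state table, and blocks the probe because no connection to 198.51.100.7 was ever opened and no non-mirrored inbound permit exists.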


