OSEC

Subject: Re: Windows 2000 Professional and firewalls
From: Bob Jiantonio (bobjFREENAMEREGISTRY.COM)
Date: Tue Aug 01 2000 - 13:53:53 CDT


I have an OpenBSD box that works as a firewall, and work for an NT third-party
tools company. Consequently I have set up a little 5-box LAN at home with
Win2k: two DCs, a cert server, etc. ... need to be ready and get certed on
Win2k.

I have been doing some playing around with the IPsec in Win2k, as have
others, and have found that the rules are versatile--Win2k basically comes
with its own personal firewall--you don't have to use the IPsec for
encryption only, you can use it to block IP/ICMP traffic too..... I have a
lot more to learn, but it will be worth looking into. Why use Zone Alarm or
Black Ice on personal or home Win2k boxes if IPsec can do the job? Well,
it's not quite that easy, but... well, I still have to figure out how to deny
all ports at once and then allow only what I need/want.

Check it out if you have Win2k: Local Security Policy : "IP Security Policies
on Local Machine". Do some punching around. Totally block everything by
mistake and not be sure how you did it.... :) Erm, well, it's working again, so
I guess I un-did it OK....

The stated purpose of IPSec is to encrypt IP traffic, a functionality that
mainly only interests system admins. Fine, but Windows 2000's implementation
may also offer something to private users, for it comes with an elaborate
(OK, scratch that: CONFUSING :) filtering system that allows you to determine
what traffic to permit or to block, based on IP address, subnet, and/or port
number. It can selectively block ANY IP traffic based on specific criteria,
including ICMP traffic, which means that no outsiders can even ping you if
it's configured correctly. Others have gotten it to achieve "Stealth" on the
GRC "Shields Up" web site... I am not quite there yet... :)
While IPSec's traffic filtering is not dynamic like Zone Alarm, Winroute, or
BlackICE, its rules are far more configurable. I found that the bells and
whistles in BID and ZA are sort of "gee whiz" for a week, then it's "ho hum,
just another script kiddie."

BSODs on NDIS were not so much fun with Black Ice.... I gave up on it after
the last few "versions".

If you have Active Directory on a home or test LAN like me, a single set of
IPSec rules can be configured centrally and propagated to all client systems
through GPO. It is, on the other hand, not as easy to use as the personal
firewalls, or even ipchains or OpenBSD--requiring a bit of knowledge about
how IP works. But hey, we ARE talking Win2k users and admins here... not your
average Win9x user who asks "Uh, what's UDP again?" Then again, my confusion's
very similar to the first IP masq firewall I set up--still learning.

After dealing with Black Ice "filter failed" problems and BSODs and
incompatibilities with other 'personal firewalls', I think I am going to
devote some time to figuring out something that comes with Win2k instead of
kludging it up....

If all else fails, back to OpenBSD :) or that Linksys 4-port router (I have
one now too).

Bob
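The "deny all ports at once, then allow only what I need" pattern Bob is trying to build in the Win2k IPsec snap-in, written out as an added example that is not part of the original post. It uses the Windows Firewall PowerShell cmdlets (NetSecurity module, Windows 8 / Server 2012 and later), which do not exist on Windows 2000; the idea is the same one the post describes, just with a tool that makes the default-deny step explicit. The LAN subnet, rule names and ports are constructed sample values.

```powershell
# Added example, not from the original post. Builds a default-deny inbound
# policy with a short allow list scoped to the home LAN, then prints what is
# actually open. Requires an elevated shell and the NetSecurity module.
# The subnet, rule names and ports below are constructed sample values.

$LanSubnet  = '192.168.1.0/24'   # assumption: the 5-box home LAN from the post
$RulePrefix = 'HomeLAN-'         # common prefix so the rules are easy to find/remove

# 1. "Block all ports at once": make Block the inbound default on every
#    profile. Outbound stays open so the box can still reach the network.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. "Allow only what I need/want": each hole is limited to the LAN subnet,
#    so nothing outside it is reachable even on the allowed ports.
$allowList = @(
    @{ Name = 'RDP';  Protocol = 'TCP'; Port = 3389 }   # remote desktop
    @{ Name = 'SMB';  Protocol = 'TCP'; Port = 445  }   # file sharing
    @{ Name = 'LDAP'; Protocol = 'TCP'; Port = 389  }   # DC traffic on the test LAN
)
foreach ($entry in $allowList) {
    $name = $RulePrefix + $entry.Name
    # Idempotent: re-running the script does not create duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol $entry.Protocol -LocalPort $entry.Port `
            -RemoteAddress $LanSubnet -Action Allow | Out-Null
    }
}

# 3. ICMP echo requests (type 8) only from the LAN. With the inbound default
#    at Block, outside hosts get no reply at all, which is what "stealth" on
#    an external probe amounts to.
$pingRule = $RulePrefix + 'Ping'
if (-not (Get-NetFirewallRule -DisplayName $pingRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $pingRule -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $LanSubnet -Action Allow | Out-Null
}

# 4. Check the result: profile defaults, then every hole that is open and
#    who it is open to. This is the list to review after "punching around".
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table

foreach ($rule in Get-NetFirewallRule -DisplayName "$RulePrefix*" | Where-Object Enabled -eq 'True') {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    '{0,-14} {1,-6} port {2,-5} from {3}' -f $rule.DisplayName, $port.Protocol, $port.LocalPort, $addr.RemoteAddress
}

# To undo the allow list (the profile default stays at Block):
#   Remove-NetFirewallRule -DisplayName "$RulePrefix*"
```

The same cmdlets accept a `-PolicyStore` parameter naming a Group Policy object, which is the modern counterpart of the central, GPO-propagated rule set the post mentions for an Active Directory LAN: write the rules once into the GPO and every domain member picks them up. Step 4 is the part worth keeping even if the rest is done by hand, since a default-deny policy that "totally blocks everything by mistake" is usually one missing allow rule away from working, and listing the open holes is the fastest way to see which one.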