From: Rich Wilson (wk633@yahoo.com)
Date: Wed Jul 04 2001 - 13:18:05 CDT
Hm, I don't know a lot about IPSec, so most of my assumptions are based on
'real' packet filtering. I'm expecting the packets to not make it to any
applications on the system. That is, if I mess up and leave an SMTP server
running, I'd hope my filter rules prevent anyone from connecting to it. My
tests with a UDP test server showed that was happening. But you do raise a
good point, at what level does the system get the NetBT release and generate an
Event? Presumably before IPSec gets involved.
--- "Laura A. Robinson" <lrobinson@intellimark-it.com> wrote:
> Keep in mind that filtering packets prevents those packets from being passed
> to other interfaces or networks, but doesn't mean the interface receiving
> them never sees them. How would it filter packets if it didn't evaluate them
> first? As long as the NetBIOS release messages you're seeing are only
> getting to that interface and no further, I'd say your filters are working
> as expected. Does this make sense?
>
> Laura A. Robinson
> Technical Instructor/Consultant
> MCT, MCSE, CLI, PCLP
> IntelliMark Pennsylvania Division
> http://www.intellimark-it.com
> lrobinson@intellimark-it.com
> ----- Original Message -----
> From: "Rich Wilson" <wk633@yahoo.com>
> To: "Ben Jolly" <Ben.Jolly@neonsys.com>; <focus-ms@securityfocus.com>
> Sent: Tuesday, July 03, 2001 6:55 PM
> Subject: RE: NetBT release messages
>
>
> > DOH!
> >
> > Thanks (and to Laura, and a few others who replied privately).
> >
> > It still doesn't answer my questions ('problems') but it does 'solve' the
> > problem, which is good enough for me right now. The messages are being
> > generated by other machines (not the one generating the Event), so I'm
> > still a bit worried as to how they are getting through my IPSec filters. I
> > guess MS thinks our Computing Experience will be better if some things are
> > left a mystery :-)
> >
> > --- Ben Jolly <Ben.Jolly@neonsys.com> wrote:
> > > Disable NetBIOS on the External Interface. If you are just Blocking
> > > NetBIOS then NetBIOS is still active on that interface. Go to the
> > > Properties of the connection, Internet Protocol Properties, Advanced,
> > > WINS, select Disable NetBIOS over TCP/IP.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Rich Wilson [mailto:wk633@yahoo.com]
> > > Sent: Friday, June 29, 2001 5:21 PM
> > > To: focus-ms@securityfocus.com
> > > Subject: NetBT release messages
> > >
> > >
> > > I have a problem that's driving me batty.
> > >
> > > I have a dual-hosted server, internal network is 172.16.1.0, external
> > > is 192.168.1.0 (all behind a corporate FW). The server has ipsec rules
> > > applied for port filtering. There's a default deny everything rule, a
> > > rule that allows anything from 172.16.1.0, an HTTP rule (allow TCP from
> > > any to my address on 80), an SMTP client rule (allow TCP from me to any
> > > on 25) and a DNS client rule (allow TCP/UDP from me to any on 53).
> > >
> > > The server is getting NetBT release messages from other machines on the
> > > 192.168.1.0 network, and generating Event ID 4320. The IP in the data of
> > > the event always points to a 192.168.1.0 machine. The machines generating
> > > the release messages don't have access to the 172.16.1.0 network.
> > >
> > > Problem 1 is why other machines are generating these? I've been through
> > > all the 'normal' reasons for this (searching http://www.eventid.net and
> > > http://support.microsoft.com/support/kb/articles/Q120/7/52.asp) but I
> > > can't see any duplicate names anywhere. I've heard having a workgroup
> > > name and system name the same will cause this, I don't have that.
> > >
> > > Problem 2 is how these messages are getting past IPSec. They appear even
> > > if I have a specific rule to block UDP on ports 137, 138 and 139. I went
> > > so far as to write a client/server to send simple UDP packets to make sure
> > > IPSec was working, and it is in fact blocking.
> > >
> > > Anybody run across something like this before? I am using Win2K server,
> > > SP2.
> > >
> > >
> > > =====
> > > : __o
> > > : -\<,
> > > : 0/ 0
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Get personalized email addresses from Yahoo! Mail
> > > http://personal.mail.yahoo.com/
> >
> >
>
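The thread never settles what the datagrams behind Event ID 4320 actually contain or which host they really come from. The following is an added example of my own, not code from anyone in this thread: a small decoder for NetBIOS Name Service (UDP/137) datagrams per RFC 1002 that picks out Name Release requests and checks whether the address a release claims matches the IP source it arrived from. Feed it UDP/137 payloads captured on the 192.168.1.0 interface and you can see whether releases reach the wire at all, independent of what the NetBT driver logs. The two sample datagrams, the name FILESRV and the 192.168.1.x addresses are constructed for the example and are not from the thread.

```python
"""Decode NetBIOS Name Service (UDP/137) datagrams and pick out Name Release
requests, following the packet layout in RFC 1002 section 4.2.

Added example for this thread, not code from any of its participants."""
import struct

OPCODE_NAMES = {0: "query", 5: "registration", 6: "release",
                7: "wack", 8: "refresh", 9: "refresh"}
TYPE_NB = 0x0020  # QUESTION_TYPE / RR_TYPE for a NetBIOS general name service RR


def decode_netbios_name(encoded: bytes) -> tuple:
    """Undo RFC 1001 first-level encoding: 32 letters 'A'..'P' -> 15-char name, suffix byte."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns(datagram: bytes) -> dict:
    """Parse the header, the question and (for registration/release/refresh)
    the additional RR that carries the claimed IP address."""
    if len(datagram) < 12:
        raise ValueError("truncated NBNS header")
    trn_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", datagram[:12])
    info = {
        "trn_id": trn_id,
        "response": bool(flags & 0x8000),              # R bit
        "opcode": OPCODE_NAMES.get((flags >> 11) & 0xF, "unknown"),
        "broadcast": bool(flags & 0x0010),             # NM_FLAGS.B
        "rcode": flags & 0xF,
        "name": None, "suffix": None, "address": None,
    }
    offset = 12
    if qdcount >= 1:
        # QUESTION_NAME: 0x20 length byte, 32 encoded letters, 0x00 terminator,
        # followed by QUESTION_TYPE and QUESTION_CLASS (38 bytes in total).
        if len(datagram) < offset + 38 or datagram[offset] != 0x20:
            raise ValueError("malformed question section")
        info["name"], info["suffix"] = decode_netbios_name(datagram[offset + 1:offset + 33])
        offset += 38
    if arcount >= 1 and ancount == 0 and nscount == 0 and len(datagram) > offset:
        # RR_NAME is normally a compressed pointer (0xC00C) back to the question name.
        offset += 2 if datagram[offset] & 0xC0 == 0xC0 else 34
        if len(datagram) < offset + 16:
            raise ValueError("truncated additional record")
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", datagram[offset:offset + 10])
        offset += 10
        if rtype == TYPE_NB and rdlength >= 6:
            nb_flags = struct.unpack("!H", datagram[offset:offset + 2])[0]
            info["group"] = bool(nb_flags & 0x8000)    # G bit: group vs unique name
            info["address"] = ".".join(str(b) for b in datagram[offset + 2:offset + 6])
    return info


def find_name_releases(captured) -> list:
    """captured: iterable of (source_ip, udp_payload) pairs taken off the interface.
    Returns one record per Name Release request, noting whether the address the
    release claims matches the IP header source it arrived from."""
    releases = []
    for src, payload in captured:
        try:
            info = parse_nbns(payload)
        except (ValueError, struct.error, UnicodeDecodeError):
            continue  # not a well-formed NBNS datagram; ignore for this purpose
        if info["opcode"] == "release" and not info["response"]:
            releases.append({
                "source": src,
                "name": info["name"],
                "suffix": info["suffix"],
                "claimed_address": info["address"],
                "address_matches_source": info["address"] == src,
            })
    return releases


# Constructed sample datagrams (made up for this example; the host name FILESRV
# and the 192.168.1.x addresses are not from the thread).
_ENCODED_FILESRV = b"EGEJEMEFFDFCFG" + b"CA" * 8   # "FILESRV" space-padded to 15 chars
SAMPLE_RELEASE = (
    b"\x12\x34\x30\x10\x00\x01\x00\x00\x00\x00\x00\x01"    # id, opcode 6 + B, QD=1, AR=1
    + b"\x20" + _ENCODED_FILESRV + b"AA" + b"\x00"         # FILESRV<00>
    + b"\x00\x20\x00\x01"                                  # type NB, class IN
    + b"\xc0\x0c\x00\x20\x00\x01\x00\x00\x00\x00\x00\x06"  # ptr, NB, IN, TTL 0, RDLENGTH 6
    + b"\x00\x00" + bytes([192, 168, 1, 50])               # NB_FLAGS, NB_ADDRESS
)
SAMPLE_QUERY = (
    b"\xab\xcd\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"    # id, opcode 0 + RD + B, QD=1
    + b"\x20" + _ENCODED_FILESRV + b"CA" + b"\x00"         # FILESRV<20>
    + b"\x00\x20\x00\x01"
)
SAMPLE_CAPTURE = [("192.168.1.50", SAMPLE_RELEASE), ("192.168.1.77", SAMPLE_QUERY)]

if __name__ == "__main__":
    for rec in find_name_releases(SAMPLE_CAPTURE):
        print(rec)
```

Run over a real capture, a release whose claimed address differs from the packet's source, or releases for a name the server itself holds, are the records to chase; a capture that shows no releases on the interface while the Event keeps firing points at the driver seeing traffic before the filter, which is the open question in the thread.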