RE: IPsec vs any personal software firewall

From: Sam Steinmeyer (SamSteinmeyerwinn-dixie.com)
Date: Tue Sep 30 2003 - 06:52:47 CDT


All,

Info: The quote that Lee referenced is contained in this Microsoft article.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dnsbj_ips_dbmy.asp

Note: IPSEC for windows 2000 and XP can be set to deny Kerberos and RSVP by
setting the registry key

HKLM\SYSTEM\CurrentControlSet\Services\IPSEC: NoDefaultExempt, DWORD=1

At this point Windows 2000 and XP will allow Broadcast, multicast, and IKE
traffic.

XP goes one step farther by allowing you set the registry key

HKLM\SYSTEM\CurrentControlSet\Services\IPSEC: NoDefaultExempt, DWORD=2

This will block all the aforementioned traffic.

IPSEC is not a replacement for a good firewall. However, it's a good
backup for DMZs that have multiple servers. If one server gets compromised, all
other servers within the scope of the compromised server could be
compromised. Thus, IPSEC and a good firewall together are the best plan.

The information I've provided in this e-mail can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/askus/auas0801.asp

Thanks,
Harry Steinmeyer
Senior Programmer
Winn-Dixie, Inc.
(904) 370 - 5949
rm -r /bin/laden
"Science without religion is lame, religion without science is blind."
Einstein, Albert (1879-1955)

REMEMBER: IF IT ISN'T DOCUMENTED IT ISN'T DONE

-----Original Message-----
From: Lee Evans [mailto:leevital.co.uk]
Sent: Monday, September 29, 2003 12:43 PM
To: 'Kamran Muzaffer'; focus-mssecurityfocus.com
Subject: RE: IPsec vs any personal software firewall

Hi,

IPSec filters are not a replacement for a firewall. There are many
reasons for this, but the most obvious is that potential attackers can
easily bypass any filters under a default configuration. From MS
technet:

"By default in Windows 2000 and Windows XP, broadcast, multicast,
Kerberos, RSVP, and ISAKMP traffic is exempt from IPSec filtering"

So simply by forging a source port of 88 on any malicious traffic they
bypass the IPSec filters.

I believe this is changed for Windows 2003.

Regards
Lee
--
Lee Evans

> -----Original Message-----
> From: Kamran Muzaffer [mailto:kmahmedcyber.net.pk]
> Sent: 26 September 2003 01:35
> To: focus-mssecurityfocus.com
> Subject: IPsec vs any personal software firewall
>
> Hi,
>  
> I just want to know what is preferred from the machine
> utilization point of view, filtering traffic through IPsec or
> using any software firewall like Tiny Personal, Zone Alarm
> etc. Microsoft's documentation states that IPsec rules do
> affect the performance of the machine on which they are
> applied. Is there any proper guideline or 'things to
> remember' for implementing a performance- and security-
> effective IPsec or firewall structure?
>  
> Thanks in advance.
>  
> Regards,
> Kamran Muzaffer
>
