2 Apr 2002 00:11
Re: Port Ranges in IPSec
Jared Valentine <hidden <at> xmission.com>
2002-04-01 22:11:08 GMT
You could do something like this with 3Com's Embedded Firewall. It's a centrally managed "firewall on a NIC". All of the filtering is done in hardware, which stops anyone from bypassing the firewall. You can filter based on source/destination address/mask/port, IP protocol (TCP/UDP, etc.) and direction (inbound/outbound/both). It's a reliable way to do filtering on a server, and you don't have to rely on software. Plus, it allows you to set up a filter that utilizes port ranges.

Jared Valentine
hidden <at> xmission.com

On Fri, 22 Mar 2002, Rich Wilson wrote:

> Short answer, no.
>
> A couple of things to watch out for. If you're scripting this, be sure you specify UDP and/or TCP. If you fall back to ANY, then non-port protocols (everything but UDP and TCP AFAIK) will be allowed in. That is, if you have an ANY rule, you will allow in ICMP, and you may not want to.
>
> If you have any client services, then you will be open to attacks sourced from the destination port of that rule. Say what? OK, e.g. you want to allow SMTP traffic out. So you have a rule that allows host IP any port to any IP port 25. That will also allow any IP sourced from port 25 to connect to any port on the host IP. IPSec doesn't inspect the TCP packet to decide if it is part of an existing connection (no SYN flag) or an initial connection attempt (SYN flag set).
>
> As far as I'm concerned, IPSec port filtering is useful for stopping casual client use of a server, and that's about it.
>
> Ok, it will block ping and traceroute/tracert, but that's just obscurity.
>
> --- "Jonathan G. Lampe" <jonathan <at> stdnet.com> wrote:
> > I was doing a little work for a customer the other day who made extensive use of the IPSec PERMIT and DENY rules and filters on Windows 2000 to keep machines from receiving or emitting traffic. After some playing around with Veritas's BackupExec product, we found that we needed to define more than 50 IPSec filters to get the product to work. (BackupExec consumes 1 TCP port for its agent (6103), plus 25xTCP/UDP ports for RPC (24001-24025 recommended - some tinkering required), plus NetBIOS ports and UDP port 88 for Kerberos.)
> >
> > It took almost an hour just to bang all this in.
> >
> > My question is...is there any way at all to define RANGES of ports in Windows 2000 IPSec without specifying each port individually?
> >
> > - Jonathan Lampe
> > - jonathan <at> stdnet.com
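As an added illustration (not code from this thread or from any of the products named in it), the following Python model shows the two filtering behaviours Rich Wilson describes: a stateless, mirrored port filter lets a new connection sourced from port 25 reach any port on the host, and an ANY-protocol rule lets ICMP through, while a SYN-aware check on the same rule list closes the first gap. The addresses, ports, rule and packet names are all constructed for the example, and the per-port list built by expand_range stands in for the filters the original poster had to enter one by one.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard, like the "Any IP address" / "Any port" / "Any protocol" selectors

@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    new_conn: bool = False   # TCP SYN set, ACK clear: an initial connection attempt

@dataclass(frozen=True)
class Rule:
    proto: Optional[str]
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    def _fits(self, proto, src, sport, dst, dport) -> bool:
        return all(sel in (ANY, val) for sel, val in
                   ((self.proto, proto), (self.src, src), (self.sport, sport),
                    (self.dst, dst), (self.dport, dport)))
    def matches(self, p: Packet, mirrored: bool = True) -> bool:
        # Stateless: TCP flags are not inspected, and a mirrored filter
        # (the Windows 2000 default) also matches with src/dst swapped.
        fwd = self._fits(p.proto, p.src, p.sport, p.dst, p.dport)
        rev = mirrored and self._fits(p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd or rev

def expand_range(proto, src, dst, first, last):
    # One filter per port: the list the original poster had to type in by hand.
    return [Rule(proto, src, ANY, dst, port) for port in range(first, last + 1)]

def stateless_permit(rules, p):
    return any(r.matches(p) for r in rules)

def syn_aware_permit(rules, p):
    # Same filter list, but an initial SYN is only accepted in the forward direction.
    if p.proto == "tcp" and p.new_conn:
        return any(r.matches(p, mirrored=False) for r in rules)
    return stateless_permit(rules, p)

HOST, MAIL = "10.0.0.5", "203.0.113.9"                  # constructed addresses
SMTP_OUT = Rule("tcp", HOST, ANY, ANY, 25)               # "host any port -> any IP port 25"
ANY_PROTO = Rule(ANY, HOST, ANY, MAIL, ANY)              # protocol selector left at ANY
outbound_smtp = Packet("tcp", HOST, 40000, MAIL, 25, new_conn=True)
reply_from_25 = Packet("tcp", MAIL, 25, HOST, 40000)                  # legitimate reply
inbound_from_25 = Packet("tcp", MAIL, 25, HOST, 3389, new_conn=True)  # reversed rule
ping = Packet("icmp", MAIL, None, HOST, None)
```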