Focus on Microsoft
IPSec rules Apr 20 2004 07:34AM
first last (in5ecure24 hotmail com) (4 replies)
IPSec 'window size' Apr 22 2004 05:55AM
Aaron Drew (ripper internode on net)
Re: IPSec rules Apr 21 2004 02:52PM
Maxime Ducharme (mducharme cybergeneration com)

Hi

I'm also using IPSec and have had this issue since the beginning.
As long as you have a rule that opens your host to access external
services (like WWW, POP3, ...) and have the "mirror" option set to
"on" on these filters, they will allow any port to be scanned with the correct
source port. (nmap -sS -g80 -P0 1.2.3.4)

I'm using it only on servers where I set a rule "from me to any -> BLOCK",
and open only ports I need to be accessible from the Internet (like port 80
for a web server).

The server itself doesn't have access to the Internet, but the "mirror" option
allows it to answer requests on port 80.

This way, source port scanning doesn't work; only opened ports are accessible.

I suggest following this article:
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp

And use a "Block ALL" rule.

A better solution: use a real router or firewall. IPSec is only good for basic
port control and is not designed to do advanced packet filtering.

Hope this helps

Have a nice day

Maxime Ducharme, Programmer / Network Security Specialist

----- Original Message -----
From: "first last" <in5ecure24 (at) hotmail (dot) com>
To: <focus-ms (at) securityfocus (dot) com>
Sent: Tuesday, April 20, 2004 3:34 AM
Subject: IPSec rules

> Hello everyone,
>
> I have been using IPSec for a while now, I am a fan of it BUT there's 1
> weakness that I'd like to see if there's a way around.
>
> Basically it comes down to source port scanning. Now the thing is if you have
> a rule that allows traffic to go FROM you:any TO the internet:80 all someone
> has to do is scan from port 80 on their PC. Poof, allowed traffic. So I tried
> to set up more rules, i.e. FROM internet:21,53,80 TO me:21,53,80 and block this,
> hoping since there's a 2nd more specific rule that it will block all
> connections from any:80 TO me:80 since this traffic should never be
> happening anyway... but nope, doesn't work...
>
> So my question for you is how can I do a work-around? Is there a registry
> setting I can fix? Set priorities for applying IPSec rules? Anything at all.
>
> The only thing that I can think of that would work is to make tens of thousands
> of allow rules like ...
>
> FROM any:1200 TO me:80 allow
> FROM any:1201 TO me:80 allow
> FROM any:1202 TO me:80 allow and on and on. I'd have to write a script to
> write a script to make the rules (unless I made 1 script w/ tens of
> thousands of MANUALLY written rules and that's not gonna happen...)
>
> In case I wasn't too clear, I want to prevent source port scanning from revealing
> everything running on that box, blocking things like
>
> FROM any:80 TO me:80 block
> FROM any:80 TO me:135 block
> FROM any:80 TO me:445 block etc. etc.
>
> any ideas?
>
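A simplified model of the filter behaviour Maxime and the original poster describe, added here as an example and not part of the thread: it assumes a Windows IPSec-style evaluation in which a mirrored filter also matches the reversed direction, the most specific matching filter wins, and packets matching no filter pass; the host address and port numbers are constructed.

```python
# Added example (not from the thread): a toy model of IPSec packet filters
# with the "mirror" option and most-specific-filter-wins evaluation. It shows
# why "FROM me:any TO any:80 allow" (mirrored) admits a probe from source
# port 80 to ANY local port, and why "block all, then allow only served
# ports" does not, while still letting the web server answer its clients.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None          # wildcard for a host or a port
ME = "10.0.0.5"     # constructed address of the protected host

Packet = Tuple[str, int, str, int]  # (src_host, src_port, dst_host, dst_port)

@dataclass(frozen=True)
class Filter:
    src_host: Optional[str]
    src_port: Optional[int]
    dst_host: Optional[str]
    dst_port: Optional[int]
    action: str            # "allow" or "block"
    mirrored: bool = True  # IPSec "mirror": also match the reversed direction

    def _match(self, sh: str, sp: int, dh: str, dp: int) -> bool:
        fields = ((self.src_host, sh), (self.src_port, sp),
                  (self.dst_host, dh), (self.dst_port, dp))
        return all(f is None or f == v for f, v in fields)

    def matches(self, pkt: Packet) -> bool:
        sh, sp, dh, dp = pkt
        return self._match(sh, sp, dh, dp) or (self.mirrored and self._match(dh, dp, sh, sp))

    def specificity(self) -> int:
        # Model assumption: a filter with more concrete fields outranks a more general one.
        return sum(f is not None for f in (self.src_host, self.src_port, self.dst_host, self.dst_port))

def evaluate(policy: List[Filter], pkt: Packet) -> str:
    hits = [f for f in policy if f.matches(pkt)]
    if not hits:
        return "allow"  # model assumption: a packet matching no filter is left alone
    best = max(f.specificity() for f in hits)
    actions = {f.action for f in hits if f.specificity() == best}
    return "block" if "block" in actions else "allow"  # tie resolved conservatively

# The poster's policy: one mirrored filter "FROM me:any TO internet:80 allow".
WEAK = [Filter(ME, ANY, ANY, 80, "allow")]
# Maxime's policy: mirrored "from me to any -> BLOCK", then allow only what is served.
HARDENED = [Filter(ME, ANY, ANY, ANY, "block"), Filter(ANY, ANY, ME, 80, "allow")]

PROBE_TO_135 = ("198.51.100.9", 80, ME, 135)     # source-port-80 probe at an unserved port
CLIENT_TO_80 = ("198.51.100.9", 40000, ME, 80)   # legitimate request to the web server
REPLY_FROM_80 = (ME, 80, "198.51.100.9", 40000)  # the server's reply, passed by the mirror
```

The same policies can be extended with further `Filter(ANY, ANY, ME, port, "allow")` entries for each additional service the host must expose.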

Re: IPSec rules Apr 21 2004 02:27PM
Brian Eckman (eckman umn edu)
Re: IPSec rules Apr 20 2004 04:57PM
Noah (noah ieee org)