IPSEC

[Kerodo]

I'm using IPSEC as a basic packet filter here on my Win2k machine. Is
there any way to do any kind of logging with IPSEC so I can see what
packets are being blocked?

 

[Steven L Umbach]

There is no way to do general logging with ipsec in Windows 2000. W2003 does
offer some logging such as for dropped packets. You would need to use a
software firewall such as Sygate to have some logging. Sygate is free for
personal user, is a stateful firewall [unlike ipsec] , and has extensive
logging capabilities. Ipsec is not meant to be a first line internet
firewall. One weakness of a packet filtering firewall is that due to the
rules it is possible for a user to scan your internal network by
manipulating the source port of the scan. For instance you may be allowing
all traffic from port 80 to your computer from the internet. I could use a
program such as Supercan 4 to scan your network by using port 80 as the
source port for my scan. A stateful firewall would not allow that. I think
ipsec is great for what it is good at, particularly on the lan, but I would
not use it as a permanent primary internet firewall. --- Steve

 

[Kerodo]

There is no way to do general logging with ipsec in Windows 2000. W2003 does
offer some logging such as for dropped packets. You would need to use a
software firewall such as Sygate to have some logging. Sygate is free for
personal user, is a stateful firewall [unlike ipsec] , and has extensive
logging capabilities. Ipsec is not meant to be a first line internet
firewall. One weakness of a packet filtering firewall is that due to the
rules it is possible for a user to scan your internal network by
manipulating the source port of the scan. For instance you may be allowing
all traffic from port 80 to your computer from the internet. I could use a
program such as Supercan 4 to scan your network by using port 80 as the
source port for my scan. A stateful firewall would not allow that. I think
ipsec is great for what it is good at, particularly on the lan, but I would
not use it as a permanent primary internet firewall. --- Steve

Thanks Steven, that's helpful. I'm very familiar with all the firewalls
out there today. I'm playing with ipsec mostly out of curiosity, to see
if I could find something to use as a packet filter that's ultra lite on
resources, mostly just for fun. Sounds like I'd be better off with
something like CHX-I, which also has stateful inspection.

If my ipsec rules only allow outbound traffic on remote port 80 (source:
my address, destination: any address), then wouldn't ipsec block any
incoming traffic from remote 80 if I also have a block all incoming rule
in place? Or does ipsec not care about the direction of the traffic?

 

[Steven L Umbach]

Ok. Well that is fine. Ipsec is a good way to learn how to setup basic
firewall rules. It would not block traffic into your network with a source
port of 80 TCP because you need to allow the return traffic back into your
computer [via a mirrored filter entry] when you initiate an internet
connection to a website. Since ipsec is not stateful it will allow any
traffic in with a source port of 80 TCP. The block all IP rule would not
stop that traffic because an ipsec specific rule will override and ipsec
general rule such as block all IP [don't ask me the specific way in which
that is calculated as I don't know]. Anyhow your computer is in no grave
danger but ipsec filters act like old packet filter firewalls before
stateful packet inspection came along. --- Steve

There is no way to do general logging with ipsec in Windows 2000. W2003
does
offer some logging such as for dropped packets. You would need to use a
software firewall such as Sygate to have some logging. Sygate is free for
personal user, is a stateful firewall [unlike ipsec] , and has extensive
logging capabilities. Ipsec is not meant to be a first line internet
firewall. One weakness of a packet filtering firewall is that due to the
rules it is possible for a user to scan your internal network by
manipulating the source port of the scan. For instance you may be
allowing
all traffic from port 80 to your computer from the internet. I could use
a
program such as Supercan 4 to scan your network by using port 80 as the
source port for my scan. A stateful firewall would not allow that. I
think
ipsec is great for what it is good at, particularly on the lan, but I
would
not use it as a permanent primary internet firewall. --- Steve

Thanks Steven, that's helpful. I'm very familiar with all the firewalls
out there today. I'm playing with ipsec mostly out of curiosity, to see
if I could find something to use as a packet filter that's ultra lite on
resources, mostly just for fun. Sounds like I'd be better off with
something like CHX-I, which also has stateful inspection.

If my ipsec rules only allow outbound traffic on remote port 80 (source:
my address, destination: any address), then wouldn't ipsec block any
incoming traffic from remote 80 if I also have a block all incoming rule
in place? Or does ipsec not care about the direction of the traffic?

 

[Steve Clark [MSFT]]

More specific filter actions will win....

Best practice is to use the Windows Firewall to provide that statefulness
and use IPsec filters/IPsec transport to augment that and optionally provide
per-packet authentication/encryption.

Ok. Well that is fine. Ipsec is a good way to learn how to setup basic
firewall rules. It would not block traffic into your network with a source
port of 80 TCP because you need to allow the return traffic back into your
computer [via a mirrored filter entry] when you initiate an internet
connection to a website. Since ipsec is not stateful it will allow any
traffic in with a source port of 80 TCP. The block all IP rule would not
stop that traffic because an ipsec specific rule will override and ipsec
general rule such as block all IP [don't ask me the specific way in which
that is calculated as I don't know]. Anyhow your computer is in no grave
danger but ipsec filters act like old packet filter firewalls before
stateful packet inspection came along. --- Steve

There is no way to do general logging with ipsec in Windows 2000. W2003
does
offer some logging such as for dropped packets. You would need to use a
software firewall such as Sygate to have some logging. Sygate is free
for
personal user, is a stateful firewall [unlike ipsec] , and has
extensive
logging capabilities. Ipsec is not meant to be a first line internet
firewall. One weakness of a packet filtering firewall is that due to the
rules it is possible for a user to scan your internal network by
manipulating the source port of the scan. For instance you may be
allowing
all traffic from port 80 to your computer from the internet. I could use
a
program such as Supercan 4 to scan your network by using port 80 as the
source port for my scan. A stateful firewall would not allow that. I
think
ipsec is great for what it is good at, particularly on the lan, but I
would
not use it as a permanent primary internet firewall. --- Steve

Thanks Steven, that's helpful. I'm very familiar with all the firewalls
out there today. I'm playing with ipsec mostly out of curiosity, to see
if I could find something to use as a packet filter that's ultra lite on
resources, mostly just for fun. Sounds like I'd be better off with
something like CHX-I, which also has stateful inspection.

If my ipsec rules only allow outbound traffic on remote port 80 (source:
my address, destination: any address), then wouldn't ipsec block any
incoming traffic from remote 80 if I also have a block all incoming rule
in place? Or does ipsec not care about the direction of the traffic?

 

[Kerodo]

More specific filter actions will win....

Best practice is to use the Windows Firewall to provide that statefulness
and use IPsec filters/IPsec transport to augment that and optionally provide
per-packet authentication/encryption.

Ok. Well that is fine. Ipsec is a good way to learn how to setup basic
firewall rules. It would not block traffic into your network with a source
port of 80 TCP because you need to allow the return traffic back into your
computer [via a mirrored filter entry] when you initiate an internet
connection to a website. Since ipsec is not stateful it will allow any
traffic in with a source port of 80 TCP. The block all IP rule would not
stop that traffic because an ipsec specific rule will override and ipsec
general rule such as block all IP [don't ask me the specific way in which
that is calculated as I don't know]. Anyhow your computer is in no grave
danger but ipsec filters act like old packet filter firewalls before
stateful packet inspection came along. --- Steve

There is no way to do general logging with ipsec in Windows 2000. W2003
does
offer some logging such as for dropped packets. You would need to use a
software firewall such as Sygate to have some logging. Sygate is free
for
personal user, is a stateful firewall [unlike ipsec] , and has
extensive
logging capabilities. Ipsec is not meant to be a first line internet
firewall. One weakness of a packet filtering firewall is that due to the
rules it is possible for a user to scan your internal network by
manipulating the source port of the scan. For instance you may be
allowing
all traffic from port 80 to your computer from the internet. I could use
a
program such as Supercan 4 to scan your network by using port 80 as the
source port for my scan. A stateful firewall would not allow that. I
think
ipsec is great for what it is good at, particularly on the lan, but I
would
not use it as a permanent primary internet firewall. --- Steve

Thanks Steven, that's helpful. I'm very familiar with all the firewalls
out there today. I'm playing with ipsec mostly out of curiosity, to see
if I could find something to use as a packet filter that's ultra lite on
resources, mostly just for fun. Sounds like I'd be better off with
something like CHX-I, which also has stateful inspection.

If my ipsec rules only allow outbound traffic on remote port 80 (source:
my address, destination: any address), then wouldn't ipsec block any
incoming traffic from remote 80 if I also have a block all incoming rule
in place? Or does ipsec not care about the direction of the traffic?

Thanks to both Steve's... I think I'm safer with stateful inspection.
At first I was misunderstanding things I think. I didn't realize that
allowing traffic out on 80 would also allow it back in if I want things
to work right. Thanks for the clarification and help..

 

[Steven L Umbach]

Except that there is no Windows Firewall in Windows 2000. --- Steve

More specific filter actions will win....

Best practice is to use the Windows Firewall to provide that statefulness
and use IPsec filters/IPsec transport to augment that and optionally
provide per-packet authentication/encryption.

Ok. Well that is fine. Ipsec is a good way to learn how to setup basic
firewall rules. It would not block traffic into your network with a
source port of 80 TCP because you need to allow the return traffic back
into your computer [via a mirrored filter entry] when you initiate an
internet connection to a website. Since ipsec is not stateful it will
allow any traffic in with a source port of 80 TCP. The block all IP rule
would not stop that traffic because an ipsec specific rule will override
and ipsec general rule such as block all IP [don't ask me the specific
way in which that is calculated as I don't know]. Anyhow your computer is
in no grave danger but ipsec filters act like old packet filter firewalls
before stateful packet inspection came along. --- Steve

There is no way to do general logging with ipsec in Windows 2000. W2003
does
offer some logging such as for dropped packets. You would need to use a
software firewall such as Sygate to have some logging. Sygate is free
for
personal user, is a stateful firewall [unlike ipsec] , and has
extensive
logging capabilities. Ipsec is not meant to be a first line internet
firewall. One weakness of a packet filtering firewall is that due to
the
rules it is possible for a user to scan your internal network by
manipulating the source port of the scan. For instance you may be
allowing
all traffic from port 80 to your computer from the internet. I could
use a
program such as Supercan 4 to scan your network by using port 80 as the
source port for my scan. A stateful firewall would not allow that. I
think
ipsec is great for what it is good at, particularly on the lan, but I
would
not use it as a permanent primary internet firewall. --- Steve

Thanks Steven, that's helpful. I'm very familiar with all the firewalls
out there today. I'm playing with ipsec mostly out of curiosity, to see
if I could find something to use as a packet filter that's ultra lite on
resources, mostly just for fun. Sounds like I'd be better off with
something like CHX-I, which also has stateful inspection.

If my ipsec rules only allow outbound traffic on remote port 80 (source:
my address, destination: any address), then wouldn't ipsec block any
incoming traffic from remote 80 if I also have a block all incoming rule
in place? Or does ipsec not care about the direction of the traffic?

 

[Steve Clark [MSFT]]

No, that's why I said best practice.

That is pretty much for XP SP2 and 2003 SP1... You could also use a
personal firewall for 2000, it's just that not many of them are "enterprise"
class (as in, extensible, managed with AD/GPO, etc).

Except that there is no Windows Firewall in Windows 2000. --- Steve

More specific filter actions will win....

Best practice is to use the Windows Firewall to provide that statefulness
and use IPsec filters/IPsec transport to augment that and optionally
provide per-packet authentication/encryption.

Ok. Well that is fine. Ipsec is a good way to learn how to setup basic
firewall rules. It would not block traffic into your network with a
source port of 80 TCP because you need to allow the return traffic back
into your computer [via a mirrored filter entry] when you initiate an
internet connection to a website. Since ipsec is not stateful it will
allow any traffic in with a source port of 80 TCP. The block all IP rule
would not stop that traffic because an ipsec specific rule will override
and ipsec general rule such as block all IP [don't ask me the specific
way in which that is calculated as I don't know]. Anyhow your computer
is in no grave danger but ipsec filters act like old packet filter
firewalls before stateful packet inspection came along. --- Steve


There is no way to do general logging with ipsec in Windows 2000.
W2003 does
offer some logging such as for dropped packets. You would need to use
a
software firewall such as Sygate to have some logging. Sygate is free
for
personal user, is a stateful firewall [unlike ipsec] , and has
extensive
logging capabilities. Ipsec is not meant to be a first line internet
firewall. One weakness of a packet filtering firewall is that due to
the
rules it is possible for a user to scan your internal network by
manipulating the source port of the scan. For instance you may be
allowing
all traffic from port 80 to your computer from the internet. I could
use a
program such as Supercan 4 to scan your network by using port 80 as
the
source port for my scan. A stateful firewall would not allow that. I
think
ipsec is great for what it is good at, particularly on the lan, but I
would
not use it as a permanent primary internet firewall. --- Steve

Thanks Steven, that's helpful. I'm very familiar with all the
firewalls
out there today. I'm playing with ipsec mostly out of curiosity, to
see
if I could find something to use as a packet filter that's ultra lite
on
resources, mostly just for fun. Sounds like I'd be better off with
something like CHX-I, which also has stateful inspection.

If my ipsec rules only allow outbound traffic on remote port 80
(source:
my address, destination: any address), then wouldn't ipsec block any
incoming traffic from remote 80 if I also have a block all incoming
rule
in place? Or does ipsec not care about the direction of the traffic?