IPSec question

Discussion in 'Server Security' started by Monty, Sep 17, 2004.

  1. Monty

    Monty Guest

    If I have a rule that specifically blocks ALL ports, all addresses and all
    protocols, how do some get through?
    : ) I realize that is very general so let me make a long story as short as
    possible. I have IPSec enabled on an OU that contains only a W2K3 Server
    running SQL. I also have Sygate installed on that server. I have a rule that
    blocks ALL in IPSec then rules allowing specific subnets on TCP protocol
    only. Sygate is then configured in a similar fashion with the Block All
    being at the end of its advanced rules as required. I still get blocks in
    the Sygate traffic log for IPs outside the range of the allowed IPSec
    subnets on the UDP protocol. I know a multi-layered defense is the best
    strategy and I'm glad Sygate is catching the culprits but shouldn't IPSec be
    blocking them in the first place?

    Monty, Sep 17, 2004

  2. This might be the explanation:

    The IPSec Policy does not prevent the blocked subnets from reaching the
    interface > it prevents them from being passed above the network layer.
    Sygate blocks those connection attempts before IPSec gets the opportunity.
    Steve Bruce, mct, Sep 17, 2004

  3. Monty

    Monty Guest

    Thanks Steve but I would like to be clear on this. Are you saying you SUSPECT
    that is what is happening, or do you KNOW it to be that way? I have had this
    issue on other occasions and could find no evidence that pointed me in one
    direction or the other. Could you point me toward some conclusive
    information available on the web?
    All is appreciated........
    Monty, Sep 17, 2004
  4. It might be a matter of what is intercepting the traffic first. Also IPSec will not
    block broadcasts [ending in 255], multicast, IKE, Kerberos, and certain other types
    of traffic, particularly on Windows 2000. You can make a registry entry to remove
    some of the default exemptions but not all of them. It is always a good idea to scan
    your network connections for vulnerabilities after you configure them to make sure
    they are working as expected. The link below explains default exemptions in
    IPSec. --- Steve

    Steven L Umbach, Sep 18, 2004
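    The reply above lists the traffic classes that the Windows 2000 / Server 2003 IPSec filter driver passes regardless of a "block all" rule. The script below is an added example written for this thread (it is not code from any poster, from Sygate, or from Microsoft): it takes a set of firewall-blocked packets and sorts them into those that a default exemption would let past IPSec anyway (so a host firewall catching them is expected) and those that need another explanation, such as the firewall intercepting before IPSec. Assumptions: the record layout is a constructed simplification, not Sygate's real log format; the per-level meaning of the NoDefaultExempt registry value is reproduced from Microsoft's documentation as I recall it and should be checked against the KB article for your OS version; IKE is matched on UDP 500, Kerberos on TCP/UDP 88, and "broadcast" follows the reply's rule of thumb of a destination ending in 255.

```python
"""Triage firewall-blocked packets against the default exemptions of the
Windows 2000 / Server 2003 IPsec filter driver.

Example code written for this thread, not from any poster, Sygate or Microsoft.
The record layout below is constructed for the example and is not Sygate's
real traffic-log format.
"""
import ipaddress

# Constructed sample of blocked connections as (proto, src, sport, dst, dport).
# Port 0 means "no port" for protocols that have none.
SAMPLE_BLOCKS = [
    ("UDP", "10.9.8.7", 500, "192.168.1.10", 500),       # IKE negotiation
    ("UDP", "10.9.8.7", 3000, "192.168.1.10", 88),       # Kerberos
    ("TCP", "10.9.8.7", 3001, "192.168.1.10", 1433),     # SQL from a non-allowed subnet
    ("UDP", "10.9.8.7", 137, "192.168.1.255", 137),      # subnet broadcast (ends in 255)
    ("UDP", "10.9.8.7", 1900, "239.255.255.250", 1900),  # multicast
    ("RSVP", "10.9.8.7", 0, "192.168.1.10", 0),          # RSVP (IP protocol 46)
    ("UDP", "10.9.8.7", 4000, "192.168.1.10", 1434),     # SQL browser service, UDP
]

# Exemptions still active at each level of the NoDefaultExempt registry value
# (HKLM\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt).
# Assumption: reproduced from Microsoft's documentation as recalled; verify
# against the KB article for your OS version before relying on it.
EXEMPTIONS_BY_LEVEL = {
    0: {"IKE", "Kerberos", "RSVP", "broadcast", "multicast"},  # Windows 2000/XP default
    1: {"IKE", "broadcast", "multicast"},                      # Kerberos/RSVP no longer exempt
    2: {"IKE", "Kerberos", "RSVP"},                            # broadcast/multicast no longer exempt
    3: {"IKE"},                                                # Server 2003 default
}


def is_broadcast(ip: ipaddress.IPv4Address) -> bool:
    """The reply's rule of thumb: a destination whose last octet is 255
    (covers subnet-directed and the limited 255.255.255.255 broadcast)."""
    return ip.packed[-1] == 255


def exemption_class(proto, src, sport, dst, dport):
    """Return the IPsec default-exemption class this packet falls into, or None."""
    dst_ip = ipaddress.ip_address(dst)
    if proto == "UDP" and 500 in (sport, dport):
        return "IKE"
    if proto in ("TCP", "UDP") and 88 in (sport, dport):
        return "Kerberos"
    if proto == "RSVP":
        return "RSVP"
    if dst_ip.is_multicast:
        return "multicast"
    if is_broadcast(dst_ip):
        return "broadcast"
    return None


def bypasses_ipsec_block_all(entry, no_default_exempt=0):
    """True if a 'block all' IPsec filter would still pass this packet at the given level."""
    cls = exemption_class(*entry)
    return cls is not None and cls in EXEMPTIONS_BY_LEVEL[no_default_exempt]


def triage(blocks, no_default_exempt=0):
    """Split blocked packets into (explained_by_exemption, needs_investigation)."""
    explained, unexplained = [], []
    for entry in blocks:
        target = explained if bypasses_ipsec_block_all(entry, no_default_exempt) else unexplained
        target.append(entry)
    return explained, unexplained


if __name__ == "__main__":
    for level in (0, 3):
        exp, unexp = triage(SAMPLE_BLOCKS, level)
        print(f"NoDefaultExempt={level}: {len(exp)} explained by exemptions, "
              f"{len(unexp)} need another explanation")
        for e in unexp:
            print("  investigate:", e)
```

Run against the constructed sample, the two SQL entries (TCP 1433 and UDP 1434 from a non-allowed subnet) are the ones no exemption accounts for at any level; those are the blocks where the question of which layer saw the packet first actually matters. Raising NoDefaultExempt shrinks the "explained" set, which is what the registry change in the reply buys you.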
  5. Jorge Coronel [MSFT], Sep 18, 2004
  6. An effective test would be to disable Sygate and then run the IpSec Monitor
    to see if sessions can be established from networks that are filtered out.
    Steve Bruce, mct, Sep 18, 2004
  7. Monty

    Monty Guest

    Thanks to all....great information, only small parts of which I was familiar
    with. What you all provided was a great help.
    Monty, Sep 20, 2004