IPSEC used as a firewall?
  • I know most of you don't care for Windows (or at least that is how it comes across here). I was wondering if anyone has tried this. I have read about it but have never seen it implemented. You basically create a "tcp-wrapper"-like structure around all packets coming in and out, using IPSEC filtering and encryption.

    The thing is, though, doesn't IPSEC have a lot of limitations as far as what protocols can be traversed? I have run IPSEC policies before, but only 1-way. I have done the full tunnel scheme for a security template. I know IKE/IPSEC has its flaws (forced aggressive mode--keys seen over the wire), but can it be a reliable firewall in practice?

    Same question I would have in regards to KERBEROS. I know it can manage domain authentication from a centralized server login point; can it also be extended for complete tunnel isolation and encryption on a network?
  • mandi
    Posts: 207
    First of all I want to tell you something:
    IP-SEC does not only belong to Windows; it is a kind of industry-standard encryption protocol for transmitting data across or between networks. Also, IP-SEC is not a single protocol; it is a collection of protocols like ESP and many other things..

    Also, as far as I know, you cannot use this as a firewall because IP-SEC is only used for encrypting the traffic, and it is mainly used because it verifies the integrity of the data being transmitted. Also, as far as I know, there are guys who can decrypt the IP-SEC and again pass through them without breaking the encryption...

    Besides verifying the integrity of the data, how can you use this protocol suite to block malicious connections?

    I don't see any possibilities....
  • I brought this up because I read that IPSEC can be used to filter inbound data by having it registered w/ an existing ruleset based on IP addressing/protocol content---I know it is VERY limited. If you look at the IPSEC options in Windows (using secpol.msc?), I believe there are 2: one says that you can turn on IPSEC for communication 1 way, or both ways, or strictly deny altogether. Not sure, it's been a while since I looked at it. I read that people have implemented IPSEC along with standard Windows port filtering. Wanted to see if anyone else had heard about this or done it as well.

    And yes, I am aware that IPSEC can be bypassed---mainly by triggering a MAIN MODE request which bypasses any key exchange that can be easily seen on the wire (using IKE-scan).
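    The permit / block / negotiate structure the post above refers to is what the legacy IPsec policy store (the one secpol.msc edits) exposes as "filter actions". The script below is an added example, not code from the thread or from Microsoft: it builds the "tcp-wrapper"-like layering from the first post with the `netsh ipsec static` context. It assumes an elevated PowerShell prompt on a Windows host whose IPsec Policy Agent service is running, a domain (Kerberos) machine account for authentication, and constructed names, subnet and ports (the 10.0.5.0/24 management subnet, TCP 3389 and TCP 443 are placeholders, not values from the thread).

    ```powershell
    # Added example (not from the thread): a host "wrapper" built from IPsec filter actions.
    # Assumptions: elevated PowerShell, legacy IPsec Policy Agent available, domain-joined
    # host so kerberos=yes can authenticate peers. All names, addresses and ports are constructed.
    $Policy = "Host-Wrapper-Example"

    # 1. Filter lists: what traffic each rule matches. dstaddr=me means this host;
    #    mirrored=yes makes the list also match the reply direction of the same flow.
    netsh ipsec static add filterlist name=Mgmt-From-Admin-Subnet
    netsh ipsec static add filter filterlist=Mgmt-From-Admin-Subnet `
        srcaddr=10.0.5.0 srcmask=255.255.255.0 dstaddr=me `
        protocol=TCP srcport=0 dstport=3389 mirrored=yes

    netsh ipsec static add filterlist name=Web-From-Anywhere
    netsh ipsec static add filter filterlist=Web-From-Anywhere `
        srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

    # Catch-all for inbound packets to this host. mirrored=no so that packets this
    # host sends out are not matched by the block rule below.
    netsh ipsec static add filterlist name=Inbound-Everything-Else
    netsh ipsec static add filter filterlist=Inbound-Everything-Else `
        srcaddr=any dstaddr=me protocol=any mirrored=no

    # 2. Filter actions: the three choices the secpol.msc UI presents.
    #    permit    -> pass in clear text, no IPsec
    #    negotiate -> require an IPsec SA; inpass=no refuses unsecured inbound packets,
    #                 soft=no forbids falling back to clear text if negotiation fails
    #    block     -> drop
    netsh ipsec static add filteraction name=Permit-Clear action=permit
    netsh ipsec static add filteraction name=Require-IPsec action=negotiate inpass=no soft=no
    netsh ipsec static add filteraction name=Drop action=block

    # 3. The policy and its rules. The driver applies the most specific matching filter,
    #    so the two narrow lists take precedence over the catch-all.
    netsh ipsec static add policy name=$Policy
    netsh ipsec static add rule name=Mgmt-Requires-IPsec policy=$Policy `
        filterlist=Mgmt-From-Admin-Subnet filteraction=Require-IPsec kerberos=yes
    netsh ipsec static add rule name=Web-Permit policy=$Policy `
        filterlist=Web-From-Anywhere filteraction=Permit-Clear
    netsh ipsec static add rule name=Default-Drop policy=$Policy `
        filterlist=Inbound-Everything-Else filteraction=Drop

    # 4. Only one policy can be assigned at a time; assigning it is what activates it.
    netsh ipsec static set policy name=$Policy assign=yes

    # 5. Check what is now active and, once peers connect, which SAs were negotiated.
    netsh ipsec static show policy name=$Policy level=verbose
    netsh ipsec dynamic show all
    ```

    Two caveats matter for the "can it be a reliable firewall" question. The legacy IPsec filter is stateless: the catch-all block rule sees every inbound packet, including replies to connections this host itself opened, so the pattern only works cleanly on a server whose inbound needs are fully enumerated, or alongside the stateful Windows port filtering the post mentions. Second, older Windows releases exempt IKE (UDP 500), Kerberos and broadcast/multicast traffic from IPsec filtering unless the documented NoDefaultExempt registry value is set, so verify with the show commands above, from a console session rather than a remote one, that the policy actually blocks what you expect before relying on it.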
  • said:

    I brought this up because I read that IPSEC can be used to filter inbound data by having it registered w/ an existing ruleset based on IP addressing/protocol content---I know it is VERY limited. If you look at the IPSEC options in Windows (using secpol.msc?), I believe there are 2: one says that you can turn on IPSEC for communication 1 way, or both ways, or strictly deny altogether. Not sure, it's been a while since I looked at it. I read that people have implemented IPSEC along with standard Windows port filtering. Wanted to see if anyone else had heard about this or done it as well.

    And yes, I am aware that IPSEC can be bypassed---mainly by triggering a MAIN MODE request which bypasses any key exchange that can be easily seen on the wire (using IKE-scan).

    Erm. - IP-Sec is encryption only. Usually paired with some sort of tunneling protocol [to encrypt the traffic]...unless my knowledge is failing me. I think by "firewall", when you wrote "i read that people have implemented IPSEC along with standard windows port filtering", it's more of something to prevent sniffing or make a MITM attack more difficult? Because that would mean all incoming [or outgoing, depending on config.] would be encrypted via IP-Sec, on top of the original protocol used for data [TCP/IP or whatever..].

    Again - I think it's encryption only, 'cuz 1 difference between IPv6 and IPv4 is that v6 comes with IP-Sec as a default. [Unless I forgot ofc... lol]