IPSec and you... (W2000/XP)

Quote from Steve Gibson:

Everyone,
In a few hours, Mark Thompson (AnalogX) is going to finally put something up on his site that I have been urging him to finish for quite a while. If you are running a Windows 2000 or XP system, you are going to want to check this out.
Mark managed to untangle one of the worst user-interfaces Microsoft has ever created -- governing the rules of the IPSec (secure IP) system that's built into every Windows 2000 and XP machine. That's all just a big yawn for most of us. But what's not apparent until you really dig down deep, is that these same rules also govern the low-level packet filtering firewall built into Windows 2000 and XP.

Read more:

https://grc.com/x/news.exe?cmd=article&group=grc.news&item=314&utag=

[hr]

Quote from Mark Thompson:

Introduction

Everyone wants their server to be as secure as possible, but there are many different approaches that can be taken to accomplish this ends. Now Microsoft didn't invent IP Security (or IPSec for short), it was developed by them in conjunction with Cisco and the IETF, but Windows 2000 has a very robust implementation of it built in. The intent of IPSec is to help in creating secure connections between different machines, even when the software that's communicating has no knowledge of the encryption. IPSec can also be used to apply rules as to what kind of IP traffic a machine will accept, akin to a limited firewall - that part of IPSec is what this article deals with. I'm going to assume that if you're reading this, you already have Win2k installed and know how to get to the IPSec administration portion - if you don't, please check the additional resources section.

Read more:

http://www.analogx.com/contents/articles/ipsec.htm

 

lol will i guess that leaves out lol i have windows me i guess i could use the windows 2000 that fell off the back of the truck (blaze does his tony sopranoe exprestion)forget about it lol

lol i think id make a good illiterate mobster lol wheres my madicodie and my capochinoe.

so basicly this is added security im still going to look at it sounds intresting cant never go wrong with more security knowledge

 

omg that is so cool windows xp might just be worth something now im relly tempted to upgrade now that fixs alot of isues i had with the ideal of upgrading to xp.

mark better hurry up and post that info lol im already inpathient im like a new kid algain xp eye candy with real security=)

i cant wait i cant wait.

thx fan j that gives me something to relly look foward to

 

Hey Jan, thanks. I'm anxious to try this, but it has me thouroughly confused. Do you know what the step by step proceedure is after installing the registry keys? One place it talks about enabling IPSEC on a machine, and another place it talks about setting up a snapin.
I'm not familiar with any of that stuff. I have Win2k Pro SP3 and could use some specific directions.
I'm getting old and my mind is moving slow.

 

Hi Root

I wished I could tell you more, but I myself have only W98SE, so no go for me on this IPSec (which I regret....).

Well, over at the GRC forum news.feedback is a massive thread going on about this.
I hope it might help you (but be warned: lots and lots of postings; I simply didn't have the time to go through them).

GRC news.feedback forum:

https://grc.com/x/news.exe?cmd=xover&group=grc.news.feedback

The thread is called: Massive Coolness for Win2000 & XP

The start of the thread is here:

https://grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=40805&utag=

You can read it web-based or with a news-reader (which I don't use myself).

 

Good enough. Thanks Jan.

 

Have you tried the instructions on the following page:
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=15317

CrazyM

 

For those interested in adding an additional layer of security for communications permitted by their system, it is a good option. If you are comfortable working with rules based firewalls, you should not have any problems customizing the policy/rules provided at the Analog X site or creating your own policy/rules from scratch. Use your existing rule set as a guide/template.

Some things for those thinking of using IPSec to be aware of:

Be sure you know what you need/use as far as protocols (ICMP, TCP, UDP). For those not running any services, this would be any outbound to remote services required. If you have not allowed for something you require in the policy/rules, it will not work. There is no logging or alerts (at least not that I’ve found yet) to let you know, it just won’t work/be permitted.

ICMP is either all or nothing. Although some users could probably get by with blocking all, I think most will want to permit all and then define permitted ICMP in their software firewall.

Take advantage of the fact that the rules in the policy can be restricted to specified IP’s if desired. A particular rule can have a sub-set of rules within to accommodate multiple IP’s, protocols or ports.

Make sure you have the TCP, UDP (ICMP if desired) block rules in you policy.

With a properly defined IPSec policy in place on a system not running any services, your system will block unsolicited inbound connection attempts/scans. For those concerned about “stealth”, permitting all ICMP in the policy will usually result in “stealth” for TCP, “closed” for UDP and of course you will be pingable. Blocking all ICMP will result in “stealth” for everything. These results were with no software firewall running on my system (W2K sp3). However, as mentioned above, I think most users will want to permit all ICMP in the IPSec policy and define what is allowed in the software firewall.

On a side note, if I run (assign) my custom IPSec policy (which permits all ICMP) in conjunction with my software firewall, NIS2002 Pro, the firewall still sees/blocks the inbound connection attempts/scans first. With the ICMP rules I have in the firewall, scans will get no response or “stealth”.

Another side effect of running IPSec on my system, as it relates to NIS2002 Pro, is that the IPSec policy will block the particular types of stealth scans used by pcflank.com, resulting in all “stealth” results. Previously NIS2002 Pro would only be “stealthed” for two of the four TCP stealth scans used (older versions of NIS will not get “stealthed” results for any of the TCP stealth scans). Not that being “stealth” is the be all and end all for me, but an interesting side effect NIS users might be interested in.

CrazyM

 

Hi CrazyM,

Thanks a lot for you info !!!

Cheers, Jan.

 

I disabled IPSEC on my PC. I went to PC Flank and passed all the tests using latest SPFW.
Do we really need IPSEC enabled with a capable FireWall installed ?

bill

 

Do you really need it and a software firewall.....No.

The advantage I find in using it is the ability to secure communications to and from my system within the OS and before relying on software.

It is an option I can use in making my system (W2K Pro sp3) as secure as possible in and of itself, before doing anything else in the way of software/hardware firewalls, router/gateway, etc.

I still run a software firewall, IPSec is just part of my overall system security.

CrazyM