IPSEC Key Management

Discussion in 'other firewalls' started by Mrkvonic, Sep 22, 2005.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hi,
    I googled and looked for this one but didn't have a good answer.
    Yesterday my Sygate firewall warned me that lsass.exe is being contacted by remote machine through port 500 (IPSEC Key Management). My question is: what the hell is this? I know there's a service for Oakley servers and blah blah, but this answer hardly satisfies me...
    What is the meaning of the remote attempt (which I block)?
    Does anyone have anything to tell me about lsass and Ipsec?
    Thanks guys,
    Mrk
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Unless you have a VPN (Virtual Private Network) this wouldn't apply to you. See:

    VPN

    Port 500

    udp port 500 scans

    Lsass (Local Security Authority Service) is the system process that handles local security and login policies.

    In the early days of Win2000 there was a UDP DoS exploit via port 500. From some notes:

    ------------------------------------------
    For example in Windows 2000 there was a remote UDP DOS exploit that used the IKE service running on port 500. All an attacker had to do was connect to port 500 on a random machine with that port open. Start sending massive UDP packets (above 500 bytes) to that service and the CPU usage would hit 99% and the machine would lock up. The typical ports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.
    ------------------------------------------

    If you post your firewall log entry, someone might be able to tell more about it. Meanwhile, your firewall is doing its job.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hi,
    Thanks for the info.
    Actually I do have a VPN connection.
    I connect to the internet using isp dial connection I configured.
    It is a vpn....
    My questions are:
    If I permanently block lsass on this port, will my security, updates whatever be compromised?
    What can possibly happen is this traffic is allowed?
    Along these lines, thanks in advance.
    Mrk

    P.S. Forgot to add:
    I use vpn but for non-encrypted protocols, so I guess this is probably some kid scanning ip ranges and my firewall is alerting me ....?
    I checked the firewall on grc and sygate it's fully stealthed.
    Should I kill this inbound permanently?
     
    Last edited: Sep 22, 2005
Loading...
Similar Threads
  1. IvoShoen
    Replies:
    12
    Views:
    1,357
Thread Status:
Not open for further replies.